By Dave Palmer, Director of Technology, Darktrace.
Ransomware attacks are both indiscriminate and effective. They target everyone from Wall Street corporations to small-town hospitals; from CEOs to union leaders. In 2016 alone, ransomware attacks spiked by 6,000 percent, raking in over $1 billion from unsuspecting victims. For attackers, ransomware is as tried-and-true as they come.
But as the threat landscape continues to grow and evolve, so too does ransomware. Attackers have started to realize that targeting trust can be just as lucrative as targeting data. Reputation has become one of a company’s most valuable assets and is now under assault.
Traditional ransomware can often be dealt with behind the scenes. Whether the organization mitigates the ransomware on its own, recovers the files through a backup system, or even pays the ransom, the situation can be resolved without involving customers or press.
But the newest strain of ransomware – dubbed ‘Doxware’ – is not so discreet. Doxware packages a company’s data and threatens to release it to the public. This might include confidential documents like patient records and proprietary blueprints, or personal information like passwords and credit card numbers – the more sensitive the better.
85 percent of industry leaders now consider reputational damage the most significant impact of a cyber-attack. The rise of Doxware shows that cyber-criminals are good at adapting to new market opportunities, and they have a multitude of weapons at their disposal to inflict that damage. Meanwhile, legacy security tools still try to defend networks at the border or concentrate on finding ‘known bad’. Unless these novel attacks are stopped at an early stage, they’re bound to undermine organizational reputation.
As ‘trust attacks’ are becoming increasingly mainstream, safeguarding reputation has become an essential component of cyber security. To protect their brand and trustworthiness, organizations have to be able to evolve in step with the rapidly changing threat landscape, proactively protecting their assets from subtle, stealthy cyber-attacks.
When it comes to ransomware, paying the ransom isn’t a failsafe option, because there’s no guarantee the attacker will decrypt the data. Likewise, bracing for a public data dump via Doxware is equally inadvisable. The best alternative is to detect the threat while it’s still emerging.
At Darktrace, we see ransomware on a daily basis. The reason we can catch it comes down to the detection approach. We’re not looking for a specific signature or a pre-identified ransomware strain. Instead, the technology is constantly learning and re-learning what normal looks like, so when a new type of malware is launched, we don’t have to play catch-up. We detect it straight away.
Here’s an example of a ransomware attack that got through the perimeter at a California non-profit and how it was detected within minutes, allowing the security team to stop it before it spread to a second computer.
Published on 16 February 2018