
Ransomware is big business

Learn how ransomware works and how to protect against it

Overview

Ransomware is a type of malicious software that blocks access to a computer system or data, usually by encrypting it, until the victim pays a fee to the attacker. In many cases, the ransom demand comes with a deadline—if the victim doesn’t pay in time, the data is gone forever.

Ransomware Reference

Locky Ransomware

Earlier this year, Proofpoint researchers discovered Locky ransomware. Most notably, the same actors behind many of the largest Dridex campaigns were distributing Locky, at a scale we had previously seen only with the Dridex banking Trojan. We have also observed the actors behind these campaigns varying their delivery strategies to evade security defenses. For example, we are seeing:

  • Increasingly convoluted JavaScript obfuscation
  • Additional junk files packed alongside the script to help evade detection
  • Mangled "Content-Type" headers to help evade detection
  • The use of RAR instead of Zip compression for the JavaScript downloader
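The four delivery tricks above all defeat filters that trust what the message says about itself. The script below is an added example, not Proofpoint's code or anything from the page, showing how a gateway or triage tool can instead sniff the attachment bytes: it identifies the container by magic number (RAR versus Zip, whatever the header claims), flags a declared Content-Type that disagrees with the bytes, looks inside Zip archives for a script hidden among junk files, and scores the script for common obfuscation idioms. The sample message, its misspelled Content-Type header (standing in for a mangled one), the attachment names and the stub JavaScript are all constructed for the demonstration; the RAR attachment is only a signature plus padding, so it is reported but not opened.

```python
"""Attachment triage for Locky-style delivery tricks (added example, constructed data)."""
import base64
import email
import email.policy
import io
import re
import zipfile

SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}  # RAR4 and RAR5 share this prefix
DECLARED_OK = {"zip": {"application/zip", "application/x-zip-compressed"},
               "rar": {"application/x-rar-compressed", "application/vnd.rar"}}
# Crude indicators of an obfuscated downloader script; two or more is suspicious.
OBF_PATTERNS = [r"\beval\s*\(", r"\bunescape\s*\(", r"String\.fromCharCode",
                r"ActiveXObject", r"(?:\\x[0-9a-fA-F]{2}){8,}"]


def sniff(data):
    """Identify the container from its first bytes, ignoring the declared type."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def js_obfuscation_score(text):
    return sum(1 for p in OBF_PATTERNS if re.search(p, text))


def triage_attachment(part):
    data = part.get_payload(decode=True) or b""
    declared = part.get_content_type()
    actual = sniff(data)
    flags = []
    if actual in DECLARED_OK and declared not in DECLARED_OK[actual]:
        flags.append("content-type-mismatch")
    if actual == "rar":
        flags.append("rar-container")          # needs an unrar tool; not opened here
    elif actual == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            scripts = [n for n in names if n.lower().endswith(SCRIPT_EXTS)]
            if scripts:
                flags.append("script-in-archive")
                if len(names) > len(scripts):
                    flags.append("junk-files")   # script padded with decoy entries
                # Size cap so a decompression bomb cannot exhaust memory during triage.
                if any(zf.getinfo(n).file_size <= 1_000_000
                       and js_obfuscation_score(zf.read(n).decode("latin-1")) >= 2
                       for n in scripts):
                    flags.append("obfuscated-script")
    return {"filename": part.get_filename(), "declared": declared,
            "actual": actual, "flags": flags}


def triage_message(raw):
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return [triage_attachment(p) for p in msg.iter_attachments()]


# ---- constructed sample input -------------------------------------------------
OBFUSCATED_JS = (  # stand-in for a downloader script, not a real sample
    'var a = "\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x77"; '
    'eval(unescape("%76%61%72%20%78%3d%31")); '
    'var o = new ActiveXObject(String.fromCharCode(77,83,88,77,76,50));'
)


def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message():
    """Two attachments: a Zip with an obfuscated .js beside junk files, and a
    RAR whose Content-Type is mangled and whose filename claims it is a Zip."""
    zip_bytes = make_zip({"invoice_4521.js": OBFUSCATED_JS,
                          "readme.txt": "x" * 4096, "data1.dat": "\0" * 2048})
    rar_bytes = b"Rar!\x1a\x07\x01\x00" + b"\0" * 64      # RAR5 signature + padding
    attachments = [("application/zip", "invoice_4521.zip", zip_bytes),
                   ("applicaton/zip", "scan_0017.zip", rar_bytes)]  # misspelled type
    boundary = "=_triage_boundary_"
    lines = ["From: accounts@example.invalid", "To: user@example.invalid",
             "Subject: Invoice", "MIME-Version: 1.0",
             f'Content-Type: multipart/mixed; boundary="{boundary}"', "",
             f"--{boundary}", "Content-Type: text/plain; charset=us-ascii", "",
             "Please see attached.", ""]
    for ctype, name, data in attachments:
        lines += [f"--{boundary}", f'Content-Type: {ctype}; name="{name}"',
                  "Content-Transfer-Encoding: base64",
                  f'Content-Disposition: attachment; filename="{name}"', "",
                  base64.b64encode(data).decode("ascii"), ""]
    lines.append(f"--{boundary}--")
    return "\r\n".join(lines).encode("ascii")


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Run as a script it prints one finding per attachment; the Zip is flagged for the script, the junk entries and the obfuscation, and the RAR for the container type and the mismatch between the misspelled header and the bytes. The point generalizes beyond these two tricks: any decision about an attachment should start from its contents, never from the type or filename the sender supplied.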


How Ransomware Works and How to Protect Against it


Figure 1: Ransomware Screen Notification

Some attacks also leave additional malware on the computer system, and it stays there even after the ransom is paid and the data released.

While originally focused largely on personal computers, encrypting ransomware has increasingly targeted business users, because a business will often pay more than an individual to unlock critical systems and resume daily operations.

Enterprise ransomware infections usually start with a malicious email: an unsuspecting user opens an attachment or follows a link to a website that is malicious or has been compromised.

At that point a ransomware agent is installed and begins encrypting key files on the victim's PC and on any file shares the PC can reach. After encrypting the data, the ransomware displays a message on the infected device explaining what has happened and how to pay the attackers. If the victims pay, the ransomware promises, they will receive a key to unlock their data. Payment carries no guarantee: the attackers may never deliver a working decryptor, and paying does nothing to remove whatever else was installed alongside the ransomware.

Before you’re infected

  • Defend your email. Email phishing and spam are the main way that ransomware is distributed. Secure Email Gateways with targeted attack protection are crucial for detecting and blocking the malicious emails that deliver ransomware. These solutions stop malicious attachments, malicious documents and malicious URLs in emails before they reach user computers.
  • Defend your mobile devices. Mobile attack protection products, used in conjunction with mobile device management (MDM) tools, can analyze the apps on your users' devices and immediately alert users and IT to any app that might compromise your environment.
  • Defend your web surfing. Secure web gateways can scan your users' web traffic to identify malicious web ads that might lead them to ransomware.
  • Monitor your servers and network, and back up key systems. Monitoring tools can detect unusual file access activity, network C&C traffic and CPU load spikes, possibly in time to stop the ransomware before encryption completes. Keeping a full image copy of crucial systems reduces the risk that a crashed or encrypted machine becomes an operational bottleneck. Keep those backups offline or otherwise isolated from the network: a backup reachable from an infected PC as a mapped share will be encrypted along with everything else.
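The "unusual file access activity" in the last point has a characteristic shape: one process writing and renaming far more distinct files in a minute than any user or office application does, on the local disk and then on mapped shares. The detector below is an added example, not part of the page or of any Proofpoint product, that runs that check over a stream of file-event log lines. The line format, host and process names, and the event stream itself are constructed for the demonstration; a real deployment would feed it from file-system auditing on the endpoint or file server. The example goes slightly beyond the text by also reporting the extension the renamed files end up with, which is what an analyst looks at first to identify the family.

```python
"""Burst detector for file write/rename events (added example, constructed log format)."""
import ntpath
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def parse_event(line):
    """Constructed format: '<iso-timestamp> <host> <user> <pid>:<image> <op> <path>'."""
    ts, host, user, proc, op, path = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "proc": proc, "op": op, "path": path}


def detect_bursts(lines, window_s=60, threshold=25):
    """Alert on any (host, process) that touches at least `threshold` distinct
    paths within a sliding `window_s`-second window. Each alert records when the
    burst began, the largest file count seen in one window, and the extension
    most often given to renamed files, so the analyst can recognise the family."""
    recent = defaultdict(deque)          # (host, proc) -> events inside the window
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev["op"] not in ("WRITE", "RENAME"):
            continue
        key = (ev["host"], ev["proc"])
        q = recent[key]
        q.append(ev)
        while (ev["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()
        distinct = {e["path"] for e in q}
        if len(distinct) < threshold and key not in alerts:
            continue
        rec = alerts.setdefault(key, {"host": ev["host"], "proc": ev["proc"],
                                      "first_seen": q[0]["ts"], "files": 0,
                                      "top_renamed_ext": None})
        rec["files"] = max(rec["files"], len(distinct))
        renamed_ext = Counter(ntpath.splitext(e["path"])[1].lower()
                              for e in q if e["op"] == "RENAME")
        if renamed_ext:
            rec["top_renamed_ext"] = renamed_ext.most_common(1)[0][0]
    return list(alerts.values())


def sample_log():
    """Constructed events: a word processor saving a few documents over ten
    minutes, then a script host rewriting and renaming forty files on the PC
    and a mapped share within half a minute."""
    base = datetime(2016, 10, 3, 9, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} WKS01 alice 2210:winword.exe WRITE "
                     f"C:\\Users\\alice\\Documents\\report{i}.docx")
    burst = base + timedelta(minutes=12)
    for i in range(40):
        t = burst + timedelta(seconds=i * 0.7)
        root = "C:\\Users\\alice\\Documents" if i < 25 else "\\\\FS01\\finance"
        lines.append(f"{t.isoformat()} WKS01 alice 4412:wscript.exe WRITE {root}\\file{i}.xlsx")
        lines.append(f"{t.isoformat()} WKS01 alice 4412:wscript.exe RENAME {root}\\{i:016x}.locky")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(sample_log()):
        print(alert)
```

On the sample stream the word processor never trips the detector, while the script host is reported as soon as its twenty-fifth distinct path appears, about nine seconds into the burst, with `.locky` as the dominant extension of renamed files. Tune `threshold` and `window_s` against a baseline of your own backup, indexing and build processes, which are the usual sources of false positives, and exempt them by image name rather than by raising the threshold for everyone.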

If you’re already infected

  • Call federal and local law enforcement. Just as you would report a physical-world kidnapping to law enforcement, report ransomware to the same agencies. Their forensic technicians can help determine whether your systems have been compromised in other ways, gather information to better protect you going forward, and try to find the attackers.
  • Restore your data. If you have followed best practices and kept system backups, you can restore your systems and resume normal operations. Restore only onto clean systems, after the ransomware and the initial access vector have been removed; otherwise the restored data will simply be encrypted again.

Ransomware Survival Guide

Ransomware attackers collected more than $209 million from victims during the first three months of 2016 alone, with the volume of attacks 10 times higher than all of 2015. In addition to the ransom itself, these attacks can exact a heavy cost: business disruption, remediation costs, and a diminished brand. 

Hades Locker Ransomware Mimics Locky

Proofpoint researchers identify a new ransomware variant known as Hades Locker sent via the same spam botnet as recent CryptFile2 and MarsJoke campaigns.


MarsJoke Ransomware Mimics CTB-Locker

Proofpoint researchers uncover a new ransomware variant called MarsJoke in a large campaign targeting government and educational institutions.


CBS News: The Big Business of Cyber Ransom

Proofpoint's Ryan Kalember talks to CBS News about the latest cybersecurity threats.
