Ransomware Defense: The Do's and Don'ts

CrowdStrike's Con Mallon on the Evolution of Attacks and Mitigation

FIELD: Hi, I'm Tom Field, senior vice president of editorial with Information Security Media Group. I'm talking today about the evolution of the ransomware marketplace. It's my pleasure to be speaking with Con Mallon, a senior director of product marketing with CrowdStrike. Con, how are you today?

MALLON: I am very well, Tom.

FIELD: So Con, over the past year, 18 months, we have really seen ransomware emerge as one of the top threats to organizations across sectors and regions. From your perspective at CrowdStrike, how do you see this ransomware marketplace evolving this year?

MALLON: Well, I think the first thing, Tom, is that we definitely see it will continue to evolve. Unfortunately, it really shows no signs of disappearing off into the sunset. I think that really comes down to, fundamentally, there is money to be made here in the ransomware marketplace. I think last year the FBI came forward and said they sized ransomware at about a billion dollars here in North America, so that is quite a chunk of change, and I think that continues to fuel the evolution and the growth of the market. And what we're really seeing is, whether you are a large company or a small company, it really does impact you. And again, I think one of the evolutions of ransomware has been that it started out maybe focused on the consumer and the individual. But it really is now morphing into the organization. And again, Tom, the reason for that is simply money.

Bad guys and bad actors, as I describe them, can extort more money from an organization. As opposed to maybe getting hundreds of dollars out of an individual, they can potentially get thousands or tens of thousands out of a company or an enterprise. So I think that that is definitely going to be an evolution that will continue. Talking about other things, definitely I think we see an evolution this year in terms of the sophistication and maybe the stealthiness of ransomware.

Last year, we started to see it becoming a little more sophisticated and going after backups. So again, for some folks the approach can be: if the ransomware hits, since I've got a backup I can roll back to that and move forward without having to pay the ransom, or be necessarily too impacted as a result of it. Obviously there is still a bit of work to be done there in terms of going and getting backups and then putting those back onto the machine. But again, the ransomware goes off and locks up those backups. And again, even in the context of the enterprise, coming back to my comment earlier on, what we are seeing is an evolution where they can go after the backups. Not just on the individual machine, but they are starting to look at the network shares and starting to go off and encrypt the backups and the data that might be lying on those network drives.

So again, it's just that ongoing drumbeat of evolution in here, and I think that's something that we can't escape. Other things that might be relevant as well in terms of ransomware are really for those organizations that have to operate within compliance frameworks and regulations. We are starting to see those regulators focusing on ransomware. And there is an interesting perspective here, because a lot of regulation has been about protecting data, and quite rightly so. But it really is through the prism of protecting data from exploitation, from being stolen out of the organization. Ransomware is kind of different. Yes, you have to protect that data, but it's not that it's being stolen out of the organization. It's still resident on that hard drive within that machine, so it's a new twist on an old problem. But certainly I think compliance requirements with regard to ransomware will be a further evolution of what individuals and corporations are going to have to look at as we go forward. And maybe just to finish off, I think another perspective we see here at CrowdStrike is that a lot of ransomware to this point has been focusing on the Windows platform. We are starting to see it moving off into the world of Apple and the Mac, and onto Linux as well.

And maybe again an even bigger macro trend is the evolution of ransomware beyond simply the laptops, desktops and servers we are all aware of, and maybe even moving into industrial control systems. How would it be, for example, if you're a manufacturer and your line was down simply because it was held to ransom? So maybe the evolution of this type of attack into those types of applications is certainly something that might be an evolutionary step, and maybe even beyond that into the hot, sexy world of IoT. Any device connected to the internet potentially could be party to a ransomware attack. Certainly I know that in our household here it would be kind of domestic Armageddon if our television was held to ransom.

FIELD: That's a great overview of the evolution of the marketplace. When you look at growth, what would you say are some of the key technology and business drivers for this growth?

MALLON: Yeah, so here with ransomware, it would appear to be new and fresh and vibrant, but it's been around for a while, Tom. Probably at least 10 years plus. And during that time it's kind of evolved and morphed and changed. And certainly, you know, what we've seen is that there have been technical advances with ransomware. If we went back maybe 10 years ago, certainly the whole scam here is to get ahold of the machine and the data on the machine, and then to encrypt it, and then pop up a message to say, "Hey, give me some money if you want to see that data back." And we certainly see the encryption capabilities improve over those years. Back 10 years ago they may have been using 56-bit encryption. Now they are using 2,048-bit encryption, state-of-the-art stuff.

As I mentioned earlier as well, technical innovation about going after the backups, we definitely see that happening. And also probably one of the newer things we've seen, and maybe one of the most troublesome things going forward, is actually the arrival of ransomware that doesn't actually have any files or malware. So it's not a question of a piece of malware being loaded onto the machine and then executing. They have the ability to get onto the machine, leveraging exploits, maybe in office productivity apps, and then directly enter commands into memory and run those commands without a piece of malware actually being used. I think that is certainly a new technical capability that's worth consideration.

The other, kind of parallel track has just been innovation in terms of monetization. Back in the day, really how they were getting payment for the ransom was through credit or debit cards. The problem there is it kind of left a trail of breadcrumbs to be followed up afterwards, maybe by law enforcement. Really what we now are seeing is the arrival of ransoms being asked for in the form of bitcoin or cryptocurrencies. And that gives that layer that hides the bad guys from law enforcement. So we certainly can assume that. And again with monetization, as I mentioned earlier on, the amounts being asked for are creeping up year after year after year. It's probably now about on average five or six hundred dollars that's being asked for. But as I said, for enterprises that can run into thousands of dollars.

FIELD: Through CrowdStrike you get the opportunity to see lots of organizations and how they defend against ransomware. From your perspective, in terms of defense, what does not work?

MALLON: That's a great question, Tom. I'd certainly say Do Nothing doesn't work, because that kind of leaves you open and exposed. Another interesting and troublesome statistic I saw from last year is that here in North America there was probably about a 50/50 chance of being hit by ransomware. So that Doing Nothing approach isn't going to work. Certainly what we would suggest, if you are invested in antivirus technologies or legacy technologies, is that you've got to make sure you're adopting hygiene, so keep them updated, and make sure you are keeping up to date on backups. But really those technologies are failing, and I think that's the reason why this market continues to exist and ransomware continues to dominate the headlines. The approach of the technology solutions up to this point really focuses around trying to find a specific tool or piece of ransomware and close it down.

What we would describe as whack-a-mole really is a failing strategy. I think we have to come up with a new strategy that adapts to the innovations that the bad guys are bringing to the ransomware marketplace, because they are constantly changing their tactics and tools. So maybe we've got to look beyond those tactics and tools, and a solution will lie there. And certainly from our point of view I think there are new approaches to be taken to ransomware, and we definitely advise people that there is no silver bullet here. You probably have to have a collection of capabilities that you are deploying out. In summary, I would suggest you want to have capabilities that allow you to identify known malware. You'd also then want a capability to identify unknown malware.

What we are seeing the bad guys doing is that once they create a piece of ransomware they can quickly iterate it, just quickly change the structure of it, so they can bring out new variants literally every minute, every second of the day if you wanted to. So therefore the ability to spot that, those unknown ingredients of malware, you want to have a capability to do that. And the third layer we suggest you would want to have is, coming back to what I was talking about, ransomware attacks where, in effect, they don't actually have to drop a piece of ransomware malware onto your device; you need to have the capability to spot and prevent and detect against that. So really what you have to have is a kind of combination of these techniques if you want to basically keep yourself out of harm's way with regard to ransomware.

FIELD: Well that's good. We talked both about what doesn't work and what does work. While we are talking about what does work in defense, what can you tell me about the value of using behavioral analytics to look at attacks?

MALLON: We see great value in it, and actually we're very excited about the capabilities of the behavioral approaches in this sector. Because, as I said, coming back to the analogy of whack-a-mole, if you just constantly end up having to look over your shoulder at what you have learned from the past, you're not really going to progress. We really believe the behavioral approach is definitely a significant step forward with regard to ransomware, and maybe I can give you an example of that.

We talk about indicators of attack, and this is really just looking at patterns of behavior happening on that system, with the intent of leading us to understand that an attack is happening, that a ransomware attempt is being executed. Simplistically, you know, what that could mean is a program starts to operate on your laptop, that process executes, it goes off and starts to look at your file system. So it's looking through your files and your folders. Then it kicks off another process that starts to delete your backups. And then that process furthermore steps on and starts to call in an encryption routine. Now each of those individual steps I've outlined there, there could be ... they may not necessarily be malicious. People go and scan through their files and folders. That's ordinary, everyday activity. People do back up their data; we've asked them to do that. So that is not necessarily suspicious.

And certainly, yes, we also encrypt data to send files between ourselves for extra security. But if you can see those milestones in combination, then you're getting a bigger context: actually, when I put all that together, that looks like ransomware to me. And then you can step in and detect it and block it. In that approach I'm not actually looking at any specific tool that is being used or any specific exploit that's being leveraged. I'm simply looking at the steps in the behavior, and I can spot that when I see these sequences coming together, or that pattern, that that is ransomware.

FIELD: Con, if you would boil it down, how would you say organizations can improve their ransomware detection and prevention?

MALLON: I think it comes down to starting to look for those better solutions, those I talked about a bit earlier on, starting to look at it from the point of view that there is no single silver bullet that necessarily can be fired. Really what you want is capabilities that are layered, as I said: the ability to spot known ransomware, spot unknown ransomware, spot these new fileless ransomware capabilities, and have something that can basically address all of those. And then overlay on top of that the ability to have those behavioral approaches and capabilities in the solution that you are looking at. That I think is really going to be the future of how to defeat ransomware and keep the user safe.

FIELD: Con, talk to me a little bit about CrowdStrike. What are you offering that will help organizations to improve their defenses?

MALLON: Well, for sure ransomware is a problem for our customers, and we at CrowdStrike have capabilities built into our Falcon platform to help protect organizations against ransomware. And coming back to what I was talking about, having that layered approach, that's very much how we are approaching the problem here. We have the ability to spot those known ransomware attacks and pieces of malware that are out there, using our cloud architecture to identify those files that we know about, and step in and block those. In terms of new or unknown pieces of ransomware files that might be out there, this is really where we use the machine learning capabilities that we have to identify those mutations of files and to quickly spot whether we believe them to be ransomware or not, and that kind of takes care of that second piece.

And then in terms of those stealthier, more sophisticated ransomware attacks, that's really where we use our exploit prevention capabilities, and then beyond that, coming back to the behavioral approaches, something we call indicators of attack, we have that capability to step in and identify those kinds of sophisticated and stealthy ransomware attacks. It's really the combination of all of those elements that we bring to bear.

And also we are using the cloud to protect our customers. We really believe the cloud gives us a big advantage against the ransomware guys. As I said, they are not sitting idly by; they are innovating day by day. And from a cloud approach, what we have is all of our first-rate customers, and millions of sensors out there, feeding into our cloud. And we are building a huge data set, and we're seeing how the attack landscape with regard to ransomware is changing and pivoting, second by second, every day.

That allows us then to spot new attacks, to identify anomalies that might be happening, and then to use that learning to immediately protect our customers from the cloud. And again, once we spot something we can deploy out to all our customers in real time and get them real-time prevention and detection against what is a real and present danger today.

FIELD: Very good, Con. I appreciate your time and your insight today. Thank you so much.

MALLON: You are very welcome.

FIELD: We have been talking about the evolution of the ransomware marketplace. I've been speaking with Con Mallon, a senior director of product marketing with CrowdStrike. For Information Security Media Group, I'm Tom Field. Thank you very much.