When asked why he robbed the bank, the old saying goes, the thief replied: because that’s where the money was. But in fact, there was no need to rob; applying the modus operandi of recent ransomware attacks, all the thief had to do is disrupt the entrance to the bank, and collect the money without any extra effort.

Ransomware recently made the headlines when several organizations, including hospitals, were infected and forced to pay tens of thousands of dollars in ransom to restore precious files and applications. According to some estimates, ransomware has quickly become a multi-million dollar industry, and, driven by its own success, is likely to continue to grow.

Ransomware is similar to other types of malware, with a major distinction that makes it very powerful: simplicity. Whereas attacks such as credit card or PII theft have been highly lucrative, they are complex and require in depth knowledge of systems and networks. Gaining initial access to a network, creating a persistent presence, scanning for and identifying the desired assets, and ensuring safe and undetected exfiltration can be difficult, time consuming, and relatively easily to disrupt by intentional or unintentional network changes.

Compared to the simplicity of ransomware, the difference is staggering. All that the ransomware operator has to do is convince the victim to open a malicious file or click on a malicious link. So far, phishing campaigns have been the preferred vehicle for this, but other techniques such as malvertising will work just as well. Once the file has been opened, or the link clicked, everything happens extremely quickly. The malware encrypts all the files it can on local and network shares, deletes backups, and displays the ransom message and payment instructions.

This process takes seconds, rather than days or weeks to execute, requires much less specialized knowledge, and incorporates a much-reduced risk of detection or interruption. In addition, it makes such programs very attractive for reselling. The customer would only need to customize the payment instructions or perhaps rebrand the ransom message and they are good to go. Unfortunately, this means we will be seeing more of such evil going forward.

Using UEBA to detect ransomware

Because of its simplicity, defending against ransomware can be difficult. Organizations would have to ensure that users are well-educated and trained about the risks of phishing, and adequate email and network scanners are in place. Backups have to be done regularly and rigorously, stored at a safe location and frequently tested to ensure recovery. Networks have to be segregated, operating systems regularly updated and patched, and capable endpoint protection systems deployed.

Unfortunately, this is no minor task for any organization and a single flaw can compromise the entire effort.

Knowledge of what is happening on the network is another important aspect of defending against ransomware, as well as any other kind of malware. Simply being aware of what may be going on will bring you most of the way to the solution. Fortunately, in this aspect, the defenders have the upper hand as far as ransomware is concerned.

In this aspect, the same things that make ransomware so efficient and successful – simplicity and speed — are also its weaknesses. With user and entity behavior analytics (UEBA), multi-dimensional digital profiles of users and entities are built and make any uncharacteristic activity immediately stand out. Encryption of hundreds of files in a short period of time is certainly such an uncharacteristic behavior for most users, as is access of numerous files and folders that are first or unusual for the user or their peers. All this makes ransomware susceptible for detection by UEBA.

Another advantage of addressing this problem with UEBA is that you don’t have to be concerned with how the specific ransomware operates: some will change the names of encrypted files while others will just add an extension. Regardless of the specific method, all will generate an unusual amount of file activity for most users — making it a clear target for early UEBA-based detection. Another advantage is that high-granularity logs which give in depth view of file activity are readily available on all Windows systems, as well as on most cloud services, such as Box or Office 365. So, if the next strand of ransomware will target files on the cloud, you will be aware of this activity and be able to take necessary actions. Finally, if for some reason a user has a legitimate reason to encrypt or handle hundreds of files, this activity will not create an alert, as would be the case with traditional rule based SIEMs. The result of this UEBA approach is fewer false positives .

Exabeam not only supports monitoring all types of file activity — be it on premises or in the cloud — we also tie it together with other expected and unexpected activity, giving the analyst a complete picture of the attack and where it may be going. Such knowledge will be critical in case of an attack, and may make the difference between averting it with minimal damage or paying up.

Schedule a demo today!

For more information, visit: https://www.exabeam.com/product/