Many business organizations have faced ransomware attacks lately, and some of them have turned to the incident response teams from Stroz Friedberg for help. According to an interview with Salted Hash, the company experts were dealing with three to four ransomware cases weekly in the first quarter of this year.
The Executive Managing Director at Stroz Friedberg, Erin Nealy Cox said that the company has been seeing more economic espionage cases lately, but not necessarily state-sponsored cases. What they’re seeing can be classified as pure economic espionage, in industries that one wouldn’t normally think of.
The main question here is how to react to these threats.
“It’s not going to be defense, it’s not going to be energy. It’s going to be distribution, or any kind of manufacturing company,” she said. “We’re seeing an uptick in sophisticated economic espionage cases, [and] we’re also seeing companies plagued by ransomware.”
Most often, the ransomware cases the incident response teams register are Locky and TeslaCrypt. Some of these cases have already been reported in the media, but when it comes to volume, how many cases did Stroz Friedberg see in the first quarter of 2016?
“Three to four a week, at a minimum,” said Morgan Bjerke, VP of the firm’s global Incident Response practice.
The ransomware attacks are being reported by organizations both large and small, operating in markets that span several verticals. Usually, the root cause of infection is phishing, though there have been several cases involving drive-by downloads and other vectors. While Locky and TeslaCrypt are the ransomware families that make up the majority of their work, the company also registers cases involving CryptoWall and some older ransomware families.
The most recent variants of TeslaCrypt have made it more difficult to determine how widespread the infection is when that family hits a customer’s network, because the victim doesn’t know anything is wrong until they’ve opened a targeted file. In general, the latest infections involve more extensive infiltration than Stroz Friedberg has seen before.
In cases when the victim is a larger organization, a majority of them can recover from an attack by recovering files and leveraging backups. However, the smaller organizations are often faced with little choice but to pay the ransom because they lack proper backup solutions or policies. In some cases, the organization prefers to pay the ransom because it’s more affordable than the total cost of recovery.
Ransom demands have also gone up considerably. Sometimes the cost of recovery is extreme, and that alone leads victims to at least consider payment as a valid option.
“A couple weeks ago, there was only one encrypted laptop that we knew of, and they [the criminals] were asking for a $10,000 ransom – and the company wanted to pay,” said Bjerke.
Over the last quarter, the firm has seen ransom demands of $5,000, $10,000, or if it’s a server – $50,000.
Not long ago, Salted Hash wrote a Blue Team reference manual for dealing with and preventing ransomware, and many of the points there are the same basic bits of advice Bjerke would give to clients. However, she had some additional thoughts on prevention that are worth noting.
“We’ve been trying to help them identify the initial infection vector. There’s a lot of intelligence coming around on what the Phishing emails are labeled and what they look like,” said Bjerke.
“Secondarily, if [the Ransomware] does get into the environment, looking at tuning their anti-virus or endpoint detection tools. So if they have a HIDS or HIPS solution, putting in place some of the blocking controls on a HIPS especially or anti-virus, including additional signatures; so that for some of the known processes they can at least block them so that it may execute, but it may not fully function in the way that it’s supposed to.”
According to Trend Micro’s research, there were more ransomware infections in February 2016 than in the first six months of 2015. However, only a fraction of ransomware attacks are ever reported.