At the risk of stating the obvious, most organisations are concerned about the possibility of falling victim to a ransomware attack. In fact, a recent study has shown that upwards of 37% of small to medium sized businesses have already suffered a ransomware attack, with the average cost to the business being over $1 million.
Given the prevalence of, and concern over, these attacks, it is not surprising that at Byte25 we are often asked about our ability to identify and alert on potential ransomware attacks.
The basic anatomy of a ransomware attack involves the attacker installing malicious code on the victim's computer. This is usually done by enticing the user to click a malicious link or open an attachment (via social engineering or a phishing email), or by exploiting a vulnerability in software on the victim's system.
Once installed, the malware executes and encrypts the user's files, with the attacker demanding payment in return for the decryption key.
Much of this activity occurs on the victim's machine, with limited activity over the network. As such, device-centric mitigations such as anti-virus or endpoint protection are commonly relied on to identify and prevent such attacks, but attackers are increasingly developing techniques that bypass anti-virus and endpoint protection in order to conceal malicious activity.
Analysing network traffic therefore remains an important strategy for identifying potential ransomware attacks. Network-based threat detection can catch the early stages of an attack by inspecting traffic for the indicators of compromise (IOCs) associated with ransomware activity. These IOCs may include connections to known ransomware command and control (C2) servers, the use of network protocols or ports associated with ransomware activity, or suspicious file transfers and system changes (for example, a single host writing to or renaming an unusually large number of files on a network share in a short period).
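To make the three indicator classes above concrete, here is a small added example of a network-side triage pass written for this article. It is not Byte25's code and does not describe how the Byte25 product works. It reads constructed flow records (a hypothetical tab-separated format: timestamp, source, destination, destination port, protocol, SMB operation, file path), matches destinations against a constructed C2 address list, flags connections to destination ports the hypothetical environment never expects from workstations, and flags a source that performs a burst of SMB write/rename operations against a share. The IP addresses are from the RFC 5737 documentation ranges and are not real indicators; the thresholds, port list and file suffixes are assumptions to be tuned per environment.

```python
"""Added example for this article (not Byte25's code): a minimal
network-side ransomware triage pass over constructed flow records."""
from collections import Counter

# Constructed indicator list. RFC 5737 documentation addresses, NOT real C2 servers.
KNOWN_C2_IPS = {"203.0.113.7", "198.51.100.42"}

# Assumed: destination ports this hypothetical environment never expects
# from user workstations, so any hit is worth an analyst's attention.
UNEXPECTED_DST_PORTS = {4444, 6667}

# Assumed heuristic: this many SMB write/rename operations from one source
# inside the analysed window suggests bulk encryption of a file share.
SMB_BULK_THRESHOLD = 5

# Assumed: suffixes appended by the hypothetical ransomware family.
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted")


def parse_record(line):
    """Parse one constructed record:
    ts<TAB>src<TAB>dst<TAB>dport<TAB>proto<TAB>smb_op<TAB>path
    Returns a dict, or None for a malformed line."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    ts, src, dst, dport, proto, smb_op, path = fields
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "smb_op": smb_op, "path": path}


def detect(lines):
    """Run the three indicator checks over an iterable of record lines.
    Returns a list of (source_ip, alert_name, detail) tuples: per-record
    C2 and port alerts in record order, then per-source bulk-SMB alerts."""
    alerts = []
    smb_ops = Counter()              # write/rename count per source host
    suspicious_renames = Counter()   # of those, how many hit a known suffix
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        # 1. Contact with a known C2 address (subsumes the port check below).
        if rec["dst"] in KNOWN_C2_IPS:
            alerts.append((rec["src"], "known_c2_contact", rec["dst"]))
        # 2. Outbound connection to a port workstations should never use.
        elif rec["dport"] in UNEXPECTED_DST_PORTS:
            alerts.append((rec["src"], "unexpected_port",
                           f'{rec["dst"]}:{rec["dport"]}'))
        # 3. Accumulate SMB file operations for the bulk-encryption heuristic.
        if rec["proto"] == "smb" and rec["smb_op"] in ("write", "rename"):
            smb_ops[rec["src"]] += 1
            if rec["path"].endswith(SUSPICIOUS_SUFFIXES):
                suspicious_renames[rec["src"]] += 1
    for src, n in smb_ops.items():
        if n >= SMB_BULK_THRESHOLD:
            alerts.append((src, "smb_bulk_file_ops",
                           f"{n} ops, {suspicious_renames[src]} with suspicious suffix"))
    return alerts


def _rec(*fields):
    return "\t".join(str(f) for f in fields)


# Constructed sample traffic: one benign HTTPS flow, one workstation renaming
# six files on a share to a ransomware suffix and then calling a listed C2
# address, and another workstation connecting to an unexpected port.
SAMPLE_LOG_LINES = (
    [_rec(1700000000.0, "10.0.0.8", "192.0.2.10", 443, "tcp", "", "")]
    + [_rec(1700000001.0 + i, "10.0.0.5", "10.0.0.20", 445, "smb", "rename",
            f"/shares/finance/doc{i}.xlsx.locked") for i in range(6)]
    + [_rec(1700000010.0, "10.0.0.5", "203.0.113.7", 443, "tcp", "", ""),
       _rec(1700000011.0, "10.0.0.9", "192.0.2.55", 4444, "tcp", "", "")]
)


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(SAMPLE_LOG_LINES)


if __name__ == "__main__":
    for src, name, detail in run_sample():
        print(f"{src}\t{name}\t{detail}")
```

The per-record checks are cheap string and set lookups and can run inline on a flow feed; the bulk-SMB heuristic needs state per source host, which is why it is evaluated after the window has been read. In a real deployment the IOC set would come from a threat-intelligence feed and the window would be time-bounded rather than "everything passed in".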
The following video shows a live demonstration of how Byte25 detects, identifies and analyses ransomware attacks in a network environment.