Ransomware poses an increasingly prevalent and critical threat to enterprises. In 2015, there were nearly 407,000 attempted ransomware infections and more than $325 million extorted from victims; these numbers are expected to rise.
In the report, “Analyzing Ransomware and Potential Mitigation Strategies,” CyberArk Labs found that application control, including greylisting, coupled with the removal of local administrator rights was 100 percent effective in preventing ransomware from encrypting files. This approach was compared to the effectiveness of other mitigation strategies, including the use of traditional anti-virus software, which relies on known blacklists.
The research also found that while many strains of modern malware require local administrator rights to execute properly, many strains of ransomware do not. While 70 percent of ransomware attempted to gain local administrator rights, only 10 percent of ransomware would fail to execute if these rights were not attained. Because ransomware behaves differently from other malware in this respect, organizations need to combine the removal of local administrator rights with application control to prevent file encryption.
“Ransomware has emerged as a credible and opportunistic tactic for attackers, leaving infected organizations with the difficult choice of abandoning hijacked data or paying cybercriminals for the chance to retrieve their files,” said Chen Bitan, general manager, EMEA & APJ, CyberArk. “By analyzing how ransomware typically behaves, we’ve been able to gain critical insight into how to help protect against these attacks. Moving beyond traditional anti-virus solutions, which are not effective in blocking ransomware, and adopting a proactive approach to endpoint and server security is an important step in protecting against this fast-moving and morphing malware.”