Incident response teams dealing with 3 to 4 Ransomware incidents weekly

Ransomware has gone from a niche attack to a booming criminal market since its introduction in 2013. Dozens of organizations have faced Ransomware attacks this year, and some of them have turned to Stroz Friedberg for help. In an interview with Salted Hash, the company says they were dealing with three to four Ransomware cases per week in the first quarter of 2016.

Incident response is just one of the many areas of focus at Stroz Friedberg; the caseload for the company varies, but Ransomware is certainly one of the more prevalent types of attack seen by its investigators.

Erin Nealy Cox, Executive Managing Director at Stroz Friedberg, said that the company has been seeing more economic espionage cases lately, but not necessarily state-sponsored cases. What they’re seeing can be classified as pure economic espionage, in industries that one wouldn’t normally think of.

“It’s not going to be defense, it’s not going to be energy. It’s going to be distribution, or any kind of manufacturing company,” she said during an interview. “We’re seeing an uptick in sophisticated economic espionage cases, [and] we’re also seeing companies plagued by Ransomware.”

The Ransomware cases they’re seeing are mostly Locky and TeslaCrypt. There have been several reported Ransomware cases in the media, but when it comes to volume – how many cases has Stroz Friedberg seen in the first quarter?

“Three to four a week, at a minimum,” said Morgan Bjerke, VP of the firm’s global Incident Response practice.

The attacks are being reported in a number of organizations both large and small, who exist in a number of markets that span several verticals. Phishing is usually the root cause of infection, but there have been cases dealing with drive-by-downloads and other vectors. While Locky and TeslaCrypt are the Ransomware families that represent a majority of their work, the company also sees cases with CryptoWall and older Ransomware families.

The latest variants of TeslaCrypt have made it difficult to determine how widespread the infection is when that family hits a customer’s network, because the victim doesn’t know anything is wrong until they’ve opened a targeted file.

And while Stroz Friedberg doesn’t always see the full extent of an infection, generally their latest cases involve extensive infiltration, more than they’ve seen previously – particularly in Q1 2016.

When the victim is a larger, more mature organization, a majority of them can recover from an attack by recovering files and leveraging backups. But the smaller organizations are often faced with little choice but to pay the ransom because they lack proper backup solutions or policies. Sometimes, the organization will pay the ransom because it’s more affordable than the total cost of recovery.

When it comes to paying ransoms, the cost has gone up considerably. In some cases, the cost of recovery is extreme, but that doesn’t prevent the victim from at least considering payment as a valid option.

“A couple weeks ago, there was only one encrypted laptop that we knew of, and they [the criminals] were asking for a $10,000 ransom – and the company wanted to pay,” said Bjerke.

Over the last quarter, the firm has seen ransom demands of $5,000, $10,000, or if it’s a server – $50,000.

Recently, Salted Hash published a Blue Team reference manual for dealing with and preventing Ransomware, and many of the points in that story are the same basic bits of advice Bjerke would give to clients.

However, she had some additional thoughts on prevention that are worth noting.

“We’ve been trying to help them identify the initial infection vector. There’s a lot of intelligence coming around on what the Phishing emails are labeled and what they look like,” said Bjerke.

“Secondarily, if [the Ransomware] does get into the environment, looking at tuning their anti-virus or endpoint detection tools. So if they have a HIDS or HIPS solution, putting in-place some the blocking controls on a HIPS especially or anti-virus, including additional signatures; so that for some of the known processes they can at least block them so that it may execute, but it may not fully function in the way that it’s supposed to.”

Research from Trend Micro shows that there were more Ransomware infections in February 2016, than there were in the first six months of 2015. Yet, only a fraction of Ransomware attacks are actually reported.

The business model behind Ransomware operations has enabled a long-lasting, turn-key operation that doesn’t require any real skill in order to ensure success – a fact that will see Ransomware remain as a major concern for businesses of all types in the months to come.