A look into the Russian speaking ransomware ecosystem

Kaspersky’s recent report gives us a rare insight into the interpersonal and economic dynamics of the criminal community that is generating the current tsunami of ransomware attacks. The conclusions are sobering:

  1. Ransomware attacks increased 11-fold between Q1 and Q2 2016.
  2. Increasingly, criminals use data stolen from one infected victim to attack another.
  3. Ransomware is no longer only a system-generated infection. New attacks involve hacking by professionals who choose the most important files and encrypt them with a custom, as-yet-unseen build of ransomware.
  4. The primary mitigation advice from Kaspersky seems to be:

“First of all, make regular backups and store them on a drive that is air-gapped from your organization’s main network”.

Unfortunately, air-gapped backups aren’t going to help against real-time attacks on operators of critical infrastructure and services, where lives depend on the continuous availability of systems. They are also pretty unsatisfactory to anyone working from a real-time database, since air-gapped archives are inherently out of date.

The drive-by nature of crypto ransomware has made it particularly difficult to block, especially where the environment is not well maintained or secured. However, we’re currently evaluating new proactive approaches to neutralising ransomware that actively frustrate the encryption vector, including one that offers a $1 million USD warranty against ransomware ($1,000 per machine). We’ll be publishing our conclusions once the evaluation is completed, so watch this space.