CyberArk Labs: New Research Analyzes Ransomware Behavior and Evolving Enterprise Risk

LAS VEGAS – Black Hat USA 2016 (booth #432) – August 2, 2016 – CyberArk (NASDAQ: CYBR), the company that protects organizations from cyber attacks that have made their way inside the network perimeter, today released new ransomware research from CyberArk Labs. More than 23,000 real-world samples from common ransomware families were tested to gain insight into typical ransomware behavior and identify potential strategies for mitigating the impact of ransomware attacks.

Ransomware poses an increasingly prevalent and critical threat to enterprises. In 2015, there were nearly 407,000 attempted ransomware infections and more than $325 million extorted from victims1; these numbers are expected to rise. CyberArk Labs tested ransomware samples from more than 30 prevalent malware families, including Cryptolocker, Petya and Locky, in order to better understand common infection, encryption and removal characteristics.

In the report, “Analyzing Ransomware and Potential Mitigation Strategies,” CyberArk Labs outlines:

  • The typical path to encryption, including specific ransomware behavior upon network infection and different “triggers” or actions that prompt the ransomware to execute;
  • Discrepancies and commonalities in ransomware execution, depending on access to local administrator rights, standard user permissions, encryption keys and more;
  • Mitigation and protection strategies – including endpoint security, best practice backup protocols and application controls – that can significantly lower the risk that ransomware poses to organizations.

In one of the key findings, testing done by CyberArk Labs demonstrated that application control, including greylisting, coupled with the removal of local administrator rights was 100 percent effective in preventing ransomware from encrypting files. This approach was compared to the effectiveness of other mitigation strategies, including the use of traditional anti-virus software, which relies on known blacklists.

The research also found that while many strains of modern malware require local administrator rights to properly execute, many strains of ransomware do not require these rights. While 70 percent of ransomware attempted to gain local administrator rights, only 10 percent of ransomware would fail to execute if these rights were not attained. Because ransomware behaves differently, organizations need to combine the removal of local administrator rights with application control to prevent file encryption.

“Ransomware has emerged as a credible and opportunistic tactic for attackers, leaving infected organizations with the difficult choice of abandoning hijacked data or paying cybercriminals for the chance to retrieve their files,” said Chen Bitan, general manager, EMEA & APJ, CyberArk. “By analyzing how ransomware typically behaves, we’ve been able to gain critical insight into how to help protect against these attacks. Moving beyond traditional anti-virus solutions, which are not effective in blocking ransomware, and adopting a proactive approach to endpoint and server security is an important step in protecting against this fast-moving and morphing malware.”

To learn more, download the full report, “CyberArk Labs: Analyzing Ransomware and Potential Mitigation Strategies,” here:

Research from CyberArk Labs focuses on targeted attacks against organizational networks – the methods, tools and techniques employed by cyber attackers, as well as methods and techniques to detect and mitigate such attacks.

1 – Cyber Threat Alliance, “Lucrative Ransomware Attacks: Analysis of the Cryptowall Version 3 Threat,” October 2015