Author: Christoph Mahrl, Version 1.0
Date: 27 April 2016
SPARC: SBA Preventive and Agile Ransomware Controls
The SBA Research Approach for Effective Defense against
Ransomware-based Attacks
4/27/2016 SPARC: SBA Preventive and Agile Ransomware Controls 2/19
Table of Contents
1 Introduction 3
2 Executive Summary 4
3 Evolution of Ransomware 5
4 Statistics and Predictions 8
5 SBA Preventive and Agile Ransomware Controls 10
SPARC 1: Security Awareness 10
SPARC 2: Breach Detection System 11
SPARC 3: Endpoint Security Solution 12
SPARC 4: Network Segmentation 13
SPARC 5: Access Control and Rights Management 13
SPARC 6: Application and Directory Whitelisting 14
SPARC 7: Data Recovery Strategy 15
SPARC 8: Incident Response and Business Continuity 15
SPARC 9: Contact Security Vendors and Authorities 17
SPARC 10: Cybercrime Insurance 18
6 References 19
1 Introduction
Ransomware is currently hyped all over the media, with one dedicated headline after another. Many sophisticated ransomware variants like TeslaCrypt, KeRanger and Locky are currently in circulation, threatening home users and huge organizations alike.
The intention of this type of malicious software is to render computers and/or data useless in order to blackmail victims into paying ransom money for recovery. The evolution of ransomware shows various techniques, ranging from very simple to more advanced ones, for disabling computers or rendering stored data unusable. Lately it has become common for ransomware to apply cryptographic measures specifically designed to encrypt valuable data. After encryption, a ransom message (see Figure 1) is displayed to the user, leaving him with essentially two choices:
1. Pay the requested ransom money within a period of time to (hopefully) obtain a decryption key.
2. Refuse to pay, taking the risk of a possible permanent loss of the involved data.
Figure 1 - Example of a Ransomware Message 1
    "… to obtain the private key for this computer, which will automatically decrypt files, you need to pay 100 USD … Any attempt to remove or damage this software will lead to the immediate destruction of the private key by the server."
The purpose of this whitepaper is to provide a security guide for organizations to be prepared for incidents concerning ransomware. It discusses proactive and reactive security controls recommended for implementation in order to establish an effective ransomware defense.
1 http://thehackernews.com/search/label/CryptoLocker
2 Executive Summary
Ransomware with cryptographic capabilities (also called crypto lockers), which renders victims' valuable data useless, has become very widespread lately. Without precautionary measures, a ransomware infection can have a devastating and costly impact on a business, ranging from small operational interruptions to a permanent shutdown of the business. Therefore, this whitepaper discusses various security controls (see Figure 2) recommended for implementation in order to cope with the impact of a compromise and thereby preserve daily business.
Building an effective defense against ransomware requires both a proactive and a reactive approach. Proactive security controls (e.g. network segmentation, access control management, etc.) are designed to harden an environment against attacks in order to either reduce the impact of a successful attack or prevent the attack altogether. Reactive security controls (e.g. incident response management, data recovery, insurance, etc.), on the other hand, ensure that attacks can be correctly detected, responded to and recovered from in an effective and efficient way.
Figure 2 - Overview of SBA Security Controls for Defense against Ransomware
In general, information security should be seen as an iterative process that has to be reviewed and refined regularly to keep up with current security standards. This can be a challenging task, as new technologies and attacks emerge and evolve at a very fast pace. The question is not if but when a security incident will happen. So when reading this whitepaper, ask yourself whether your company's security controls currently in place can actually handle ransomware-based attacks and the resulting incidents.
Proactive controls:
• SPARC 1: Security Awareness
• SPARC 2: Breach Detection System
• SPARC 3: Endpoint Security Solution
• SPARC 4: Network Segmentation
• SPARC 5: Access Control and Rights Management
• SPARC 6: Application and Directory Whitelisting
Reactive controls:
• SPARC 7: Data Recovery Strategy
• SPARC 8: Incident Response and Business Continuity
• SPARC 9: Contact Security Vendors and Authorities
• SPARC 10: Cybercrime Insurance
3 Evolution of Ransomware
The basic idea of ransomware is nothing new. The first incidents of malicious software that demanded a ransom to remove previously applied restrictions date back to 1989.
At that time, the so-called AIDS Trojan counted the number of system boots of a DOS (Disk Operating System) machine. Once a pre-defined boot count was exceeded, the malware triggered its malicious payload: it hid directories, encrypted the names of all files on drive C: and eventually claimed that the "user's license" had expired. To "renew" the license and thereby recover the system, the affected user had to make a payment of $189.
Figure 3 - The History of Ransomware (ESET): AIDS Trojan (1989), Gpcode (2005), Winlock (2010), Reveton (2012), CryptoLocker (2013), CryptoWall (2014), TeslaCrypt (2015), Locky (2016)
Although the AIDS Trojan laid the foundation of a new malware category, ransomware disappeared for many years. Only in 2005 did a new family of ransomware, named Gpcode, emerge. Gpcode was one of the first ransomware families to use cryptographic techniques to encrypt the actual files on the hard disk. Since then the popularity of ransomware has increased steadily and different types have emerged. In recent years, criminal organizations have regularly released new major ransomware variants, several in almost every year (see Figure 3).
Besides crypto ransomware, other types of ransomware have evolved over time. In general, these include:
• Masqueraded Applications
Early ransomware was disguised as legitimate applications such as performance enhancement tools or endpoint security solutions. These fake tools led users to believe that their computer suffered from several issues that would affect its performance or security. Users were then informed that the corresponding tool could fix these "issues", but in order to resolve them the user had to pay a small fee for a license in advance. Obviously, the tools did not fix anything and the victim was cheated.
• Computer Locker
Ransomware of this type is designed to deny access to a computer by locking or restricting the capabilities of available interfaces. Interfaces include:
o Graphical User Interfaces (Operating System, Applications, etc.)
o Human Interface Devices (Mouse, Keyboard, etc.)
This means that if a system is compromised by computer locker ransomware, access to the underlying system is denied. The user is then asked to pay a ransom to regain access. The remaining limited interface capabilities typically only allow the victim to enter, for example, the numbers of a payment code.
• Data Locker
As mentioned previously, ransomware with cryptographic capabilities is very common lately. In contrast to a computer locker, this type of ransomware "locks" data stored on the computer or even on the network by encrypting it. Without the corresponding decryption key, the data cannot be unlocked anymore. After the system is compromised, its functionality is still fully retained, as only user data (e.g. photos, movies, data files, etc.) on the computer or network is encrypted. If no backup of the data exists, the data is most probably lost. Data locker ransomware is especially dangerous for businesses, as a single compromise could lead to the loss of very valuable data. Without a reasonable data recovery strategy, affected businesses will probably go bankrupt.
For data lockers there is not, and will not be, any way to reverse the cryptographic operations without the corresponding decryption key, because data locker ransomware follows a simple cryptographic pattern, as depicted in Figure 4:
1. First, a random symmetric key is generated (e.g. a 256-bit AES key).
2. The data locker builds a list of files to be encrypted. Each file in this list is then encrypted using the previously generated key.
3. The symmetric key is then protected by encrypting it with an asymmetric cryptographic algorithm (e.g. RSA). To do so, a public key is downloaded from the C&C server on the Internet.
4. The encrypted symmetric key is then embedded (together with the public key) into the encrypted file.
Figure 4 - General Technique of Crypto Ransomware (Fischer, 2014)
As long as the private key is protected and kept secret by the C&C server, there is little chance of decrypting the files again. Early crypto ransomware often lacked proper key management or used inadequate key sizes, leaving a window for recovery measures. However, ransomware authors continuously improve their malicious software, so that nowadays recovery can only be achieved with the corresponding decryption key. Nevertheless, there are still ways to protect against ransomware. These proactive and reactive security controls are explained in detail in section 5.
There are many attack vectors (see Figure 5) by which a system can be compromised by ransomware, provided that no or only a few security controls are implemented. Once a system is compromised through any of these attack vectors, the ransomware may propagate within the respective network.
Crypto ransomware attacks are dangerous not only because of their data locking techniques, but also because of their propagation capabilities. Hence, minimize attack vectors and adhere to the ransomware security controls discussed later on.
Figure 5 - Attack Vectors of Ransomware (Symantec Corporation, 2015): traffic distribution systems, malvertisement, spam, downloaders, social engineering
4 Statistics and Predictions
The ransomware business is growing rapidly and, with upcoming variants, it will remain a major threat in the coming years. One principal reason for the popularity of ransomware is that more and more criminal organizations are seeking easy ways of generating direct income.
The cyber criminals behind ransomware usually do not have specific targets. Their aim is to infect as many systems as possible, regardless of location or owner. This way they can demand a rather small ransom from each victim while collecting a vast amount of ransom money in total.
Figure 6 - Top Countries Affected by Crypto Ransomware (Symantec Corporation, 2015)
Ransomware is very widespread: 11 of the top 12 countries impacted by crypto ransomware are members of the G20. Yet the occurrence of ransomware varies greatly between countries (see Figure 6). With the USA, Japan and the UK ranking at the top, the share drops off sharply, with Germany last in the list.
According to Symantec, file-encrypting ransomware (e.g. TeslaCrypt, CryptoWall, etc.) is predominant. Findings revealed that in 2015 over 64 percent of detected ransomware was crypto ransomware, whereas the other 36 percent was ransomware with computer locking capabilities. It was also revealed that crypto ransomware is gradually gaining popularity amongst cyber criminals, probably because victims are more willing to pay for lost data than for lost computing capabilities.
Figure 6 data (share of crypto ransomware detections per country): USA 38%, Japan 26%, UK 11%, Italy 7%, Australia 4%, Netherlands 3%, Russia 3%, Canada 3%, India 3%, Germany 2%
Another interesting study investigates how much and when victims pay the demanded ransom. Usually the cyber criminals behind ransomware give victims multiple opportunities to pay. When the "payment countdown" runs out, it is often restarted while demanding a higher ransom. With each iteration the ransom amount increases drastically, until a certain point is reached and the decryption key is deleted for good.
A research group at Dell published data about ransom payments by CryptoWall victims (see Table 1). CryptoWall emerged in March 2014 and was at that time one of the leading file-encrypting ransomware families. In Table 1 each row represents an iteration, i.e. a payment countdown that ran out. Most of the victims that paid (about 64.6%) paid the ransom of $500 during the second iteration. One victim even paid an astonishing $10,000 in the 9th iteration in order to recover the encrypted data. Of nearly 625,000 infections only 1,683 (0.27%) victims paid the ransom, yet the cyber criminals collected a total of $1,101,900 over the course of only six months.
Ransom Amount   Number Paid   Percentage
$200            6             0.4%
$500            1,087         64.6%
$600            3             0.2%
$750            122           7.2%
$1,000          399           23.7%
$1,500          27            1.6%
$1,750          1             <0.1%
$2,000          6             0.4%
$10,000         1             <0.1%
Table 1 - Distribution of Ransom Payments Made by CryptoWall Victims (Dell, 2014)
As long as victims imprudently pay ransom money, generating fast and direct cash for cyber criminals, ransomware will not decline. On the contrary, according to a report by Intel Security the peak has not yet been reached and ransomware is expected to keep growing in 2016. However, predicting the evolution of the ransomware landscape over the next couple of years is not easy. Symantec believes that crypto ransomware will probably soon reach its peak and then decline steadily. Yet, with cyber criminals finding other options and alternatives for fast cash, it is also believed that crypto ransomware will relaunch within two years after a rather short stagnation phase.
5 SBA Preventive and Agile Ransomware Controls
Many studies and predictions suggest that ransomware with file-encryption capabilities will continue to grow, as more and more criminal organizations realize the great potential for fast and easy cash by distributing ransomware. Since there is no simple solution for recovering encrypted data, and there never will be, organizations must prepare beforehand in order to cope with the impact of a compromise and thereby preserve daily business.
SBA Research has come up with several proactive and reactive security controls, explained in detail below, to set up an effective defense against ransomware attacks. It is highly recommended to consider these security controls for implementation in order to increase resistance against ransomware.
SPARC 1: Security Awareness
One security control against ransomware that is obvious but hard to master is awareness. Employee awareness is not something that is achieved once, but should be considered an iterative and ongoing process. There are many attack vectors allowing ransomware to compromise whole enterprise networks. Many of those attack vectors (e.g. spam emails, social engineering …) involve employees, who are therefore often considered the weakest link in the security chain.
Therefore, it makes sense to train staff properly in order to prevent an incident beforehand. Even if an employee falls for a spam message that leads to the compromise of his or her system, the damage is limited as long as the employee knows and follows the strict rules of an incident plan and immediately reports the incident to the persons in charge. Such employee behavior allows the incident response team (see SPARC 8: Incident Response and Business Continuity) to take immediate remediating action to stop the propagation of ransomware and clean infected systems.
This means that the key goal of every security awareness program should be that employees are able to recognize malicious content (e.g. e-mails, malicious websites, suspicious binary files …), know what to do in certain situations and know whom to inform in such cases.
With this goal in mind, it is recommended to develop a comprehensive security awareness program. To help communicate core security messages, various types of awareness training exist, e.g.:
• Classroom-type Training
o Lecture-based and interactive learning in classrooms.
• Security Awareness Website
o Website consisting of different sections and areas that should be covered.
Interactive content such as tutorials, videos, online quizzes etc. help users to
understand the content.
• Helpful Hints
o Complementary to other types of awareness training, helpful hints (e.g. tips,
reminders, visual aids, …) of key points emphasized in trainings will help
users to remember and deepen security awareness.
• Promotions
o Promoting security awareness across the entire enterprise is also a good
technique to improve security awareness continually amongst employees.
Possible methods of promotion include flyers, posters, catchy reminders or
phrases and more.
SPARC 2: Breach Detection System
Breach detection systems, also considered the next generation of conventional intrusion detection systems, help secure corporate networks by thoroughly inspecting network traffic to detect malicious behavior and attacks. Inspection includes the extraction of data such as files, mails and drive-by downloads for further analysis using a combination of signature-, heuristics- and sandboxing-based techniques.
Breach detection systems play an integral part in cyber defense, especially when it comes to defense against ransomware, providing both a proactive and a reactive approach to malware identification. In general, a breach detection system covers the following functionalities:
• Signature-based and / or heuristics-based malware identification
• Network traffic analysis
• Sandboxing
• Browser emulation
• Domain reputation identification
• Response mechanism e.g. alerting, session termination etc.
• Reporting on compromised hosts
A breach detection system can be considered the first technical line of defense that identifies and, in the best case, even prevents ransomware from infecting hosts within the corporate network. Lastline is one example of a breach detection platform that is currently deployed in many companies worldwide and provides businesses with automated detection of active data breaches. Good detection rates for malicious files and network traffic rely heavily on the detection engine as well as on threat intelligence data (e.g. file reputation, IP reputation, URL reputation, etc.). To enhance detection rates further, known malicious IP addresses and domains can be integrated manually into the breach detection system (e.g. using third-party threat intelligence data3). In the most recent malware detection test conducted by the independent NSS Labs, Lastline achieved an overall malware detection rate of 98.6%.
Even though Lastline's malware detection rate is relatively high, this also shows that breach detection systems are not a panacea. In order to cope with ransomware attacks and prevent financial damage, additional security controls have to be taken into account.
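The "response mechanism" listed above (alerting, session termination) needs a detection that fires while ransomware is still encrypting. As an added example that is not from the whitepaper or from any product it names, the following Python script applies one simple heuristic to constructed file-server audit records: a host that renames or writes many files to an extension nobody on the share normally uses, within a short window, is reported. The record format, host and user names, the known-extension list and the threshold are all assumptions.

```python
"""Mass file-rename detector over constructed file-server audit records.

Added example, not code from the whitepaper or from any breach detection
product it names. Record format, names, extension list and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical audit record format: "<ISO timestamp> <user>@<host> <ACTION> <path>".
# For RENAME records the path is the file's new name.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>[^@ ]+)@(?P<host>\S+) (?P<action>[A-Z]+) (?P<path>.+)$"
)

# File types the users of this share normally produce; anything else is "unknown".
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg", "png", "csv"}

# Constructed sample log: alice and carol work normally; workstation ws-07
# rewrites several finance files to an extension nobody uses, within seconds.
SAMPLE_LOG = r"""
2016-04-27T09:00:01 alice@ws-12 WRITE \\fs01\share\reports\q1.docx
2016-04-27T09:00:05 alice@ws-12 WRITE \\fs01\share\reports\q1.docx.bak
2016-04-27T09:01:00 bob@ws-07 RENAME \\fs01\share\finance\budget.xlsx.locked
2016-04-27T09:01:02 bob@ws-07 RENAME \\fs01\share\finance\forecast.xlsx.locked
2016-04-27T09:01:03 bob@ws-07 RENAME \\fs01\share\finance\invoices.pdf.locked
2016-04-27T09:01:05 bob@ws-07 RENAME \\fs01\share\finance\contracts.docx.locked
2016-04-27T09:01:06 bob@ws-07 WRITE \\fs01\share\finance\README_DECRYPT.txt
2016-04-27T09:01:08 bob@ws-07 RENAME \\fs01\share\finance\salaries.xlsx.locked
2016-04-27T09:05:00 carol@ws-03 WRITE \\fs01\share\hr\policy.pdf
this line is not an audit record and must be skipped
""".strip().splitlines()


def parse(line):
    """Return the record as a dict with a datetime timestamp, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def extension(path):
    """Lower-case extension of the last path component ("" if there is none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(lines, window=timedelta(seconds=60), threshold=5):
    """Return one (host, user, count, first_ts) alert per host that produced
    at least `threshold` files with unknown extensions inside `window`."""
    recent = defaultdict(deque)   # host -> timestamps of suspicious events
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] not in ("RENAME", "WRITE"):
            continue
        if extension(rec["path"]) in KNOWN_EXTENSIONS:
            continue                      # ordinary work product, not suspicious
        q = recent[rec["host"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()                   # slide the window forward
        if len(q) >= threshold and rec["host"] not in alerted:
            alerted.add(rec["host"])      # one alert per host is enough
            alerts.append((rec["host"], rec["user"], len(q), q[0]))
    return alerts


if __name__ == "__main__":
    for host, user, count, first in detect_mass_rename(SAMPLE_LOG):
        print(f"ALERT host={host} user={user} files={count} since={first:%H:%M:%S}")
```

Only ws-07 crosses the threshold; alice's single `.bak` file and the ransom note written as `.txt` do not, which is the point of counting per host inside a window rather than alerting on any unknown extension. In a real deployment the alert would feed the session-termination or host-isolation step mentioned above.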
SPARC 3: Endpoint Security Solution
Endpoint security solutions provide another layer of security that might prevent ransomware from being executed on a system. They should be considered a complementary security control that plays an important role in cases where breach detection systems fail or simply cannot detect malicious activity (e.g. infection via a portable USB drive, etc.).
A signature-based approach on host systems ensures that many (known) malicious files or websites are blocked in advance, before they can actually be executed on the system. Obviously, detection rates depend heavily on current threat intelligence data obtained from vendor-specific clouds. However, this approach only provides protection against ransomware that has already been examined and whose signatures have been pushed into the threat intelligence cloud.
Therefore, make sure to deploy professional endpoint security solutions (regardless of the host's operating system!) that provide additional security modules such as sandboxing, intrusion prevention, application control, etc. Especially an application control module that allows blacklisting/whitelisting of applications can be (if used correctly) an excellent "quick win" against ransomware. Whitelisting will be discussed in detail in SPARC 6: Application and Directory Whitelisting.
3 https://ransomwaretracker.abuse.ch/
Apart from application control, detection via dynamic techniques (such as sandboxing,
heuristics, etc.) should not be considered optional but necessary in order to have an
effective ransomware defense.
SPARC 4: Network Segmentation
Segmentation of the corporate network in separate zones, each meeting certain security
requirements, is one of the most important aspects when it comes to ransomware defense.
The purpose of segmentation is to keep a possible ransomware infection within a zone
and prevent it from spreading across the whole network.
This approach helps to limit damage and hence to lower the expense of remediating measures, as ransomware can only render data unusable that it has access to. Obviously, this only works if proper rights management and access control mechanisms (see SPARC 5: Access Control and Rights Management for details) are in place. If binaries are executed with privileged access rights, e.g. under an administrator account, network segmentation most probably will not work, since administrators have access to zones that ordinary users usually do not.
In general, when segmenting networks, the following zones are frequently implemented and highly recommended:
• Public domain and guest zone
• External server zone / Demilitarized zone (DMZ)
• Internal server zone
• Internal client zones
• Internal system management zones
SPARC 5: Access Control and Rights Management
The reason why ransomware gains so much attention now is (amongst other things)
because companies often lack proper access control and rights management. This
could be fatal for organizations especially when experiencing a ransomware attack. The
impact of insufficient access control and rights management is almost identical to bad
network segmentation as it results in ransomware having access to resources that it
definitely should not have at all.
It is considered best practice to always adhere to the least-privilege principle, which means that users should only have access to resources they really need. A worst case would be a corporate file share to which every user has unlimited access. Without proper access control settings, ransomware with propagation capabilities could spread with ease across the whole network, making the data of all affected hosts unusable. Incidents like this can easily be prevented, or at least mitigated, if users only have access to the resources they really need.
In general, when it comes to access control and rights management the following
questions should be asked and regularly assessed:
• What resources do users have access to?
• Are the access privileges sufficient (always adhere to least-privilege principle) for
the user’s role in order to cope with his or her daily work?
• Have users taken on new roles in the meantime?
• If so, do these users still have access privileges of their old role?
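The four review questions above can be answered mechanically once role requirements and the configured grants are both available as data. The following Python script is an added example (not from the whitepaper): it reviews constructed file share grants of a hypothetical organisation against what each role needs, flags grants left over from a previous role and grants to accounts without any role, and reports how many shares a ransomware process running under a given account could reach before and after the excess grants are removed. All users, roles, share names and grants are constructed.

```python
"""Least-privilege review of file share grants against role requirements.

Added example, not from the whitepaper. Users, roles, shares and grants are
constructed for a hypothetical organisation.
"""
from collections import defaultdict

# Resources each role legitimately needs (assumed).
ROLE_NEEDS = {
    "finance":  {r"\\fs01\finance", r"\\fs01\public"},
    "sales":    {r"\\fs01\sales", r"\\fs01\public"},
    "it-admin": {r"\\fs01\finance", r"\\fs01\sales", r"\\fs01\public", r"\\fs01\it"},
}

# Each user's current role and the role held before a change (None if unchanged).
USERS = {
    "alice": ("finance", None),
    "bob":   ("finance", "sales"),   # moved from sales to finance
    "carol": ("sales", None),
}

# Write grants as actually configured on the file server: share -> users.
ACL = {
    r"\\fs01\finance": {"alice", "bob"},
    r"\\fs01\sales":   {"carol", "bob"},                   # bob's old-role grant was never removed
    r"\\fs01\public":  {"alice", "bob", "carol", "dave"},  # dave has no role record at all
    r"\\fs01\it":      {"alice"},                          # not needed for finance work
}


def effective_access(acl):
    """Answer 'what resources do users have access to?': user -> set of shares."""
    access = defaultdict(set)
    for share, users in acl.items():
        for user in users:
            access[user].add(share)
    return dict(access)


def excess_grants(users, role_needs, acl):
    """Return sorted (user, share, reason) triples for grants the role does not justify."""
    findings = []
    for user, shares in effective_access(acl).items():
        if user not in users:
            for share in shares:
                findings.append((user, share, "no role assigned"))
            continue
        role, previous = users[user]
        for share in shares - role_needs[role]:
            if previous and share in role_needs.get(previous, set()):
                findings.append((user, share, f"leftover from previous role '{previous}'"))
            else:
                findings.append((user, share, f"not required by role '{role}'"))
    return sorted(findings)


def trim_acl(acl, findings):
    """Return a copy of the ACL with the reported excess grants removed."""
    trimmed = {share: set(members) for share, members in acl.items()}
    for user, share, _reason in findings:
        trimmed[share].discard(user)
    return trimmed


def blast_radius(user, acl):
    """Number of shares ransomware running under this account could encrypt."""
    return len(effective_access(acl).get(user, set()))


if __name__ == "__main__":
    findings = excess_grants(USERS, ROLE_NEEDS, ACL)
    for user, share, reason in findings:
        print(f"{user:6} {share:16} {reason}")
    trimmed = trim_acl(ACL, findings)
    for user in ("alice", "bob", "carol", "dave"):
        print(f"{user:6} reachable shares: {blast_radius(user, ACL)} -> {blast_radius(user, trimmed)}")
```

The review finds three excess grants: alice's access to the IT share, bob's leftover sales access from his previous role, and dave's grant without any role record. Removing them shrinks the number of shares a compromised account could encrypt, which is exactly the "ransomware can only make data unusable it has access to" argument from SPARC 4 expressed in numbers.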
SPARC 6: Application and Directory Whitelisting
Many ransomware infections can be prevented beforehand by simply disallowing the execution of unknown or unwanted binaries. Various solutions exist for application whitelisting, which means that only explicitly defined applications are allowed to execute. The opposite, application blacklisting, is also possible, where explicitly defined applications are not allowed to execute. In general, a whitelisting approach should be preferred over a blacklisting approach, as it restricts users up front to only the required applications and blocks all other applications by default.
Since managing application whitelists can be an extensive task, especially in large environments, directory whitelisting may be preferable. For instance, a malicious drive-by downloader will most probably drop malware into system or configuration directories such as %TMP%, in which only temporary application data is stored and users do not actually need execution privileges. Often it is sufficient to prevent the execution of binaries in exactly these directories (e.g. C:\Windows, %TMP%, etc.) to avoid a ransomware infection. In addition to withdrawing execution privileges from such directories, preventing the execution of scripts altogether (e.g. *.bat, *.cmd, *.cs, *.reg, *.vbs, *.js …) can further reduce the risk of a ransomware compromise.
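To make the difference between the two approaches concrete, here is an added example (not from the whitepaper and not any vendor's application control product): a small Python policy evaluator that models a directory blacklist, a directory whitelist and the script-type block, and decides whether a given path may execute under either mode. The environment variable values, the directory lists and the sample paths are assumptions; the script extension list is the one given above. It also normalizes the path first, so that a `..` segment or mixed case cannot sidestep a directory rule.

```python
"""Execution policy evaluator: directory whitelist vs. blacklist plus script block.

Added example, not from the whitepaper and not any vendor's application control
product. ENV values, the directory lists and the sample paths are assumptions;
the script extension list is the one given in the text above.
"""
import ntpath
import re

# Assumed variable values of a hypothetical Windows client.
ENV = {
    "%TMP%": r"C:\Users\alice\AppData\Local\Temp",
    "%WINDIR%": r"C:\Windows",
    "%PROGRAMFILES%": r"C:\Program Files",
}

# Script types whose execution is disabled outright (list from the whitepaper).
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".cs", ".reg", ".vbs", ".js"}

# Directory blacklist: no binary may run from below these (assumed).
DENY_DIRS = [r"%TMP%", r"%WINDIR%\Temp"]

# Directory whitelist: binaries may run only from below these (assumed).
ALLOW_DIRS = [r"%PROGRAMFILES%", r"%WINDIR%"]


def normalize(path):
    """Expand the assumed variables, collapse '..' segments and lower-case the path."""
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda _m: value, path, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, directory):
    """True if `path` lies below `directory` (both normalized, separator-aware)."""
    root = normalize(directory).rstrip("\\") + "\\"
    return normalize(path).startswith(root)


def decide(path, mode="whitelist"):
    """Return ("allow"|"deny", reason) for executing `path` under the given mode."""
    p = normalize(path)
    if ntpath.splitext(p)[1] in SCRIPT_EXTENSIONS:
        return "deny", "script execution disabled"
    for d in DENY_DIRS:                 # explicit denies apply in both modes
        if is_under(p, d):
            return "deny", f"execution disabled below {d}"
    if mode == "whitelist":             # default deny: only listed roots may run
        for d in ALLOW_DIRS:
            if is_under(p, d):
                return "allow", f"whitelisted directory {d}"
        return "deny", "not in a whitelisted directory"
    return "allow", "not blacklisted"   # blacklist mode: default allow


# Constructed sample paths, including a traversal into the temp directory.
SAMPLE_PATHS = [
    r"C:\Program Files\Office\winword.exe",
    r"%TMP%\update.exe",
    r"C:\Users\alice\Downloads\invoice.js",
    r"C:\Users\alice\AppData\Roaming\dropper.exe",
    r"C:\Program Files\..\Users\alice\AppData\Local\Temp\x.exe",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        for mode in ("whitelist", "blacklist"):
            verdict, reason = decide(path, mode)
            print(f"{mode:9} {verdict:5} {path}  ({reason})")
```

The fourth sample path is the instructive one: a binary dropped into a user-writable profile directory that is on neither list is blocked under whitelisting and runs under blacklisting. The last path shows why normalization must precede the directory check.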
SPARC 7: Data Recovery Strategy
The most obvious but also the most important security control for effective ransomware defense is to have working and current backups that can be restored to systems in order to guarantee availability of data. Meeting this security control requires a data recovery strategy that is planned and tested thoroughly, so that recovery from disasters is possible at any time. In any case, there should be a plan that clarifies at least the following questions:
• Who is responsible for backups?
• What systems or data are critical and therefore qualify for backups?
• When and what kind of backups are carried out?
• At what intervals are backups carried out?
• How long must data be retained?
• Are backup intervals actually sufficient to meet data retention criteria?
• Are backups stored offline (Ransomware could encrypt online “backups” on storage
systems)?
• Are backups valid and actually tested?
• Does a data recovery procedure exist and is responsible staff trained to conduct this
procedure?
There are many more things to be aware of when speaking of data recovery. The main goal
is to have valid and tested offline backups of critical systems or data stored somewhere
securely. These backups should be tested regularly to ensure everything is working as
expected and to train staff so that they are prepared for recovery in case of actual incidents.
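The questions above translate directly into checks over a backup inventory. The following Python script is an added example (not from the whitepaper): it evaluates a constructed inventory of backed-up systems against an assumed recovery policy (maximum backup interval, minimum retention, an offline copy required, maximum age of the last restore test) and lists what each critical system is missing. Field names, thresholds and inventory entries are all assumptions.

```python
"""Checklist evaluation of a backup inventory against a recovery policy.

Added example, not from the whitepaper. Inventory entries, field names and
policy thresholds are constructed assumptions.
"""
from datetime import date

# Assumed policy for critical systems.
MAX_INTERVAL_DAYS = 1        # critical systems are backed up at least daily
MIN_RETENTION_DAYS = 60      # backups are retained at least this long
MAX_RESTORE_TEST_AGE = 90    # a restore test must be no older than this
TODAY = date(2016, 4, 27)    # fixed reference date so results are reproducible

# Constructed inventory, one entry per protected system.
BACKUP_INVENTORY = [
    {"system": "fileserver-01", "owner": "backup-team", "critical": True,
     "interval_days": 1, "retention_days": 90, "offline": True,
     "last_backup": date(2016, 4, 26), "last_restore_test": date(2016, 3, 1)},
    {"system": "erp-db", "owner": None, "critical": True,
     "interval_days": 7, "retention_days": 30, "offline": False,
     "last_backup": date(2016, 4, 10), "last_restore_test": None},
    {"system": "mailserver", "owner": "it", "critical": True,
     "interval_days": 1, "retention_days": 90, "offline": True,
     "last_backup": date(2016, 4, 26), "last_restore_test": date(2015, 12, 1)},
    {"system": "kiosk-pc", "owner": "it", "critical": False,
     "interval_days": 30, "retention_days": 7, "offline": False,
     "last_backup": None, "last_restore_test": None},
]


def assess(entry, today=TODAY):
    """Return the list of policy violations for one critical system."""
    findings = []
    if not entry["owner"]:
        findings.append("no responsible person assigned")
    if entry["interval_days"] > MAX_INTERVAL_DAYS:
        findings.append(f"backup interval of {entry['interval_days']} days exceeds maximum of {MAX_INTERVAL_DAYS}")
    if entry["retention_days"] < MIN_RETENTION_DAYS:
        findings.append(f"retention of {entry['retention_days']} days below required {MIN_RETENTION_DAYS}")
    if not entry["offline"]:
        findings.append("backup copy is online and reachable by ransomware")
    if entry["last_backup"] is None:
        findings.append("no backup has ever been taken")
    else:
        age = (today - entry["last_backup"]).days
        if age > entry["interval_days"]:
            findings.append(f"last backup is {age} days old, older than the {entry['interval_days']} day interval")
    if entry["last_restore_test"] is None:
        findings.append("restore procedure never tested")
    else:
        test_age = (today - entry["last_restore_test"]).days
        if test_age > MAX_RESTORE_TEST_AGE:
            findings.append(f"last restore test is {test_age} days old, older than {MAX_RESTORE_TEST_AGE}")
    return findings


def assess_all(inventory, today=TODAY):
    """Map each critical system to its findings; non-critical systems are out of scope."""
    return {e["system"]: assess(e, today) for e in inventory if e["critical"]}


def systems_needing_attention(inventory, today=TODAY):
    """Critical systems with at least one finding, worst first."""
    report = assess_all(inventory, today)
    return sorted((s for s in report if report[s]), key=lambda s: -len(report[s]))


if __name__ == "__main__":
    for system, findings in assess_all(BACKUP_INVENTORY).items():
        print(f"{system}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

In the constructed inventory the ERP database fails every check, including the one that matters most against ransomware: its only copy is online, so an infection that reaches the storage system would encrypt the "backup" along with the data. The mail server is otherwise fine but its restore procedure has not been exercised within the assumed 90 days.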
SPARC 8: Incident Response and Business Continuity
The purpose of an incident response process is to ensure business continuity in the event of an incident such as a ransomware attack by responding to it quickly and effectively. A poorly conducted or even non-existent process can have serious consequences, leading to business interruptions and possibly even to a permanent shutdown.
An incident response infrastructure is needed to speed up discovery of attacks and to
contain damage. A comprehensive incident response plan needs to be in place, including a
policy statement that defines terms, roles and responsibilities and provides step-by-step
instructions that should be followed in case of incidents.
The main goal of incident response management should be
• to limit the impact,
• to find and resolve the root cause of the incident,
• and to remediate caused damage (e.g. data recovery).
Incident response management is an iterative process consisting of various phases to
handle incidents effectively. Figure 7 depicts the lifecycle of the iterative incident response
process:
Figure 7 - Incident Response Lifecycle
1. Preparation
This step is crucial to ensure response actions are known and coordinated by
developing a formal incident response infrastructure.
2. Identification
In the second step, incidents are identified and escalated to the appropriate individuals. Various security mechanisms (e.g. SIEM …) can support security staff in identifying them.
3. Containment
In phase three, incidents are examined and assessed to determine how far the
problem has spread and to prepare a proper response. Its main goal is to stop the
attacker, contain the damage and gain control of victim machines again.
4. Eradication
The root cause of the incident is investigated to understand the attack vector in
order to subsequently remove it and clean up any signs left over from the attack.
5. Recovery
In the recovery phase machines are remediated (e.g. image restore …) and put back
into production to return to normal operational status. These machines are
periodically monitored to ensure the system has been remediated entirely.
6. Lessons Learned
Finally, the whole incident response process is reviewed using all acquired
information of the specific incident. The goal is to identify what went wrong and
what worked well to continuously improve the process.
SPARC 9: Contact Security Vendors and Authorities
When affected by ransomware, one essential measure is to contact the security vendors of anti-malware solutions, CERTs (Cyber Emergency Response Teams) and local authorities. In case of an incident, vendors and CERTs can provide useful help and support (especially if the IT security expertise of the affected company is low) to cope with ransomware. There is also a chance of obtaining a decryption key without paying the demanded ransom, as security vendors develop decryption tools4 for ransomware families whose decryption keys have been obtained by local authorities.
Ransomware incidents should be reported to the authorities by filing a charge. This allows authorities to conduct investigations in order to
• track down the flow of ransom money,
• observe C&C servers to obtain vital information,
• confiscate participating systems or
• locate and eventually arrest ransomware authors.
In addition, authorities provide dedicated contact points for organizations that fell victim to
ransomware. These contact points provide consultation and guidance to handle incidents.
Furthermore, companies will probably need a quick and uncomplicated way to contact their
respective vendor of endpoint security technologies (e.g. Anti-Virus). If the Anti-Virus
solution in place is not detecting the ransomware, customers will need a signature update
to prevent new infections.
4 https://noransom.kaspersky.com/
SPARC 10: Cybercrime Insurance
As a last resort, organizations can consider buying cybercrime insurance. This allows organizations to pass the risk of an expensive ransomware compromise on to a third party. Depending on the contract, the subject matter of the insurance could include:
• costs of remediating measures (e.g. technicians, third party expertise, failover services, …),
• value of lost data and
• demanded ransom money.
However, insurance should only be seen as a complementary and not as a primary security control. It is not recommended to use insurance merely to avoid implementing the other suggested security controls.
6 References
Bundesamt für Sicherheit in der Informationstechnik. (2016). Ransomware:
Bedrohungslage, Prävention & Reaktion.
Dell. (2014). Threat Analysis CryptoWall Ransomware. Retrieved from SecureWorks:
https://www.secureworks.com/research/cryptowall-ransomware
ESET. (n.d.). The Evolution of Ransomware.
Fischer, T. (2014, December). Private and Public Key Cryptography and Ransomware.
Intel Security. (2016). McAfee Labs 2016 Threat Predictions.
SANS Institute. (2008). The Importance of Security Awareness Training.
SBA Research. (2015). Isolation of Legacy Systems.
Symantec Corporation. (2012). Ransomware: A Growing Menace.
Symantec Corporation. (2015). The evolution of ransomware.
Trend Micro. (n.d.). Ransomware. Retrieved from http://www.trendmicro.com/vinfo/us/security/definition/Ransomware#The_Evolution_to_CryptoLocker