The very definition of ransomware is misleading. Ransomware is not always deployed to extract money from an organization; it is often just one lever in a long game of cat and mouse between attackers and defenders. It has worked its way through government institutions and is back to demanding staggering sums as it cripples private industry. Prevention beats the cure here, and it is routinely overlooked by the short-sightedness of those who control the budgets.
There is very little to be done during a hostage situation when your data is the hostage. People will spend far more than an annual IT budget to recover data they believe is gone. If you are facing an adversary that is already demanding money from you, it is probably already too late. Not all malware even leaves room for a ransom, as the 'Meow' attacks showed: exposed databases were simply wiped, with nothing demanded in return.
Building on Lockheed Martin's Cyber Kill Chain, one research group published a "taxonomy of crypto-ransomware features" that maps the techniques ransomware uses to subvert each stage of the chain. The scholarly article is freely available here. That research focuses on personal computing devices, but the parallels are close enough to start a conversation about future cybersecurity taxonomies for mobile and IoT devices. Interestingly, the group lists timing-based evasion (delaying or scheduling malicious activity so it slips past sandboxes and analysts) as one of the most common techniques. That suggests stricter control policies based on the behavioral characteristics of user logons and computer services may prove effective when paired with detection and automation. Automation still carries a stigma among early adopters, though, because computing environments are dynamic enough that automated responses can misfire.
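To make the behavioral-logon idea above concrete, here is an added example (not code from the taxonomy paper or from any product mentioned on this page) that builds a per-user baseline of logon hours and hosts from past events and then flags new logons that fall outside it. The log format, field names, the one-hour slack window and the sample events are all assumptions constructed for illustration; in practice the events would come from a SIEM or authentication log.

```python
"""Baseline user logon hours and hosts, then flag out-of-pattern logons.

Added example for illustration only. The CSV-style log format, the
+-1 hour slack window and the events below are constructed assumptions.
"""
from datetime import datetime

# Constructed historical logons: "ISO timestamp,user,host" (not real log data).
HISTORY = """\
2023-03-06T08:05:00,alice,ws-alice
2023-03-06T09:10:00,alice,ws-alice
2023-03-07T08:30:00,alice,ws-alice
2023-03-08T17:45:00,alice,ws-alice
2023-03-06T02:00:00,svc_backup,srv-backup01
2023-03-07T02:01:00,svc_backup,srv-backup01
2023-03-08T02:00:00,svc_backup,srv-backup01
"""

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = """\
2023-03-09T08:15:00,alice,ws-alice
2023-03-09T03:12:00,alice,ws-alice
2023-03-09T02:00:00,svc_backup,srv-backup01
2023-03-09T14:30:00,svc_backup,ws-alice
2023-03-09T10:00:00,mallory,ws-alice
"""


def parse_events(text):
    """Parse 'timestamp,user,host' lines into (datetime, user, host) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, host = line.split(",")
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def build_baseline(events, slack=1):
    """Per user: the set of hours seen (widened by +-slack) and the hosts seen.

    The slack tolerates a logon slightly earlier or later than usual so a
    user arriving a few minutes early does not trip the rule.
    """
    baseline = {}
    for ts, user, host in events:
        entry = baseline.setdefault(user, {"hours": set(), "hosts": set()})
        for delta in range(-slack, slack + 1):
            entry["hours"].add((ts.hour + delta) % 24)
        entry["hosts"].add(host)
    return baseline


def flag_anomalies(events, baseline):
    """Return (timestamp, user, host, reason) for events outside the baseline."""
    flagged = []
    for ts, user, host in events:
        entry = baseline.get(user)
        if entry is None:
            flagged.append((ts, user, host, "unknown user"))
            continue
        reasons = []
        if ts.hour not in entry["hours"]:
            reasons.append("off-hours logon")
        if host not in entry["hosts"]:
            reasons.append("new host")
        if reasons:
            flagged.append((ts, user, host, ", ".join(reasons)))
    return flagged


def run():
    """Build the baseline from HISTORY and evaluate NEW_EVENTS against it."""
    baseline = build_baseline(parse_events(HISTORY))
    return flag_anomalies(parse_events(NEW_EVENTS), baseline)


if __name__ == "__main__":
    for ts, user, host, reason in run():
        print(f"{ts.isoformat()} {user}@{host}: {reason}")
```

On the constructed data this flags three of the five new events: alice's 03:12 logon (off-hours), the backup service account logging on at 14:30 from a workstation (off-hours and new host), and an unknown user. The two routine logons pass. A flagged event is the trigger for the automation the paragraph mentions, for example requiring step-up authentication or pausing the session until an analyst looks, which is where the caution about dynamic environments applies: the baseline must be rebuilt as schedules change or the rule will generate noise.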
It is important to understand how this taxonomy applies in the real world and why ransomware is so prevalent. Security controls matter, but social engineering, phishing above all, has proven time and again that humans are the weakest point in the architecture. Susan Bradley covered this in her 2016 SANS paper titled "Ransomware." That paper goes beyond analysis: it lays out remediation and recovery techniques using current methodologies, along with ways to prevent the infection in the first place. With the taxonomy as the framework and the paper as the source of actionable steps, workplaces can begin to approach this topic comfortably instead of avoiding the conversation in the hope that silence will keep them safe.