From Bible to Bitcoin$ – we all have our own image of Ransom…

The concept of holding something to ransom isn’t new and is illustrated by many such stories and events dating back to biblical times.

But whilst the communication media have changed, never before have so many people been exposed to a real threat of ransom as they are today, in its most recent form: Ransomware.

The Cyber Threat Alliance (CTA), an eight-vendor coalition that includes, among others, Fortinet, Intel Security, Palo Alto Networks and Symantec, said its review of one common strain of Ransomware revealed 406,000 attempted infections worldwide between January and October 2015.

So what is Ransomware?

Ransomware is malicious code, or "malware", that, once on a victim's computer, encrypts data, locking it away and releasing the decryption key only if the victim pays a fee, often in Bitcoin. A common social-engineering twist, used by the so-called "police" strains, is to claim that you have been doing something illegal with your PC and are being fined by a police force or Government agency.

Sometimes only specific file types are encrypted, and sometimes complete file systems, including any network shares the infected machine can write to. The longer you take to pay, the more you pay: many strains raise the ransom once an initial deadline passes.



Because it is so lucrative there are many strains, a few of which are:

CryptoWall family

Designed to infect all versions of Windows, CryptoWall Ransomware uses RSA-2048 encryption to lock the victim's files (in practice the files themselves are encrypted with a fast symmetric cipher and only that key is wrapped with the attacker's RSA-2048 public key, which is why the files cannot be recovered without the attacker's private key) and demands that the Bitcoin ransom be paid via a site reachable only through the Tor browser, to preserve the attacker's anonymity. A new report from the Cyber Threat Alliance (CTA) on the latest version of the CryptoWall malware family shows it emerging as one of the biggest threats to web users in recent times, with US $325 million in damages so far.

Ransom32

Many gangs that write Ransomware keep the code to themselves, but Ransom32 is freely downloadable from one dark web site as Ransomware-as-a-Service. It is JavaScript-powered, shipped with its own bundled runtime, and its developers take a cut of the ransom money.

Power Worm

This PowerShell-based code originally went after Microsoft Word and Excel files, but its latest, poorly written update goes after many more types of data file it finds on a victim's machine. The update is so badly written that it fails to keep the key it encrypts with, so victims cannot get their files back even if they pay.

Why me, you ask?

You are not alone – research suggests Ransomware has emerged as a top concern for Chief Information Security Officers.

According to the CTA, CryptoWall 3 is distributed primarily through phishing emails and exploit kits. In nearly two-thirds of the attempted infections, victims received a phishing email with an attachment named "internal", "fax", "invoice" or something similarly innocuous; the file extension can be virtually anything, and because Windows hides known extensions by default, a name such as "invoice.pdf.exe" is shown to the user as "invoice.pdf". More recently, attackers have begun using well-known exploit kits such as Angler to deliver CryptoWall 3 (CW3) to victim systems, according to the CTA. Angler injects payloads such as CW3 directly into the memory of a running process rather than writing them to disk, to evade anti-malware tools that scan and quarantine files.
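The lure pattern the CTA describes (a routine-sounding name with an extension that can run code) is easy to screen for at the mail gateway. The script below is an added example written for this page, not code from Ixia or from the CTA report; the lure words, extension lists and weights are assumptions chosen for illustration, and the attachment names are constructed, not taken from any real campaign.

```python
"""Triage score for e-mail attachment names: an innocuous name paired
with an executable, macro-capable or double extension scores high.
Added example; word lists, extension lists and weights are assumptions."""
import re
from dataclasses import dataclass

# Names that phishing lures favour because they look routine (assumption).
LURE_WORDS = {"internal", "fax", "invoice", "scan", "statement", "document"}
# Extensions that execute code as soon as a user double-clicks them on Windows.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "jar"}
# Office formats that can carry macros (the legacy formats always can).
MACRO_EXTS = {"doc", "xls", "docm", "xlsm", "pptm"}
# Containers that hide the real payload from a casual glance.
ARCHIVE_EXTS = {"zip", "rar", "7z", "cab"}
# Extensions used as decoys in double-extension names such as invoice.pdf.exe.
DECOY_EXTS = {"pdf", "doc", "docx", "txt", "jpg", "png"}


@dataclass
class Verdict:
    filename: str
    score: int
    reasons: list


def triage_attachment(filename: str) -> Verdict:
    """Score one attachment name; higher means more likely to be a lure."""
    name = filename.strip().lower()
    parts = name.split(".")
    base, exts = parts[0], parts[1:]
    final = exts[-1] if exts else ""
    score, reasons = 0, []

    # Split the base name into words so "Q3_invoice" still matches "invoice".
    words = set(re.split(r"[^a-z]+", base)) - {""}
    if words & LURE_WORDS:
        score += 1
        reasons.append("lure name: " + ", ".join(sorted(words & LURE_WORDS)))

    if final in EXECUTABLE_EXTS:
        score += 3
        reasons.append("executable extension ." + final)
    elif final in MACRO_EXTS:
        score += 2
        reasons.append("macro-capable document ." + final)
    elif final in ARCHIVE_EXTS:
        score += 1
        reasons.append("archive ." + final + " (inspect contents)")

    # Windows hides known extensions by default, so invoice.pdf.exe is shown
    # to the user as invoice.pdf; treat that combination as a strong signal.
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and final in EXECUTABLE_EXTS:
        score += 2
        reasons.append("double extension hides ." + final + " behind ." + exts[-2])

    return Verdict(filename, score, reasons)


def suspicious(filenames, threshold=4):
    """Return the names at or above the threshold, highest score first."""
    verdicts = [triage_attachment(f) for f in filenames]
    flagged = [v for v in verdicts if v.score >= threshold]
    flagged.sort(key=lambda v: v.score, reverse=True)
    return [v.filename for v in flagged]


# Constructed attachment names, not taken from any real campaign.
SAMPLE_ATTACHMENTS = [
    "invoice.pdf.exe",
    "fax.scr",
    "Q3_report.docx",
    "internal.zip",
    "statement.xls",
    "holiday_photo.jpg",
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = triage_attachment(name)
        print(f"{v.score}  {name:20s} {'; '.join(v.reasons)}")
    print("flagged:", suspicious(SAMPLE_ATTACHMENTS))
```

A name-only score is a cheap first pass; a real gateway would go on to open archives and inspect the actual content type of anything that scores above zero, because the name tells you nothing about what an attachment really is.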

A small sample of recent high-profile Ransomware attacks

30 January 2016

In the UK, Lincolnshire County Council's computer systems were down for four days after being hit by malware demanding a reported £1m ransom. The Ransomware infection came from a spear-phishing attack.

Several hundred machines were affected and staff had to revert to paperwork. It transpired that the actual ransom was $500 for the decryption key, but the council said it would not pay. The problem was resolved by restoring from a backup taken before the attack, at the cost of four days of downtime.

15 February 2016

Hollywood Presbyterian Medical Center in Los Angeles was affected by a Ransomware infection.

Again, staff were forced to carry out tasks on paper. The cyber-criminals demanded 40 bitcoins to unlock the files, equivalent to approximately $17,000, which the hospital paid.

28 February 2016

Bringing us right up to date, several German hospitals have been infected with Ransomware.

The hospitals are in the German state of North Rhine-Westphalia; again several hundred servers were affected before the hospitals pulled the plug on them.

Hospital officials say they will not pay, and as a result they expect to be down for several weeks.

How can I avoid Ransomware?

You can avoid Ransomware largely in the same way you avoid other forms of malware, bearing in mind that infections arrive via email attachments, exploit kits that target browser plug-ins such as Java, or existing botnet infections used to drop further payloads; as with most problems, prevention is better than cure. A good backup and network-share strategy is nonetheless essential: Ransomware encrypts everything the infected account can write to, mapped network shares included, so backups must be kept offline or on storage that ordinary user accounts cannot write to, and restores must be tested before you need them.

What else can I do?

In many of the Ransomware cases we have seen so far, the attack has originated from a country with which the attacked organisation has no reason to communicate: no customers, no stakeholders and no strategic direction for growth there.

Blocking all IP addresses known to be malicious from communicating with the network would deny the Ransomware attackers the means to reach the target organisation in the first place.

But surely my firewall can do that…

Yes, most can... But a good firewall can process up to around 10,000 rules, and those rules need to be monitored and updated manually and are resource intensive to evaluate, so managing them to ensure they block new bad IP addresses and regions as and when they emerge is a laborious and costly process.

This is where we can help… with ThreatARMOR

By automatically blocking all known bad IP addresses and regions before they even reach your firewall, ThreatARMOR shrinks your attack surface and in doing so dramatically reduces the amount of malware reaching your organisation, including the opportunity for Ransomware attacks.


ThreatARMOR appliance

Think of it as consolidating the Internet to make it much more relevant to your unique organisation.

Automatically blocking bad IP addresses and regions from your network also allows your firewall, Intrusion Prevention and SIEM solutions to better serve the core functions for which they were intended.

Furthermore, as new bad IP addresses emerge each day, Ixia's Application Threat Intelligence (ATI) engine updates all ThreatARMOR appliances every 5 minutes, making sure organisations are protected against new bad IP addresses and regions as soon as they become known to the ATI engine.

When blocking, one of the ways we express this threat intelligence is through the automatic provision of a "Rap Sheet" for each and every blocked IP address. This documents the malicious activity observed at that address, providing clear evidence of why the site is blocked.

The Rap Sheet will show you:

  • The malicious activity taking place at that site

  • The date it was last validated

  • Screenshots of the malware downloader, the phishing site or other evidence.

Don't worry: you can add your own whitelist to handle any required exceptions.

ThreatARMOR can also block Command & Control, phishing and other malicious traffic from leaving your environment. That matters for Ransomware in particular: some strains, CryptoWall among them, fetch the encryption key from their Command & Control server before they start encrypting, so an infection that cannot call home does no damage.
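To make the mechanics of the last few sections concrete, here is a small IP-reputation filter with the same ingredients: a blocklist of addresses and ranges, a rap sheet recorded for every blocked address (activity, date last validated, evidence), a whitelist that overrides blocks, expiry of stale intelligence, and one lookup that covers both inbound connections from bad addresses and outbound Command & Control traffic to them. It is an added example written for this page, not Ixia's code and not how ThreatARMOR is implemented. All addresses come from the RFC 5737 documentation ranges, the rap sheets and firewall log lines are constructed for the example, and `addresses_covered()` exists only to illustrate the rule-count argument made above (one /24 entry covers 256 addresses that would otherwise need individual rules).

```python
"""IP-reputation filter with rap sheets, whitelist overrides and expiry.
Added example: addresses, rap sheets and log lines are all constructed."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RapSheet:
    activity: str         # what was observed at the address
    last_validated: date  # when the intelligence was last confirmed
    evidence: str         # e.g. a screenshot or capture reference (constructed)


class ReputationFilter:
    def __init__(self, internal_cidr):
        self.internal = ipaddress.ip_network(internal_cidr)
        self._blocked = []   # (network, RapSheet), most specific prefix first
        self._allowed = []   # networks that override any block

    def block(self, cidr, sheet):
        self._blocked.append((ipaddress.ip_network(cidr), sheet))
        # Longest prefix first, so a /32 with its own rap sheet beats the /24 around it.
        self._blocked.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

    def allow(self, cidr):
        self._allowed.append(ipaddress.ip_network(cidr))

    def rap_sheet(self, ip):
        """Return the RapSheet that blocks ip, or None if it is allowed."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self._allowed):
            return None
        for net, sheet in self._blocked:
            if addr in net:
                return sheet
        return None

    def addresses_covered(self):
        return sum(net.num_addresses for net, _ in self._blocked)

    def expire(self, today, max_age_days):
        """Drop entries not re-validated recently; returns how many were dropped."""
        cutoff = today - timedelta(days=max_age_days)
        before = len(self._blocked)
        self._blocked = [(n, s) for n, s in self._blocked if s.last_validated >= cutoff]
        return before - len(self._blocked)

    def evaluate(self, src, dst):
        """Classify one flow as (decision, direction, reason)."""
        src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_a in self.internal and dst_a in self.internal:
            return ("allow", "internal", None)
        if src_a in self.internal:
            direction, peer = "outbound", dst   # a possible C&C beacon
        elif dst_a in self.internal:
            direction, peer = "inbound", src    # a possible attack source
        else:
            return ("allow", "transit", None)
        sheet = self.rap_sheet(peer)
        if sheet is None:
            return ("allow", direction, None)
        return ("block", direction, sheet.activity)


LOG_RE = re.compile(r"src=(\S+) dst=(\S+)")


def filter_log(lines, filt):
    """Run every parseable log line through the filter."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            results.append(filt.evaluate(m.group(1), m.group(2)))
    return results


TODAY = date(2016, 2, 28)


def build_demo_filter():
    f = ReputationFilter("192.0.2.0/24")   # our address space (documentation range)
    f.block("203.0.113.0/24", RapSheet("exploit-kit landing pages", date(2016, 2, 27), "screenshot: landing.png"))
    f.block("198.51.100.0/25", RapSheet("phishing hosting", date(2015, 11, 1), "screenshot: login.png"))
    f.block("198.51.100.77", RapSheet("ransomware command-and-control", date(2016, 2, 28), "capture: beacon.pcap"))
    f.allow("203.0.113.200")   # a partner's mail relay that lives in a bad neighbourhood
    return f


# Constructed firewall log lines, not from a real device.
SAMPLE_LOG = [
    "2016-02-28T09:14:03 proto=tcp src=203.0.113.45 dst=192.0.2.10 dport=443",
    "2016-02-28T09:14:09 proto=tcp src=203.0.113.200 dst=192.0.2.25 dport=25",
    "2016-02-28T09:15:41 proto=tcp src=192.0.2.33 dst=198.51.100.77 dport=443",
    "2016-02-28T09:16:02 proto=tcp src=192.0.2.33 dst=198.51.100.200 dport=80",
    "2016-02-28T09:16:30 proto=tcp src=192.0.2.33 dst=192.0.2.40 dport=445",
]

if __name__ == "__main__":
    f = build_demo_filter()
    for line, (decision, direction, reason) in zip(SAMPLE_LOG, filter_log(SAMPLE_LOG, f)):
        print(f"{decision:5s} {direction:8s} {reason or '-':32s} {line}")
    print("addresses covered by 3 entries:", f.addresses_covered())
    print("stale entries expired:", f.expire(TODAY, 30))
```

Two design points carry over to any real deployment. The whitelist is checked before the blocklist, so every exception you add is an address that will never be examined again; keep that list short and review it. And intelligence ages: an address that was a phishing host last November may be a legitimate site today, which is why each rap sheet carries a last-validated date and why the feed needs frequent refreshes rather than a one-off import.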

Anything else?

Well, yes. Whilst ThreatARMOR will block criminal IP addresses and confirmed threats from communicating with your network and ease the load on your other security measures, you can improve those appliances further by testing them, tuning their configurations and increasing their resilience.

You can perform such tests yourself using the Ixia PerfectStorm ONE solution, or we can carry out the work for you as a professional service as and when required.

The same solutions/professional services can be used when seeking new security solutions, allowing you to perform independent bake-offs between solutions under consideration. This allows you to cut through the claims of each vendor datasheet and learn how each appliance will perform under the real conditions of active use in your own environment.

What now?

More information about Ixia ThreatARMOR can be found here.

You can learn more about PerfectStorm ONE here and our security testing professional services here.