When it comes to ransomware detection, targeted ransomware attacks are very difficult to identify through classic anti-virus technology. Although such attacks are less frequent than their random, mass counterparts, they are far more devastating and expensive, mainly because they have a higher chance of succeeding in encrypting the files. Let’s look at some important differences between targeted and random attacks.
1. The scope
Targeted attacks are carried out against a single, particular company or institution. Usually, the victim is a corporation relying heavily on IT and using files as part of its internal processes. Such companies are more likely to need access to files as soon as possible and thus more likely to pay a ransom.
Random attacks are fired across the internet without specific targets, in an attempt to infect as many machines as possible.
2. The technology
Perhaps the most significant difference between regular, mass ransomware attacks and the targeted ones lies in the technology being used. While both have the technology to elude standard antivirus engines, targeted attacks also use customized ransomware variants never used before, for which there are no signatures recorded and which are impossible to detect via traditional security solutions. The rule of thumb that guarantees a high rate of success is one variant per valuable target.
On the other hand, mass ransomware attacks generally use known ransomware variants or samples that were also used in other attacks. Classic signature-based solutions are more likely to detect such attacks because the payloads are known.
Targeted attacks use advanced social engineering techniques to deliver the malicious payloads into the network of particular victims. Usually, they spread via email, but the campaigns are targeted, more complex and carried out manually.
Mass ransomware attacks use email campaigns, malicious websites or software exploits to proliferate and are usually performed automatically via spam campaigns or via ransomware-as-a-service platforms running in the Tor anonymity network. In general, they are carried out unattended.
Targeted ransomware attacks demand far higher ransoms. Most ask for thousands of dollars for a single computer, and the price goes up to hundreds of thousands or even millions for more machines. Usually, the ransom is hard-coded in the ransomware itself and does not change. The high ransom demand is based on the fact that such companies are in urgent need of their files and can also afford the price.
Mass attacks demand far lower ransoms, a few hundred dollars to begin with, because the victims are mostly small companies and consumers who cannot afford more and who, relying less on IT, may be willing to lose the files rather than pay the ransom.
5. Ransomware detection
Mass ransomware attacks may be detected by classic, signature-based techniques, provided that the anti-virus is up to date and the vendor is aware of the ransomware variant. However, we must not forget that in many cases, mass ransomware attacks may use zero-day ransomware variants which elude detection. Targeted ransomware attacks are very likely to evade detection by most traditional security tools. To accurately detect targeted attacks using custom, never-seen-before variants, companies need specialized anti-ransomware solutions that are able to detect ransomware based on advanced file-access patterns. Such detection technology delivers the best ransomware detection and outperforms signature-based solutions. Find out why specialized anti-ransomware does way better than anti-virus technology here.
Ransomware attacks support an extended and elaborate cybercrime system that generates massive profits at the expense of legitimate companies and institutions. Clearly surpassing traditional malware in the effectiveness of monetization, and far easier to exploit than other cybercriminal activities like data exfiltration, ransomware is likely to remain the number one threat for the coming years. Targeted ransomware attacks finance and support the development of criminal organizations in need of specialized attackers, with their own employment and training system to support more complex, effective and devastating attacks. The Register writes about targeted attacks and how they support cybercriminal organizations here.
How we can help
TEMASOFT Ranstop is an anti-ransomware software that can detect both types of attacks, providing critical assistance especially when dealing with the custom variants in the targeted attacks, and with the zero-day variants in the mass, random attacks. By combining detection features with real-time file protection functionality, Ranstop protects against ransomware incidents and delivers next-to-zero downtime and no important file loss.