A recent report from Unit 42, Palo Alto Networks threat intelligence team, highlights that ransomware is not a single family of malware, but a criminal business model. The threat is growing, and attacks are showing ever greater levels of sophistication.

Ransomware has no bias. It can infect anyone, and it is likely that someone you know has already fallen victim to it, regardless of how IT-savvy they are. A particularly devious form of malware, ransomware infiltrates a computer, encrypts the files it can reach (on local disks and, increasingly, on mapped network shares) and then extorts money from the user in exchange for the key needed to unlock their data.

Australian businesses are increasingly falling prey to ransomware attacks, with 1.1 million ransomware hits reported against Australia in 2016. It is time to look at how companies can better protect themselves from these attacks.


The most common vector for ransomware is a phishing or spear-phishing email, where users are deceived into opening an attachment or clicking a link in what appears to be a legitimate message from a trusted source. The link typically leads to a malicious site that downloads and installs the ransomware package, while attachments carry it directly; recent campaigns by the Locky ransomware are a perfect example of this approach.

Such emails can even be designed to appear as though they come from software vendors whose services your company subscribes to. In such cases, users can be lured into support chat sessions where the payload is delivered in the guise of a link to a product update.


According to security firm Avast, recent code changes to Locky have added the capacity to encrypt over 160 different file types, including virtual disks, databases, and source code. The payload can be delivered via Word documents, Excel files, zip archives, and web-based forms, as well as JavaScript attachments.

Additionally, advanced code obfuscation in Locky means it is getting better at evading detection by anti-virus and anti-malware products. Newer ransomware variants also commonly go after backup drives first, or target network shares, before moving on to lock down local drives, so that the victim has nothing clean to restore from.
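Because signature-based anti-virus can be evaded, a useful complement is a behavioural check on the file server itself: encryption in progress looks like one account renaming or writing an abnormal number of files in a very short window, often with a tell-tale extension and often on the backup share first. The following script is an added example written for this article, not code from Unit 42, Avast, Aruba or Matrix CNI. The audit-log format (`timestamp|user|host|action|path`), the share names, the sample log lines and the thresholds are all constructed for illustration; the extensions `.locky`, `.zepto` and `.odin` are ones Locky variants are known to have used, and `.encrypted` is a generic placeholder.

```python
"""Burst-rename detector for file-server audit logs (added example).

Heuristic: a single account renaming or writing many files on a share
within a short window is a strong encryption-in-progress signal,
especially when the new names carry a known ransomware extension or the
target is a backup share. The log format here is constructed for the
example; map the parser onto your own file server's audit format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions appended by Locky variants (.locky, .zepto, .odin) plus a
# generic placeholder; extend this from your own threat-intel feed.
RANSOM_EXTENSIONS = {".locky", ".zepto", ".odin", ".encrypted"}

# Shares holding backups alert at a lower threshold, because newer ransomware
# goes for backups first. Share names are constructed for the example.
BACKUP_SHARES = ("\\\\FS01\\Backups", "\\\\FS01\\Archive")


def parse_line(line):
    """Parse 'ISO-timestamp|user|host|action|path' into a dict."""
    ts, user, host, action, path = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "path": path}


def extension(path):
    """Return the final extension of a Windows path, lower-cased ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect_ransomware_bursts(lines, window_seconds=60, threshold=20,
                             backup_threshold=5, ransom_ext_threshold=3):
    """Return one alert per (user, host) whose activity trips a rule.

    Rules, checked in order of confidence within a sliding time window:
      1. ransom_ext_threshold files now carrying a known ransomware extension
      2. backup_threshold modifications on a backup share
      3. threshold modifications anywhere
    """
    windows = defaultdict(deque)  # (user, host) -> deque of (ts, on_backup, ransom_ext)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev["action"] not in ("RENAME", "WRITE"):
            continue
        key = (ev["user"], ev["host"])
        q = windows[key]
        q.append((ev["ts"], ev["path"].startswith(BACKUP_SHARES),
                  extension(ev["path"]) in RANSOM_EXTENSIONS))
        # Drop events that have aged out of the window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if key in alerted:
            continue
        backup_hits = sum(1 for _, on_backup, _ in q if on_backup)
        ransom_hits = sum(1 for _, _, ransom in q if ransom)
        reason = None
        if ransom_hits >= ransom_ext_threshold:
            reason = "known ransomware extension"
        elif backup_hits >= backup_threshold:
            reason = "burst on backup share"
        elif len(q) >= threshold:
            reason = "mass modification burst"
        if reason:
            alerted.add(key)
            alerts.append({"user": ev["user"], "host": ev["host"], "reason": reason,
                           "at": ev["ts"].isoformat(), "events_in_window": len(q)})
    return alerts


def sample_log():
    """Constructed audit lines for the example: one benign job, two attacks."""
    lines = []
    # Scheduled backup job: 40 writes, one every two minutes, a benign pace.
    base = datetime(2017, 3, 1, 1, 0, 0)
    for i in range(40):
        ts = base + timedelta(seconds=120 * i)
        lines.append(f"{ts.isoformat()}|backupsvc|BK01|WRITE|\\\\FS01\\Backups\\nightly\\vol{i}.vhd")
    # Workstation encrypting a finance share: 25 renames in under a minute.
    base = datetime(2017, 3, 1, 9, 0, 0)
    for i in range(25):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()}|jsmith|WS-042|RENAME|\\\\FS01\\Finance\\report{i}.xlsx.locky")
    # Compromised account hitting the backup share directly, no tell-tale extension.
    base = datetime(2017, 3, 1, 9, 5, 0)
    for i in range(6):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()}|mallory|WS-007|WRITE|\\\\FS01\\Backups\\db\\dump{i}.bak")
    return lines


if __name__ == "__main__":
    for alert in detect_ransomware_bursts(sample_log()):
        print(alert)
```

The slow, steady backup service account never accumulates more than one event per window and stays silent, while the fast `.locky` renames trip the extension rule on the third file and the six rapid writes to the backup share trip the backup rule without any extension match. In production you would feed this from SMB audit events or your SIEM and act on an alert by disabling the account and its share access, which matters far more than the choice of thresholds.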

What makes Locky a particularly dangerous instance of ransomware, however, is that its operators appear to use scraping tools to harvest online profiles, so that lures can address recipients by full name, location, and even workplace and job title. With employees now using their own devices across both work and personal contexts, there is increasing evidence that mobile devices are being targeted: a major concern for companies with BYOD policies. That said, even company-issued devices are at risk if not properly managed and secured.

“Ransomware has transitioned from a niche attack into one of the largest threats to organisations large and small today.” (Unit 42, Ransomware: Unlocking the Lucrative Criminal Business Model)


It is not just the low-hanging fruit of small businesses that is at risk. According to security firm Kaspersky, during 2015 the focus of attacks shifted unmistakably towards the corporate sector. Given the widespread acceptance of BYOD and remote working, as documented by Aruba Networks, the threat to enterprise security from within the network perimeter is growing.

The role of IT in defending your network becomes considerably harder when employees do not take responsibility for keeping their personal devices, operating systems and applications up to date. It is harder still if they do not install all recommended security patches, or rely on insufficiently secured public Wi-Fi networks and unapproved cloud services in the course of remote work.

With ransomware frequently able to circumvent, or even disable, anti-virus products, companies need to look beyond AAA (authentication, authorisation and accounting) systems and consider a holistic approach to system-wide security. While MDM/EMM and SIEM tools can mitigate the risk of ransomware to a degree, an end-to-end solution that co-ordinates these distinct measures into a cohesive, dynamic defence is increasingly required.

Organisations therefore need to adopt solutions that can leverage contextual data to provide role-based, device-aware access control and real-time threat protection across their network. In response to the dynamic threat landscape facing enterprises today, Aruba Networks has developed its Adaptive Trust Defense framework: a vendor-agnostic platform that acts as a central policy manager, integrating with AAA solutions and enabling them to work as one platform to close potential security gaps in your network. As malware adapts, so too should your security posture.


Common sense will go a long way towards preventing ransomware from impacting your organisation. Nonetheless, here are some key actions you can take to prepare for the threat it poses.

  • Develop a sound backup strategy, using either offline storage that is not permanently connected to your network or a cloud-based backup service that keeps prior versions, and test your restores regularly: a backup you cannot restore from, or one the ransomware could reach and encrypt, is no backup at all.
  • Run a regular patching and maintenance schedule to keep your software and user devices up to date.
  • Train, and keep training, your users on the social engineering tactics most commonly used to deliver ransomware.
  • Implement an integrated security solution that co-ordinates your existing security tools for real-time, contextual protection according to user roles and device types.
  • If compromised, do not pay the ransom: it only encourages further attacks, and there is no guarantee your data will be released to you.

Finally, it pays to keep informed. Whatever you do, do not ignore the threat. If you would like further information about how you can better protect your business, get in touch with us here at Matrix CNI for advice tailored to your needs.