How Splunk Can Help You Prevent Ransomware From Holding Your Business Hostage

Update 5/13/17: For more details and methods you can use to combat WannaCry and ransomware in general, please read, Steering Clear of the "Wannacry" or "Wanna Decryptor Ransomware Attack.  

A group of hackers recently cost Madison County, Indiana $200,000 and another group demanded $73,000 from the San Francisco Municipal Transport Agency (SFMTA) over the Thanksgiving holiday to decrypt frozen data. What was the common factor connecting the two attacks? A popular form of malware known as ransomware.

Why You Should Care About Ransomware

Ransomware is often used to extort funds directly from victims. Ransomware literally takes systems hostage, requiring a “ransom” to free those systems back to a usable state. This can be a very lucrative business for cyber criminals.

Ransomware, like other malware, gets into your network via bad actors who figure out a way to deliver it into your environment without “sounding an alarm” – for example, as an attachment to an email or by infecting a website (e.g. watering hole attack).

Ransomware Kill Chain

                                                        Ransomware Kill Chain

Ransomware exploits are on the rise, according to the Federal Bureau of Investigation (FBI), who reported $209 million paid to ransomware criminals in Q1 2016. The FBI anticipated ransomware to be a $1 billion source of income for cybercriminals this year. And this number doesn’t even include the damage from revenue loss / opportunity cost resulting from the business disruption caused by an attack.

What Can You Do to Protect Yourself?

The best defense to ransomware is to take a multi-pronged approach to being well-prepared.

How do you prepare? A good starting point is to apply the best practices that the FBI published earlier this year, as a general guideline to help prepare for ransomware attacks. The FBI’s best practices include prevention efforts — awareness, risk analysis, IR plans, and exercising good hygiene in areas such as patch management, vulnerability scans, privileged accounts, access controls, device configuration, and the like – as well as business continuity efforts – regular verified backups that are secured and appropriately isolated from the rest of the environment.

In optimizing your prevention strategy, an effective best practice is to take a proactive stance to detection and to arm yourself with better investigation methods – this will help you get ahead of the ransomware threat, even if your organization is affected by a ransomware exploit, and will also help to better inform your security operations teams on how to improve your existing prevention policies.

Get Proactive: Find and Prevent Ransomware Using Splunk

Splunk can help you investigate better, faster, and more effectively at all stages of the ransomware kill chain so you can make better decisions on what to do next.

Screen Shot 2016-12-15 at 1.42.52 PM
Screen Shot 2016-12-15 at 1.43.05 PM

If you’re interested in learning how to use Splunk to improve your ransomware defense, you can try these techniques online now – you don’t even need to have Splunk installed to try it out!

If you haven’t already seen our how-to webinar from Dec 13 2016 on this topic: Detection of Ransomware and Prevention Strategies, you should definitely check it out for an overview of these techniques.


And if you want the gory details, you should check out the recording and slides from the hands-on “Splunking the Endpoint!” session we ran at .conf2016 in Orlando in September – my fellow Splunk ninja Dimitri McKay and I covered ransomware techniques and much more.

James Brodsky
Splunk Security SME

James Brodsky
Posted by

James Brodsky

Long Island->NOVA->Upstate->Global Crossing->CA->IBM->Resolve->Tripwire->Splunk