{"id":49203,"date":"2017-11-13T13:00:31","date_gmt":"2017-11-13T21:00:31","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=49203"},"modified":"2026-06-11T15:28:12","modified_gmt":"2026-06-11T22:28:12","slug":"threat-brief-ransomware-hurts-much-hard-stop","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2017\/11\/threat-brief-ransomware-hurts-much-hard-stop\/","title":{"rendered":"Threat Brief: Why Ransomware Hurts So Much and Is So Hard to Stop"},"content":{"rendered":"<p>In our updated report on ransomware from Unit 42, \u201c<a href=\"https:\/\/www.paloaltonetworks.com\/resources\/research\/ransomware-report\">Ransomware: Unlocking the Lucrative Criminal Business Model<\/a>,\u201d Unit 42 researcher Bryan Lee notes: \u201cIn 2016, it was thought that there were less than one hundred active ransomware variants out in the wild. Today, the number of total ransomware variants is at least over 150, if not hundreds more.\u201d<\/p>\n<p>It\u2019s reasonable to ask why ransomware continues not only to exist but to thrive. The first answer to this, as we\u2019ve outlined in our report, is that ransomware is a lucrative cybercriminal business model. However, in addition to the human factor, there are technical reasons. Specifically, three things combine to make ransomware a particularly potent threat on the technical level:<\/p>\n<ol>\n<li>Ransomware very effectively exploits the total trust the Microsoft Windows operating system places in the user.<\/li>\n<li>Ransomware specifically targets file types and locations that are valuable to users.<\/li>\n<li>Ransomware operates quickly, thwarting post-compromise tools for response.<\/li>\n<\/ol>\n<p>In some ways, these three points state the obvious, but their full ramifications, and why they make ransomware hard to stop, aren\u2019t always discussed.<\/p>\n<p>The way ransomware works is well documented, but let\u2019s recap here. 
Ransomware is downloaded to a user\u2019s system and executed on it. The way the attackers get the ransomware onto the system varies: it can be through unpatched vulnerabilities, social engineering or both. The most common ways ransomware operators launch attacks are through email and by web browsing to malicious or compromised sites. The overwhelming majority of ransomware attacks are against Microsoft Windows systems. Once the ransomware is running on the user\u2019s system, it seeks out and encrypts files and folders that hold information critical for the user, such as documents, business application data or even database files. In some cases, the ransomware is sophisticated enough to target specific application files. Most importantly, because the ransomware is executing with the compromised user\u2019s privileges, any file the legitimate, now-compromised user can write to, including files on network shares and backups, is fair game for the ransomware.<\/p>\n<p>It\u2019s this last point that gets to the heart of why ransomware is so potent. From an operating system point of view, the ransomware IS the user. Even though Microsoft Windows today features a robust user access control system, that system has inherent limitations. In the early days of Windows Vista, Microsoft enabled aggressive security checking (User Account Control) to ensure user-initiated actions were legitimate. This was well-intentioned but ultimately backfired: users got fed up clicking \u201cAre you sure?\u201d dialog boxes and quickly disabled the feature, or just mindlessly clicked \u201cOK\u201d every time they saw it. Microsoft made reasonable adjustments so that these alerts are now raised sparingly. 
Although that feature was never intended to protect the user data files that ransomware targets, there is a clear lesson from the experience: too many security checks on user activity fail in the end.<\/p>\n<p>Bringing that lesson to bear here, the only way the operating system, as designed, could protect against ransomware would be to raise \u201cAre you sure?\u201d dialog boxes on everyday operations against the kinds of files that ransomware targets. And this is where the second point comes in.<\/p>\n<p>Unlike other forms of malware, ransomware is very specific in its targeting. It goes after the files users are most likely to care about. These also happen to be the files users are most likely to use on a day-to-day basis or that are critical to an organization\u2019s operations. Extra layers of protection for those files would be incredibly onerous. Imagine having to click through \u201cAre you sure?\u201d dialog boxes for every document or picture you opened in a day.<\/p>\n<p>From an engineering point of view, this narrow targeting of the files that matter significantly increases the chances of ransomware\u2019s success. This brings us to the third point: there is little attack time wasted on files that don\u2019t matter to the victim. Even a ransomware attack that is halted early by security software will already have done some damage, often enough to make the victim consider paying the ransom to get the files back. If user32.dll were encrypted and unusable, it would be a problem. But when your organization\u2019s overall accounting and audit report is inaccessible right before the big deadline, that\u2019s catastrophic.<\/p>\n<p>The net of these three points is that ransomware is a threat where the focus has to be on prevention: as outlined above, there is no effective solution for ransomware at the operating system level. 
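<\/p>\n<p>As an added example that is not part of the original brief, here is the shape of the post-compromise detection the third point argues against: a process that modifies several distinct user-data files within a short window is flagged, and the alert carries the files that process had already hit before it fired. The file-modification events, the process name rogue.exe, the extension list and the thresholds are all constructed assumptions for illustration, not telemetry from any product.<\/p>

```python
import os
from collections import defaultdict, deque

# Extensions ransomware families go after: user data, never OS binaries.
# Assumed list for this example; tune it to the file types your users care about.
TARGETED_EXTENSIONS = {'.docx', '.xlsx', '.pptx', '.pdf', '.jpg', '.mdb', '.bak'}

# Constructed file-modification events, not real telemetry.
# Fields: (timestamp in seconds, process name, path). The process name rogue.exe
# is a hypothetical ransomware sample; WINWORD.EXE and EXCEL.EXE model normal use.
# Paths use forward slashes, which Windows accepts, so no escaping is needed.
EVENTS = [
    (0.0,   'WINWORD.EXE', '//fileserver/finance/q3-report.docx'),
    (95.0,  'WINWORD.EXE', '//fileserver/finance/q3-report.docx'),
    (180.0, 'EXCEL.EXE',   'C:/Users/alice/Documents/budget.xlsx'),
    (300.0, 'rogue.exe',   'C:/Windows/System32/user32.dll'),
    (300.1, 'rogue.exe',   'C:/Users/alice/Documents/budget.xlsx'),
    (300.2, 'rogue.exe',   'C:/Users/alice/Documents/contract.docx'),
    (300.3, 'rogue.exe',   '//fileserver/finance/q3-report.docx'),
    (300.4, 'rogue.exe',   '//fileserver/finance/audit-2017.xlsx'),
    (300.5, 'rogue.exe',   '//backup01/nightly/finance.bak'),
    (300.6, 'rogue.exe',   'C:/Users/alice/Pictures/kids.jpg'),
]


def is_targeted(path):
    # True when the extension is one a ransomware family would bother to encrypt.
    return os.path.splitext(path)[1].lower() in TARGETED_EXTENSIONS


def detect_bursts(events, threshold=5, window_seconds=2.0):
    # Flag a process once it modifies threshold distinct targeted files within
    # window_seconds. Returns one alert per process: when it fired and which
    # files that process had already modified by then, i.e. the damage a
    # post-compromise responder inherits. Events may arrive out of order.
    recent = defaultdict(deque)   # process -> (timestamp, path) pairs inside the window
    touched = defaultdict(dict)   # process -> ordered set of targeted files hit so far
    alerted = set()
    alerts = []
    for ts, proc, path in sorted(events, key=lambda e: e[0]):
        if not is_targeted(path):
            continue              # user32.dll does not count; ransomware skips it too
        touched[proc][path] = True
        window = recent[proc]
        window.append((ts, path))
        while window and ts - window[0][0] > window_seconds:
            window.popleft()      # drop writes older than the window
        distinct = {p for _, p in window}
        if len(distinct) >= threshold and proc not in alerted:
            alerted.add(proc)
            alerts.append({
                'process': proc,
                'time': ts,
                'files_already_hit': list(touched[proc]),
            })
    return alerts


if __name__ == '__main__':
    for alert in detect_bursts(EVENTS):
        print(alert['process'], 'flagged at', alert['time'], 'seconds')
        for path in alert['files_already_hit']:
            print('  already modified:', path)
```

<p>With the thresholds above, rogue.exe is flagged at 300.5 seconds, by which time five files, including the nightly backup on the share the user can write to, are already encrypted; the two slow, repeated saves from WINWORD.EXE never trip it. Raising the threshold so that a legitimate bulk save-as does not fire the alert simply lets more files go before it does, which is the trade-off the three points describe.<\/p>\n<p>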
And unlike other attacks, ransomware attacks can\u2019t succeed \u201cjust a little.\u201d In some cases, a single file lost is more than enough to count as a fully successful attack.<\/p>\n<p>In some ways, ransomware is a threat unlike any other. Its impact and scope are both broad and deep in ways that are unique. Because of that, from a risk assessment point of view, ransomware needs to be put in a class by itself \u2013 a class that acknowledges that the risks from a successful attack of any kind are very high.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Get the Threat Brief on why ransomware hurts so much and is so hard to stop.<\/p>\n","protected":false},"author":287,"featured_media":25785,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[10737],"tags":[221],"coauthors":[3069],"class_list":["post-49203","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threat-intelligence","tag-ransomware"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2017\/03\/Linkedin.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/49203","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/287"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=49203"}],"version-history":[{"count":3,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/49203\/revisions"}],"predecessor-version":[{"id":49215,"href":"https:\/\/www2.paloaltonetworks.com
\/blog\/wp-json\/wp\/v2\/posts\/49203\/revisions\/49215"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/25785"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=49203"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=49203"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=49203"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=49203"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}