New Research Analyses Ransomware Behaviour and Evolving Enterprise Risk


Research Identifies Common Denominators Across Thousands of the Most Notorious Ransomware Types; Helps Enterprises Reduce Risk and Block Attack Progression

cyberarkimgCyberArk has released new ransomware research from CyberArk Labs. More than 23,000 real-world samples from common ransomware families were tested to gain insight into typical ransomware behavior and identify potential strategies for mitigating the impact of ransomware attacks.

Ransomware poses an increasingly prevalent and critical threat to enterprises. In 2015, there were nearly 407,000 attempted ransomware infections and more than US$325 million extorted from victims (1); these numbers are expected to rise. CyberArk Labs tested ransomware samples from more than 30 prevalent malware families, including Cryptolocker, Petya and Locky, in order to better understand common infection, encryption and removal characteristics.

In the report, “Analyzing Ransomware and Potential Mitigation Strategies” CyberArk Labs outlines:

  • The typical path to encryption, including specific ransomware behavior upon network infection and different “triggers” or actions that prompt the ransomware to execute;
  • Discrepancies and commonalities in ransomware execution, depending on access to local administrator rights, standard user permissions, encryption keys and more;
  • Mitigation and protection strategies – including endpoint security, best practice backup protocols and application controls – that can significantly lower the risk that ransomware poses to organisations.

In one of the key findings, testing done by CyberArk Labs demonstrated that application control, including greylisting, coupled with the removal of local administrator rights was 100 percent effective in preventing ransomware from encrypting files. This approach was compared to the effectiveness of other mitigation strategies, including the use of traditional anti-virus software, which relies on known blacklists.

The research also found that while many strains of modern malware require local administrator rights to properly execute, many strains of ransomware do not require these rights. While 70 percent of ransomware attempted to gain local administrator rights, only 10 percent of ransomware would fail to execute if these rights were not attained. Because ransomware behaves differently, organisations need to combine the removal of local administrator rights with application control to prevent file encryption.

“Ransomware has emerged as a credible and opportunistic tactic for attackers, leaving infected organisations with the difficult choice of abandoning hijacked data or paying cybercriminals for the chance to retrieve their files,” said Chen Bitan, general manager, EMEA & APJ, CyberArk. “By analysing how ransomware typically behaves, we’ve been able to gain critical insight into how to help protect against these attacks. Moving beyond traditional anti-virus solutions, which are not effective in blocking ransomware, and adopting a proactive approach to endpoint and server security is an important step in protecting against this fast-moving and morphing malware.”

To learn more, download the full report, “CyberArk Labs: Analyzing Ransomware and Potential Mitigation Strategies,” here:

Research from CyberArk Labs focuses on targeted attacks against organisational networks – the methods, tools and techniques employed by cyber attackers, as well as methods and techniques to detect and mitigate such attacks.

(1) – Cyber Threat Alliance, “Lucrative Ransomware Attacks: Analysis of the Cryptowall Version 3 Threat,” October 2015

About CyberArk
CyberArk is the only security company focused on eliminating the most advanced cyber threats; those that use insider privileges to attack the heart of the enterprise. Dedicated to stopping attacks before they stop business, CyberArk proactively secures against cyber threats before attacks can escalate and do irreparable damage. The company is trusted by the world’s leading companies – including more than 40 percent of the Fortune 100 – to protect their highest value information assets, infrastructure and applications. A global company, CyberArk is headquartered in Petach Tikvah, Israel, with U.S. headquarters located in Newton, Mass. The company also has offices throughout EMEA and Asia Pacific and Japan. To learn more about CyberArk, visit, read the company blog:, follow on Twitter: @CyberArk or Facebook at: