Press Release

Ixia on how organizations can block the increasingly complex ransomware threats

Posted 06/27/2017

CALABASAS, CA — June 27, 2017— Ixia, a leading provider of network testing, visibility, and security solutions, offers organizations three core principles to develop an appropriate resistance against increasingly complex ransomware threats.

Ransomware has become the hacker’s favorite tool to make money in the cybercrime economy. The latest Verizon Data Breach Investigations Report (DBIR) states that it is the most common type of crimeware, as holding files for ransom is fast, low risk, and easily monetizable, especially with Bitcoin to collect anonymous payment1. Attacks targeting businesses have grown by 300 percent since January 2016, and an attack happens approximately every 40 seconds2.

The latest global ransomware attack appears to be a complex attack based on several ransomware families as well as multiple vectors. It has affected companies worldwide including utilities and oil companies, shipping companies and airlines, and financial institutions across Europe.

All this points to the clear fact that organizations need to protect themselves from future breaches by implementing preventive measures now. The methods of ransomware delivery have evolved as criminals look to increase infection rates and grow their illegal revenues. The early conventional methods of delivery, such as an infected file attached to an email, could be detected and blocked relatively easily by antivirus products and security sandboxes. Today’s increasingly complex infections are specifically designed to bypass these traditional defenses.

“Cybercriminals can easily mutate and adapt the ransomware code just enough so that it isn’t detected by the signature banks of antivirus software and easily avoids detection,” said Steve McGregory, Senior Director of Application Threat Intelligence at Ixia. “Once identified, ransomware signatures can be updated and rolled out so that antivirus products will block the new variant, although this could take days. During this time, organizations are still vulnerable, and cybercriminals often continue to exploit this to their advantage.”

McGregory also stated, “Cyberattacks are increasingly complex. For example, there's a fair bit of speculation as to the source of today’s attack and how it works. It appears to be a targeted and coordinated attack using multiple ransomware families and multiple vectors. This has enabled the attack to avoid detection and to be difficult to replicate for researchers. We are in that vulnerable time, early in the discovery phase of the attack.”

According to Ixia, there are three core principles that organizations need to be aware of, if they are to develop an appropriate resistance against ransomware:

1. Discover the origin

The ransomware infection chain invariably starts with a targeted phishing email, with an attached document. The document will contain a macro, small enough to appear innocuous even to sandboxing technologies. When the document is opened, the macro activates and connects to the attacker’s remote server on the internet, and starts downloading the ransomware payload onto the machine. The macro also rewrites the payload as it downloads, so the content appears harmless until it actually enters the host machine. 

2. Understanding its behavior

Focusing ransomware protection on the content being sent to the organization is a losing battle. Email-based macros are unlikely to be picked up, even by advanced virtualized sandboxing, because they do not exhibit malicious-looking behavior when examined. The payload will not appear malicious until it is actually on the machine and starts encrypting, so organizations should look at the vital clues of where the infection is coming from, rather than just at what it is.

3. Blocking the infection

Most payloads in the final stage of ransomware infection are delivered from known, malicious IP addresses on the internet. As IP addresses are relatively scarce, the same ‘bad’ ones tend to be continually re-used. Even brand-new malware variants can usually be linked to a small number of compromised IP addresses. 

This means that if a machine in an organization’s network attempts to download content from a known malicious IP address, they are usually in the initial stages of a ransomware attack, and there’s no need to examine the macro that is attempting the download, or the content being downloaded.

The simplest, most cost effective way to avoid attacks is to automatically block all corporate connections to known malicious IP addresses using a continuously-updated threat intelligence feed. This lets it nullify all new attacks, as well as existing, dormant infections.

McGregory concluded, “Today’s attack makes it clear that organizations cannot turn a blind eye to ransomware. If the organization has not backed up critical data, which exclusively resides on the systems affected by an attack, the costs could be considerable, both monetarily and to their reputation. Loss of customer data, financial records, and any other irreplaceable information could render an organization unable to transact business and potentially leave permanent gaps in records.”

About Ixia

Ixia, recently acquired by Keysight Technologies, provides testing, visibility, and security solutions, strengthening applications across networks and cloud environments for enterprises, service providers, and network equipment manufacturers. Ixia offers companies trusted environments in which to develop, deploy, and operate. Customers worldwide rely on Ixia to verify their designs, optimize their performance, and ensure protection of their networks and cloud environments to make their applications stronger. Learn more at

About Keysight Technologies

Keysight Technologies is a leading technology company that helps its engineering, enterprise and service provider customers optimize networks and bring electronic products to market faster and at a lower cost.  Keysight's solutions go where the electronic signal goes, from design simulation, to prototype validation, to manufacturing test, to optimization in networks and cloud environments.  Customers span the worldwide communications ecosystem, aerospace and defense, automotive, energy, semiconductor and general electronics end markets.  Keysight generated revenues of $2.9B in fiscal year 2016. In April 2017, Keysight acquired Ixia, a leader in network test, visibility, and security. More information is available at

Ixia and the Ixia logo are trademarks or registered trademarks of Ixia in the United States and other jurisdictions.  All other trademarks used herein are the property of their respective owners.

Connect with Ixia via:
Ixia Blog

Ixia Media Contact:
Denise Idone, Director of Corporate Communications
Office: (631) 849-3500
Mobile: (516) 659-7049

Press Contact