Tag Archives: Ransomware

RansomwareThe word “ransomware” terrifies individuals and organisations alike. We look at how this threat works - and how to fight it!

The ransomware mood music isn’t good this year. As security publications and commentators tell us, ransomware is expected to dominate the malware arena in 2017.

More than ever, then, security partners need to offer sound, confident advice to end-users on both the nature of ransomware, and how to defend against it.

So look no further!

Ransomware: how it works

Ultimately, the aim of ransomware is to paralyse companies’ operations, usually by encrypting data, then demanding money to decrypt it and render it usable again.

For security partners and their customers, one of the challenges with ransomware is that it can enter the network through many different routes – malicious links or infected file attachments in emails, drive-by attacks triggered by a visit to an infected website or ad, botnets, USB drives, Yahoo Messenger images… the penetration potential is extremely high.

But to rub salt into it, ransomware also dodges many of the traditional anti-virus defences.

It disguises filenames and attributes and hides behind legitimate file extensions. And it often uses secure communications protocols like https and Tor, and encrypts its communications as it goes, obscuring the tell-tale server calls that would ordinarily betray its presence.

What this means is that most anti-virus protection is none the wiser to the threat – and so the latter finds its target, which is usually the most critical data the business holds. (Indeed, the notorious Cryptolocker ransomware, as this blog, from Bitdefender, explains, hunted out 70 different specific file extensions, precisely for this reason).

Ransomware: how to stop it

A threat that can infect via so many different channels, and hide its tracks whilst it’s doing it, clearly can’t be stopped by a single “silver bullet.”

It can only be stopped by layered protection that detects and blocks at all the levels at which ransomware can penetrate and spread.

Research carried out by Trend Micro has found that 99% of over 99 million ransomware attacks were found in malicious email or web links, so robust defence at the email and web gateway level, as well as at the endpoint and network levels, are a must.

Protecting email and web traffic from ransomware

Analysis is the key here; in the absence of the normal malware “cues” that signal a threat, security solutions have to look harder, deeper and wider for signs of the miscreants.

This means not just analysing links in the body of an email, for example, but also the links in the attachments that that email contains – as well as the attachments themselves.

It means scanning for zero-day and browser exploits, and other favoured ransomware entry points that are buried in applications (such as within Office 365 – 2 million threats discovered to date, according to Trend Micro!), rather than just in links or attachments.

And it means both being able to instantly compare links with a global database of known malicious URLs, and automatically rewrite links (as we discussed in this post) to divert them into a sandbox and analysis environment.

There, they can be triggered and inspected at no risk - even if they are not “known suspects.”

Protecting endpoints from ransomware

But what if the threat enters the network from an endpoint, like a PC – triggered, perhaps, by an infected document on a USB stick?

Actually, it’s at this level that some of the most useful indicators of ransomware behaviours – rapid encryption of multiple files, for example, or exploit kits that look for unpatched software vulnerabilities, as a prelude to sending ransomware through them – can be detected.

A security solution that can isolate the endpoint can stop the ransomware from spreading further via the network. And on that point…

Protecting networks from ransomware

The network itself must of course be protected.

But network traffic flows across myriad nodes, ports and protocols, so security must be capable of identifying ransomware and attacker behaviour in and across each of these sub-layers.

Here, too the sandbox analysis that we mentioned above is a powerful resource, mirroring the actual network environment so that the presence of typical ransomware behaviours can be accurately tracked and their effect (and therefore likely objective) revealed.

And blocked!

Ransomware immunisation: using the threat against itself

But one of the slickest anti-ransomware developments we’ve seen recently is a “vaccine”, which literally uses the ransomware’s own programming against it.

Ransomware typically prevents a machine it has already infected from playing host to any other infection that could interfere with the ransomware’s own endgame.

But this same feature, deployed on uninfected machines, effectively blocks the ransomware itself, as we have previously described in this post. So, does this mean ransomware is finally hoist by its own petard?

I wouldn’t bet on it. But by sharing knowledge about how ransomware works, how we can defeat it, and where businesses and security partners can go for more advice, we make every hostage that bit more difficult to take.

And that’s a ransomware result.

Bitdefender have updated their GravityZone cloud console with some new features over the weekend and here at Blue Solutions we are happy to guide you through these changes and how they will affect you and your customers.

Anti-Ransomware

The big news is that Bitdefender has now incorporated Anti Ransomware vaccine to all its cloud customers, and will be rolling this out through the on-premise version on Tuesday 27th Sep 2016.  This module is activated through the policy section  Antimalware --> On Access settings

Gravityzone Ransomware Vaccine Policy Setting
Gravityzone Ransomware Vaccine Policy Setting

By activating this module, machines will be protected from all currently known forms of Ransomware.

Other New Features

Update Rings - this feature allows Administrators of the program to  chose when in the validation cycle an update is received.

Anti-Exploit Techniques - a new set of powerful techniques which further enhances existing technologies to fight targeted attacks.  These are integrated into the existing Advanced Threat Control module.

Web Access Control Rules - The categories list has been updated with multiple new categories added.

Exchange Protection - This can now be enabled/disabled when editing a customer with a monthly license subscription.

 

The above features are now in place for all current users of Bitdefender Gravityzone in the cloud and will be rolled out to Bitdefender Gravityzone on-premise users from the 27th Sep 2016.

For more details on the above features and a look at the other features included please click here

logo     bs-logo

Over the last week we have seen an increase in the amount of companies receiving emails containing Zepto Ransomware, a file encrypting virus based on the infamous Locky cryptoware.
Most of the emails have been carefully crafted to ensnare the victims using social engineering techniques, typically greeting the recipient by first name and asking them to open an attachment which they had requested.
zepto image
The attachment will typically be either a .zip extension or .docm extension and once opened will run a malicious JavaScript which then encrypts all files on the users machine with the .zepto extension

To try and combat the infection, we offer the following advice
1. To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad.
2. To protect against VBA malware, tell Office not to allow macros in documents from the internet.
3. Ensure your AntiMalware program is upto date
4. Ensure your users are careful with email attachments and only open the ones they are sure they have requested
5. If possible set email filtering to quarantine all .zip and .docm files

Keyboard equipped with a red ransomware dollar button.

Ransomware is on the rise, but the authorities struggle to deal with it, so businesses often end up paying the ransom! What are security vendors doing to combat it?

You don’t need to look very far to see the hoo-ha that ransomware has recently caused.

This is not only because the sheer volume of ransomware attacks has swollen as never before (global cases increased by almost 170% in 2015, with the UK “disproportionately hit,” according to this FT.com article), but because the number of cases reported has actually gone down.

This can only lead to one conclusion: businesses are paying the ransom, in an attempt to get their businesses back up and running, because the authorities are failing to help them do so!

It’s one hell of a gamble. Cybercriminals aren’t exactly known for their integrity or willingness to be bound by contract, so where’s the guarantee that they’ll give businesses back the access to their files once they’ve coughed up?

Indeed, as FBI Cyber Division Assistant Director James Trainor has commented,  “Paying a ransom doesn’t guarantee an organisation that it will get its data back—we’ve seen cases where organisations never got a decryption key after having paid the ransom.”

Ransomware: what it is, what it does

Before we go any further, though, let’s clarify terms. All ransomware (CryptoLocker, CryptoWall, and CTBLocker are names that crop up often, but there are many others, some of which are listed here) is about blocking a business’s access to a system and/or its files until a sum of money is paid to the malefactor.

In practice, this happens in many different ways, varying from scareware, to browser or screen-locking software, to encrypting ransomware. (This Malwarebytes infographic, that our partners can now request to co-brand and use for their own marketing campaigns, explains it very neatly).

In a further malevolent twist, cyberattackers may choose to “leak” the files that they have sequestered if the ransom is not paid, exposing a business’s potentially confidential and legally privileged information to public view online.

Reputationally, this can be shattering, but the financial impact of ransomware is breathtaking too. The Verizon Data Breach Investigations report puts the business cost of losing access to just 1000 records at more than £46,000!

In short, businesses are vulnerable, the authorities are swamped, and there’s no honour among cyber thieves. So it’s down to security vendors to step up to the plate and prevent ransom situations from arising in the first place. Here’s a taste of how three of them are turning the tables on the file felons!

Bitdefender: cross-product protection at startup

Bitdefender’s answer to the ransomware challenge has been to develop a Ransomware Protection module that is included in all Bitdefender 2016 products (including business versions sold through the IT channel).

Clearly, this makes ransomware protection accessible to the end-user, regardless of the product they or their organisation have purchased.

But Bitdefender products also activate the Ransomware Protection module at startup, and scan all critical system areas before files are loaded, with zero impact on the system’s performance.

At the same time, protection is provided from certain attacks that rely on malware code execution, code injections, or hooks inside dynamic libraries, so defence against the ransomware is instant, broad, doesn’t slow end-users’ core computing tasks down, and – most importantly of all – doesn’t let the ransomware get a foothold.

Malwarebytes: ransomware protection throughout the infection timeline

Malwarebytes has built a solid reputation on its ability to detect, monitor and block malware of all kinds, right from the earliest attempts by the malware’s author to probe the most effective delivery methods.

This means it can spot indications of threatening behaviours way before the threat actually deploys – and it has applied this philosophy to its Anti-Ransomware product, too.

In the words of their security blog, it “uses advanced proactive technology that monitors what ransomware is doing and stops it cold before it even touches your files.” The ransomware therefore “has no shot at encrypting.”

Although the product is still in beta, it is based on an already successful application  - CryptoMonitor - that Malwarebytes acquired from EasySync Solutions, so its provenance certainly inspires trust.

We don’t yet know how Malwarebytes will market the general release version for business users through the IT channel. Will businesses be able to buy it standalone? Or as part of the existing Malwarebytes Endpoint Security suite?

The latter is already a truly potent bundle. It includes the powerful Anti-Malware solution that (uniquely!) also comes with an inbuilt remediation tool – that is to say, it can clean up already infected systems, making for some very grateful customers!

It also includes the Anti-Exploit solution, that detects the zero-day exploits that other solutions simply miss. Factoring Anti-Ransomware into this already compelling combination would be something of a coup!

Watch this space…

Trend Micro: fight ransomware at every layer

Ever the source of insightful and sobering security stats, Trend Micro has publicly announced that ransomware infections among UK firms in February 2016 alone far exceeded the figures for the first six months of 2015!

Its approach to fighting ransomware is highly layered, with Ransomware Protection features included in its endpoint products (OfficeScan, Worry-Free Business Security), email and gateway products (ScanMail, Cloud App Security, Hosted Email Security, amongst others) and network products (Deep Discovery).

Trend Micro was named a Leader in the 2016 Endpoint Protection Platforms Magic Quadrant, published by industry analyst Gartner. This covers, amongst other technologies, anti-ransomware, so Trend’s solutions are definitely “up there” when it comes to stopping businesses being held at gunpoint!

Anti-ransomware: a pattern emerges

In all the three vendor cases mentioned above, there is a strong underlying truth: everything turns on being able to stop the ransomware infection happening in the first place. Once files are infected, it’s way too late.

This knowledge has certainly been an incentive for security vendors to act. If it’s not an incentive for businesses and the IT channel partners who supply them to act, too, I don’t know what is.