PatchingPatching is critical in defending your customers against vulnerabilities in everyday applications. It can now be automated from within security software, making it easier than ever to manage.

Think of all those vulnerable third-party applications your customers’ businesses basically run on. Can you rely on your humans to keep their patches up to date?

According to those involved in the recent Equifax debacle, for example, no! Break the human protocol, and the whole patching process falls apart. That’s terrifying when it’s been estimated that, overall, software exploits that target unpatched vulnerabilities account for 85% of all attack angles!

So, automating the patching process seems like a great idea, taking the cost, effort, disjointedness and sheer human fallibility out of keeping users protected against one of the most insidious forms of cyber-attack.

And, indeed, system management software (like the RMM solutions explored in this post) have arguably been doing this for a long time.

But wouldn’t it be neater, easier - and even cheaper – if this automated patching capability were simply built into the security software itself, rather than relying on an extraneous monitoring system? After all, we’re constantly being told patching is security!

Well, two vendors have listened.

Patching done the hard way

But before we look at what Heimdal Security and Bitdefender are offering , (for they are the vendors in question), let’s contemplate just a few of the manual patching challenges faced by end-user businesses and their security partners every day:

  • Slowcoaching – As the Equifax issue shows, being slow off the mark to patch a vulnerability sharply increases the likelihood of falling victim to it, but timeliness is a difficult thing to sustain when workloads are heavy.
  • Proliferation – By definition, the applications requiring patching tend to be big-name office and productivity solutions, so they are not only highly ubiquitous but also available in many different versions (including legacy products). Managing these kind of complex patching scenarios manually can create a massive drain on resources or – worse – a helpdesk meltdown!
  • Patch provenance – Obtaining patches from third-party websites is widespread practice, but does anybody seriously check the hashing of the patch with the hashing on the vendor’s website to make sure they’re downloading exactly what they think they are? Hmmm.
  • System workloads – Downloading and installing patches across large user populations can negatively impact core system workloads, ultimately resulting in disruption and loss of productivity
  • Cost – Every manual process involved in managing or deploying a patch burns through expensive admin and management minutes. Manual patching, though critical, eats readily into margins.

Now let’s consider the alternative.

Automatic patching = business as usual

Between them, what Heimdal and Bitdefender have done is to turn pesky patching (reactive, unpredictable, requiring extraordinary resource) into everyday ‘business as usual’ practice.– simply by automating it.

At a stroke, they have shifted third-party application security into the security layer (where it rightfully belongs), but in a way that it is easy (dare we say profitable?) to manage.

Here’s a snapshot of what this delivers:

  • Automatic patching of apps including Microsoft, Acrobat, Java, Flash and many more, with zero setup - and scheduling also possible.
  • Constant, instant protection – Heimdal checks for patches and updates every two hours and applies them from the moment they’re available
  • Non-disruptive operation – The update process happens ‘silently’ in the background whilst users carry on their work; Bitdefender also makes clever use of cacheing to maximise bandwidth and optimise performance.
  • Trustworthy patches – Updates are guaranteed authentic by automatic checking of the hash patterns against the vendors’ sites
  • Flexible legacy deployments – Updates can be set up to apply to specific software versions, enabling full coverage or legacy-specific deployments

Needless to say, none of this requires the additional cost of an RMM solution, either, but the financial benefits don’t stop there. The Heimdal solution, for example, is available with monthly aggregated billing, so upfront costs are zero and average margin rises with every additional seat.

(Bitdefender are currently pursuing a reseller model with perpetual upfront licensing, but an MSP variant is expected… watch this space!)

Human error: a thing of the patching past?

It’s tempting to see a miracle cure-all in solutions of this kind, but it pays to be appropriately cautious about their market viability.

Security partners can rely on their own product testing, of course – and they certainly should invest time and effort in this.

But the reality is that a security distributor with extensive experience of evaluating hundreds of solutions for sale using their own in-house technical experts is probably a more reliable source for determining the next rising star or the next puff of vapourware.

We like what we see. You should take a look too.


BadRabbit has munched through cyber-defences, sowing ransomware far and wide. So how does it work? And can you protect your customers against it?

“Run rabbit, run”, goes the song – and ransomware attack BadRabbit has certainly done some running over the past few days!

It has got its teeth into Russia, Ukraine and many other Eastern European countries besides, with some sources also reporting cases in Germany, Turkey, and the US. It seems only a matter of time before it spreads further afield.

So what is BadRabbit – and is there any defence that can protect your customers against it?

What’s up, Doc? What BadRabbit does and how

BadRabbit Screenshot
What users see when BadRabbit bounces into view

BadRabbit is cryptolocker ransomware – it encrypts Windows users’ files using a private key that is known only to the hackers’ own servers. The user must pay for access to this key, in order to decrypt and recover their files (a Bitcoin wallet appears on screen to enable this transaction to take place).

Technically, according to this specialist cyber-security website, BadRabbit is closely related to the recent NotPetya attack, using much of the same code.

However, it executes in a different way, using hacked websites to display a fake Adobe Flash update that, if clicked on, triggers the attack (it drives users to these sites using malicious links.)

Additionally, according to this threat alert website, BadRabbit can move laterally across a network and propagate or spread without user interaction!

Can security vendors stop the naughty bunny?

In short, it seems some of them can.

Bitdefender, for example, states on its website that if your customers are “running a Bitdefender antimalware product for either home or business, you don’t need to worry, as our solutions detect this threat…”

Bitdefender’s inbuilt machine-learning recognises the signs of ransomware and stops it before it can execute

Enabling machine-learning in Trend Micro’s solutions also appears to detect BadRabbit, according to the former’s website, whilst Malwarebytes states that “Users of Malwarebytes for Windows, Malwarebytes Endpoint Protection, and Malwarebytes Endpoint Security are protected from BadRabbit.”

An interesting take on keeping the cunning coney at bay, however, comes from Heimdal, who point out in this very comprehensive ransomware resource that some 85% of ransomware attacks target vulnerabilities in existing applications.

By this logic, updates to software (and not just security software) are, in themselves, a key anti-ransomware security layer.

Damage caused by Ransomware graphic
The consequences of ransomware. Source: Heimdal Security

What other steps can you take to protect customers against BadRabbit?

For systems admin and IT people, of course, quick technical fixes in the form of ‘kill switches’ or similar are indispensable, and it turns out that BadRabbit, like NotPetya and Goldeneye before it, can be tamed by changing the properties of certain files (scroll down to the bottom of this article to find them).

But fundamentally, ransomware works by holding your customers’ data hostage. If this data is backed up and easily accessible, as we discussed in this recent post, ransomware, by definition, loses pretty much all of its bite.

It’s important, therefore, that you advise your customers well on how to choose an appropriate data backup and recovery solution.

For a comprehensive list of all the other steps your customers need to take to protect themselves against ransomware, this recent article from the Carnegie-Mellon Software Engineering Institute offers some thorough advice.

BadRabbit is on the loose. So share what we’ve told you above with your customers and they’ll be all ears.

vaccineOrganisations in Europe and the US have been crippled by a ransomware attack known as ‘Petya’. There are claims of a ‘vaccine’ to stop it – but how credible are they?

Hot on the heels of WannaCry comes Petya – a nasty ransomware variant, based on the Goldeneye code.

It has already locked some of the world’s most prominent enterprises out of their data, including construction materials company Saint-Gobain, food giant Mondelez, legal firm DLA Piper, and advertising firm WPP.

But lo! There is a ‘vaccine’ that protects against it, apparently! Simply include the file C:\Windows\perfc.dat on the PC, and the ransomware is stopped in its tracks.

(Well, it’s stopped in its tracks on that machine – though it can still propagate to other machines on the network. So still not ideal.)

We took a look at what some security vendors are saying about Petya / Goldeneye – and whether the idea of a ‘vaccine’ is truly credible.

Bitdefender: ransomware vaccine is old news

The first thing that struck us is that security vendor Bitdefender has had a ransomware vaccine available for some time now, and it’s not just a quick fix using a read-only file.

Instead, it’s rather cleverer than that. It tricks ransomware into believing the machine is already infected, and so the attack goes looking elsewhere. In addition, it can be deployed to every machine on a network simply by ticking a box – meaning that one machine can’t pass the infection to another.

There’s little information at present, admittedly, as to whether this vaccine is effective specifically against the Petya /Goldeneye attack.

However, it has been stated publicly in the Bitdefender Resource Center that “Bitdefender blocks the currently known samples of the new GoldenEye variant. If you are running a Bitdefender security solution for consumer or business, your computers are not in danger.”

That’s pretty unequivocal. And what’s particularly interesting with this vendor is that the ransomware vaccine is standalone – businesses don’t need to have invested in Bitdefender’s suite of other security solutions to use it.

Trend Micro: decrypt it if you can’t stop it

Trend Micro has an established stable of solutions that provide layered protection against a whole range of threats, including ransomware, so they’d surely argue that a ransomware vaccine is unnecessary!

However, what they do also offer is decryptor tools that enable users to recover data even after their files have been encrypted by certain variants of ransomware.

Again, whether these solutions are effective against the most recent Petya / Goldeneye attack is not clear, although Trend Micro states here that it is “in the process of adding known variant and component detections” for Petya-related patterns “and all products that utilise them.”

So, more antidote than vaccine – but it’s worth noting that these decryption tools are free, so they could be a lifesaver (and pave the way to more proactive anti-ransomware strategies and product choices in the future).

Malwarebytes: no ransomware vaccine, but you're safe

Malwarebytes, for its part, has been less than confident about the ability of the C:\Windows\perfc.dat vaccine to stop the Petya infection – in fact, the company states that “our own tests have shown that in many cases, it doesn’t.”

Whilst Windows 10 systems, Malwarebytes says, “seem to have a fighting chance” by using this method, “Windows 7 gets infected every time.”

However, Malwarebytes also publicly says that customers using Malwarebytes Endpoint Security are protected against this specific ransomware variant – so, once again, a vaccine is – theoretically, at least – unnecessary.

Ransomware: vaccines, protection, remediation

For more of our thoughts on ransomware and what security vendors are doing to fight against it, check out our previous post here.

And remember – prevention is better than cure, so keep patching!

WannaCrypt0r ransomwareThe WannaCrypt0r ransomware floored the NHS and many other organisations besides. These guys reckon they could have stopped it.

WannaCrypt0r, the global cyber-attack that paralysed 45 NHS trusts, plus businesses in over 100 countries, has woken the world up.

It’s woken a few security vendors up too, as the flurry of emails in my inbox over the weekend shows.

And, predictably, they’re all keen to tell us that customers running their security software were protected from WannaCrypt0r’s terrifying exploits.

Here’s a summary of the claims each of these wannabe ‘WannaCrypt0r-killers’ have made. It will be interesting reading for those who are contemplating where to go next with their anti-ransomware strategy!


The mail from security software vendor Bitdefender states its case boldly: “Customers running Bitdefender are not affected by this attack wave.”

How so? Bitdefender has a ‘ransomware vaccine’ that users can switch on to immunise machines, and this uses the ransomware’s own programming against it.

But at a deeper level, it boils down to the ability to detect memory violations – in other words, to understand when a machine’s memory is being tampered with, which indicates that a cyber-exploit is afoot long before it can actually execute and cause any damage.

It’s this kind of device behaviour, Bitdefender implies, that, with their GravityZone products, would have shut WannaCrypt0r down before it even really got started.

Trend Micro

It’s machine-learning that’s writ large in the Trend Micro response to the WannaCrypt0r incident.

“Customers are already protected against this threat through Predictive Machine Learning and other relevant ransomware protection features found in Trend Micro XGen™ security,” the firm claims.

It’s a highly layered approach, involving email and web gateway solutions, behaviour monitoring and reputation analysis, file and website blocking, across physical and virtual machines, with the overall goal being to “prevent ransomware from ever reaching end users.”

Of course, if WannaCrypt0r has shown us one thing, it’s that ransomware is perfectly capable of activating before it reaches the end user!

However, a beacon of hope in Trend Micro’s communication that I did not see elsewhere is that it has a tool that can decrypt files affected by certain crypto-ransomware variants, meaning victims would not have to pay the ransom in exchange for a decryption key.

(How many IT guys would have killed for that last Friday evening?)


Malwarebytes’ communication slaps its cards down on the table thus:

“Malwarebytes is protecting your organization against this specific ransomware variant. Our anti-ransomware technology uses a dedicated real-time detection and blocking engine that continuously monitors for ransomware behaviors, like those seen in WannaCrypt0r.”

Like Bitdefender and Trend Micro, this is hinting at some sort of intelligent analysis of machine and network behaviours that might predict a ransomware attack, before it actually starts to execute.

Malwarebytes’ four-layered security approach – operating system, memory, application behaviour and application hardening – contributes to this detection capability, as it monitors at multiple system levels for ransomware and other exploits, simultaneously.

But Malwarebytes goes further than this in its claims. It says in this blog about WannaCrypt0r that itwill stop any future unknown ransomware variants.”

(The italics are mine – but I’m sure you’ll agree they’re worth emphasising!)

What next for WannaCrypt0r?

There are few certainties in cyber-security but what experts are predicting is that wave two of the WannaCrypt0r attack will come soon – and wearing a different guise.

Will the security solutions above recognise it rapidly enough to combat it?

Let’s see whether the communications live up to their word.

Bitdefender updated its  GravityZone cloud console with new features that you may not be taking full advantage of.  Here at Blue Solutions we are happy to guide you through these changes and how they will affect you and your customers.

Ransomware Vaccine

The big news is that Bitdefender has now incorporated Anti-Ransomware vaccine for all its cloud customers, that immunises end-users against both existing and emerging ransomware attacks – at no additional cost!  This module is activated through the policy section  Antimalware --> On Access settings

Bitdefender Policy
(Click to enlarge)

By activating this module, machines will be protected from all currently known forms of Ransomware. The Vaccine works independently, does not need any other modules to be installed, and is switched on simply by ticking the box in the customer’s policy.

Other New Features in GravityZone

  • Update Rings - this feature allows Administrators of the program to  choose when in the validation cycle an update is received.
  • Anti-Exploit Techniques - a new set of powerful techniques which further enhances existing technologies to fight targeted attacks.  These are integrated into the existing Advanced Threat Control module.
  • Web Access Control Rules - The categories list has been updated with multiple new categories added.
  • Exchange Protection - This can now be enabled/disabled when editing a customer with a monthly license subscription.

For more details on the above features and a look at the other features included please click here

Bitdefender Authorized Distributor

Bitdefender’s GravityZone solutions are chock-full of benefits that make them easy, slick, and profitable for security partners to use. Read more.

GravityZone killer benefits, (1): Overarching ease of use

The first thing to note is that GravityZone’s whole management workflow, across all customers and products, is driven from a single console with a single login.

Everything – policies, licensing, reporting - is controlled from one space, not two or three different dashboards, as is the case with some vendors.

An exceptionally fluent interface all but dispenses with annoyances like multiple popups that can confuse users and provoke error, whilst a neat hierarchical tree structure enables users to see all their customers in one view (grouped by site or office where necessary), and to simply click to drill down into the detail of their licensing, usage, reporting, etc.

No more firing up multiple tabs and screens, and managing multiple logins!

Overarching ease of use
One view onto everything, and everything under control! (Click to enlarge)

Extensive and instant reporting

But Bitdefender has dragged the process of actually generating and delivering the reports into the 21st century, too.

Not only can security partners (MSPs and resellers alike) pull down accurate usage and other reports on demand, independently of the wholly automatic invoicing process, but the sheer array of possible reports and delivery mechanisms is impressive.

From Amazon AWS usage, to device control, to licence status, to Top 10 malware statistics, and much more, the reports can be fired up ad hoc or scheduled automatically, run on the dashboard, sent as alerts or emails, and basically tailored to whatever form the partner finds easiest and most useful to deal with.

Extensive and instant reporting
I’ll have that anti-malware activity report right now, please! (Click to enlarge)

AWS integration

Looking cloudward, GravityZone’s integration with AWS also delivers enviable simplicity; the MSP can spin up an AWS virtual server and that server will immediately be protected by GravityZone.

It’s a strong reminder of the fact that GravityZone is built from the ground up for virtual environments, in contrast to many other vendors’ solutions, which feature virtual refinements built around an essentially physical-heritage core (as we explore in this recent white paper).

GravityZone killer benefits, (2): Customer-friendly flexibility

For customers that don’t want to be out of the security loop entirely, end-users can have their own logins, giving them role-based access to services and features within the GravityZone security products their business uses.

This is particularly useful for customers who have invested in some degree of security expertise in-house and want to realise the value locked up in that investment.

But of course it can also reduce the management workload for the partner, putting a keener edge on their margins!

Customer-friendly flexibility
Differentiated access for different user roles and needs (Click to enlarge)

GravityZone killer benefits, (3): Integrations - and automations - that matter

Every security partner wants to sell market-leading solutions, but not if managing them on a day-to-day basis will send their operational expenditure through the roof.

GravityZone has addressed this concern head-on, by developing an integration to ConnectWise Manage (the PSA solution used by some 70% of the top technology solutions and service providers).

The integration with ConnectWise Manage supports the delivery of automated, end-to-end helpdesk, contract management, time tracking, account management, sales and marketing enablement and potentially much more, reducing the MSP’s workload, whilst delivering improved customer satisfaction levels.

Automatic policy assignation also slices a significant chunk out of the MSP workflow, as it enables them to effortlessly trigger and roll out security policies based on existing variables like IP address, network type, server address type, and so on.

Integration with ConnectWise Manage, plus automatic policy assignation, make GravityZone a natural choice for workflow-savvy security partners (Click to enlarge)

GravityZone killer benefits, (4): Anti-malware with common sense

An office full of software developers needs more freedom to build, run, and test code and applications than a team of salespeople.

So, GravityZone enables the techies’ anti-malware parameters to be set less sensitively, whilst the business development crew can benefit from somewhat more stringent protection!

Naturally, though, this kind of adjustment just won’t work if it is complex or risky to use, and on both fronts GravityZone scores highly.

Sensitivity is controlled by simple tick-boxes, but users are also protected by GravityZone’s N-Tier structure, which means certain security settings and policies are automatically “inherited” based on past and present operation. Plus, security is also enforced by the distributor (us!).

Basically, it’s possible to fine-tune security, but it’s never possible to leave users unprotected.

GravityZone’s granular take on anti-malware
GravityZone’s granular take on anti-malware is simple to set up but its settings can never leave users unprotected (Click to enlarge)

GravityZone killer benefits, (5): Playing ransomware at its own game!

Ransomware’s ability to terrorise businesses has an Achilles’ heel.

It prevents a machine it has already infected playing host to any other infection that could interfere with its planned endgame – and this same defence, used on uninfected machines, effectively blocks the ransomware itself!

Enter the GravityZone Anti-Ransomware Vaccine, which uses exactly this technique to enable partners to “immunise” users against ransomware attacks, simply by enabling it as a policy within existing anti-malware protection.

GravityZone Anti-Ransomware Vaccine
Simply enable Anti-Ransomware as part of GravityZone’s anti-malware protection, and users are “immunised”!

GravityZone: where to learn more

As ever, there isn’t the space here to explore the benefits of GravityZone’s innovative features in ultimate detail.

But there’s some more detail on recent feature updates in this post, and more on the various GravityZone products, and their benefits for both MSPs and resellers, on the Web here.

Hope we’ve helped to put you “in the know”!


Bitdefender have announced that its GravityZone solution is now certified by VMWare and has achieved the VMware Ready status.

What this means?

Organisations can now enable agentless scanning on guest virtual machines via NSX introspection, which eliminates the overheads that can be seen when running a separate instance of the agent in each VM.  It also offers increased resilience against APT's which target the security solution.

Enterprise Customers now have access to a new and proactive approach for securing Datacenters and their Network Virtualisation environments.

From Kirsten Edwards, Director, Technology Alliance Partner Program, VMware

“We are pleased that the Bitdefender GravityZone qualifies for the VMware Ready™ logo, signifying to customers that it has met specific VMware interoperability standards and works effectively with VMware cloud infrastructure. This signifies to customers that GravityZone can be deployed in production environments with confidence and can speed time to value within customer environments,”

Harish Agastya, Vice President, Enterprise Solutions, Bitdefender

“Data centers are the heart of the digital economy, and security is paramount for data center operators across the world. The VMware Ready certification marks another step in our commitment to provide security that is easy to deploy and scale, and meets the unique requirements of today’s highly virtualized environments. Our award-winning security solution leverages NSX capabilities in the software-defined data center to provide automated deployment and orchestration of security services,”

About VMware Ready

vmware_readyVMware Ready is a cobranding benefit of the Technology Alliance Partner (TAP) program which makes it easy for customers to identify partner products which have been certified to work within the VMware Cloud infrastructure.  With thousands of members worldwide, TAP includes best of breed technology partners who bring the highest expertise and business solutions for each individual customer.

About Bitdefender GravityZone SVE

Bitdefender GravityZone SVE provide security for virtual machines, virtualised Datacenters and cloud instances, through the GravityZone On Premise console.

  • Best protection for Windows and Linux virtual machines: enabling real time scanning for file systems, processes, memory and registry
  • Best proven performance in datacenters: up to 20% performance improvement compared to traditional security vendors
  • Works on any virtualization platform: VMware, Citrix, Microsoft Hyper-V, KVM, Oracle, and others on demand
  • Agentless security for VMware NSX


Keyboard equipped with a red ransomware dollar button.
Keyboard equipped with a red ransomware dollar button.

There has been report of several companies becoming infected by the Crysis Ransomware and as such we have had a look into what it does and how it can be prevented.


First detected in February 2016, this virus has multiple methods of infection typically an email which has attachments using double extensions to make them appear non-executable.  Although it has been seen to also come through SPAM emails and compromised websites.  There has also been reports that it has been distributed to online locations and shared networks disguised as an installer for various legitimate programs.


Crysis Ransomware itself is capable of encrypting over 185 file types across fixed, removable and networks drives and uses RSA and AES encryption, once infected it will also look to delete the computers shadow copies.  Whilst also creating copies of itself into the following locations.

  • %localappdata%\­%originalmalwarefilename%.exe
  • %windir%\­system32\­%originalmalwarefilename%.exe

The virus will then look to create/edit certain registry keys to ensure it is run on each system start.

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%originalmalwarefilename%" = "%installpath%\­%originalmalwarefilename%.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%originalmalwarefilename%" = "%installpath%\­%originalmalwarefilename%.exe"

Finally after encryption there is a .txt file placed in the computers desktop folder, sometimes this accompanied by an image set as the desktop wallpaper.

  • %userprofile%\­Desktop\­How to decrypt your files.txt

There has also been reports of Crysis stealing data and credentials from the affected machines and passing these back to its Command and Control server.  This would then allow the computers and local networks that have been infected to become vulnerable to further attack if the credentials are not changed.

It has also been seen that Crysis will monitor and gather data gathered from IM applications, webcams, address books, clipboards and browsers prior to sending this to the C&C server with the windows variant stealing account and password credentials.


To reduce the risk of infection we recommend the following

  • Ensure you are using an upto date AV product
  • Ensure any specific Ransomware prevention tools in the AV are used
  • Ensure you have a regular tested backup of the data
  • Educate users in the dangers of opening attachments from an unknown source



Bitdefender have updated their GravityZone cloud console with some new features over the weekend and here at Blue Solutions we are happy to guide you through these changes and how they will affect you and your customers.


The big news is that Bitdefender has now incorporated Anti Ransomware vaccine to all its cloud customers, and will be rolling this out through the on-premise version on Tuesday 27th Sep 2016.  This module is activated through the policy section  Antimalware --> On Access settings

Gravityzone Ransomware Vaccine Policy Setting
Gravityzone Ransomware Vaccine Policy Setting

By activating this module, machines will be protected from all currently known forms of Ransomware.

Other New Features

Update Rings - this feature allows Administrators of the program to  chose when in the validation cycle an update is received.

Anti-Exploit Techniques - a new set of powerful techniques which further enhances existing technologies to fight targeted attacks.  These are integrated into the existing Advanced Threat Control module.

Web Access Control Rules - The categories list has been updated with multiple new categories added.

Exchange Protection - This can now be enabled/disabled when editing a customer with a monthly license subscription.


The above features are now in place for all current users of Bitdefender Gravityzone in the cloud and will be rolled out to Bitdefender Gravityzone on-premise users from the 27th Sep 2016.

For more details on the above features and a look at the other features included please click here

logo     bs-logo

Keyboard equipped with a red ransomware dollar button.

Ransomware is on the rise, but the authorities struggle to deal with it, so businesses often end up paying the ransom! What are security vendors doing to combat it?

You don’t need to look very far to see the hoo-ha that ransomware has recently caused.

This is not only because the sheer volume of ransomware attacks has swollen as never before (global cases increased by almost 170% in 2015, with the UK “disproportionately hit,” according to this article), but because the number of cases reported has actually gone down.

This can only lead to one conclusion: businesses are paying the ransom, in an attempt to get their businesses back up and running, because the authorities are failing to help them do so!

It’s one hell of a gamble. Cybercriminals aren’t exactly known for their integrity or willingness to be bound by contract, so where’s the guarantee that they’ll give businesses back the access to their files once they’ve coughed up?

Indeed, as FBI Cyber Division Assistant Director James Trainor has commented,  “Paying a ransom doesn’t guarantee an organisation that it will get its data back—we’ve seen cases where organisations never got a decryption key after having paid the ransom.”

Ransomware: what it is, what it does

Before we go any further, though, let’s clarify terms. All ransomware (CryptoLocker, CryptoWall, and CTBLocker are names that crop up often, but there are many others, some of which are listed here) is about blocking a business’s access to a system and/or its files until a sum of money is paid to the malefactor.

In practice, this happens in many different ways, varying from scareware, to browser or screen-locking software, to encrypting ransomware. (This Malwarebytes infographic, that our partners can now request to co-brand and use for their own marketing campaigns, explains it very neatly).

In a further malevolent twist, cyberattackers may choose to “leak” the files that they have sequestered if the ransom is not paid, exposing a business’s potentially confidential and legally privileged information to public view online.

Reputationally, this can be shattering, but the financial impact of ransomware is breathtaking too. The Verizon Data Breach Investigations report puts the business cost of losing access to just 1000 records at more than £46,000!

In short, businesses are vulnerable, the authorities are swamped, and there’s no honour among cyber thieves. So it’s down to security vendors to step up to the plate and prevent ransom situations from arising in the first place. Here’s a taste of how three of them are turning the tables on the file felons!

Bitdefender: cross-product protection at startup

Bitdefender’s answer to the ransomware challenge has been to develop a Ransomware Protection module that is included in all Bitdefender 2016 products (including business versions sold through the IT channel).

Clearly, this makes ransomware protection accessible to the end-user, regardless of the product they or their organisation have purchased.

But Bitdefender products also activate the Ransomware Protection module at startup, and scan all critical system areas before files are loaded, with zero impact on the system’s performance.

At the same time, protection is provided from certain attacks that rely on malware code execution, code injections, or hooks inside dynamic libraries, so defence against the ransomware is instant, broad, doesn’t slow end-users’ core computing tasks down, and – most importantly of all – doesn’t let the ransomware get a foothold.

Malwarebytes: ransomware protection throughout the infection timeline

Malwarebytes has built a solid reputation on its ability to detect, monitor and block malware of all kinds, right from the earliest attempts by the malware’s author to probe the most effective delivery methods.

This means it can spot indications of threatening behaviours way before the threat actually deploys – and it has applied this philosophy to its Anti-Ransomware product, too.

In the words of their security blog, it “uses advanced proactive technology that monitors what ransomware is doing and stops it cold before it even touches your files.” The ransomware therefore “has no shot at encrypting.”

Although the product is still in beta, it is based on an already successful application  - CryptoMonitor - that Malwarebytes acquired from EasySync Solutions, so its provenance certainly inspires trust.

We don’t yet know how Malwarebytes will market the general release version for business users through the IT channel. Will businesses be able to buy it standalone? Or as part of the existing Malwarebytes Endpoint Security suite?

The latter is already a truly potent bundle. It includes the powerful Anti-Malware solution that (uniquely!) also comes with an inbuilt remediation tool – that is to say, it can clean up already infected systems, making for some very grateful customers!

It also includes the Anti-Exploit solution, that detects the zero-day exploits that other solutions simply miss. Factoring Anti-Ransomware into this already compelling combination would be something of a coup!

Watch this space…

Trend Micro: fight ransomware at every layer

Ever the source of insightful and sobering security stats, Trend Micro has publicly announced that ransomware infections among UK firms in February 2016 alone far exceeded the figures for the first six months of 2015!

Its approach to fighting ransomware is highly layered, with Ransomware Protection features included in its endpoint products (OfficeScan, Worry-Free Business Security), email and gateway products (ScanMail, Cloud App Security, Hosted Email Security, amongst others) and network products (Deep Discovery).

Trend Micro was named a Leader in the 2016 Endpoint Protection Platforms Magic Quadrant, published by industry analyst Gartner. This covers, amongst other technologies, anti-ransomware, so Trend’s solutions are definitely “up there” when it comes to stopping businesses being held at gunpoint!

Anti-ransomware: a pattern emerges

In all the three vendor cases mentioned above, there is a strong underlying truth: everything turns on being able to stop the ransomware infection happening in the first place. Once files are infected, it’s way too late.

This knowledge has certainly been an incentive for security vendors to act. If it’s not an incentive for businesses and the IT channel partners who supply them to act, too, I don’t know what is.