Anti-ransomware is a technology created to protect user data, in response to the ransomware phenomenon, a major concern and one of the biggest threats to cyber security nowadays. However, it is a rather new type of threat as major ransomware attacks started over three years ago, and it took some time until the community recognized ransomware as a new threat, different and more dangerous than the typical malware.
Naturally, people expected antivirus solutions to handle this new threat as it happened with all types of threats in history. However, it was soon proven that standard antivirus solutions are not effective in detecting and stopping ransomware to an acceptable extent. The traditional anti-malware approach of proactively stopping malicious processes fails with ransomware, as it mimics user behavior very well. At the same time, ransomware comes in complex packages with features designed to avoid antivirus technologies like Sandbox, Application Control, Heuristics, etc. Only signature-based detection can stop ransomware but, unfortunately, that does not work against new and custom variants and requires constant updating.
In this context, new specialized anti-ransomware technology emerged. It detects ransomware reactively, based on what it does on a system, and not proactively, before it executes. Here are the main features of specialized anti-ransomware solutions:
Ransomware detection and reactions
The approach of reactively detecting ransomware allows a more accurate detection process which can stop new and custom ransomware variants without relying on updates and signatures. On the other hand, this behavioral analysis technique allows the ransomware to execute, and this means that some files may be encrypted by the time the malicious process is stopped and quarantined. Some implementations also feature protection of the Master Boot Record to protect against ransomware that attempts to boot up its own code. There are also detection techniques that combine behavior analysis with honeypot detection techniques that involve placing decoy files and observing them. Some solutions only rely on the latter, but their effectiveness at stopping ransomware is questionable.
Along with stopping and quarantining the ransomware payload, the specialized anti-ransomware software also enables IT admins to react to the incident by stopping the affected computer, notifying the user and administrators or, on rare occasions, isolating the infected machine from the network.
In essence, the detection rate is far better than that of traditional antivirus solutions and allows for an efficient response to ransomware incidents, minimizing downtime and data loss. When it comes to false positives, many implementations have an acceptable rate, and only on rare occasions does a solution manage to maintain a low level (next to zero) of false positives.
Real-time backup capabilities based on file changes
Since the detection takes place seconds or minutes after ransomware executes, anti-ransomware technology must provide a way to recover the files encrypted before the ransomware process was stopped. Hence, some solutions include a real-time backup mechanism designed to make sure that any encrypted files can be recovered as soon as the encryption process is stopped.
There are various implementations, but in general, the technique relies on analyzing file changes and making copies of those files that are manipulated suspiciously. Some solutions rely on the Windows shadow copy functionality for this purpose, but there is an important risk when doing so, as many ransomware families make sure that files cannot be recovered in this way.
File protection capabilities
Along with detecting ransomware and restoring the data affected during the detection process, a few anti-ransomware solutions also provide file protection against ransomware by creating copies of user files in protected zones on the local hard drive. This ensures that even if the ransomware successfully attacks the files, it cannot access the protected zone and consequently cannot attack the protected copies. Technically this would allow data to be recovered even in the case of successful ransomware attacks. The safe repository can be used by backup solutions to ensure encryption-free backups.
How we can help with anti-ransomware
TEMASOFT develops Ranstop, an anti-ransomware software that combines accurate ransomware detection with file protection capabilities to ensure next to zero downtime and no important file loss on ransomware incidents. Ranstop can block ransomware in seconds, automatically recover affected files and keep the data safe at the same time. The data is recoverable even in the unlikely case of a successful ransomware attack that is not detected.