Anti-ransomware software

Find out what enterprise anti-ransomware software is and how it helps companies protect against the ransomware threat

Summary

What is enterprise anti-ransomware?

How is anti-ransomware software different than antivirus software?

How can anti-ransomware software support your disaster recovery plan?


Enterprise anti-ransomware software is a technology created to protect user data, in response to the ransomware phenomenon, a major concern and one of the biggest threats to cybersecurity nowadays. However, it is a rather new type of threat as major ransomware attacks started over three years ago, and it took some time until the community recognized ransomware as a new threat, different and more dangerous than the typical malware.

Naturally, people expected antivirus solutions to handle this new threat as it happened with all types of threats in history. However, it was soon proven that standard antivirus solutions are not effective in detecting and stopping ransomware to an acceptable extent. The traditional anti-malware approach of proactively stopping malicious processes fails with ransomware, as it mimics user behavior very well. At the same time, ransomware comes in complex packages with features designed to avoid antivirus technologies like Sandbox, Application Control, Heuristics, etc. Only signature-based detection can stop ransomware but, unfortunately, that does not work against new and custom variants and requires constant updating.

In this context, new specialized enterprise anti-ransomware software technology emerged to provide enterprise ransomware protection. It that detects ransomware reactively, based on what it does on a system, and not proactively, before it executes. Here are the main features of specialized anti-ransomware solutions:

Ransomware detection and reactions

The approach of reactively detecting ransomware allows a more accurate detection process which can stop new and custom ransomware variants without relying on updates and signatures. On the other hand, this behavioral analysis technique allows the ransomware to execute, and this means that some files may be encrypted, by the time the malicious process is stopped and quarantined. Some implementations also feature protection of the Master Boot Record to protect against ransomware that attempts to boot up its own code. There are also detection techniques that combine behavior analysis with honeypot detection techniques that involve placing decoy files and observing them. Some solutions only rely on the latter, but their effectiveness at stopping ransomware is questionable.

Along with stopping and quarantining the ransomware payload, the specialized anti-ransomware software also enables IT admins to react to the incident by stopping the affected computer, notifying the user and administrators or, in rare occasions, isolate the infected machine from the network.

In essence, the detection rate is far better than of traditional antivirus solutions and allows for an efficient response to ransomware incidents, minimizing downtime and data loss. When it comes to false positives, many implementations have an acceptable rate, and only in rare occasions, the solution manages to maintain a low level (next to zero) of false positives.

Real-time backup capabilities based on file changes

Since the detection takes place seconds or minutes after ransomware executes, anti-ransomware technology must provide a way to recover the files encrypted before the ransomware process was stopped. Hence, some solutions include a real-time backup mechanism designed to make sure that any encrypted files can be recovered as soon as the encryption process is stopped.

There are various enterprise anti-ransomware software implementations, but in general, the technique relies on analyzing file changes and making copies of those files that are manipulated suspiciously. Some solutions rely on the Windows shadow copy functionality for this purpose, but there is an important risk when doing so, as many ransomware families make sure that files cannot be recovered in this way.

File protection capabilities

Along with detecting ransomware and restoring the data affected during the detection process, a few anti-ransomware solutions also provide file protection against ransomware by creating copies of user files to protected zones on the local hard drive. This ensures that even if the ransomware successfully attacks the files, it cannot access the protected zone and consequently cannot attack the protected copies. Technically this would allow data to be recovered even in the case of successful ransomware attacks. The safe repository can be used by backup solutions to ensure encryption free backups.

How we can help with anti-ransomware

TEMASOFT develops Ranstop, an anti-ransomware software that combines accurate ransomware detection with file protection capabilities to ensure next to zero downtime and no important file loss on ransomware incidents. Ranstop can block ransomware in seconds, automatically recover affected files and keep the data safe at the same time. The data is recoverable even in the unlikely case of a successful ransomware attack that is not detected. Read our advice on how to protect against ransomware!

Lately, there is a lot of disagreement related to why people who have various types of antivirus solutions in place, still get infected by ransomware. Experts’ opinions on the matter vary, some say antivirus is obsolete and should evolve into something else, like ransom antivirus, while others advocate for multi-layered ransomware protection strategies that include several solutions and activities. Most security vendors have functionality that in some marginal way helps with ransomware prevention but far from offering an appropriate solution. Things like patch management, log management, file monitoring, user behavior analysis may help under certain circumstances to various degrees but none offer adequate ransomware protection on its own. For example, appropriate patch management could stop WannaCry from spreading, but it does not stop the original WannaCry infection, nor other ransomware. Similarly, log management, file monitoring, user behavior analysis may help to detect a ransomware infection, but not fast enough and they cannot stop it.

The main issue with ransomware is the fact that it is not designed like a common virus. Not by the behavior it generally exposes. In the end, it mimics user behavior very well; it reads files, writes information to the disk and removes files. Just like all of us do on an average day. Some newer variants also have worm-like capabilities exploiting vulnerabilities to proliferate, and all of them usually have obfuscation technology in place, enabling them to elude classic antivirus detection and making reverse engineering very difficult.

Antivirus solutions rely on various technologies to provide ransomware protection and stop the malicious process before it executes, but all may be bypassed, especially by zero-day variants.

Classic antivirus

• Signature-based detection does not catch zero-day threats nor targeted attacks with custom variants. Also, it requires constant updating, and there is a significant time gap between when the attacks start to proliferate, the AV team learns the signatures, and the end user updates the antivirus signature database. During this period, you are vulnerable. However, signature-based detection stops known ransomware before it damages files, thus delivering some ransomware protection;
• Sandbox analysis is another technique used by AV solutions – it allows the ransomware to execute in a controlled environment that simulates the operating system so that its actions are noted, and a decision is made by the AV solution, on if to allow the process to execute on the real operating system. However, advanced ransomware has environmental awareness and detects sandbox and virtualized environments. Hence, the ransomware does not perform any action while in a sandbox, thus eluding this technique;
• Heuristics allow AV technologies to detect malware based on its behavior. This method involves machine learning via rules and statistical weights in sophisticated algorithms. However, this only works in time and only with proper training. Antivirus solutions do not have the technology to extract behavioral information relevant to ransomware because it cannot distinguish it from the regular users. Hence heuristics cannot be trained well against ransomware, but it may perform well against malware or ransomware that uses worm-like capabilities;
• Automatic reverse engineering – usually part of Heuristics and involves decompiling and analyzing ransomware source code or its in-memory activity, on the fly. However, most ransomware includes obfuscation and protection technologies that prevent antivirus solutions to use this technique, thus the ransomware protection is marginal when dealing with advanced ransomware;
• Application whitelisting – this method only allows authorized applications to execute and efficiently blocks all other processes. However, there is script-based ransomware that uses an authorized application to perform the encryption process (command line scripts, or MS Word macros), thus bypassing the whitelisting technology. Next, there is fileless ransomware that hooks on system processes like the Service Host process, thus being able to execute in spite of application whitelisting. Last, there are ransomware exploiting vulnerabilities of authorized applications such as the browsers, which also bypasses this technique. Application whitelisting provides some ransomware protection but cannot stop several types of ransomware.

Dedicated enterprise anti-ransomware software provides better ransomware protection

In turn, enterprise anti-ransomware software solutions implement ransomware protection by attempting to detect ransomware as it performs malicious activity. This approach involves different technology and yields better results regarding accuracy and protection against zero-day threats. However, it means that some files are encrypted before ransomware is detected and stopped. To eliminate this disadvantage, there are anti-ransomware solutions that provide data protection and the ability to recover the files lost during the detection process. Advanced ransomware protection tools also provide real-time backup capabilities and data safeguarding in impenetrable repositories, allowing file recovery even in the case of a successful ransomware infection. All these make dedicated anti-ransomware solutions better than the antivirus counterparts at detecting and protecting against ransomware.

For good enterprise ransomware protection, antivirus and anti-ransomware should be used together to eliminate known threats before they execute and contribute to ransomware prevention, reduce the chance of ransomware infection and ultimately provide effective ransomware protection, especially against zero-day ransomware variants.

Enterprise anti-ransomware software supports your disaster recovery plan and protects files and backups and so it is a great addition to your strategy. Disaster recovery plans are being developed to ensure business continuity in case of incidents that affect systems and data. All such projects include solutions that perform regular backups of important files, in various ways and to different locations but most do not include anti-ransomware protection. However, ransomware is a problem even for good disaster recovery plans as there are at least three ways in which it can break even the most efficient ones:

1. Ransomware may compromise reachable backup repositories

If during a ransomware infection, the backup repositories are online and reachable from the infected machine, and if the ransomware runs in a security context that has sufficient rights to access the backup repositories, it may attack and encrypt the backups. Depending on the backup strategy in place, the impact of this type of incident:
•With proper offline/online backup synchronization, it may just involve rebuilding the online backup from another (offline) backup, eventually losing a few hours worth of files;
•Without proper offline/online backup synchronization, or if the timing is terrible, it may involve losing a significant time range of backups.

In any case, there is serious downtime and concern for IT.

2. Ransomware may compromise files before they make it into the backup repositories

If endpoints get infected with ransomware, and if a backup task runs before the infection is detected (usually the case in unprotected environments), it may be that the backup solution will copy encrypted files into main backups. These encrypted files may propagate to offline backups, etc. The impact of this incident varies depending on when and how the ransomware infection is being detected, but it all boils down to having backups which cannot be restored.

Here is a real-life scenario experienced by one of our customers before using our solution.

It provides some insight into the impact of such an incident: a laptop is connected to the network and infected with ransomware. During the infection, the ransomware attacks a mapped drive on the laptop, that points to the file server and encrypts part of the data on the file server. Next, the ransomware infection is detected on the laptop as ransom notes pop out, but nobody has any idea about the fact that the file server was also compromised remotely. The endpoint is restored from the last backup, some files are lost, but the incident is closed. Next, the backup job runs on the file server and backs up encrypted files without anybody knowing. At this point, there is a backup that IT relies on, but which cannot be restored.

3. Ransomware may compromise files recently changed which were not backed up yet.

Ultimately, with incremental backups, if there is a ransomware incident, you always lose the files changed between the last backup and the ransomware incident itself. Restoring from the last backup helps a lot in this case, but there are cases where the files changed in-between are critical and cannot be recovered. In these cases, the business loses time and money re-doing work already done.

How can enterprise anti-ransomware software help?

Our enterprise anti-ransomware software detects and stops ransomware in seconds, and notifies IT on such incidents. At the same time, it creates real-time backups of files being manipulated in suspicious ways, covering the gap between the last incremental backup and the ransomware incident, and ensuring no data is lost. It also protects the files it backs up in safe vaults on the local hard drive. The backup solution part of the disaster recovery plan can feed on these secure vaults ensuring no encrypted files make it to the backups.

By using enterprise anti-ransomware software together with backups, your disaster recovery plan benefits from the following enterprise ransomware protection features:
•No important file loss on ransomware incidents, even if the incremental was taken hours ago;
•No backup repositories get compromised;
•No encrypted files make it into main backups that IT needs to rely upon.

Enterprise anti-ransomware software delivers adequate ransomware protection for your latest files and backups, and the advantages it brings make it a great addition to your disaster recovery plan.
For more information, follow us on social media and subscribe to our newsletter.

Follow @TemasoftSRL