Endpoint Detection and Response is a Key Weapon in the Battle Against Ransomware
Ransomware Protection: Why you need it
Holding a person hostage in the real world is extremely dangerous. Kidnapping a victim is risky for the malefactors, who must then keep the victim alive while negotiating for their release, and the exchange of the victim for the ransom is another flashpoint. Computer ransomware is, by comparison, far more manageable. The malware sneaks in undetected, encrypts files, and demands a ransom in an untraceable currency; the worst violence involved is a frustrated victim throwing crockery at a wall. Your antivirus utility should indeed wipe out ransomware, just like it wipes out any other type of malware, but if it doesn’t, the consequences can be dire.
It is never ideal to have a Trojan or virus infect your computer, cause havoc for a few hours, and then be removed by an antivirus update, but that situation can still be managed. It’s quite different when ransomware is involved. Your files are already encrypted, so removing the perpetrator does no good and could even affect your ability to pay the ransom if you choose to. You can add ransomware-specific protection to your security products.
It’s even worse when your business gets attacked by ransomware. Every hour of lost productivity could cost thousands or more, depending on the nature and size of the business. While ransomware attacks have increased, there are ways to combat them. We will be discussing some tools that you can use to defend yourself against ransomware.
What is Ransomware and how can you get it?
Ransomware works on a simple principle. The attacker finds a way to take your data hostage and demands payment. The most popular type is encrypting ransomware, which locks you out of your documents by replacing them with encrypted copies. If you pay the ransom, you receive the key to decrypt them. Another kind of ransomware blocks all access to your computer or mobile device. Such screen-locker ransomware is less dangerous than encrypting ransomware and easier to defeat. The most dangerous type encrypts your entire hard drive, making the computer unusable, but this last type is rare.
You probably won’t recognize a ransomware attack while it is happening, because it doesn’t show the usual signs that you’ve got malware. Encrypting ransomware works quietly in the background and aims to finish its evil mission before you notice it. Once the job is completed, the ransomware displays instructions on how to pay the ransom and get your files back. Naturally, the perpetrators require untraceable payment; Bitcoin is a popular choice. Some ransomware instead asks victims to buy a gift card or prepaid debit card and supply the card number.
This infection is often transmitted via booby-trapped Office documents or PDFs sent to you in an email that appears legitimate, perhaps even one that seems to come from your own company’s address. That seems to be what happened in the WannaCry ransomware attack a few years ago. Do not click on the link if you are unsure about the legitimacy of the email.
Ransomware is a type of malware, so it can reach your computer by any method malware uses, for example a drive-by download hosted in a malicious advertisement on an otherwise safe site. It could even arrive on a tampered USB drive plugged into your computer, though this is rare. If you’re lucky, your malware protection utility will catch it immediately. If it doesn’t, you could be in trouble.
CryptoLocker, and other encryption malware
CryptoLocker was the most well-known ransomware variant until the WannaCry attacks. It first appeared several years ago. An international consortium of law enforcement and security agencies took down the group behind CryptoLocker, but other groups kept the name alive, applying it to their own malicious creations.
A Dwindling Field
A few years back, there were dozens of standalone ransomware protection tools available from consumer security companies. Many of these tools were also free. Many of these tools have disappeared, and not for the best reasons. Acronis Ransomware Prevention was once a standalone tool that could be used for free, but it is now part of the company’s backup software. Malwarebytes Anti-Ransomware is now only available as part of Malwarebytes Premium. Heilig Defense RansomOff’s web page simply states that “RansomOff” will return at some point.
Enterprise security companies have offered ransomware protection tools as freebies to consumers. Many of these tools have fallen by the wayside as companies realized that offering a free product consumes resources. CyberSight RansomStopper and Cybereason RansomFree have both been discontinued.
Bitdefender Anti-Ransomware was discontinued for a practical reason. While it was available, it used an unusual approach. Ransomware attackers who encrypt the same files twice could lose the ability to decrypt them, so many ransomware programs leave a marker to prevent double-dipping. Bitdefender would mimic the markers of well-known ransomware families, in effect telling them, “Move on! You’ve already been here!” This approach was too narrow to be practical. CryptoDrop too seems to have disappeared, although its website is still available.
Even if ransomware gets past your antivirus, there is a good chance that an antivirus update will remove the attacker from your computer within minutes. Unfortunately, removing the ransomware doesn’t guarantee your files will be recovered. You can only guarantee your files’ recovery by having a backup in the cloud.
There is a chance of recovering files, but it depends on the ransomware strain that encrypted them. It helps if your antivirus (or the ransom note itself) identifies the strain by name. Some antivirus vendors, including Trend Micro, Kaspersky, and Avast, offer a variety of decryption utilities. Sometimes the utility needs an unencrypted original of one of the encrypted files in order to work. In other cases, such as TeslaCrypt, a master decryption key is available.
Ransomware is best stopped before it takes over your files. This goal can be achieved in a variety of ways.
A well-designed antivirus utility ought to eliminate ransomware on sight, but ransomware designers are tricky. They can bypass both traditional signature-based malware detection and more modern, flexible techniques. One slipup in your antivirus can leave your files unusable after a ransomware attack. Even if your antivirus later receives an update that removes the ransomware, it cannot bring back the files.
Modern antivirus software adds behavior monitoring to signature-based detection. Some products rely solely on monitoring for malicious behavior rather than searching for known threats. Behavior-based detection aimed specifically at ransomware is increasingly common.
Ransomware targets files in common locations like the Documents folder and the desktop. Some antivirus tools and security suites foil ransomware attacks by denying unauthorized access to these locations. They pre-authorize known good programs like word processors and spreadsheets, and ask the user whether to grant access to any unknown program. If you get such a notification out of the blue, not in response to something you did, block it.
Of course, using an online backup utility to keep an up-to-date backup of your essential files is the very best defense against ransomware. With the assistance of your antivirus company’s technical support, you must first remove the malware. Once that is done, you can restore the files from backup. Some ransomware also attempts to encrypt backups; backup systems that expose your backup files on a virtual drive are particularly vulnerable. Consult your backup provider to find out what protections it offers against ransomware.
Detecting Ransomware Behavior
Cybereason’s RansomFree utility was free for a limited time and had a single purpose: preventing ransomware attacks. It had one very distinctive feature: it created “bait” files in locations that ransomware often targets, and any attempt to alter these files triggered a response. The utility also relied on behavior-based detection methods, but its creators were reluctant to provide much detail, since there is no sense in telling the bad guys what to avoid. Unfortunately, the enterprise-focused company was unable to keep maintaining this free product.
Kaspersky Security Cloud Free, along with many others, also uses behavior-based detection to eliminate ransomware that has escaped your regular antivirus. These products don’t use bait files, but rather monitor how programs treat your documents. They quarantine the ransomware once they detect it.
Check Point ZoneAlarm Anti-Ransomware uses bait files too, but they aren’t as obvious as RansomFree’s, and it clearly has other layers of protection. It defeated all the real-world ransomware samples tested, and it even repaired any files that were affected.
Webroot SecureAnywhere AntiVirus uses behavior patterns to detect all forms of malware, including ransomware. It eliminates known malware, leaves known good processes alone, and monitors the behavior of programs that belong to neither group. It blocks unknown programs from connecting to the internet and journals their every action while the program is analyzed at Webroot central. If the program is found to be malicious, Webroot uses the journaled data to reverse its actions, including file encryption. Webroot warns that the journal database can’t be unlimited in size and recommends backing up all important files. Webroot successfully reversed the actions of most real-world ransomware samples, but a few got past it.
Trend Micro RansomBuster, a free program, watches for suspicious processes attempting to encrypt files; when it sees one, it backs up the file and keeps an eye on the process. It notifies the user if it sees multiple attempts to encrypt files in quick succession. This feature failed to detect half the ransomware samples that we tested in real-world ransomware attacks. Trend Micro has confirmed that Trend Micro Antivirus+ Security provides better ransomware protection.
Acronis True Image is primarily a backup product. However, its Acronis Active Protection module monitors for and prevents ransomware behavior. It uses whitelisting to avoid falsely flagging valid tools such as encryption software. It actively protects Acronis’ main process from modification and makes sure that backup files are not accessible to any other processes. If ransomware encrypts files, Acronis can restore them from the most recent backup.
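The three behavior-based signals described above (bait files that no legitimate program should touch, monitoring how programs treat documents, and flagging many encryption-like writes in quick succession) can be combined into one detector. The following is an added illustration, not code from any of the products named here; it works over a constructed list of file-write events rather than real operating-system notifications (a real tool would subscribe to the file-system event API), and the bait paths, process names, thresholds and sample data are all assumptions.

```python
import math
from collections import defaultdict, deque

# Constructed bait ("canary") files, placed where ransomware usually starts.
# No legitimate program has any reason to modify, rename or delete them.
BAIT_FILES = {
    "/home/alice/Documents/_aaa_do_not_touch.docx",
    "/home/alice/Desktop/_aaa_do_not_touch.xlsx",
}

BURST_WINDOW_SECONDS = 2.0   # sliding window for counting encryption-like writes
BURST_THRESHOLD = 5          # this many high-entropy writes inside the window raises an alert
ENTROPY_THRESHOLD = 7.0      # bits per byte; ciphertext sits close to 8.0, documents far below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input or a single repeated byte)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RansomwareBehaviorMonitor:
    """Scores file events per process: bait-file tripwire plus high-entropy write bursts."""

    def __init__(self, window=BURST_WINDOW_SECONDS, threshold=BURST_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._suspicious = defaultdict(deque)   # pid -> timestamps of high-entropy writes
        self._burst_alerted = set()             # pids already reported, to avoid alert storms

    def observe(self, event: dict) -> list:
        """Consume one event {pid, process, op, path, ts, data} and return any alerts it raises."""
        alerts = []
        pid, proc, op, path, ts = event["pid"], event["process"], event["op"], event["path"], event["ts"]
        # Signal 1: any write/rename/delete of a bait file is suspicious on its own.
        if path in BAIT_FILES and op in {"write", "rename", "delete"}:
            alerts.append(f"BAIT: {proc}[{pid}] {op} {path}")
        # Signal 2: count writes whose content looks like ciphertext, per process, in a sliding window.
        if op == "write" and shannon_entropy(event.get("data", b"")) >= ENTROPY_THRESHOLD:
            q = self._suspicious[pid]
            q.append(ts)
            while q and ts - q[0] > self.window:
                q.popleft()
            if len(q) >= self.threshold and pid not in self._burst_alerted:
                self._burst_alerted.add(pid)
                alerts.append(f"BURST: {proc}[{pid}] wrote {len(q)} high-entropy files within {self.window}s")
        return alerts


def run(events) -> list:
    """Feed an ordered event list through a fresh monitor and collect all alerts."""
    monitor = RansomwareBehaviorMonitor()
    alerts = []
    for ev in events:
        alerts.extend(monitor.observe(ev))
    return alerts


# Constructed sample data: every byte value equally likely stands in for ciphertext,
# repeated English text stands in for an ordinary document.
HIGH_ENTROPY = bytes(range(256)) * 4
LOW_ENTROPY = b"Quarterly report: revenue grew 4 percent year on year. " * 20

SAMPLE_EVENTS = [
    # A trusted word processor saving a normal document: no alert.
    {"pid": 1200, "process": "winword.exe", "op": "write",
     "path": "/home/alice/Documents/report.docx", "ts": 0.0, "data": LOW_ENTROPY},
    # An unknown process touches a bait file and then overwrites six documents in about a second.
    {"pid": 6666, "process": "unknown_updater.exe", "op": "write",
     "path": "/home/alice/Documents/_aaa_do_not_touch.docx", "ts": 10.0, "data": HIGH_ENTROPY},
    *[{"pid": 6666, "process": "unknown_updater.exe", "op": "write",
       "path": f"/home/alice/Documents/file{i}.docx", "ts": 10.0 + 0.2 * i, "data": HIGH_ENTROPY}
      for i in range(1, 7)],
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

The two signals are deliberately independent: the bait file fires on the very first touch, before any real document is lost, while the burst counter catches ransomware that happens to skip the bait. Entropy alone is a weak signal (compressed archives and legitimate encryption tools also produce high-entropy output), which is why the burst rule looks at rate per process and why products such as Acronis whitelist known encryption software.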
Preventing Unauthorized Access
Trend Micro Antivirus+ Security will not allow a ransomware program to cause any serious damage if it is caught in time. The Folder Shield feature protects files in Documents and Pictures, in local folders that represent online storage for file-syncing services, and on USB drives. Avast Premium Security has a similar feature.
Trend Micro’s standalone RansomBuster protects only two folders and their subfolders. The protected area is not accessible to any unauthorized programs. However, file creation is allowed. In addition, the company offers a ransomware hotline that’s available to anyone, even noncustomers. You can also find tools to decrypt ransomware files and defeat screen locker ransomware on the hotline page.
Panda Dome Essential and Panda Dome Complete both offer Data Shield. By default, Data Shield protects each Windows user’s Documents folder and its subfolders, covering certain file types including Microsoft Office documents, images, and audio files. You can add further folders or file types if necessary. Panda blocks any unauthorized access to the protected files. It can even block unauthorized reading of protected files, so data-stealing Trojans are thwarted.
This type of defense can be tested easily. We created a very basic text editor, which is guaranteed not to be whitelisted by any ransomware protection system, and tried to access and modify the protected files. We were able to access and modify protected files in nearly all cases.
A secure backup of your most important files is the best way to survive a ransomware attack. Acronis True Image does more than just back up your files; it actively detects and prevents ransomware attacks. Similar features are expected to appear in other backup tools.
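The protected-folder approach described above (Folder Shield, Data Shield, RansomBuster) comes down to an access-control decision per file operation: which folders and file types are guarded, which programs are pre-authorized, whether new files may still be created, and whether reads are blocked as well as writes. The following is an added example that is not code from any of those products; the folder list, file types, allowlisted program paths and the "ask" outcome are assumptions, and the path normalization step is the check that such a filter must get right, since a path written as Downloads/../Documents/ still lands in the protected folder.

```python
from pathlib import PurePosixPath

# Constructed policy: guarded locations, guarded file types and pre-authorized programs.
PROTECTED_FOLDERS = [PurePosixPath("/home/alice/Documents"), PurePosixPath("/home/alice/Pictures")]
PROTECTED_SUFFIXES = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".mp3"}
ALLOWLIST = {"/usr/bin/libreoffice", "/usr/bin/gimp"}   # known good programs get access without prompting
BLOCK_READS = True   # also stop unknown programs from reading guarded files (anti data-theft)


def normalize(path_str: str) -> PurePosixPath:
    """Resolve '.' and '..' segments lexically, without touching the filesystem.
    A filter that compares raw strings can be sidestepped by a path that walks into the folder via '..'."""
    parts = []
    for part in PurePosixPath(path_str).parts:
        if part == "..":
            if len(parts) > 1:          # never pop the root
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PurePosixPath(*parts)


def is_protected(path_str: str) -> bool:
    """True when the path lies inside a guarded folder (or its subfolders) and has a guarded file type."""
    path = normalize(path_str)
    in_folder = any(path == folder or folder in path.parents for folder in PROTECTED_FOLDERS)
    return in_folder and path.suffix.lower() in PROTECTED_SUFFIXES


def decide(process_path: str, op: str, path_str: str) -> str:
    """Policy decision for one operation: 'allow', 'block' or 'ask' (prompt the user).
    op is one of 'create', 'read', 'modify', 'delete'."""
    if not is_protected(path_str):
        return "allow"                       # outside the guarded area: not our concern
    if op == "create":
        return "allow"                       # RansomBuster-style: new files may be created, existing ones are guarded
    if op == "read" and not BLOCK_READS:
        return "allow"
    if process_path in ALLOWLIST:
        return "allow"                       # pre-authorized word processor, image editor, etc.
    return "ask"                             # unknown program: the user sees a prompt and should block it if unexpected


if __name__ == "__main__":
    for proc, op, path in [
        ("/usr/bin/libreoffice", "modify", "/home/alice/Documents/report.docx"),
        ("/tmp/basic_editor", "modify", "/home/alice/Documents/report.docx"),
        ("/tmp/basic_editor", "modify", "/home/alice/Downloads/../Documents/report.docx"),
        ("/tmp/basic_editor", "create", "/home/alice/Documents/new.docx"),
        ("/tmp/basic_editor", "modify", "/tmp/scratch.docx"),
    ]:
        print(f"{decide(proc, op, path):5s}  {proc} {op} {path}")
```

The unwhitelisted editor test from the text maps directly onto the second and third calls: an unknown program modifying a guarded document should never come back as "allow", whether or not the path is written with a detour through another folder.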
CryptoDrop Anti-Ransomware kept copies of your sensitive files within a secure folder that is not visible to other processes. The CryptoDrop website is still available, but it’s now a weird mix of ads and content with no trace of its utility.
Trend Micro backs up files when it detects suspicious encryption activity. It then quarantines the suspicious process and restores the files it has backed up. ZoneAlarm likewise monitors for suspicious activity and repairs any damage caused by ransomware.
NeuShield Data Sentinel takes a unique approach. It does not attempt to detect ransomware activity at all, reasoning that ransomware must eventually announce itself in order to demand the ransom. Instead, it virtualizes changes to files in protected folders and lets you reverse any changes made during an attack. It can also restore the system to its previous state to get rid of the ransomware. In testing it proved effective, though you may lose some recent changes to your files.
Ransomware criminals who cannot decrypt the files they encrypted for ransom lose credibility, and encrypting the same set of documents more than once can make decryption difficult or impossible. Ransomware programs are therefore designed to avoid attacking systems they have already infected. For example, the original Petya ransomware simply checked for the presence of a certain file, so creating a fake copy of that file effectively vaccinated your computer against Petya.
Bitdefender Anti-Ransomware was able to prevent infection by TeslaCrypt and BTC-Locker, and it also stopped Petya’s first edition from infecting the system. It had no effect on Sage, Cerber, later versions of Petya, or any other ransomware family. It could not protect against a new strain the way behavior-based detection systems can. Because of these limitations and the constantly changing nature of malware, Bitdefender withdrew the tool. Instead, Bitdefender relies on its more powerful ransomware protection.
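Webroot’s journaling, Trend Micro’s on-the-fly backup and NeuShield’s virtualized changes all rest on the same idea: record what an untrusted program does to files before it does it, so the damage can be rolled back once the program is judged malicious. The following is an added example and not the code of any of those products. It models the file system as an in-memory dictionary, journals only the actions of processes outside a constructed trusted set, and caps the journal per process to show the failure mode Webroot warns about: once the journal is full, rollback can no longer be complete and a separate backup is the only recourse. The process names, paths and file contents are constructed.

```python
from collections import defaultdict

# Constructed set of pre-authorized programs whose actions are not journaled.
TRUSTED = {"winword.exe", "excel.exe", "explorer.exe"}


class JournaledStore:
    """In-memory stand-in for a file system that journals untrusted processes' changes for rollback."""

    def __init__(self, max_entries_per_process=1000):
        self.files = {}                      # path -> current bytes
        self.journal = defaultdict(list)     # pid -> [(op, path, previous_content_or_None)]
        self.overflowed = set()              # pids whose journal filled up (rollback will be incomplete)
        self.max_entries = max_entries_per_process

    def _record(self, pid, process, op, path):
        if process in TRUSTED:
            return                           # known good program: not tracked
        if len(self.journal[pid]) >= self.max_entries:
            self.overflowed.add(pid)         # the journal cannot grow without bound
            return
        # Store the content as it was *before* this operation; None means the file did not exist.
        self.journal[pid].append((op, path, self.files.get(path)))

    def write(self, pid, process, path, data: bytes):
        self._record(pid, process, "write", path)
        self.files[path] = data

    def delete(self, pid, process, path):
        if path not in self.files:
            raise FileNotFoundError(path)
        self._record(pid, process, "delete", path)
        del self.files[path]

    def rollback(self, pid):
        """Undo every journaled action of `pid`, newest first.
        Returns (number_of_actions_reverted, complete) where complete is False if the journal overflowed."""
        entries = self.journal.pop(pid, [])
        for _op, path, previous in reversed(entries):
            if previous is None:
                self.files.pop(path, None)   # file was created by the untrusted process: remove it
            else:
                self.files[path] = previous  # file existed: put the original content back
        return len(entries), pid not in self.overflowed


def demo():
    """Constructed scenario: a trusted editor saves documents, an unknown process overwrites,
    deletes and plants files, then the unknown process is judged malicious and rolled back."""
    store = JournaledStore()
    store.write(1, "winword.exe", "/docs/report.docx", b"Q3 report draft")
    store.write(2, "excel.exe", "/docs/budget.xlsx", b"budget rows")
    ciphertext_stand_in = bytes(range(256))                    # constructed stand-in for encrypted output
    store.write(9, "unknown.exe", "/docs/report.docx", ciphertext_stand_in)
    store.delete(9, "unknown.exe", "/docs/budget.xlsx")
    store.write(9, "unknown.exe", "/docs/budget.xlsx.locked", ciphertext_stand_in)
    store.write(9, "unknown.exe", "/docs/README_RESTORE.txt", b"ransom note placeholder")
    reverted, complete = store.rollback(9)
    return store.files, reverted, complete


def overflow_demo():
    """Same idea with a tiny journal: only the first two actions can be undone."""
    store = JournaledStore(max_entries_per_process=2)
    for i in range(3):
        store.write(1, "winword.exe", f"/docs/f{i}.docx", b"original")
    for i in range(3):
        store.write(9, "unknown.exe", f"/docs/f{i}.docx", b"overwritten")
    reverted, complete = store.rollback(9)
    return store.files, reverted, complete


if __name__ == "__main__":
    print(demo())
    print(overflow_demo())
```

Rollback walks the journal newest-first so that a file which was modified twice ends up with its oldest recorded content, and files the untrusted process created (previous content None) are removed rather than restored. The incomplete flag is what a product must surface to the user; silently reporting a partial rollback as a full recovery would be worse than the journal limit itself.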
Anti-Ransomware Tools Tested
You can test ransomware protection by releasing ransomware under controlled conditions and observing how the product responds. This is possible only if the product allows you to turn off its real-time antivirus while keeping ransomware detection active. Testing is easier when the product is dedicated to ransomware protection and does not include a general-purpose antivirus component.
Ransomware samples can be difficult to remove. We run them in a virtual machine without any connection to the internet. Some will not run on a virtual computer; others won’t run without an internet connection. Even so, they can be dangerous. We keep a link to the log folder on the virtual machine host open when analyzing a new sample and deciding whether it should be added to the collection. We’ve seen ransomware samples reach out to us twice now and begin encrypting logs.
KnowBe4 is a training company that helps employees and individuals avoid being hacked. Phishing is one way malware coders distribute ransomware, so developers at KnowBe4 created a ransomware simulator called RanSim. RanSim simulates 10 ransomware attacks, as well as two harmless (but very similar) behaviors. While a high RanSim score is a plus, we don’t consider a low score a negative. RansomFree and other behavior-based systems don’t detect the simulation because it confines its activity to subfolders four levels below the Documents folder, which no real ransomware does.
What’s not here?
This article focuses on ransomware protection options that consumers have access to. We have not included the many free one-off decryption tools, because the tool you need depends entirely on which ransomware encrypted your files. It is better to avoid the attack in the first place.
CryptoPrevent Premium was created in the early days of CryptoLocker and promised several levels of behavior-based ransomware protection. At its highest security level it planted several bait files on the computer. However, many real-world samples got past its detection even at this level. In its current form, we cannot recommend this tool.
We’ve also omitted ransomware solutions aimed at big businesses, which typically require central management or even a dedicated server. Bitdefender GravityZone Elite and Sophos Intercept X, for example, are outside the scope of this review, though they may well be valuable.
A penny of prevention
It is one thing to get your files back after a ransomware attack, but it is better to prevent the attack entirely. There are many ways to keep your files safe. Ransomware protection is a constantly evolving field, and both anti-ransomware utilities and ransomware itself will change over time. ZoneAlarm Anti-Ransomware remains our preferred choice for ransomware-specific security. It identified all ransomware samples (including the disk-encrypting Petya) and repaired all files that were damaged. If your budget doesn’t stretch to a separate tool, consider switching to an antivirus or security suite that offers ransomware-specific protection.