Fighting Back Against Ransomware
According to the 2019 SonicWall Cyber Threat Report, ransomware attacks were up in every geography except India, which saw a 49% reduction, and the U.K. However, India still has a major uphill task in combating malware, where attacks rose by 53% in 2018.
Article By Debasish Mukherjee, Country Director – India & SAARC, SonicWall
Enterprises are increasingly dependent on connectivity, and with that dependence comes cyber safety and security risk. To put this risk in perspective, imagine a bug that can lock you out of your own device, holding your data and personal information hostage. This “bug,” dubbed ransomware, is one of the biggest issues businesses face today.
According to a study by CGI and Oxford Economics, which covered several attacks on 65 listed companies, ransomware attacks tend to lead to a fall in share prices of 1.8% on average.
Cyberattackers primarily use the following vectors to infect a device: compromised websites, phishing emails, unpatched programs, poisoned online advertising and free software downloads.
Examples of such exploits range from a weakness in an unpatched version of Adobe Flash, an old web browser or a bug in Java, to an unpatched, outdated operating system.
Understanding common attack vectors
Email: This is the most common attack vector for ransomware and involves an email attachment disguised as an innocuous file. Hackers often give the file multiple extensions to hide its true nature from the user receiving it. If a user receives an email with an attachment or a link to a software download and opens or installs it without verifying its authenticity, the result can be a direct ransomware infection.
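As an added illustration of the multiple-extension trick described above (example code, not from the article or from SonicWall): a small mail-gateway style check that normalises an attachment name, collapses the whitespace padding used to push the real extension off-screen, and flags names whose final extension is executable behind a document-looking one. The extension sets and sample names are constructed assumptions.

```python
import re

# Extensions that run code when double-clicked on a typical Windows desktop (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "wsf", "hta", "ps1", "msi", "lnk"}
# Extensions attackers borrow so the name looks like a harmless document or image (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def split_extensions(filename):
    """Return the lower-cased extension chain, e.g. 'Invoice.PDF .exe' -> ['pdf', 'exe'].
    Runs of spaces/underscores are collapsed first: they are used to push the real
    extension past the width of the mail client's attachment column."""
    name = re.sub(r"[\s_]+", " ", filename.strip().lower())
    parts = [p.strip() for p in name.split(".")]
    return [p for p in parts[1:] if p]


def attachment_verdict(filename):
    """Classify one attachment name. Returns {'risky': bool, 'reason': str, 'extensions': [...]}."""
    exts = split_extensions(filename)
    if not exts:
        return {"risky": False, "reason": "no extension", "extensions": exts}
    final = exts[-1]
    decoys = [e for e in exts[:-1] if e in DECOY_EXTS]
    if final in EXECUTABLE_EXTS:
        reason = (f"document-looking .{decoys[-1]} hides executable .{final}" if decoys
                  else f"executable attachment .{final}")
        return {"risky": True, "reason": reason, "extensions": exts}
    if decoys and final not in DECOY_EXTS:
        # e.g. quote.pdf.zip: not directly executable, but a document name fronting a container
        return {"risky": True, "reason": f"multiple extensions ending in .{final}", "extensions": exts}
    return {"risky": False, "reason": "no disguised extension", "extensions": exts}


def flag_attachments(filenames):
    """Return {name: reason} for every attachment that should be quarantined for review."""
    flagged = {}
    for name in filenames:
        verdict = attachment_verdict(name)
        if verdict["risky"]:
            flagged[name] = verdict["reason"]
    return flagged


# Constructed sample attachment names (not real mail data)
SAMPLE_ATTACHMENTS = ["Invoice.pdf.exe", "report.docx", "photo.jpg                 .scr",
                      "archive.tar.gz", "setup.msi", "quote.pdf.zip"]
```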
Drive-by-Download: This is another easy modus operandi for attackers. Here, the user visits a compromised website with an old browser or an unpatched third-party application, which can infect the user’s device. The compromised website runs an exploit kit that checks for known vulnerabilities. Often, a hacker discovers an inherent weakness or bug in the software that can easily be exploited to allow the execution of malicious code. Once discovered, such bugs are usually caught and patched quickly by the software vendor, but there is still a window, however small, in which users of the software are vulnerable.
Free Software: Free software is one of the easiest ways to infect a user’s device. This infection comes in many forms, such as free games, “cracked” versions of software or expensive games, game “mods,” adult content or bogus software advertised in such a way that the user will click on the website link. By targeting such users, hackers can easily bypass any email filter or firewall, because the user downloaded the file directly themselves. These are some of the commonplace methods cybercriminals use to install malicious software on a machine in order to exploit vulnerabilities.
How Organizations Can Protect Endpoints from Ransomware
While stopping advanced ransomware attacks requires many strategic security layers, businesses need to close the vulnerability gaps created at endpoints. One such approach is the use of advanced endpoint protection or next-generation antivirus (NGAV) solutions.
For example, Capture Client Advanced endpoint protection monitors all activities and actions on protected devices, maintaining a full storyline of behavioural data. Behavioural AI modules analyse activities as they happen, providing real-time classification of potentially malicious actions. If it reaches a malicious verdict, it can “roll back” the device to its state before the malicious activity, without impacting benign activity on the device.
Capture Client Advanced recovers registry keys (often used by malware for persistence), scheduled tasks and other internal operating system functions. To do this, the rollback feature uses the Microsoft Windows Volume Shadow Copy Service (VSS) instead of relying on limited caches of files saved for an emergency. VSS is built natively into all enterprise-grade Microsoft operating systems.
At the same time, Capture Client Advanced protects VSS to ensure that malicious activity cannot interfere with the ability to roll back its impact. In other words, it keeps shadow copies tamper-proof in the event malware does manage to reach the system.
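Because rollback depends on shadow copies being present, a defender will want to verify that each protected volume still has a recent copy. The following is an added example (not Capture Client or SonicWall code) that parses the output of `vssadmin list shadows` and reports volumes with no copy newer than 24 hours; the sample output, its US date format and the drive letters are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `vssadmin list shadows` output (US date format assumed); not a real capture.
SAMPLE_VSSADMIN_OUTPUT = r"""Contents of shadow copy set ID: {aaaaaaaa-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 5/1/2024 9:00:00 AM
      Shadow Copy ID: {bbbbbbbb-0000-0000-0000-000000000001}
         Original Volume: (C:)\\?\Volume{cccccccc-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Contents of shadow copy set ID: {aaaaaaaa-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 4/20/2024 8:30:00 PM
      Shadow Copy ID: {bbbbbbbb-0000-0000-0000-000000000002}
         Original Volume: (D:)\\?\Volume{cccccccc-0000-0000-0000-000000000002}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
"""
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0)  # constructed "current time" for the sample

CREATED_RE = re.compile(r"creation time:\s*(.+?)\s*$")
VOLUME_RE = re.compile(r"Original Volume:\s*\((\w:)\)")


def parse_shadow_copies(text):
    """Return (drive, creation datetime) pairs, one per shadow copy, from vssadmin output."""
    copies, created = [], None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:  # set header: every Original Volume line that follows belongs to this timestamp
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = VOLUME_RE.search(line)
        if m and created is not None:
            copies.append((m.group(1), created))
    return copies


def rollback_readiness(text, volumes, now=None, max_age=timedelta(hours=24)):
    """Report the age of the newest shadow copy for each volume that should be protected.
    'ready' is True only when a copy newer than max_age exists; a volume with no copy at all
    means shadow copies were deleted or never created, and rollback cannot rely on VSS there."""
    now = now or datetime.now()
    newest = {}
    for drive, created in parse_shadow_copies(text):
        if drive not in newest or created > newest[drive]:
            newest[drive] = created
    report = {}
    for v in volumes:
        if v not in newest:
            report[v] = {"ready": False, "age_hours": None}
        else:
            age = now - newest[v]
            report[v] = {"ready": age <= max_age, "age_hours": round(age.total_seconds() / 3600, 1)}
    return report
```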
Untrained employees are the weakest link against cybercrime. Caution should be exercised when clicking on any links or attachments embedded in emails. For example, when a user visits a website carrying a malicious payload, they could unknowingly download a document containing malicious code. If Capture Client Advanced is already configured, it would immediately block this attack using static AI scanning and behavioural AI models, thereby mitigating the detected actions and process flow.
In this example, rollback also restores the device. The rollback functionality traverses the entire storyline, locating every file that was affected during the infection. Capture Client Advanced then restores each file from VSS storage to its state before the infection.
The user continues working without loss of data. There is no downtime, no data loss and the ransomware problem gets solved.
As technology progresses, so do the ingenuity and sophistication of cyberattacks. While some of the steps mentioned above can help organizations safeguard themselves from cyber risk, to deal with such an eventuality businesses need to invest in new technologies and have a cyberattack readiness plan and a sound, layered security strategy that can help detect and prevent network attacks and data breaches.