Safeguard Your Business from Advanced Malware
26th July 2022

Escape the Ransomware Maze


Ransomware is an ever-evolving form of malware designed to steal business-critical data and then sell it or encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.

Ransomware attacks are dramatically increasing in number and frequency year over year, with high-impact, headline-making incidents continuously growing in volume and scope. Ransomware gangs are also looking at their primary victim’s business partners to pressure them into paying a ransom to prevent data leakages or business disruptions caused by the attack.

Is your Business Adequately Protected?

Ransomware is perhaps the most lucrative method of cybercrime encountered to date, and it marks a distinct shift in how cybercriminals derive value from their victims’ data. With ransomware, attackers no longer need to focus on stealing data they can easily resell; instead they exploit the importance of that data to the victim.

Even though the data may not be sensitive in its content, it may be business-critical for the organisation. By holding the data hostage and demanding a ransom for its return, attackers can monetise data for which they may have had no other use.

This paradigm shift places a host of organisations, many of whom have long felt themselves too small to be an appealing target for cyberattacks, firmly in the crosshairs of cybercriminals.

Ransomware: Behind the Scenes

Today’s cyberattackers use sophisticated tactics to bypass traditional ransomware detection measures and hide in the everyday nature and complexity of their target’s environment. They move through the network seeking to steal data, installing ransomware, encrypting data and wreaking havoc. Once they have what they need, they threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.

Stopping Ransomware with WatchGuard Endpoint Security

Prevent incidents before they happen

With ransomware attacks it is especially important to prevent the attack before it happens. Once the ransomware is inside your organisation and has started encrypting the files on your laptops, computers and servers, it can be too late. The costs associated with a ransomware attack are huge, so the best defense is prevention. Our protection stack combines several protection layers and tens of advanced technologies to protect against ransomware.

Use a strong password manager system

Password security is essential to protecting your organisation’s data, but many companies fail to implement proper password use and management across their teams. This simple line of defense can drastically reduce the chances of a ransomware attack or any other cyberattack. Organisations that prioritise a robust password management system will be more successful in preventing an attack. With Password Manager, admins manage all their passwords under one master key, auto-fill forms for speed and ease, synchronise passwords, update passwords, avoid duplicates, and get military-grade key security.

Implement multi-factor authentication (MFA)

Ransomware attacks typically start with the theft of a user credential that gives an attacker access to the network or a sensitive business account. AuthPoint, our multi-factor authentication (MFA) solution, ensures that attackers can’t get where they don’t belong with stolen credentials alone by requiring additional factors to prove a user’s identity. This minimises the impact of lost and stolen passwords while giving transparency into user access.

Even if one credential becomes compromised, unauthorised users will be unable to meet the second authentication requirement and they will not be able to access the targeted physical space, computing device, network, or database.

Note: Companies looking for cyber insurance will be required to prove they are protecting emails, servers, remote access, and sensitive data with MFA.

Contextual detections

Our Endpoint Security products include behavioral detection to prevent and block fileless attacks based on scripts embedded in Office files as well as attackers using living-off-the-land (LotL) techniques.

It spots the misuse of existing applications at the endpoint that try to bypass the security control and gain access to the system or move laterally to other endpoints. This is highly effective protection against exploits that take advantage of web browser vulnerabilities and other commonly targeted applications such as Java, Adobe Reader, Adobe Flash, Office, etc.

Our products include hundreds of contextual detections to stop attacks based on their context. All of these detections are proactive, as they are not based on signature files or any other reactive technology.

Part of the context is obtained from Windows AMSI (Anti-malware Scan Interface). The use of AMSI provides our solutions with telemetry and additional information about script and macro execution, improving protection without negatively impacting computer performance.

Decoy files

Decoy files act as a honeypot: our solutions deploy specific files on the endpoint and monitor whether they are modified. If one of these files is changed, an event is sent to our behavioral detection engine. The action will most likely be classified as ransomware, and the root process is killed, preventing further encryption of files on the endpoint.
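The decoy-file idea above can be illustrated with a small monitor. The following is an added example written for this page, not WatchGuard's code: it plants a few decoy files (names and contents are constructed), records a hash baseline, and reports which decoys were rewritten or disappeared. Identifying and killing the process that touched the file needs driver-level telemetry and is deliberately out of scope; the example only shows the detection side.

```python
"""Added example (not WatchGuard's code): a minimal decoy ("canary") file monitor."""
import hashlib
import os
import tempfile

# Constructed decoy names chosen to look like ordinary user documents that an
# encryptor walking a profile would touch early. Real products pick their own.
DECOY_NAMES = ["~budget_2022.xlsx", "_invoices_backup.docx", "zz_passwords_old.txt"]
DECOY_CONTENT = b"decoy document - do not modify\n"


def _sha256(path):
    """Hash a file in chunks so large decoys do not need to be read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class DecoyMonitor:
    def __init__(self, directory):
        self.directory = directory
        self.baseline = {}  # path -> (sha256, size) recorded at deployment

    def deploy(self):
        """Write the decoys and record their baseline hash and size."""
        for name in DECOY_NAMES:
            path = os.path.join(self.directory, name)
            with open(path, "wb") as f:
                f.write(DECOY_CONTENT)
            self.baseline[path] = (_sha256(path), os.path.getsize(path))
        return list(self.baseline)

    def check(self):
        """Return (path, kind) alerts; kind is 'modified' or 'missing'."""
        alerts = []
        for path, (digest, size) in self.baseline.items():
            if not os.path.exists(path):
                # Deleted or renamed, e.g. given a new extension after encryption
                alerts.append((path, "missing"))
            elif os.path.getsize(path) != size or _sha256(path) != digest:
                # Content changed in place, e.g. encrypted and rewritten
                alerts.append((path, "modified"))
        return alerts


def demo():
    """Deploy decoys in a temp dir, simulate tampering, return (before, after) alerts."""
    with tempfile.TemporaryDirectory() as d:
        mon = DecoyMonitor(d)
        paths = mon.deploy()
        before = mon.check()
        # Simulate what a behavioural engine would see: one decoy overwritten
        # in place, another renamed. This only touches files in the temp dir.
        with open(paths[0], "wb") as f:
            f.write(b"\x00" * 64)
        os.rename(paths[1], paths[1] + ".locked")
        after = mon.check()
        return before, after


if __name__ == "__main__":
    print(demo())
```

A production monitor would watch the decoys with a filesystem change notification rather than polling hashes, and would treat any write to a decoy as suspicious regardless of who performed it, since no legitimate process should ever touch these files.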

Anti-exploit technology

Anti-exploit technology is an important protection to prevent lateral movements by adding virtual patching capabilities to our EDR solutions. It complements Patch Management solutions by protecting against unpatched applications or those applications that have reached the end of their maintenance period, such as Windows XP or Windows 7.

Unlike other solutions, our anti-exploit includes generic detections based on the anomalous behavior of exploited processes.

Zero-Trust Application Service

Our EDR products are the only solution on the market that classifies 100% of running processes. Any unknown application is blocked until it is validated as trustworthy by our machine-learning technologies (99.98%) or by our cybersecurity experts worldwide (0.02%). All of this is done in real time for unknown applications, with the flexibility of adding authorised software through granular rules for organisations that build their own software.

This protection layer allows us to have malware-based attacks under control, and it is essential for already-infected organisations to stop lateral-movement attacks inside the network.

RDP protection

RDP protection is part of the Threat Hunting Service, and it is available to all customers acquiring our EDR solutions. Among the cyberattacks that target companies, RDP brute-force attacks are the most frequently used by adversaries, especially where systems are directly exposed to the Internet. Our EDR solution detects and protects network computers against attacks that use RDP (Remote Desktop Protocol) as an infection vector.

When a computer protected by our solutions receives many RDP connection attempts that fail due to invalid credentials, the protection software puts the computer into Initial RDP attack containment mode. In this mode, RDP access to the computer is blocked from IPs outside the customer network that have sent a large number of connection attempts over the last 24 hours.

If a computer protected by our EDR solutions receives a successful login attempt from an account that previously failed due to invalid credentials, the account is considered to have been compromised. As a mitigation mechanism, all external RDP connections that have tried to connect at least once with the target computer in the previous 24 hours are blocked.
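The two containment rules described above (block an external IP after many failed RDP logons in 24 hours; treat an account as compromised when it succeeds after failing, and then block every external IP that attempted RDP in that window) are a detection pipeline that can be replayed over logon events. The following is an added example for this page, not WatchGuard's implementation: it runs both rules over a constructed log of Windows Security events 4625 (failed logon) and 4624 (successful logon). The line format, the internal network ranges and the failure threshold of 5 are assumptions; the page only says "a large number" of attempts.

```python
"""Added example (not WatchGuard's code): replaying the page's two RDP containment rules."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Assumed line format:
#   "<ISO timestamp> <EventID> <account> <source IP>"
# using Windows Security event IDs 4625 (failed logon) and 4624 (successful
# logon); every line is taken to be an RDP (logon type 10) attempt.
SAMPLE_LOG = """\
2022-07-26T08:00:00 4625 jsmith 203.0.113.10
2022-07-26T08:00:05 4625 jsmith 203.0.113.10
2022-07-26T08:00:11 4625 administrator 203.0.113.10
2022-07-26T08:00:17 4625 administrator 203.0.113.10
2022-07-26T08:00:23 4625 backup 203.0.113.10
2022-07-26T08:01:00 4625 jsmith 198.51.100.7
2022-07-26T08:30:00 4625 helpdesk 10.0.0.5
2022-07-26T09:00:00 4624 jsmith 198.51.100.7
"""

# Assumed customer network ranges; anything else is "outside the customer network".
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
FAILURE_THRESHOLD = 5          # assumed value for "a large number of attempts"
WINDOW = timedelta(hours=24)   # the 24-hour look-back the page describes


def parse_log(text):
    """Turn the constructed log lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split()
        events.append({"time": datetime.fromisoformat(ts),
                       "event_id": int(event_id),
                       "account": account,
                       "src": ipaddress.ip_address(src)})
    return sorted(events, key=lambda e: e["time"])


def is_external(ip, internal_nets=INTERNAL_NETWORKS):
    return not any(ip in net for net in internal_nets)


def evaluate(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Replay events in order and apply both rules.

    Rule 1: an external IP with >= threshold failed logons inside the window
            triggers 'Initial RDP attack containment mode' and is blocked.
    Rule 2: a successful logon by an account that failed earlier marks the
            account compromised and blocks every external IP that attempted
            RDP inside the window.
    """
    result = {"containment_mode": False,
              "blocked_ips": set(),
              "compromised_accounts": set()}
    attempts = defaultdict(list)   # external IP -> times of any attempt
    failures = defaultdict(list)   # external IP -> times of failed attempts
    failed_accounts = set()

    for e in events:
        cutoff = e["time"] - window
        external = is_external(e["src"])
        if external:
            attempts[e["src"]].append(e["time"])

        if e["event_id"] == 4625:
            failed_accounts.add(e["account"])
            if external:
                failures[e["src"]].append(e["time"])
                recent = [t for t in failures[e["src"]] if t >= cutoff]
                if len(recent) >= threshold:
                    result["containment_mode"] = True
                    result["blocked_ips"].add(str(e["src"]))

        elif e["event_id"] == 4624 and e["account"] in failed_accounts:
            result["compromised_accounts"].add(e["account"])
            for ip, times in attempts.items():
                if any(t >= cutoff for t in times):
                    result["blocked_ips"].add(str(ip))
    return result


def rdp_allowed(result, src, internal_nets=INTERNAL_NETWORKS):
    """Would an RDP connection from src be accepted under the computed state?"""
    ip = ipaddress.ip_address(src)
    if not is_external(ip, internal_nets):
        return True                       # internal hosts are never blocked
    return str(ip) not in result["blocked_ips"]


if __name__ == "__main__":
    print(evaluate(parse_log(SAMPLE_LOG)))
```

On the sample, 203.0.113.10 trips rule 1 after its fifth failure, and jsmith's later success from 198.51.100.7 trips rule 2, so both external addresses end up blocked while the internal helpdesk host is untouched. Note that rule 2 as stated on the page also matches a legitimate user who mistypes a password once and then logs in; whatever tolerance a real deployment applies to that case is not described here.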

Anti-malware technologies

As many other next-gen antivirus solutions do, our Endpoint Security solutions include signature files, real-time access to our Collective Intelligence, and heuristic technologies using deep learning to prevent ransomware attacks that do not use LotL (living-off-the-land) techniques.

Anti-tampering protection

Many ransomware attacks will attempt to freeze the protection installed on endpoints before they try to spread over the network and encrypt files across the whole organisation. It is crucial to include anti-tamper protection against hackers trying to stop or suspend services and processes.

Our anti-tampering protection uses proprietary technologies, and it also leverages the ELAM (Early Launch Anti-Malware) technology included in Windows 10, Server 2019, or higher operating systems.

Patch to reduce the attack surface

Hackers are constantly looking for holes and backdoors to exploit. You’ll minimise your exposure to known vulnerabilities by vigilantly updating your systems. Ransomware like WannaCry and Petya relied on unpatched vulnerabilities to spread around the globe. The Locky and Cerber ransomware attacks used a flaw in Adobe Flash to distribute themselves to victim workstations.

You can prevent many attacks by ensuring that operating systems and third-party applications are updated and patched. It is essential to patch early and patch often, at least once a month, for critical vulnerabilities.

Anti-phishing protection

Phishing via email is one of the most common methods for starting a ransomware attack. Blocking phishing URLs will help reduce the likelihood that a user clicks a link they shouldn’t.

Threat Hunting service

Even a robust EDR solution can’t rely on prevention technologies for all detections; sometimes it just takes a human brain to spot a hacker, especially since the advent of fileless living-off-the-land attacks.

Our Threat Hunting Service identifies abnormal behavior and suspicious activity and categorises them as indicators of attack (IoAs) with a high degree of confidence and without false positives. Usually, these are attacks at an early stage or at the exploitation stage that do not use malware.

We recommend that you contain or remediate them as soon as possible.

Broad Platform Support

Your security is as strong as the weakest point in your organisation’s security infrastructure, so it is critical to keep every single endpoint protected.

We support legacy systems starting with Windows XP, and we support systems based on both Intel and ARM processors.

In addition to Windows, we support macOS and a broad set of distributions in Linux, Android and iOS devices.

Isolate your endpoints to contain the attack

In the event of a ransomware infection, the attacker tries to infect the entire network. You can contain the attack by isolating the affected endpoints, preventing lateral movement from one machine to another by exploiting vulnerabilities, using stolen credentials, copying itself over the SMB protocol, etc.

You should also patch as quickly as possible to minimise the impact of the attack and reduce the number of files encrypted in your organisation.

Isolated computers can communicate with our servers so you can still manage the security of all the endpoints. You can even add some exceptions and allow them to communicate with specific processes that you need for remediation purposes.

Activate all the prevention technologies

Ensure that all the protection layers mentioned above are active and that Lock mode is enabled in the advanced protection, so that no unknown application is allowed to execute, regardless of where it comes from.

Apply remediation actions with ‘shadow copies’

Many ransomware attacks go one step further, and apart from encrypting files, they try to destroy all kinds of backups created by the customers.

With our endpoint security solution, you can create shadow copies leveraging the operating system technology, and we will protect them using our anti-tampering technology so you will be able to recover the information after a ransomware infection.

IT professionals use the shadow copies to recover files from critical system failures, but it is also an excellent technology for recovering files encrypted by ransomware.

Unlike other solutions that copy each encrypted file and consume a lot of disk space, shadow copies are optimised to save only the differences, so the chances of running out of disk space are minimal. Our solution allows you to configure the percentage of disk space dedicated to shadow copies, although the 10% allocated by default should be sufficient in most cases.

Ransomware attacks are growing and are more sophisticated than ever. They are a sustainable and lucrative business model for cybercriminals. In some cases it is easier and cheaper to pay the ransom than to recover from backup, but paying the ransom does not guarantee that a victim’s files will be recovered or that the system will be accessible, and the endpoint will still be infected.

Traditional protection methods relying on malware signatures are not enough against ransomware threats. Indeed, attackers design their ransomware to bypass conventional protection layers. These threats should be managed with a comprehensive security solution that responds to the latest threats.