Why UBA Will Catch the Zero-Day Ransomware Attacks (That Endpoint Protection Can’t)


Ransomware attacks have become a major security threat. It feels like each week a new variant is announced – Ransom32, 7ev3n. This malware may even be involved in the next big breach. New variants such as Chimera threaten not just to ransom your data, but also to leak it online if you don’t pay up.

These cyber extortionists are not exactly the most scrupulous people, and so who’s to say they won’t sell your data online even if you pay the ransom? They don’t have to offer a Terms of Service agreement!

Let’s face it: they have a really good business model.

What’s the Signature?

Some have turned to endpoint security solutions in the hope that it will detect and stop crypto-malware. However, the industry is catching on to the fact that, as one observer put it, “signature-based antivirus software that most organizations still rely on to defend them can’t cope with modern attacks.”

A recent CIO article described the drawback best:

“… while a signature-based approach reduces the performance hit to the systems on which it runs, it also means somebody has to be the sacrificial sheep. Somebody has to get infected by a piece of malware so that it can be identified, analyzed and other folks protected against it. And in the meantime the malefactors can create new malware that signature-based defenses can’t defend against.”

Bottom line: endpoint security solutions can’t block unknown ransomware variants by, for example, blacklisting connections to a current (but outdated) list of C&C servers. They’re also bound to a device/user/process, and so don’t provide any anti-heuristics or debugging techniques.

Ransomware Prevention that Works

If endpoint security tools won’t help prevent ransomware, what will?

Northeastern University’s latest ransomware research paper, Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, analyzed 1,359 ransomware samples and found that a “close examination on the file system activities of multiple ransomware samples suggests that by… protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.”

Is there a technology that will protect your file systems based on this idea?

Answer: User Behavior Analytics (UBA). It’s an essential ransomware prevention measure.

UBA compares what users on a system normally do (their activities and file access patterns) against the non-normal activities of an attacker who has stolen internal credentials. First, the UBA engine monitors normal user behavior by logging each individual user’s actions: file access, logins, and network activities. Then, over time, UBA derives a profile that describes what it means to be that user.

Identifying Ransomware with Varonis Automated UBA Threat Models

Without any configuration, Varonis UBA threat models spot the signs of ransomware activity — when files are being encrypted — and therefore can stop these attacks without having to rely on a static list of signatures.

Once detected, a combination of automated steps can be triggered to prevent the infection from spreading: for example, disabling the infected user, the infected computer, network drives on the infected machine, or the NIC.
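To make the profiling-then-comparison idea above concrete, here is a small added example (not Varonis code, and not from the research paper) that learns each user’s normal rate of file writes from constructed audit records and then flags a minute in which that user suddenly writes or renames far more files than their baseline, also reporting file extensions never seen for that user before, the kind of signal a bulk-encryption run produces. The log format, user names and thresholds are all assumptions for the demonstration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed audit records, 'HH:MM,user,action,path' (not real data).
# Baseline: alice writes about one document per minute for ten minutes.
BASELINE_LOG = "\n".join(
    f"08:{m:02d},alice,write,docs/report{m}.docx" for m in range(10)
) + "\n08:03,alice,write,docs/budget.xlsx\n08:07,alice,read,docs/notes.txt"
# Later window: twelve renames to an unfamiliar extension inside one minute.
WINDOW_LOG = "\n".join(
    f"09:15,alice,rename,docs/file{i}.docx.locked" for i in range(12)
) + "\n09:15,bob,write,docs/memo.docx"

def parse(log):
    """Split raw lines into (minute, user, action, path) tuples."""
    return [tuple(line.split(",")) for line in log.strip().splitlines()]

def _write_activity(rows):
    """Per user: {minute: count} of write/rename events, plus extensions touched."""
    counts, exts = defaultdict(Counter), defaultdict(set)
    for minute, user, action, path in rows:
        if action in ("write", "rename"):
            counts[user][minute] += 1
            exts[user].add(path.rsplit(".", 1)[-1].lower())
    return counts, exts

def build_profile(rows):
    """Learn each user's normal write rate (mean/stdev per active minute)
    and the extensions they normally touch."""
    counts, exts = _write_activity(rows)
    profile = {}
    for user, per_minute in counts.items():
        vals = list(per_minute.values())
        profile[user] = {"mean": mean(vals), "sd": pstdev(vals), "exts": exts[user]}
    return profile

def detect(profile, rows, sigma=3.0, min_burst=10):
    """Flag minutes where a user's write/rename count exceeds mean + sigma*sd
    (floored at min_burst, which also covers users with no profile) and list
    any extensions not seen in their baseline."""
    counts, exts = _write_activity(rows)
    alerts = {}
    for user, per_minute in counts.items():
        base = profile.get(user, {"mean": 0.0, "sd": 0.0, "exts": set()})
        threshold = max(min_burst, base["mean"] + sigma * base["sd"])
        hits = [(m, n, sorted(exts[user] - base["exts"]))
                for m, n in per_minute.items() if n >= threshold]
        if hits:
            alerts[user] = hits
    return alerts
```

Running `detect(build_profile(parse(BASELINE_LOG)), parse(WINDOW_LOG))` returns `{'alice': [('09:15', 12, ['locked'])]}`: alice’s burst of twelve renames to a never-before-seen extension is flagged, while bob’s single write stays under the floor. An alert like this is the trigger for the automated responses described above, such as disabling the user or the network drives on the affected machine.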

Interested in seeing UBA in action? Let’s talk.
