Part one in this series described the threat of ransomware and looked at user education and cloud-based file sync and backup solutions as possible defenses. In this post, I’ll provide some analysis and opinions about antivirus software as well as other, stronger defenses against this growing threat.
Traditional antivirus software
Many organizations rely upon traditional antivirus software to protect against malware, including ransomware. This works well against samples the organization’s chosen antivirus vendor or vendors have already seen and written a signature for.
However, today’s malware is highly dynamic: ransomware is routinely repacked or otherwise modified before or between attacks, so each victim tends to receive a sample with a different hash. The Verizon 2015 Data Breach Investigations Report found that 70 to 90 percent of malware samples are unique to a single organization.
This dynamism makes it highly likely that signature-based antivirus alone will not detect and block the particular ransomware sample that attacks your organization.
Advanced antivirus software
Newer antivirus solutions use so-called heuristic techniques, based on decision rules or weighting criteria, to analyze and defend against previously unknown instances and variants of malware, including ransomware.
Numerous startups and younger vendors, such as SentinelOne, provide offerings based on behavioral algorithms that can detect ransomware and other malware and block it before it executes. However, not even these advanced antivirus alternatives are entirely bulletproof: developers of ransomware and other malware can work out which heuristics a product uses and craft samples that avoid them.
Can containers contain malware?
So-called container solutions isolate applications running on network endpoints from the rest of the OS and the corporate network. If a user falls for a ransomware attack, the ransomware runs only inside the application’s designated container, infecting the container but leaving the rest of the system unharmed. Note that the protection reaches only as far as the container policy does: any location the contained application is still allowed to write to, such as a shared download folder or a mapped drive, remains exposed.
The container can then be wiped and restored so the user can continue to work with only minimal interruption. Bufferzone, a leading provider of container solutions, is both a LANDESK One technology partner and a Shavlik partner.
The main purpose of file-encrypting ransomware is to encrypt the victim’s files, and Microsoft Office documents are a favorite target (ransomware is typically built with a list of the file extensions it goes after). A good method to protect against ransomware is, therefore, to stop those documents from being encrypted in the first place.
Solutions such as LANDESK Security Suite (LDSS) enable IT and security admins to ensure that designated documents or file types simply cannot be encrypted, whether by ransomware or even by legitimate encryption tools.
For example, a simple rule can be defined within LDSS to allow only Microsoft Word to modify .doc or .docx files. Even if ransomware infects a user endpoint, it will not be able to encrypt those Word documents: the most recent versions remain intact, and the user stays productive because she can keep working on them without restoring an older version from backup. Such a rule must cover renaming and deleting as well as writing, because many ransomware families do not encrypt a file in place but write an encrypted copy under a new name and then delete the original.
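As an added example that is not LANDESK Security Suite configuration: the same “only the document editor may touch the documents” policy, expressed with Windows Defender Controlled Folder Access, which ships with Windows 10 1709 and later. Controlled Folder Access scopes the rule by folder rather than by file extension, and it covers creation, rename and deletion as well as in-place writes. The folder paths, the Office install path and the user name below are assumptions for the illustration.

```powershell
# Added example, not LANDESK code. Run in an elevated PowerShell on a Windows 10
# 1709+ endpoint with Microsoft Defender Antivirus active.

# Folders holding the documents to protect (assumed paths). Documents, Desktop and
# Pictures are already protected by default once the feature is on.
$protectedFolders = @('D:\Projects', 'C:\Users\alice\Contracts')

# Only these programs may create, modify, rename or delete files in those folders.
# Assumed Office path; confirm on the endpoint with (Get-Process WINWORD).Path while
# Word is open.
$allowedEditors = @(
    'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE',
    'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
)

# 1. Start in audit mode so legitimate tools (backup agents, sync clients) that would
#    have been blocked show up as event 1124 instead of breaking.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolders
Add-MpPreference -ControlledFolderAccessAllowedApplications $allowedEditors

# 2. After a few days, review what would have been blocked (1124 = audited,
#    1123 = blocked once enforcing) and allow-list any legitimate process you find.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 100 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message

# 3. Enforce, then confirm the effective configuration.
Set-MpPreference -EnableControlledFolderAccess Enabled
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications
```

Two limits worth knowing before relying on this: documents saved outside the listed folders (an unlisted network share, a temp directory) get no protection, and the allowed editors are trusted unconditionally, so ransomware that runs inside Word itself, for instance as a macro, is not stopped by this rule any more than by the LDSS rule above.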
The best method to protect against any malware, and specifically ransomware, is to embrace a whitelisting solution. With whitelisting, users can only run authorized applications that are on the list. This eliminates the possibility of running executable ransomware, since no ransomware will appear on a list of authorized applications. The list must also cover script hosts and interpreters (or the scripts they are allowed to run), because ransomware delivered as an Office macro or a script executes inside an application that is itself authorized.
Creating the list of authorized applications may be time-consuming, but the right tools can make the task easier and faster to complete. With LANDESK Security Suite, for example, IT or security administrators can create whitelists automatically by using the included application reputation database, or by using so-called gold images of legitimate applications.
But even if you must create your whitelists manually, the protections they can provide are worth the effort.
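One way to build a whitelist from a gold image with tools already in Windows, as an added example (Windows AppLocker driven from PowerShell, not the LANDESK Security Suite workflow described above). It inventories the reference image’s program directories, emits publisher rules for signed files and hash rules for the rest, tests the resulting policy against a file in a user-writable folder, and only then applies it. The directory list, the output path and the test file path are assumptions.

```powershell
# Added example, not LANDESK/Shavlik code. Run elevated on a clean, fully patched
# reference machine (the "gold image") running an edition that supports AppLocker.
Import-Module AppLocker

# Program locations on the gold image (assumed; extend for line-of-business apps).
$goldDirs  = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')
$policyXml = 'C:\Temp\AppLocker-Whitelist.xml'   # assumed output path

# 1. Inventory executables, installers and scripts on the image. Each object carries
#    the file's publisher (if signed) and its hash, which the rule generator uses.
$inventory = foreach ($dir in $goldDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, WindowsInstaller, Script
}

# 2. Generate rules: publisher rules for signed files (they survive patching), hash
#    rules for unsigned ones (regenerate when the file changes). -Optimize merges
#    files from the same publisher/product into a single rule.
$inventory |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Dry-run the policy against something not on the list, e.g. an attachment a user
#    saved to a temp folder (assumed path). Expect PolicyDecision = DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone `
    -Path 'C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe'

# 4. Deploy. Set the EnforcementMode attribute of each RuleCollection in the XML to
#    "AuditOnly" first and watch event ID 8003 in the "AppLocker/EXE and DLL" log for
#    legitimate software you missed; switch to "Enabled" once that log is quiet.
Set-AppLockerPolicy -XmlPolicy $policyXml
sc.exe config appidsvc start= auto    # Application Identity service must run for AppLocker
Start-Service -Name AppIDSvc
```

The inventory of C:\Windows will include script hosts and other dual-use tools (PowerShell, cscript, mshta and the like); because the Script collection is generated from the same scan, only scripts present on the gold image are allowed through those hosts, but review the generated rules and add deny rules for interpreters your users do not need.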
Whatever you do, do it now!
Ransomware is increasingly common and infects organizations large and small. It is not a question of if ransomware will reach your organization; it is a question of when.
The sooner you and your colleagues take effective steps to defend against this potent threat, the less likely your organization is to become a ransomware victim. Start today by evaluating the protection tools you already have and activating as much protection as possible, using the options above as a guide.