Which solution works well in the fight against ransomware?

Rapid propagation of ransomware-family malware is no longer an extraordinary security incident. It is estimated that within the first few days of the malicious campaign, the WannaCry ransomware managed to encrypt over 200,000 end users running a Windows operating system, including many public- and private-sector companies from around the world. Poland was only grazed: CERT Polska estimates that it accounted for about 0.65% of all infections, or about 1235 unique IP addresses belonging to the Polish address pool. In turn, anonymized Check Point statistics from that vendor's devices indicate several hundred attacks on unique IP addresses in Poland.

The map is available at: https://attacks.mgmt.cloud

The attack was not as advanced as some "non-technical" media paint it. It used a known vulnerability in the SMB 1.0 (Server Message Block) protocol. This allowed the worm to spread to further computers on the internal network and beyond, provided that port 445 was forwarded to a public IP address, in other words, that it was reachable from the outside. Honeypots (trap machines), which are very useful for collecting malware samples for testing, for learning malware analysis and for analyzing network attacks, are exposed in the same way.

The described scale of the WannaCry ransomware incident was not the result of a sophisticated attack, but of ignoring (for months or even years) the golden rules of security. Routine took precedence over common sense:

  • the need to update software (not only the antivirus) was forgotten or ignored,
  • operating systems were not updated, whether because of costs, specific requirements of the work environment, required certifications, or a lack of vendor support for specialized software written for Windows XP,
  • unnecessary protocols were exposed "to the outside", intentionally or unknowingly.
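The last point above (a file-sharing protocol reachable from the Internet) is something a defender can check from firewall records. The script below is an added example for this article, not code from AVLab or any vendor quoted in it: it parses connection records and flags every allowed TCP connection to port 445 whose source lies outside the organization's own address space. The log format, the sample lines and the list of "own" networks (with 192.0.2.0/24 standing in for the organization's public prefix) are constructed assumptions; adapt the regular expression to your firewall's real export format.

```python
"""Flag firewall records showing TCP/445 (SMB) reachable from outside the organization.

Added example for this article, not code from AVLab or any vendor quoted in it.
Log format, sample lines and the list of internal networks are constructed.
"""
import ipaddress
import re
from typing import List, NamedTuple

# Constructed IPv4 sample export: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2017-05-12T10:01:03Z ALLOW TCP 203.0.113.45:51234 -> 192.0.2.10:445
2017-05-12T10:01:04Z ALLOW TCP 10.0.0.23:49812 -> 10.0.0.5:445
2017-05-12T10:01:05Z ALLOW TCP 198.51.100.7:40000 -> 192.0.2.10:443
2017-05-12T10:01:06Z DENY TCP 198.51.100.9:40001 -> 192.0.2.10:445
2017-05-12T10:01:07Z ALLOW TCP 198.51.100.12:40002 -> 192.0.2.10:445
"""

# Address space considered "ours": RFC 1918 ranges, loopback, and (assumption)
# 192.0.2.0/24 standing in for the organization's own public prefix.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "192.0.2.0/24")
]

SMB_PORT = 445

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


class Finding(NamedTuple):
    timestamp: str
    src: str
    dst: str


def is_external(addr: str) -> bool:
    """True when addr lies outside every network in INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def find_exposed_smb(log_text: str, port: int = SMB_PORT) -> List[Finding]:
    """Return allowed TCP connections to `port` that come from external addresses.

    A DENY record is the firewall doing its job. An ALLOW from an external
    source means the service is reachable from the Internet, which is the
    condition the article names for WannaCry's spread beyond the internal network.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected export format; skip
        if m["action"] != "ALLOW" or m["proto"] != "TCP":
            continue
        if int(m["dport"]) != port:
            continue
        if is_external(m["src"]):
            findings.append(Finding(m["ts"], m["src"], m["dst"]))
    return findings


if __name__ == "__main__":
    for f in find_exposed_smb(SAMPLE_LOG):
        print(f"{f.timestamp}: SMB on {f.dst} reached from external host {f.src}")
```

Run against the constructed sample, the two ALLOW records from outside the organization's ranges are reported while the internal-to-internal SMB connection and the denied attempt are not; the `port` parameter lets the same logic be pointed at any other service that should never be exposed.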

Fake decrypters for files encrypted by WannaCry can be found on the Internet. They are fakes, that is, yet another piece of malware. So far, no one has found a flawed cipher implementation in the WannaCry code, so all such claims should be treated as untrue and approached with common sense.

The only proven and working decrypter is WanaKiwi. To decrypt files, two conditions must be met, which you can read about in the article "Decrypting files after WannaCry ransomware attack is possible, see how to do it".

A duel of vendors

With regard to protection against ransomware, we asked several security software vendors what they have to offer their customers. Here are the questions:

1. When a victim becomes the target of an attack that uses a previously unknown ransomware sample, why do security solutions still have trouble detecting the threat before it begins encrypting files? Our large ransomware protection test showed that vendors' assurances of excellent protection against this type of pest often miss the truth. Everyday incidents, which we learn about from our readers and partners, confirm this as well: even the biggest players in the antivirus industry fail to block a new ransomware sample.

2. As a company providing security solutions to the consumer and business markets, what can you offer your customers? Are you confident in your software when it comes to ransomware?

3. Backup is very important, and not only because of ransomware attacks. Do you already have, or do you plan to create, a complete solution that consolidates the creation of file and/or system backups with antivirus protection? Would such a product make sense?

4. WannaCry ransomware has infected many systems older than Windows 7. Are customers running obsolete Windows XP, Vista and unsupported Windows Server systems doubly affected in this case? (Firstly, Microsoft no longer supports these systems; secondly, is the antivirus software outdated too? Virus databases are not everything.)

5. What are the biggest challenges facing your software engineers today? What plans do you have for the development of your products?

On the last page we recommend specific products for protection against ransomware.

Kaspersky Lab

1. When a victim becomes the target of an attack that uses a previously unknown ransomware sample, why do security solutions still have trouble detecting the threat before it begins encrypting files?

In the case of new malicious programs (which have not yet been analyzed in the antivirus laboratory), the effectiveness of a given security solution will depend directly on the quality of its proactive mechanisms (heuristics, detection based on behavior in the system, emulation of suspicious objects, etc.). If these mechanisms are effective and supported by the work of analysts, there is a very good chance of detecting a previously unknown threat. This effectiveness can be further enhanced by using a cloud, which allows for a faster response. Why do some security solution vendors have bigger problems with this than others? Perhaps it is a matter of insufficient investment in research and development departments.

2. As a company providing security solutions to the consumer and business markets, what can you offer your customers? Are you confident in your software when it comes to ransomware?

Our consumer and business products are equipped with the constantly developed System Control module, which allows detection of unknown threats (including ransomware), as well as rolling back actions performed by malware, if one occurs. This module was able to detect the WannaCry threat, for example, before the antivirus databases were updated. Generally speaking, our technologies effectively protect clients from ransomware threats, which is confirmed by professional tests, including a recent study carried out by AVLab.pl.

3. Backup is very important, and not only because of ransomware attacks. Do you already have, or do you plan to create, a complete solution that consolidates the creation of file and/or system backups with antivirus protection? Would such a product make sense?

At the moment, our consumer product Kaspersky Total Security has a built-in backup function. It is fully integrated with the product - it is one of the additional modules, complementing the protection.

4. WannaCry ransomware has infected many systems older than Windows 7. Are customers running obsolete Windows XP, Vista and unsupported Windows Server systems doubly affected in this case? (Firstly, Microsoft no longer supports these systems; secondly, is the antivirus software outdated too? Virus databases are not everything.)

No official support for Windows XP means that its users are left to themselves in terms of security. Although Microsoft rose to the task and made available for this system a patch that removes the vulnerability used by WannaCry, there is no guarantee that this will be the case in the future. Therefore, we recommend abandoning this system and switching to newer solutions, and if there is no way out (when using Windows XP is necessary in the given circumstances), it is necessary to apply a modern security solution that supports this system. Our current versions of products for home users continue to fully support this system. In the context of WannaCry, it is worth noting that patching the vulnerability will prevent infection through it, but the absence of the vulnerability does not mean that the encryption tool cannot be run when it is delivered in a different way, i.e. when a user makes a mistake, e.g. by clicking a suspicious link, launching an attachment from an untrustworthy e-mail, etc.

5. What are the biggest challenges facing your software engineers today? What plans do you have for the development of your products?

An ideal security solution is one that detects all threats, does not generate any false alarms and does not burden the protected system in any way. Of course, such a technology does not exist today, but our biggest challenge is to approach this ideal as closely as we can. In addition, we face the challenge of providing protection for critical infrastructure, the Internet of Things, modern cars and financial organizations, and we actively fight APT and DDoS attacks. It is difficult to identify one aspect that is the biggest challenge.

Arcabit

1. When a victim becomes the target of an attack that uses a previously unknown ransomware sample, why do security solutions still have trouble detecting the threat before it begins encrypting files?

The problem of less than 100% effectiveness in the detection of various types of threats by protective software is very extensive and can be considered from various points of view: commercial, marketing, strategic and, above all, technical. Focusing on the technical level, we must distinguish several separate issues limiting the effectiveness of protective solutions:

  • Cybercriminals and malware writers have access to the protection solutions operating on the market and may, as part of the process of creating and propagating malicious applications, modify the code and mechanisms used so that protective solutions do not detect them and (while they are in operation) do not classify the operations performed by them as harmful. There is a colossal number of "obfuscation" mechanisms, both for the code itself and for the way malware functions in the system.
  • The necessity to work out a reasonable compromise between the effectiveness of detection (especially the so-called behavioral one) and the level of the threat of false alarms and their possible negative consequences. An example in the context of crypto-ransomware is blocking the operation of applications that change the format of files on the disk (this of course applies to files that have a defined, recognizable format). For example, a JPEG file stops being a JPEG file. However, it is necessary to exclude intentional operations, that is:
    • changing the JPEG format to PNG,
    • or file encryption with legitimate data encryption applications.

The risk of false alarms is significant in this case, and losses caused by false indication of malicious activity and blocking operations can be very severe.

  • The need to maintain a reasonable level of resource use by security software - users will reject a solution that requires additional tens of percent of the processor's power for an additional few percent of effectiveness. This is especially true for older machines.
  • The scale of the phenomenon - one must be aware that even a detection efficiency in any test at the level of, e.g., 99% (abstracting from the method of demonstrating such a level of detection, which is a separate issue) means that for a set of 100,000 malware samples (and this is not at all a large number of samples), the antivirus will statistically be unable to block 1000 samples. In the context of crypto-ransomware, one sample is enough to encrypt or destroy data.

The conclusion here is natural: you need to look for other solutions that will complement the detection mechanisms, even the most advanced ones.
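Arcabit's second point above, the trade-off between catching a file that "stops being a JPEG" and tolerating a legitimate JPEG-to-PNG conversion or a user's own encryption tool, can be made concrete. The following is an added example for this article, not Arcabit's code nor any vendor's: it compares a file's new content against the format its extension promises, treats a switch to another recognizable format as a conversion, exempts an allow-list of trusted writer processes, and raises an alarm only when the content has become high-entropy noise. The magic numbers are the real ones for the listed formats; the sample files, the process names and the entropy threshold are constructed assumptions.

```python
"""Behavioral check: did a write turn a recognizable file into high-entropy noise?

Added example for this article; not Arcabit's code nor any vendor's.
Magic numbers are real; sample data, process names and the threshold are
constructed assumptions for illustration.
"""
import math
import random
from collections import Counter
from typing import Dict, FrozenSet, Optional

# Real magic prefixes for a few common formats.
MAGIC: Dict[str, bytes] = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
}
# Which format an extension promises (DOCX is a ZIP container).
EXT_TO_FORMAT: Dict[str, str] = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
    "pdf": "pdf", "zip": "zip", "docx": "zip",
}
# Assumption: encrypted or compressed data sits close to 8 bits/byte.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> Optional[str]:
    """Name of the first format whose magic prefix matches, or None."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def assess_write(filename: str, new_content: bytes, writer: str = "",
                 trusted_writers: FrozenSet[str] = frozenset()) -> str:
    """Classify a completed write to `filename`.

    Returns one of:
      "untracked"         extension has no defined format, nothing to compare
      "ok"                content still matches the promised format
      "converted"         content is another known format (e.g. JPEG -> PNG)
      "trusted_writer"    unrecognized content, but written by an allow-listed tool
      "encrypted_suspect" unrecognized, high-entropy content: raise the alarm
      "unknown"           unrecognized but low-entropy content: log, do not block
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXT_TO_FORMAT.get(ext)
    if expected is None:
        return "untracked"
    actual = identify(new_content)
    if actual == expected:
        return "ok"
    if actual is not None:
        return "converted"
    if writer in trusted_writers:
        return "trusted_writer"
    if shannon_entropy(new_content) >= ENTROPY_THRESHOLD:
        return "encrypted_suspect"
    return "unknown"


def pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample writes.
SAMPLE_NOISE = pseudo_random_bytes(4096, 1234)
SAMPLE_JPEG = MAGIC["jpeg"] + b"\xe0\x00\x10JFIF" + b"\x00" * 64
SAMPLE_PNG = MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 64
TRUSTED = frozenset({"legit-encryptor.exe"})  # constructed allow-list

if __name__ == "__main__":
    for name, data, writer in [
        ("photo.jpg", SAMPLE_JPEG, "viewer.exe"),
        ("photo.jpg", SAMPLE_PNG, "converter.exe"),
        ("photo.jpg", SAMPLE_NOISE, "unknown.exe"),
        ("photo.jpg", SAMPLE_NOISE, "legit-encryptor.exe"),
    ]:
        print(f"{name} by {writer}: {assess_write(name, data, writer, TRUSTED)}")
```

The ordering of the checks is the point: a format-to-format change and a trusted writer are excluded before the entropy test, so the only writes that trigger an alarm are those that leave a once-recognizable file as unstructured, near-random bytes. Low-entropy garbage (a truncated or corrupted file) is reported as "unknown" rather than blocked, which keeps the false-alarm rate Arcabit describes under control at the cost of missing ransomware that deliberately pads its output with low-entropy data.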

 

2. As a company providing security solutions to the consumer and business markets, what can you offer your customers? Are you confident in your software when it comes to ransomware?

The range of functions implemented by our solutions is huge. By limiting ourselves to threats focusing on file encryption, we are currently developing our mechanisms in several projects:

  • heuristic and signature detection blocking the possibility of running malicious code as the most classic approach,
  • mechanisms based on cloud resources as a complement to local (operating within the user's system) detection mechanisms,
  • behavioral mechanisms activated after launching any application: put simply, the engines monitor what running processes "do", and if the assumed "safe" threshold is exceeded, the application is blocked,
  • SafeStorage mechanism for recovering encrypted and damaged files if the security methods cited above fail.

The sum of the above mechanisms allows us to say that our security solutions guarantee the highest level of user data security. This is confirmed in our everyday practice and cooperation with clients.

3. Backup is very important, and not only because of ransomware attacks. Do you already have, or do you plan to create, a complete solution that consolidates the creation of file and/or system backups with antivirus protection? Would such a product make sense?

Arcabit packages contain a backup module. This module allows you to create multiple backup profiles that include various resources and different settings. The user can specify which folders and what types of files are to be archived. They can also choose full or incremental copies. In addition, we give you the option of defining a schedule for making copies.

4. WannaCry ransomware has infected many systems older than Windows 7. Are customers running obsolete Windows XP, Vista and unsupported Windows Server systems doubly affected in this case?

It must be remembered that users' decision to use older versions of operating systems can have different reasons - from financial to technical. Developing security applications that cover both new systems (Windows 10, Server 2016) and old systems (Windows XP / Vista) is an increasing challenge for security software manufacturers. We are aware that there are still many machines on the market based on Windows XP and Vista. We have solutions for these systems in our offer and we make every effort to ensure that users of older versions of Windows have the highest level of security guaranteed thanks to our solutions.

5. What are the biggest challenges facing your software engineers today? What plans do you have for the development of your products?

It is a constant challenge to keep up with the new ideas of cybercriminals and new attack vectors. Anticipating the development of malware is also not an easy task. As I have already mentioned, we develop our applications as part of many projects including both classic methods of detection and - more broadly - protection against threats as well as "atypical" mechanisms exploring other protection areas (such as the mentioned SafeStorage or SafeBrowser). Often the situation on the cyber threats market is changing from day to day and the application development scenario must also be changed quickly. It sometimes happens that we adapt our solutions to the specific requirements of individual clients.

Quick Heal

1. When a victim becomes the target of an attack that uses a previously unknown ransomware sample, why do security solutions still have trouble detecting the threat before it begins encrypting files?

Quick Heal Total Security for home users and the enterprise-class software Seqrite Endpoint Security successfully detected and blocked the new ransomware attacks. During these first few days, more than 48,000 users were attacked in the same way. The "Anti-ransomware" function, like "DNAScan", both implemented in our products, received the "Best +++" rating in the tests carried out by your laboratory. In our products, it is these components that are crucial in protecting against such threats.

2. As a company providing security solutions to the consumer and business markets, what can you offer your customers? Are you confident in your software when it comes to ransomware?

Our products provide multi-layered protection against new threats. We have also noticed that the latest variants of various ransomware use brute-force attacks to log into servers through a remote desktop. Our firewall software has successfully blocked unauthorized login attempts.

What's more, the solutions developed by our engineers offer a multi-threaded approach to protection and have, among others:

  • Intrusion Prevention System (IPS)
  • Behavioral detection
  • Advanced DNAScan mechanism
  • The aforementioned Anti-Ransomware
  • Protection based on heuristics and signatures
  • Email protection
  • Backup and restore mechanism.

3. Backup is very important, and not only because of ransomware attacks. Do you already have, or do you plan to create, a complete solution that consolidates the creation of file and/or system backups with antivirus protection? Would such a product make sense?

As already mentioned, we offer products that contain modules for backup and restore. Thanks to them, we have often been able to restore key data for our clients.

4. WannaCry ransomware has infected many systems older than Windows 7. Are customers running obsolete Windows XP, Vista and unsupported Windows Server systems doubly affected in this case?

Using outdated and unsupported software increases the risk of infection and makes organizations vulnerable to various attacks. Although it is recommended to use the latest operating systems and keep installed software updated, in fact, for economic and operational reasons, organizations are forced to use older versions of the systems. Unfortunately, life shows that the importance of system modernization is simply ignored.

Our Quick Heal and Seqrite products offer support for many Windows operating systems: from Windows 2000 and Windows XP to Windows Server 2016 (including operating systems for desktops and servers).

5. What are the biggest challenges facing your software engineers today? What plans do you have for the development of your products?

Last year at the "World Economic Forum" (WEF), the theme was the so-called "fourth industrial revolution" characterized by a series of new technologies combining physical, digital and biological worlds. The speed of change is unprecedented. We see the issue of digitization, which becomes more aggressive and sophisticated. Technologies are constantly evolving, so our engineers have to adapt quickly and face them. That's why we got involved in developing NexGen protection for endpoints.

Emsisoft

1. When a victim becomes the target of an attack that uses a previously unknown ransomware sample, why do security solutions still have trouble detecting the threat before it begins encrypting files?

No software can detect 100% of threats. We believe in a multi-layered approach: if one particular layer fails to stop the threat, more will have to be done before the malware infects the user's system.

2. As a company providing security solutions to the consumer and business markets, what can you offer your customers? Are you confident in your software when it comes to ransomware?

When it comes to protecting private and business clients from ransomware and other malicious programs, Emsisoft products are characterized by multi-layered protection. We believe that no technology in itself will be 100% effective. However, with the use of many different technologies, a very high level of protection can be achieved. In the case of WannaCry ransomware, Emsisoft customers are protected in the following way:

  • If someone is using Emsisoft Internet Security, the firewall inside the network may prevent outsiders from accessing the ports.
  • File Anti-Virus: before any malware activity on the system, the File Guard mechanism checks the basic information about the file in our signature database. Our generic signatures, which we created in connection with WannaCry spread patterns (the first attack took place in February 2017), covered most of the pests used in this particular attack. A few variants of the backdoor components that were not yet known to us were added within 30 minutes.
  • Behavior Blocker is a behavior blocking technology that detects an attempt to infect a system by malicious software. Similarly, when a ransomware component becomes active, Emsisoft's Behavior Blocker detects the ransomware behavior and stops it from continuing.

3. Backup is very important, and not only because of ransomware attacks. Do you already have, or do you plan to create, a complete solution that consolidates the creation of file and/or system backups with antivirus protection? Would such a product make sense?

Emsisoft currently does not offer a stand-alone or combined backup solution. We prefer to focus on what we do best: protecting users against all types of malware.

4. WannaCry ransomware has infected many systems older than Windows 7. Are customers running obsolete Windows XP, Vista and unsupported Windows Server systems doubly affected in this case? (Firstly, Microsoft no longer supports these systems; secondly, is the antivirus software outdated too? Virus databases are not everything.)

We are aware of the need to maintain secure and therefore updated environments. This is one of the reasons why we stopped supporting operating systems older than Windows 7. We also know that there are situations when the need to use older versions is not up for discussion, but the lack of security updates means that these systems are very vulnerable to external threats.

5. What are the biggest challenges facing your software engineers today? What plans do you have for the development of your products?

Usually, we do not share plans for the development of our product.

Comodo

1. When a victim becomes the target of an attack that uses a previously unknown ransomware sample, why do security solutions still have trouble detecting the threat before it begins encrypting files?

WannaCry ransomware does not cause any problems for our product. In the attached video you can see the proof, where we even turned off the antivirus component and still have great effectiveness:

The above video demonstrates the preventive approach to protection (which we use), which is why 0-day malware has no chance against Comodo Security products.

2. As a company providing security solutions to the consumer and business markets, what can you offer your customers? Are you confident in your software when it comes to ransomware?

Yes, we are very confident. We use the so-called "default-deny" protection model in our solutions for consumers and enterprises, in which an unknown threat always operates within a container - access to all key elements is virtualized, and therefore PCs on which Comodo products are installed do not have to contain patterns for the detection of new virus variants, including ransomware.

3. Backup is very important, and not only because of ransomware attacks. Do you already have, or do you plan to create, a complete solution that consolidates the creation of file and/or system backups with antivirus protection? Would such a product make sense?

We provide a backup solution in our most extensive software, Comodo Internet Security Complete. In today's world, cloud backup is very important, not only because of ransomware.

4. WannaCry ransomware has infected many systems older than Windows 7. Are customers running obsolete Windows XP, Vista and unsupported Windows Server systems doubly affected in this case? (Firstly, Microsoft no longer supports these systems; secondly, is the antivirus software outdated too? Virus databases are not everything.)

It is important for users to be able to use the latest security software to ensure better security. Updating the system to the latest version has always been associated with some unforeseen events and financial costs. If someone thinks that Windows XP is sufficient for them, we cannot prohibit them from using this system. Our products continue to support Windows XP users and will do so in the future.

5. What are the biggest challenges facing your software engineers today? What plans do you have for the development of your products?

We always focus on the main problem, which is malware. We have been able to prevent 0-day pests for years. If we look at reports of antivirus tests investigating the effectiveness of detecting 0-day threats, Comodo ranks among the top. This is our hallmark.

Unfortunately, testing companies are still focusing on assessing the detection of known threats using traditional protection technologies, and should focus on checking protection against 0-day viruses. In the end, this is the most important thing.

Sophos

1. When a victim becomes the target of an attack that uses a previously unknown ransomware sample, why do security solutions still have trouble detecting the threat before it begins encrypting files?

Most endpoint protection products, including Sophos Endpoint Protection, focus on preventing the launch of malicious executable files. High-quality products also stop malicious scripts and documents, because ransomware does not always use executable files. This is usually more effective because it stops the software before it has a chance to do harm. Unfortunately, hackers are becoming more and more effective at trying to bypass endpoint protection by constantly and automatically changing code, packing and encrypting it in various ways, and searching for new infection techniques, such as using legitimate software and running scripts without using ransomware.

The best endpoint protection products, such as Sophos Endpoint Protection, use many techniques to block malware, including ransomware. They do this, for example, by blocking URLs, preventing access to already known websites that have been infected or malicious sites that are an attack tool. Using static scanning techniques that analyze malicious behaviors within the code, they stop the ransomware 'families', not the pure 'malware' signatures. However, none of them can be 100% effective.

Sophos also has a next-generation endpoint protection product in its portfolio, called Intercept X, which works in parallel with traditional endpoint protection. The great advantage of this product is, among other things, that it stops processes exhibiting ransomware behavior and encrypting files, thanks to the technique that we call CryptoGuard. Thus, it provides an additional layer of protection and complements traditional products, protecting endpoints by stopping unknown malware that classic tools missed.

No provider of security programs can claim that its product is 100% effective. Intercept X is, however, very close. The measure of CryptoGuard's effectiveness is that it has stopped every WannaCry variant we have seen so far without even requiring an update.

2. As a company providing security solutions to the consumer and business markets, what can you offer your customers? Are you confident in your software when it comes to ransomware?

We introduced Sophos Intercept X to the market in September last year and it has had a big impact on the fight against ransomware. Intercept X detects and stops unauthorized data encryption on the workstation, which classic security tools cannot. Our Advanced Protection Server license includes the same CryptoGuard technology for Windows servers. We are also beta testing the premium version of our free product Sophos Home. The premium version will include CryptoGuard. Right now, our customers can buy and install our product HitmanPro Alert, which also includes CryptoGuard: www.hitmanpro.com.

3. Backup is very important, and not only because of ransomware attacks. Do you already have, or do you plan to create, a complete solution that consolidates the creation of file and/or system backups with antivirus protection? Would such a product make sense?

No. We agree that backing up is important. As Sophos, we do not offer dedicated backup products, we focus on security, and especially on identifying and terminating attacks. Our CryptoGuard technology, as mentioned above, stores shadow copies that we can use if we identify a ransomware attack. However, this does not replace the need for regular backups.

Customers should run both automatic backups and next-generation endpoint security, but we are not convinced that their integration is essential.

4. WannaCry ransomware has infected many systems older than Windows 7. Are customers running obsolete Windows XP, Vista and unsupported Windows Server systems doubly affected in this case?

Customers should make every effort to keep their systems up to date, which means upgrading XP and 2003, which are no longer supported by Microsoft, to a newer version. In some cases, when a company running older systems is unable to upgrade, there is the option of extending their protection. In such cases, we offer customers support for Windows XP / 2003 updates in Endpoint Protection at an additional cost.

5. What are the biggest challenges facing your software engineers today? What plans do you have for the development of your products?

We are still developing the capabilities of our next-generation endpoint protection product, Intercept X, and of our XG Firewall. We focus in particular on developing the ability of both products to synchronize their knowledge of the security state of the environment in which they work, in order to obtain more proactive protection. We are working on extending machine learning in Intercept X using the leading technology from Invincea, the company we acquired last year. We will also add new, interesting features aimed at preventing typical techniques used by hackers to spread malware from a compromised computer, and techniques that will expand our ability to analyze and block new threats across the entire network.

Summary

We sometimes receive queries asking us to point out effective protection against ransomware. If choosing this "one" solution is still difficult for the reader, we point out a few specific security programs that are characterized by a different approach to protection, in the context of the information contained in this article (the order of the list below is random):

1. SecureAPlus

A lot can be written about the SecureAPlus solution from SecureAge Technology, a company headquartered in Singapore.

  • The UniversalAV scanning technology works fantastically as a mechanism for effectively detecting a variety of threats, including intrusive and annoying adware.
  • Protection that relies on antivirus engines in the cloud is one of the identifying elements of the SecureAPlus software.
  • In the right hands, SecureAPlus can be a powerful tool in the fight against malicious software. The program works briskly and does not cause performance problems.

We wrote more about the advanced protection model based on "file whitelists" in our review dedicated to SecureAPlus.

2. Comodo

The strong point of the Comodo Internet Security and Comodo Cloud Antivirus packages is the automatic sandbox module, which does not stop "malware" but runs it isolated from the operating system. Of course, this works automatically with the default settings, so the reader does not have to worry about additional configuration.

3. Arcabit

The SafeStorage module developed by the Polish company Arcabit has come up many times and inspires confidence in this manufacturer's home and business solutions. In addition to many proprietary technologies for detecting malicious software, in the Arcabit software we find the SafeStorage module, which creates backup copies of files at the moment of their encryption, deletion or damage. Restoring lost data in this way takes literally a few seconds.

The practical performance of Arcabit Internet Security in a clash with the WannaCry ransomware can be seen in the video posted in this article.

4. SpyShelter Firewall

SpyShelter Firewall is not an antivirus. It is a stronghold that can replace antiviruses. It can detect much more sophisticated threats than traditional antivirus software. It includes, among others:

  • protection of the system and system files against modification, rootkit installation and code injection,
  • protection against keyloggers running at the kernel level,
  • protection against capturing images from the webcam and sound from the built-in laptop speaker,
  • protection against screenshots.

It also increases the resistance of selected applications to manipulation through exploits by limiting their access to files and the registry, key capture and privilege escalation.

The detailed review titled "SpyShelter Firewall - a stronghold that can replace anti-viruses" describes all these aspects.

5. Kaspersky

This manufacturer's software has never failed in antivirus tests. Zoltan Balazs from MRG Effitas published a short test of the detection of an exploit developed by the NSA. It was armed with a dropper carrying the WannaCry ransomware, and an attack simulation was carried out via Metasploit (the ready exploit is publicly available).

Many popular packages still fail. Kaspersky Lab software does not. Although the EternalBlue exploit used by the WannaCry ransomware was first used in an attack in February 2017, three months later some antivirus programs still have trouble blocking it.

We will publish a similar test, in which we checked protection against very dangerous drive-by downloads, in June.

6. Emsisoft

Emsisoft provides software with a very good behavior blocking mechanism. Blocking behavior typical of backdoors, spyware and hijackers, as well as code injection into other processes, earns it very good results in many antivirus tests. Emsisoft writes on its blog that its application detected WannaCry before the signature was developed.

Encrypted files: what to do?

Method 1. The reader can use the id-ransomware portal, which in most cases correctly identifies the type of encryption virus and searches for a decryptor on its own.

Method 2. The reader can restore data from a backup copy, after first making sure that the threat has been completely removed.

Method 3. If the free methods do not bring the expected results, the reader may ask us for help in decrypting the files. This service is paid.

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.