A closer look at Sophos Cryptoguard and how it is stopping Ransomware


Let’s face it. Ransomware is everywhere. Everyone has a story about it. We all know someone who has been impacted by it, we hear about it constantly in the news and Managed Service Providers like us won’t shut up about it.

But what are the security vendors doing about it?

We have been investing a lot of time and effort into testing and deploying solutions that will avoid Ransomware as much as possible, adding various layers of protection to stop users from being able to launch a Ransomware infection, whether through email attachments or infected web sites. Unfortunately these techniques only reduce the chance of infection as best we can. Once the malware has had its chance to run and lock up your data, we are forced into a situation where we need to recover the locked-up data from your backup system, which can take time and interrupt the running of your business.

The backup companies love it. They are busy developing new features dubbed as ‘Cryptolocker Protection’ or pushing solutions with automated off-site backups as a fix for the Ransomware problem, however no matter what feature they come up with, it is not stopping Ransomware in any way, shape or form. It’s only giving you better insurance policies against when it happens. I attended a conference about backup where one vendor happily spoke about ‘Cryptolocker and Ransomware to be the biggest money making opportunity in computing since the Y2K bug’.

When Sophos announced what they were working on to protect Servers and Workstations against the Ransomware problem, it was a breath of fresh air to us here at RODIN and the product could not come soon enough. While we can put as many layers in as possible to avoid it, there can still be ways in and for those companies we meet who have lost time or data due to an infection, despite what some people may think, we don’t like hearing those stories.

Intercept X, the Sophos product for workstations that includes Cryptoguard, was the first to be released. This new product (which can sit alongside other Sophos products or even other vendors’ anti-virus protection) does not use signatures, but rather behaviour-based screening to detect malware such as Ransomware. By doing this, it avoids the scenario of attacks for which the vendor has not yet released an update, or the bad guys modifying an existing piece of malware so its signature no longer matches, which is the cat and mouse game that exists today.

Cryptoguard is a feature designed specifically for the Ransomware problem we all know and love. It monitors the system for processes that begin encrypting files, keeping copies of the files as the process opens them, in case it turns out to be a Ransomware attack. Once it determines that this is not a legitimate encryption process but malware (normally within 3 files being encrypted), it kills the process and automatically restores the encrypted files to their original state, leaving the Ransomware dead in its tracks before it wipes out all the data this user has access to.

Once malware has been stopped by Intercept X, it performs a root-cause analysis of the attack to identify exactly how the process started. How often have you traced a problem back to a user only for them to say “I didn’t click on anything!” and end up in a to and fro about what they ‘may have clicked on’? No longer will this be the case: it shows you exactly which program started the whole chain of events, which file it was that started going pear-shaped and what else it touched along the way. Think Outlook, with this zip file attachment, with this file inside it, that then did x, y & z. It records the processes constantly in the background, so when something happened at 2:54pm, you know exactly what happened in the minutes leading up to it.

With this analysis, another part of Intercept X called ‘Sophos Clean’ can kick in and remove everything the malware left behind. Unlike a traditional virus scanner that will quarantine or remove the infected file, this will remove the file, the 10 other files it dropped around the place and the 50 or so registry keys it modified along the way, leaving the system exactly as it was, pre-attack.

While this is great for workstations that have Intercept X installed, what about file servers that are minding their own business with the latest anti-virus protection installed and end up having all of their files encrypted by another machine on the network? Think John’s personal laptop, which he brought into the office without Anti-Virus or Intercept X installed and connected to the network without permission. We now have an answer for that too, as Sophos have included Cryptoguard with their Server Protection Advanced license (Sophos Central). We think this is a game changer, as servers can now protect themselves against remote Ransomware attacks from machines that may or may not be protected, in the same way that Cryptoguard protects workstations within Intercept X. Cryptoguard monitors the local files on the server, and if a remote process begins encrypting them, it cuts off access from that machine and automatically restores the files to their state before the encryption started.
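To make the behaviour described above concrete (copies taken as files are opened, a kill after roughly three files turn into ciphertext, rollback of everything that process touched, and the remote-machine case on a server share), here is an added simulation. It is example code written for this post, not Sophos’ implementation; the entropy cut-off, the process ids, the host name “laptop-john” and the document contents are all constructed.

```python
import math
from collections import defaultdict

# Constructed stand-ins: a low-entropy "document" and a block that looks like ciphertext.
ORIGINAL = b"Quarterly report: revenue up 4%, costs flat.\n" * 20
CIPHERTEXT = bytes(range(256)) * 16          # every byte value equally likely -> 8.0 bits/byte
KILL_THRESHOLD = 3                           # "normally within 3 files" (from the post)
ENTROPY_LIMIT = 7.0                          # bits/byte; assumed cut-off between documents and ciphertext

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text sits around 4-5, encrypted data near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

class BehaviourMonitor:
    """Watches file writes per process; no signatures, only what the process does."""
    def __init__(self, files):
        self.files = dict(files)              # simulated filesystem: path -> bytes
        self.snapshots = {}                   # (pid, path) -> copy taken on first open
        self.hits = defaultdict(int)          # pid -> low-entropy files turned high-entropy
        self.killed = {}                      # pid -> host whose access was cut off

    def on_write(self, pid, host, path, data):
        if pid in self.killed:
            return "blocked"                  # killed process / blocked machine can no longer write
        before = self.snapshots.setdefault((pid, path), self.files[path])
        self.files[path] = data
        if shannon_entropy(before) < ENTROPY_LIMIT <= shannon_entropy(data):
            self.hits[pid] += 1
            if self.hits[pid] >= KILL_THRESHOLD:
                self.killed[pid] = host       # kill the process (or cut off the remote machine)
                for (p, victim), copy in self.snapshots.items():
                    if p == pid:
                        self.files[victim] = copy   # roll every file it touched back
                return "killed"
        return "ok"

def simulate():
    """A user saving a document, then an unprotected remote laptop encrypting the share."""
    m = BehaviourMonitor({f"doc{i}": ORIGINAL for i in range(1, 5)})
    results = [m.on_write(100, "local", "doc1", ORIGINAL + b"Edited.\n")]
    for path in ("doc1", "doc2", "doc3", "doc4"):
        results.append(m.on_write(200, "laptop-john", path, CIPHERTEXT))
    return m, results
```

The legitimate save is left alone because the new contents are still low-entropy; the third ciphertext overwrite trips the threshold, the laptop loses access, and doc1 to doc3 come back from their snapshots before doc4 is ever touched.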

This one feature has just stopped potentially tens of thousands of files on your server from being encrypted, with no need to restore files from your backup system, allowing you to get on with your day without interruption. After we deal with John and his personal laptop, of course!

To see Cryptoguard in action on a server, take a look at this video.

To see Cryptoguard in action through Intercept X on a workstation, take a look at this video.

If you are interested in making sure you have Cryptoguard protection on your servers or workstations or want more information on the products, click here.
