With the global rise in ransomware, multinationals and SMBs alike believe it is not a matter of if but when an attack will occur. Several companies expect to receive ransom demands (despite warnings from the FBI), while others are convinced their current technology or processes will prevent an attack, or enable recovery within minutes or hours, a startling contradiction of statistics that show an average recovery time of 3 - 14 days. There is also the unsettling issue of fear expressed by IT teams and security providers who feel ill-equipped to combat a sophisticated adversary like Darkside.
ActZero provides content that educates and equips small to midsize enterprises (often without the resources required to combat these threats) with the proactive measures to roll out across a full lifecycle attack, including how Managed Detection and Response (MDR) can help. It is also pertinent to the remediation process to have in-depth knowledge of what happens in the final and critical stage of a ransomware attack: the encryption and exfiltration of data.
This blog post explains how to stop ransomware on your operating systems with our agent, and covers four tactics that disrupt ransomware, separate from the ongoing hygiene and hardening regimes we offer our customers. Whether with a security provider, or constructed internally, having an efficient Security Operations Center (SOC) behind these techniques is critical in deterring hackers. See here for more on an efficient SOC, and consult our eBook: Foundations for Incident Response Readiness for how to stop the attacker, beyond ransomware, on the endpoint.
What tools can stop Ransomware?
ActZero uses multiple tools on the endpoint and, in addition, forwards CrowdStrike’s NGAV and EDR logs to our cloud, where machine learning (ML) models find anomalies. Native to the EDR are several detections that, while not specific to ransomware, do a great job of preventing harmful programs (including ransomware) from launching on your endpoint in the first place. Some notable ones are Drive-by Download and LOTL protection via Suspicious Process Blocking, Suspicious Script and Command Blocking, Suspicious Registry Operation Blocking, and Code Injection Blocking. CrowdStrike Falcon is also a first-rate example of a service that provides automated ransomware prevention.
Let’s discuss the multiple ways these tools find and stop Ransomware with different detection techniques and responses. Each will be explored below with respect to the known unknowns of ransomware.
Combating the Known Unknowns
Ransomware-as-a-Service is advancing, but like other “polymorphic malware” it changes in predictable ways to bypass detection. Our downloadable threat insight write-up, Signature-Based Antivirus Bypass Threats, discusses this in more detail. For example, virtually all ransomware variants will change the properties of files, or the languages used to script attacks, to bypass traditional antivirus (AV). Below are examples that show how On-Sensor ML, Cloud-Based ML, Suspicious Process Blocking and Indicators of Attack (IoA) work together to block these types of changes and keep AV effective.
On-sensor Machine Learning
Falcon can still protect systems not connected to the internet against ransomware variants and other threats via the On-Sensor Machine Learning engine. This uses pattern detection technology which can identify ransomware even after a change to the file type, or when the attack is completely fileless (delivered via processes or suspicious scripts, e.g., PowerShell). This tactic also stops zero-day variants that change their properties to bypass signature detection. It means avoiding the “round-trip time” to and from the cloud for analysis, and blocking ransomware, even a sample delivered via USB, on an endpoint without an Internet connection. Demo our MDR service to see it at work.
Cloud-Based Machine Learning
The broadest and easiest way to prevent ransomware like Darkside, GandCrab and WannaCry (some of the most prolific malware campaigns in North America) is by using machine learning. See here to learn more about the strategies behind ActZero’s machine learning algorithms.
These algorithms predict negative outcomes from EDR data, like the on-sensor (local) algorithms do, but have far more compute available to run detections and models. The cloud-based ML models operate together with those on the machine but require forwarded data to decide whether the malware (or the activity) is malicious before issuing a command to block it. Although CrowdStrike’s global data set depends on round trips and algorithms to identify new threats, the speed and automation of this process typically returns an action in under a minute. This is even more impressive when combined with the immediacy of detection and corresponding response from the local sensor.
To preview the full-scale benefits of Machine Learning, request a demo to see the service in action. Or, to see how it compares to your current solution when faced with DarkWeb-sourced threats, request a free Ransomware Readiness Assessment.
Suspicious Process Blocking
Suspicious Process Blocking identifies as suspicious, and blocks, the processes associated with ransomware variants, such as PowerShell scripts or VBScript running inside Word (in which case Word itself is the process). Also referred to as Exploit Blocking, it examines the techniques typically used in an exploit to gain more control over the operating system by abusing its flaws.
Most ransomware has some predictable behavior. We use this detection type to our advantage and provide protection capabilities beyond machine learning. An example is Indicators of Attack (IoA), which focus on detecting the intent of the attack in order to break repeated intrusion chains such as stealing credentials, deleting local backups, changing a substantial number of files, and writing a note demanding bitcoin. It doesn’t matter whether the source is a process, a script, or another automated program: the behavior or action taken presents the same way. This type of behavior-based policy shows how ActZero’s ML complements CrowdStrike in achieving broader detections beyond those that come “off the shelf” with Falcon.
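One way the behavior-based IoA policy in this section and the Suspicious Process Blocking above could be expressed in code, as an added example that is not ActZero's or CrowdStrike's own logic: it scores each process over constructed, normalized endpoint telemetry by the chain the post lists (an Office application spawning a script host, credential access, local backup deletion, a mass file change, a dropped ransom note). The event kinds, thresholds and verdict bands are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
NOTE_HINTS = ("decrypt", "restore", "recover", "ransom")   # ransom-note file name fragments (assumed)
MASS_CHANGE_THRESHOLD, WINDOW_SECONDS = 50, 60   # distinct files one process changes per window (assumed)

@dataclass
class Event:
    ts: float      # seconds since capture start
    kind: str      # process_start | file_modify | file_create | backup_delete | credential_access
    pid: int
    image: str = ""
    parent: str = ""
    path: str = ""

def _mass_change(mods):
    """True if any WINDOW_SECONDS sliding window holds >= MASS_CHANGE_THRESHOLD distinct paths."""
    mods, lo = sorted(mods), 0   # (ts, path) tuples, oldest first
    for hi in range(len(mods)):
        while mods[hi][0] - mods[lo][0] > WINDOW_SECONDS:
            lo += 1
        if len({p for _, p in mods[lo:hi + 1]}) >= MASS_CHANGE_THRESHOLD:
            return True
    return False

def score_processes(events):
    """Return {pid: (verdict, reasons)}: 'block' at >= 3 IoAs, 'alert' at 2, else 'monitor'."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e.pid].append(e)
    out = {}
    for pid, evs in by_pid.items():
        kinds, reasons = {e.kind for e in evs}, []
        if any(e.kind == "process_start" and e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS for e in evs):
            reasons.append("office_spawned_script_host")
        reasons += [k for k in ("credential_access", "backup_delete") if k in kinds]
        if _mass_change([(e.ts, e.path) for e in evs if e.kind == "file_modify"]):
            reasons.append("mass_file_change")
        if any(e.kind == "file_create" and any(h in e.path.lower().rsplit("\\", 1)[-1] for h in NOTE_HINTS) for e in evs):
            reasons.append("ransom_note_dropped")
        out[pid] = ("block" if len(reasons) >= 3 else "alert" if len(reasons) == 2 else "monitor", reasons)
    return out
# Constructed sample telemetry: a legitimate backup job (pid 10) beside a suspicious chain (pid 20).
SAMPLE = [Event(0, "process_start", 10, "backup.exe", "services.exe")]
SAMPLE += [Event(1 + i * 0.1, "file_modify", 10, path=f"D:\\share\\doc{i}.docx") for i in range(80)]
SAMPLE += [Event(100, "process_start", 20, "powershell.exe", "winword.exe"), Event(101, "backup_delete", 20)]
SAMPLE += [Event(102 + i * 0.2, "file_modify", 20, path=f"C:\\Users\\a\\doc{i}.xlsx") for i in range(60)]
SAMPLE += [Event(115, "file_create", 20, path="C:\\Users\\a\\HOW_TO_DECRYPT.txt")]
```

A mass file change on its own (the backup job) only reaches "monitor"; it is the combination of behaviors in one process that drives the verdict to "block".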
RaaS is a global burden with agonizing impact. Though the four tactics discussed in this post offer sustainable ways to protect your organization and are easily adaptable, we understand the demand for customized optimal solutions. Our free eBook: Foundations for Incident Response Readiness outlines practical and responsive ways to help you achieve your goal of operationalizing your IR plans and strengthening your cybersecurity with improved reaction time to threat actors vying for your important business data assets.