Ransomware seems to be everywhere, and many cybersecurity forums are abuzz with discussions of how to deal with it. Ransomware evades signature detection, its encryption is almost always unbreakable, and it does not necessarily need administrative rights to cause damage: it encrypts files stored on network shares, disables restore points, removes shadow copies, and tracks down and wipes your backups, in other words, all imaginable damage. Time to surrender? Not really.
At Kaspersky Lab, we have a great preventive solution that not only detects ransomware at the point of infection but also, if someone runs the file anyway, spots the malicious behavior, blocks the action and rolls back the changes. Some additional information can be found at the following links:
We have seen some scenarios where this would not work, though. Perhaps the worst one is when an infected machine on the network starts encrypting the files on a network share. Even if you were to monitor the file server, there is nothing to detect there: the server itself is not infected, the malicious process runs on the client, and all the server sees is an authenticated user writing to files that user is allowed to write to. You can scan the server's memory, its files and the share all you want; the malware will keep doing its job, probably laughing hysterically at your desperate attempts to prevent the damage.
This is the exact scenario we tried to address with the new update of Kaspersky Security for Windows Server (formerly Kaspersky Security for Windows Server Enterprise Edition). The new version monitors activity on the share, and when it concludes that a machine is behaving maliciously (read: encrypting your company data), it cuts that machine off from the protected server's shares for 30 minutes and notifies the administrator, so you don't have to unplug all the machines and plug them back in one by one to identify the infected one.
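To make the share-side behavioral check concrete, here is an added example. It is my own illustration for this page, not Kaspersky's product logic or any algorithm the post documents. It assumes a constructed file-server audit log with one line per SMB operation (timestamp, client address, user, operation, path, and the new path for renames), flags a client that performs a burst of extension-changing renames on the share within a short window, and records that client as blocked for the 30 minutes the post mentions. The log format, field names, thresholds and function names are all my assumptions.

```python
"""Share-side ransomware heuristic: block a client that renames many files to a
new extension within seconds. Added example, not product code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO time> <client> <user> <op> <path> [-> <new_path>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<op>\w+) "
    r"(?P<path>\S+)(?: -> (?P<new_path>\S+))?$"
)

WINDOW = timedelta(seconds=60)      # sliding window per client (assumed tuning)
THRESHOLD = 10                      # extension-changing renames inside the window
BLOCK_FOR = timedelta(minutes=30)   # block length described in the post


def parse(line):
    """Parse one audit line into a dict; raise on anything unexpected."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def ext(path):
    """Lower-cased extension of the final path component, '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def is_encrypting_rename(rec):
    # doc.docx -> doc.docx.locked is the pattern this heuristic keys on;
    # an ordinary move or rename keeps its extension and is ignored.
    return (rec["op"] == "rename" and rec["new_path"] is not None
            and ext(rec["path"]) != ext(rec["new_path"]))


def detect(lines, window=WINDOW, threshold=THRESHOLD, block_for=BLOCK_FOR):
    """Return {client: blocked_until} for every client whose burst of
    extension-changing renames reaches the threshold inside the window."""
    recent = defaultdict(deque)   # client -> timestamps of suspicious renames
    blocked = {}
    for line in lines:
        rec = parse(line)
        client, ts = rec["client"], rec["ts"]
        if client in blocked and ts < blocked[client]:
            continue              # already cut off; its requests would be refused
        if not is_encrypting_rename(rec):
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop events that fell out of the window
        if len(q) >= threshold:
            blocked[client] = ts + block_for
            q.clear()
    return blocked


def is_blocked(blocked, client, at):
    """True if the client's block is still in force at time `at`
    (a datetime or ISO-8601 string)."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    until = blocked.get(client)
    return until is not None and at < until


def sample_log():
    """Constructed audit lines: 10.0.0.5 edits a few files normally while
    10.0.0.77 rewrites and renames a dozen documents within twelve seconds."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for i in range(3):
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} 10.0.0.5 CORP\\alice write /share/finance/q{i}.xlsx")
    t = (base + timedelta(seconds=35)).isoformat()
    lines.append(f"{t} 10.0.0.5 CORP\\alice rename /share/finance/draft.docx -> /share/finance/final.docx")
    for i in range(12):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.77 CORP\\bob write /share/hr/emp{i}.pdf")
        lines.append(f"{t} 10.0.0.77 CORP\\bob rename /share/hr/emp{i}.pdf -> /share/hr/emp{i}.pdf.locked")
    return lines


if __name__ == "__main__":
    for client, until in detect(sample_log()).items():
        print(f"block {client} until {until.isoformat()} and page the administrator")
```

Running it reports that 10.0.0.77 is blocked until 09:30:09 while alice's one-off rename never counts. Two caveats when adapting something like this to a real audit source: ransomware that encrypts in place without touching the filename slips past a rename-only rule, so pair it with a check on write content (entropy or a missing magic number) or with canary files nobody should modify; and a legitimate bulk conversion job can look exactly like this burst, so tune the threshold per share and give the administrator a way to lift the block early.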
Remember the multi-layered approach to security. Back up religiously, and keep at least one copy somewhere an infected workstation's credentials cannot reach. Stop phishing at your email server or web browser. Stop known malware (signatures are the cheapest way to do so, so show them some love, too). Check with cloud intelligence. Let it boil a little in a sandbox. Let your firewall do some of the work for you.
Make sure application privilege control stops applications from accessing your personal data unless explicitly allowed, or go all the way and switch to Default Deny mode. Monitor the processes you have allowed to run for exploitation attempts and malicious activity. Roll back malicious changes if everything else has failed. Make sure every node on the network is protected, be it a proxy server, mail server, SharePoint server, storage device or file server: you don't want a malicious payload sitting on your network waiting to be assembled and launched by malware.