How Sophos Intercept X Slams the Door on Ransomware

The makers of endpoint security solutions must deal with a constantly changing threat landscape and new attack types, but ransomware has evolved beyond nearly any threat we’ve seen before. It is the next generation of malicious code, and it has spread everywhere. An organization that fails to establish a plan of defense against ransomware is essentially leaving its front door wide open amid a crime wave. It’s only a matter of time before an intruder gets in.

This threat isn’t going away anytime soon. Ransomware has become a massive problem because of the multibillion-dollar ransomware-as-a-service market, in which malicious code is sold and rented like any other hosted platform. Ten years ago, only a relatively savvy hacker could create malware, particularly something advanced enough to use encryption algorithms the way ransomware does. Now, anyone with Bitcoin, the Tor Browser (to reach dark web marketplaces) and sufficient nerve to risk getting caught can deploy ransomware. Scores of sites will build the malicious payload for a would-be attacker.

On Guard Against Ransomware

The first layer of defense is the ability to recognize ransomware. Most of its payloads arrive as email attachments, and most of those are spear phishing attacks: messages aimed at a specific individual or organization. Such a message might address the target by name (a superintendent of schools, say) and reference an attached document (perhaps a memo about an upcoming budget hearing).

If the recipient opens the attachment, it launches an executable that silently finds and encrypts the victim’s data. Once it’s done, a message announces that the machine is being held for ransom: to recover the files, the victim must call a number or visit a website and pay Bitcoin to the attacker’s wallet in exchange for the decryption key.

New Security Approaches Needed

Traditional endpoint security relies on signature-based protection, which works like a mug shot: it describes what each known attacker looks like. Mug shots don’t work against ransomware, because each build is repacked or otherwise altered so that it differs slightly from the one before it. The sample that lands on a given machine has usually never been seen in the wild, so no signature for it exists yet.

However, security vendors are developing new defenses. Sophos Intercept X, for example, released last year, includes a capability built specifically for ransomware: its CryptoGuard feature looks for the telltale behavior of ransomware rather than for signatures that identify particular attackers.

CryptoGuard is software that monitors the file system. When it sees a file being encrypted, it keeps a snapshot of that file’s original contents, then watches for others being encrypted. Once three or four files have been encrypted, CryptoGuard recognizes the activity as malicious, stops the offending process, and rolls the encrypted files back to their safe, original states from the snapshots it took before they were encrypted. The few files altered before the verdict are exactly the ones recovered from snapshot, so the damage is bounded by the detection threshold rather than by how fast the malware runs.

After Intercept X foils the attack, another feature, Root Cause Analysis, takes over. It gives an administrator a play-by-play breakdown of how the executable started, which files it touched and a graphical threat map of what happened.

Historically, endpoint security has done an excellent job as a police officer subduing a burglar, but it hasn’t been particularly effective at determining how he got in. Root Cause Analysis handles the forensics, sweeping for fingerprints to determine whether the burglar came in from the fire escape, through the upstairs bathroom window or down the steps.

Root Cause Analysis is the crime scene investigator to CryptoGuard’s police officer. Together, they help organizations lock out the bad guys.
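As an added illustration of the two mechanisms described above (this is example code written for this page, not Sophos code, and it does not reproduce how CryptoGuard or Root Cause Analysis are actually implemented), the following Python sketch mediates file writes in a temporary directory: it keeps the pre-write contents of any file a process rewrites with ciphertext-like data, scores “ciphertext-like” with a Shannon-entropy heuristic, stops the process and restores the files once a threshold of such rewrites is reached, and keeps an event timeline from which a root-cause style report is assembled. The class and function names, the entropy cut-off of 7.0 bits per byte, the threshold of three files, and the memo files and process IDs in simulate() are all assumptions made for the example; the entropy heuristic is one common telltale sign chosen here for the demonstration, not the page’s statement of what CryptoGuard looks for.

```python
import math
import os
import tempfile
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: close to 8.0 for ciphertext or random
    data, typically 4 to 5 for text and office documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class CryptoGuardLike:
    """Hypothetical guard (not Sophos's code): mediates writes under `root`,
    keeps the pre-write copy of any file a process rewrites with ciphertext-
    like data, and stops and rolls the process back at `threshold` rewrites."""

    ENTROPY_CUTOFF = 7.0   # assumed boundary between plain data and ciphertext
    MIN_SIZE = 64          # writes this small carry too little signal to judge

    def __init__(self, root: str, threshold: int = 3):
        self.root = root
        self.threshold = threshold
        self.journal = defaultdict(list)   # pid -> [(path, pre-write bytes)]
        self.blocked = set()               # pids that have been stopped
        self.events = []                   # (pid, action, filename) timeline

    def write(self, pid: int, name: str, data: bytes) -> bool:
        """Write `data` to `name` on behalf of `pid`. Returns False if the
        write was refused (pid already blocked) or landed and was reverted."""
        if pid in self.blocked:
            self.events.append((pid, "refused", name))
            return False
        path = os.path.join(self.root, name)
        original = b""
        if os.path.exists(path):
            with open(path, "rb") as f:
                original = f.read()        # snapshot before the write lands
        with open(path, "wb") as f:
            f.write(data)
        self.events.append((pid, "write", name))
        if self._looks_like_encryption(original, data):
            self.journal[pid].append((path, original))
            self.events.append((pid, "flagged", name))
            if len(self.journal[pid]) >= self.threshold:
                self._stop_and_roll_back(pid)
                return False
        return True

    def _looks_like_encryption(self, before: bytes, after: bytes) -> bool:
        # Signal: readable, low-entropy content replaced by high-entropy bytes.
        # One such write is normal (a zip tool does it); the threshold in
        # write() is what turns repeated occurrences into a verdict.
        if len(after) < self.MIN_SIZE:
            return False
        return (shannon_entropy(before) < self.ENTROPY_CUTOFF
                and shannon_entropy(after) >= self.ENTROPY_CUTOFF)

    def _stop_and_roll_back(self, pid: int) -> None:
        self.blocked.add(pid)
        for path, original in self.journal[pid]:
            with open(path, "wb") as f:
                f.write(original)          # restore the pre-encryption copy
            self.events.append((pid, "rolled_back", os.path.basename(path)))

    def root_cause(self, pid: int) -> dict:
        """Root-cause style summary: everything the process did, in order."""
        mine = [(a, n) for p, a, n in self.events if p == pid]
        return {
            "pid": pid,
            "blocked": pid in self.blocked,
            "files_touched": sorted({n for a, n in mine if a == "write"}),
            "rolled_back": [n for a, n in mine if a == "rolled_back"],
            "timeline": mine,
        }


def simulate(threshold: int = 3) -> dict:
    """Constructed scenario: a benign author (pid 100) writes five memos, then
    a constructed ransomware process (pid 999) overwrites each with random
    bytes, as a file-encrypting payload would."""
    with tempfile.TemporaryDirectory() as root:
        guard = CryptoGuardLike(root, threshold=threshold)
        memos = {f"memo{i}.txt": (f"Budget hearing memo {i}: " + "figures " * 20).encode()
                 for i in range(5)}
        for name, body in memos.items():
            guard.write(100, name, body)
        allowed = [guard.write(999, name, os.urandom(4096)) for name in memos]
        intact = []
        for name, body in memos.items():
            with open(os.path.join(root, name), "rb") as f:
                intact.append(f.read() == body)
        return {"allowed": allowed, "intact": intact, "report": guard.root_cause(999)}
```

Calling simulate() shows the constructed ransomware process getting through two rewrites, being stopped on the third, and all five memos ending up in their original form, with the report listing the three files it touched, the three rollbacks and the two writes refused afterwards. The writes land first and are reverted on the verdict, which is what makes the pre-write snapshot essential: a guard that only blocked would lose the files altered before the threshold. A production engine adds further signals (file extension churn, ransom-note drops, decoy files) because entropy alone misfires on legitimate compression and encryption tools, which is also why a single high-entropy write is never a verdict here.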

To learn more about how organizations can protect their IT devices from sophisticated threats, read the CDW article “Next-Generation Defense for Endpoints.”
