Cybereason Blog | Cybersecurity News and Analysis

Shields Up: Is Your Ransomware Protection What It Should Be?

Written by Dan Verton | Feb 18, 2022 8:13:33 PM

The recent ‘Shields Up’ initiative from the Cybersecurity and Infrastructure Security Agency (CISA), an effort to warn businesses and critical infrastructure operators to prepare for cyberattacks coinciding with the imminent Russian invasion of Ukraine, may have one critical weak spot: ransomware protection.

CISA, the FBI, and an assortment of other federal agencies have spent the last several weeks wargaming the likely cyber scenarios stemming from the conflict in Ukraine. Among the top concerns is a series of sophisticated, state-supported ransomware attacks like those that took down Colonial Pipeline , JBS Foods and Kaseya in 2021.

However, organizations that are still running legacy antivirus technology, or even those who have deployed more mature technologies (including from several Cybereason top competitors) are not protected from sophisticated, multi-stage ransomware.

Complex RansomOps have evolved to better evade standard defenses. Targeted attacks stand a high chance of success against underprepared environments, making a behavior-based approach to prevention, detection, and response required for success. 

A critical component to ending ransomware is time. Cybereason addresses this challenge by approaching ransomware as a big data problem. A ransomware operation should result in a single notification.

Attackers exploit the time security operations centers (SOCs) spend triaging alerts to advance their attack. We built our solution to cut down on this triage time with the MalOp™ (malicious operations) approach.

In addition, ransomware attacks occur in stages, and encryption is the final stage. The MalOp will show you the initial stages of an attack, so you can act before it’s too late. The Cybereason XDR Platform provides multiple layers of defense against modern ransomware, including:

  • Machine Learning and Behavioral Analytic Driven Malware Protection
  • Fileless Attack Monitoring, Behavioral Document Protection & Deception Technology
  • Threat Intelligence from Cybereason’s world-class Nocturnus research team

These are significant advantages that organizations concerned with ransomware should look at closely.

Many of our competitors don’t check for malicious behaviors in all document types, they only check in executables (leaving out non-executable files like .pdf). In addition, some leverage what they call ‘smart filtering,’ which means their dataset is limited and unable to catch the early stages of ransomware.

Other vendors can’t protect against attacks delivered via scripts or malicious documents across operating systems and instead rely on a rollback feature, which should be your last line of defense, not your main line of defense.

Let’s take a look at how Cybereason defeated one of the most notorious ransomware attacks in recent history - Conti Ransomware. And as you will see, we also have powerful rollback capability, but that’s strictly for the unlikely situation that the attack ever gets that far.

Cybereason Ransomware Detection and Rollback

Since first emerging in May 2020, the Conti ransomware operators claim over 150 successful attacks, which equates to millions of dollars in extortion fees. Similar to other ransomware variants that have emerged recently, the Conti gang follows the growing trend of double extortion. They steal sensitive files and information from their victims, and later use it to extort the victims by threatening to publish the data unless the ransom is paid.

 

Conti is a very destructive threat. Besides the double extortion that puts information and reputation at risk, the Conti operators equip it with a spreading capability, which means that Conti not only encrypts the files on the infected host but also spreads via SMB and encrypts files on different hosts, potentially compromising the entire network. The rapid encryption routine takes just a few seconds to minutes due to its use of multithreading, which also makes it very difficult to stop once the encryption routine starts.

Cybereason is the only security provider that remains undefeated in the fight against ransomware, protecting organizations from threats like the DarkSide Ransomware that shut down Colonial Pipeline, the REvil Ransomware that disrupted meatpacking giant JBS and IT services provider Kaseya, the LockBit Ransomware that struck Accenture, and every other known ransomware family.

Cybereason is dedicated to teaming with Defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.