Zero-Day Ransomware Detection is a Necessity, Not a Luxury

No one is a stranger to the notion of security. We protect our homes and physical assets with locks and cameras and are vigilant when we encounter abnormal behavior. But for some reason, the data entrusted to us is not always given the same type of protection. That data has become a prime target for cybercriminals, as the increasing prevalence of ransomware attacks shows.

To be fair, enterprise data can’t be secured simply by restricting access. The whole point is to make data usable and available for people who can use it, contribute to it, and transact with it. The nature of data is that it changes; assets are created on the fly, collaboration improves the value of content, and sharing it increases its value. Priority often lies with productivity, giving users free access to data, without implementing equally strong protection.

The key to protecting content from ransomware is to understand how it penetrates files and the relationships among files, repositories, and users. To be effective, all ransomware needs is access to files, and it can achieve this through fairly rudimentary tactics. But with purposeful, automated analysis and alerting, ransomware attempts can be quickly detected, shut down, and remediated.

Ransomware and the damage done

Ransomware can be spread through phishing emails that contain malicious attachments. Hackers can also use social engineering to gain access to account credentials, and from there, it’s easy to plant ransomware anywhere that account has access to, including cloud repositories. The most common form of ransomware is crypto ransomware, a malware variant that encrypts files. It is spread through similar methods, and has also been spread through social media and Web-based messaging.

Ransomware variants have been around for years and often attempt to extort money from victims by displaying an on-screen alert. Typically, users’ systems and files have been locked or encrypted. Unless the ransom is paid, access to the files will not be granted. Generally, payment is demanded in the form of Bitcoin.

The sad reality is that attackers are able to extort victims, and their financial success has led to a proliferation of ransomware variants. In 2013, destructive and lucrative ransomware variants were introduced, including Xorist, CryptorBit, and CryptoLocker. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives. These variants are considered destructive because they encrypt users’ and organizations’ files, and render them useless until criminals receive a ransom.

In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to healthcare facilities and hospitals in the United States, New Zealand, and Germany. It propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip). The malicious attachments contain macros or JavaScript files to download Ransomware-Locky files.

Samas, another variant of destructive ransomware, was used to compromise the networks of healthcare facilities in 2016. Unlike Locky, Samas propagates through vulnerable Web servers. After the Web server was compromised, uploaded Ransomware-Samas files were used to infect the organization’s networks.

Egnyte provides an extra layer of protection:

Most companies house hundreds of thousands, even millions, of files. Imagine all of them locked and potentially gone forever. These types of attacks routinely cripple businesses and often result in huge financial losses.

We architected Egnyte with this in mind, by enabling customers to simply roll back their environment to a pre-attack state, and restore files to the last unaffected version. But if ransomware is not contained and mitigated successfully, encryption of files happens again. That’s why we’ve made it easier to discover and contain ransomware so it can be eradicated from your system before you go through the process of data restoration.

Most anti-malware on endpoints and Windows systems is signature-based: it looks for files with known hashes and known malware file extensions. Egnyte has long had this capability, and even extends it to connected Windows File Servers. Although signature-based solutions work, they are not one hundred percent effective.

Signature matches are based on previously known threats: if a file’s hash matches a known signature, malware is present. This also means someone else has already reported the threat, which is why a signature exists. What happens when there isn’t a signature match? Administrators can’t stop a threat they can’t see.

In addition to a signature-based approach to detect known malware, Egnyte is introducing behavior-based detection to stop previously unseen ransomware, or zero-day attacks. Behavior-based detection uses AI to detect suspicious actions in near-real time. By analyzing file operation behaviors, such as file encryption, mass deletion, and mass renaming, Egnyte’s content intelligence engine can provide evidence of a ransomware attack in progress.
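To make the behavior-based idea concrete, here is an added example (not Egnyte’s engine, and a fixed-threshold heuristic rather than AI) that flags a user whose deletes, renames, and high-entropy writes burst within a short window. The event fields (`ts`, `user`, `op`, `sample`), the thresholds, and the sample audit trail are all assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict, deque

# Assumed thresholds for illustration; tune them against your own baseline.
WINDOW_SECONDS = 60       # sliding window per user
BURST_THRESHOLD = 20      # suspicious operations inside the window
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a content sample: near 8.0 for ciphertext, lower for text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def is_suspicious(event: dict) -> bool:
    """Deletes and renames always count; writes only if the content looks encrypted."""
    if event["op"] == "write":
        return shannon_entropy(event.get("sample", b"")) >= ENTROPY_THRESHOLD
    return event["op"] in ("delete", "rename")

def detect_bursts(events) -> dict:
    """Return {user: timestamp of first alert} for users whose suspicious
    operations reach BURST_THRESHOLD within WINDOW_SECONDS."""
    windows, alerts = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious(ev):
            continue
        win = windows[ev["user"]]
        win.append(ev["ts"])
        while ev["ts"] - win[0] > WINDOW_SECONDS:  # drop events outside the window
            win.popleft()
        if len(win) >= BURST_THRESHOLD:
            alerts.setdefault(ev["user"], ev["ts"])
    return alerts

def sample_events() -> list:
    """Constructed audit trail: alice edits documents normally, while bob's
    account renames files and rewrites them with high-entropy content."""
    cipher_like = bytes(range(256)) * 4  # uniform byte distribution, entropy 8.0
    events = [{"ts": 30 * i, "user": "alice", "op": "write",
               "sample": b"quarterly report draft " * 40} for i in range(10)]
    for i in range(15):
        events.append({"ts": 100 + 2 * i, "user": "bob", "op": "rename"})
        events.append({"ts": 101 + 2 * i, "user": "bob", "op": "write",
                       "sample": cipher_like})
    return events

if __name__ == "__main__":
    print(detect_bursts(sample_events()))
```

Because compressed and media files are also high-entropy, the entropy check only contributes to the burst count and never raises an alert on its own.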

Enterprise content is an invaluable resource, and even with strong security practices in place, ransomware is a top threat. Zero-day protection should be high on the priority list of any CISO, which is why Egnyte built it directly into our secure content platform.

Read the Egnyte Security Framework to learn more about Egnyte’s approach to content governance and data security.


Brittany Carambio
