In the last couple of years, we have witnessed the rise of ransomware that takes users’ and organizations’ valuable files hostage. Examples of such ransomware are the notorious Cryptowall, CTB-Locker and, more recently, VaultCrypt.
Ransomware attacks are usually carried out when the victim opens an email containing a malicious attachment or browses to a site controlled by an attacker. After the initial foothold is achieved, the ransomware unpacks and executes its ultimate payload, encrypting one’s most valuable files – documents, archives, and databases.
Once the files are encrypted, attempts to decrypt or restore them are usually useless. This is a result of the asymmetric encryption scheme implemented by the creators, which is infeasible to break.
In this scheme there are two different keys – one for encrypting and a different one for decrypting. While the attacker attaches the first to the malware, the second stays safe on the attacker’s remote servers and is only returned to the victim once a ransom payment has been made.
Prevention
In the video below we execute a live CTB-Locker sample on a Windows machine with and without Minerva:
On the right, the Minerva-protected machine is unharmed, while on the left the ransomware encrypts files successfully.
Detection-based security products look for unusual behavior by suspicious programs and halt their execution if they suspect malicious activity. In the case of ransomware, by the time this suspicious behavior is detected, some critical assets have already been encrypted for good and it is simply too late.
Minerva Anti-Evasion Platform prevents ransomware before encryption takes place and before any damage is done.
Want to see Minerva in action? Request a demo!
Minerva – don’t chase, PREVENT!