Jackie Groark





Jackie Groark
Director, Security / CISO

Ransomware attacks are now a fact of life that all businesses must deal with. While the recent global mega-attacks may make some think it’s a relatively new problem, it’s been around for nearly 30 years. But recently, ransomware has transformed into a very lucrative business for criminals. And that means it’s game on for all you IT and security professionals.

What’s the best way to solve the risks and protect your digital assets? Implement multiple layers of protection—from the gateway and network to the servers and endpoints. In this article, we take a look at endpoint security, your last line of defense when it comes to keeping ransomware on the outside looking in.

The network endpoints include desktops, laptops, smartphones, tablets, thin clients, printers – and other specialized hardware such as POS terminals, medical devices and smart meters. IT needs to keep a sharp eye because cybercriminals have expanded their target base to include the endpoints within businesses of all sizes and industry sectors:

  • SMBs are a prime target because they usually have limited resources to deploy robust security. Many simply don’t have the capital to invest in proactive, protective measures. If ransomware hits, they are compelled to pay the ransom or spend a lot more money trying to get their digital assets back up and running. Rock, meet hard place.
  • Large enterprises are also not immune, even those with multiple layers of security. Ironically, they often face threats coming through known and trusted sources. Even when third-partypartners, vendors and employees do not act with malicious intent, they may still unknowingly open the door for an attack. Not cool.

Just like other criminal enterprises, the ransomware business is nasty. Even if you pay the ransom, there’s no guarantee the crooks will give you back your data or your access. And once they get through the first time, they know exactly how to hit you again with a new strain of ransomware. They might even do it first thing the next morning.

That’s why it’s vital to protect your endpoints right now. And that’s why we’ll look at two technologies that can help solve this security challenge.

Behavior monitoring…because end users sometimes don’t know when ransomware hits

Endpoint behavior monitoring plays a key role because users may not immediately know if their devices have suffered a ransomware infection. Our team of security experts has found this is especially true when malicious code is injected into a normal process like <explorer.exe> to take over the taskbar, the file manager or other desktop functions.

Behavior monitoring comes to the rescue by flagging and blocking malicious system behaviors and anomalies such as injection and hooking routines. This enables IT security teams to spot patterns of unusual activity and watch for unknown processes that attempt to encrypt or modify files. The leading tools are continually updated with intelligence on new behavioral patterns in order to improve ransomware detection rates over time.

Gaining these capabilities allows IT to proactively detect and block the execution of these info-stealing ransomware and crypto-ransomware variants:

  • Encryption
  • Process manipulation
  • File dropping
  • Command-and-control (C&C) server communication
  • Trojan horses

Armed with behavior monitoring tools, IT security teams can terminate programs that encrypt specific files stored in systems. If a program is not on a whitelist (we’ll talk more about this below) or known to be associated with ransomware, for example, its execution is immediately thwarted. Security teams can also detect and block scripts that attempt to bypass email scanners and inject malicious code—such as Cerber, Locky, CRYPSTELA, CRYPTWALL and JScript.

Another thing to watch out for are the ransomware families that delete shadow copies. This is particularly troublesome because if this activity could be considered normal behavior in certain operating systems; they won’t be immediately blocked. But advanced behavior monitoring tags this type of routine as an indicator of a possible ransomware infection.

Other ransomware variants can abuse legitimate programs, services and frameworks to avoid detection and removal. One example is Windows PowerShell, which is installed on Windows computers by default. This makes PowerShell an ideal target for ransomware criminals, and once they take control, they can download sensitive documents. Behavior monitoring looks out for and prevents such events from occurring by enabling IT to apply policies that indicate which files should not be executed on a system.

Application control…to make sure safe routines, files and processes can execute

Another important component of endpoint security is application control, also known as application whitelisting. This tactic prevents ransomware from executing on systems and causing damage to back-ups. It allows only non-malicious routines, files and processes to run on systems.

But it’s also important to ensure safe activities can be executed. Otherwise, business users may not be able to access applications they need to do their jobs. As security professionals, we don’t want to get in the way of productivity. We just want to be sure business gets done safely.

Application control tools empower IT teams to solve this challenge by proactively determining the whitelist of programs, files and processes that can run on each system. IT can create lists based on an inventory of existing endpoints—by category, vendor, app or other reputation attributes. Once an application is allowed, its succeeding versions/updates will automatically be permitted to run too.

In addition to whitelisting, IT teams can create blacklists to deny programs, files and processes from running on certain file paths. Blocking rules for specific directories can also be applied.

Some ransomware variants drop copies into temporary user directories—the paths that most malware uses— while ransomware like JIGSAW uses file paths, such as <Application Data> and <AppDataLocal>. But with application control capabilities, blocking rules can be applied for specific variants like these—knowing the paths they commonly use.

Additional layers of defense are still required

Leveraging behavior monitoring and application control technologies is critical because once threats reach the endpoint level and then start encrypting files and data, recovering without any backup is difficult. Matters get worse when ransomware deletes shadow copies or exhibit other routines beyond encryption—leaving businesses no other choice but to pay the ransom.

As you consider various endpoint security solutions, it’s important to remember that with so many different means by which ransomware can reach systems across an infrastructure, architecting a multi-layered defense is required to secure the network and the servers. Behavior monitoring and application control should be considered as an additional layer of protection, just in case ransomware gets through the gateway level. But they’re your last, not your only, line of defense.

To discover additional measures that can further secure your business, check out our blog on network protection.