PETYA : RANSOMWARE, OR SOMETHING WORSE?

If your organization has not been hit by Petya malware, you could be next. Petya was originally identified as ransomware, which locks organizations out of their own files and data with the aim of extorting a ransom; it now appears to be either a disruptive attack on infrastructure or an attack that installs malware camouflaged to look like ransomware. Regardless of the final intent, Petya attacks begin, and are most evident, as ransomware.

Now a global epidemic, ransomware attacks targeting companies have escalated 300% since January 2016; attacks are occurring every 40 seconds. Check Point’s H2 2016 Global Threat Intelligence Trends showed that ransomware attacks doubled during the period July – December.

Here are some of the recent high-profile victims of Petya ransomware:

  • UKRAINE: Banks, airports, government offices, power grid including the monitoring system at Chernobyl

  • RUSSIA: Banks, an oil company, a steelmaker and notably Russia's state-run Rosneft energy company

  • FRANCE: Saint-Gobain, a French construction-materials company

  • UK: WPP, the world's largest advertising company

  • GERMANY: Deutsche Post and wholesale retailer Metro

  • DENMARK: A.P. Maersk, a global shipping company

Check Point’s recent ransomware defense survey found that 36% of respondents said they had been a victim of ransomware, causing problems including system downtime, loss of productivity and data loss. Petya and the recent WannaCry ransomware are examples of a new generation of stealthy ransomware variants, purpose-made to evade detection by conventional defences using new attack techniques. Furthermore, we are seeing increasing levels of sophistication with ‘file-less’ variants of ransomware that utilise admin tools such as PowerShell to evade detection. These advances leave many organizations dangerously exposed to new and emerging types of ransomware.

In this document, we will examine the current, conventional approaches to ransomware prevention and the shortcomings of these traditional methods against new, zero-day variants. Then we will look at a new approach to detecting, blocking and mitigating the impact of even newly minted, unknown ransomware variants, to better protect your organization’s assets and minimize damage and disruption.

Conventional Ransomware Prevention

The risk of ransomware penetration by itself or in conjunction with other malware can be reduced by implementing several conventional best practices. These can be split into two categories, general good practice and security best practice; these baseline protections are strongly recommended to any organization.

GENERAL GOOD PRACTICE

  • Education: Training users on how to identify and avoid potential ransomware attacks is crucial. As many current cyber-attacks start with a targeted email that does not even contain malware, but only a socially-engineered message that encourages the user to click on a malicious link, user education is often considered one of the most important defenses an organization can deploy.

  • Continuous data backups: Maintaining regular backups of data as a routine process is a very important practice to prevent losing data, and to be able to recover it in the event of corruption or disk hardware malfunction. Functional backups can also help organizations to recover from ransomware attacks.

  • Patching: Patching is a critical component in defending against ransomware attacks, as cyber-criminals often study newly released patches to learn which vulnerabilities they fix and then target systems that are not yet patched. As such, it is critical that organizations ensure that all systems have the latest patches applied, as this reduces the number of potential vulnerabilities within the business for an attacker to exploit.

SECURITY BEST PRACTICE

  • Endpoint protections: Conventional signature-based anti-virus is a highly efficient solution for preventing known attacks and should definitely be implemented in any organization, as it protects against a majority of the malware attacks an organization faces.

  • Network protections: Advanced protections in the enterprise network such as IPS, Network Anti-Virus and Anti-Bot are also crucial and efficient in preventing known attacks. Advanced technologies such as sandboxing have the capability to analyze new, unknown malware, execute it in real time, look for signs that it is malicious code and as a result block it and prevent it from infecting endpoints and spreading to other locations in the organization. As such, sandboxing is an important prevention mechanism that can protect against evasive or zero-day malware, and defend against many types of unknown attacks on the organization.

Analyzing the Gaps in Traditional Prevention Techniques

Unfortunately, despite the importance of conventional ransomware prevention best practices, even implementing them all does not guarantee protection. Many organizations that deployed some, or even all, of those best practices have fallen victim to ransomware mainly due to coverage gaps such as roaming users, removable media, failing to inspect SSL connections and usage of encrypted media. Let’s take a look at the shortcomings of these approaches in turn to understand why.

  • While education is critical, it lacks enforcement capabilities. Employees are only human; they make mistakes and can be manipulated by fairly simple social engineering methods, even when educated about potentially malicious emails. All it takes is a moment’s inattention from a user, and an attack can be triggered.

  • While backups are critical to recovering after a ransomware attack, they can fail at the moment of truth. The backup may not always be up to date, and the process to restore the files from the repository can be long and tedious, introducing delays and loss of productivity while data is being restored. New generations of ransomware are also specifically targeting backups and trying to encrypt or delete them to maximize the ability to collect a ransom. In addition, backing up central file servers may be a relatively easy task, but backing up all of the organization’s endpoints is much more challenging: a great deal of valuable data is actually distributed on endpoint machines, and may not be regularly copied to a central data repository.

  • While regularly patching systems goes a long way to reducing the number of potential exploits, many operating system and application security vulnerabilities are discovered every day. The OS and application vendors release patches and updates to fix those vulnerabilities, but users often fail to install them in a timely manner. Moreover, when those patches are released, attackers are made aware of those vulnerabilities and deliberately exploit the systems that are yet to be patched. And while organizations should strive to have their systems 100% patched, in real life there will always be a gap between the release of the patch and its deployment. This time window is the attackers' chance to attack.

  • For all the protection that endpoint signature-based defenses provide, they are easily bypassed by obfuscated malware and ransomware and are highly dependent on regular updates. Despite blocking many basic attacks, AV solutions are bypassed every day by advanced attacks.

  • While they are a crucial component of an organization’s defenses, network-based protections, such as sandboxes, can only be beneficial when users are connected to the network, and can also occasionally be evaded by malware using sophisticated evasion techniques.

With ransomware becoming ever more sophisticated and only requiring a single weakness in an organization’s defenses to take hold of the IT infrastructure, these gaps clearly need to be closed. Ransomware protection needs a new approach to prevent more businesses from suffering the disruption and damage of rapidly proliferating attacks like Petya.

Taking Ransomware and Malware Head-On

Ransomware has a lot in common with other malware: It infiltrates an organization through email attachments, web downloads or removable media, uses social engineering tricks, and leverages vulnerability exploitation tactics to gain a foothold on its target systems.

But ransomware also has unique characteristics. As the SANS Institute pointed out in its 2016 Incident Response survey, ransomware attacks highlight the need for rapid response, with minimum delay. With other types of malware, the criminals’ objective is to stay hidden from detection for as long as possible, to enable lateral movement on the target network over periods of days or weeks.

In contrast, the objective of a ransomware attack is to quickly prevent users’ access to files, and then encrypt as many files as possible, in the shortest possible time. The faster that ransomware can infect and spread through the target network, the greater the chance that the organization will agree to pay the ransom.

So an effective anti-ransomware solution has to be able to detect the earliest possible signs of infection and indicators of compromise, and then block the infection at source (whether on the endpoint or on the corporate network) before it can start to spread.

Check Point’s malware analysis and threat research teams thoroughly studied thousands of real-world ransomware variants, from hundreds of different ransomware families, all collected in the wild with a simple goal in mind: to understand their fundamental characteristics, such as deleting shadow copies, preparing and displaying ransom notes, the dynamics of file encryption and many more. Building on this understanding, we have defined and developed a dedicated solution that tackles ransomware head-on.

Here are the underlying principles of the solution:

  • Implemented on the endpoint: The endpoint – whether a desktop, laptop or server – is the first target in ransomware attacks. By compromising a single endpoint, the ransomware can spread to network shares, online backups and other resources. Also, as mentioned earlier, the endpoint is often where valuable user data resides. So it is critical that the anti-ransomware solution protects the endpoint itself, to identify the first indicators of compromise and block the spread of ransomware.

  • Built on behavior analysis: Many new ransomware variants found in the wild have not yet been classified. No signatures have been developed or published for them. These variants can bypass signature-based methods of detection and may not even be detected by sandboxing, due to various anti-sandbox evasion techniques such as virtual machine detection, delayed execution and human behavior sensors. However, those evasions are not used on the target system, i.e. the endpoint, because that is where the attack must actually run. Code that is suspected of being ransomware should therefore be detected and blocked by tracing its steps at runtime and looking for signs of suspicious behavior.

  • Can remediate attacks: It is never enough to merely detect and deliver an alert about an attack or infection attempt – ransomware is designed to operate quickly, and could encrypt thousands of files before the alert is noticed and acted on. The anti-ransomware solution should have the capability to detect the attack at the earliest possible stage, ideally before any files are encrypted, completely remove all elements of the infection and remediate the attack.

  • Restores encrypted data: Although the behavioral analysis capability is capable of detecting ransomware attacks at a very early stage, as more sophisticated and complex attacks are developed, detection may well take more time. During that time, ransomware may already begin encrypting a number of files on the machine it first infects. The optimal solution should be able to automatically restore any encrypted data and “roll back” the infection to the exact state the endpoint was in before it.

  • Connectivity independent: When dealing with ransomware, it is not safe to assume that the endpoint device will be connected to the corporate network. The optimal anti-ransomware solution should work effectively in the very likely event that the endpoint is not connected to the network, which means that it cannot use a sandbox inspection and is not receiving regular updates from a centralized threat intelligence feed.

How Check Point Anti-Ransomware Works

SandBlast Anti-Ransomware protects organizations against all types of ransomware attacks, not only blocking infections at the first contact, but also quickly remediating their actions.

The Anti-Ransomware technology utilizes an advanced security engine and algorithms to automatically detect, block and remove the most sophisticated and evasive ransomware infections. By using predictive behavior-based technologies which do not rely on signature updates, Anti-Ransomware is able to identify and remediate zero-day ransomware, and to restore any data or files encrypted during an attack almost immediately, minimizing business disruption.

Anti-Ransomware utilizes a multi-layered architecture to provide a comprehensive solution in the fight against ransomware.

Anti-Ransomware Effectiveness

Using cutting-edge research and dedicated advanced technology is obviously a must in order to combat modern sophisticated ransomware. But how effective is the final product? Answering this question requires constant and rigorous testing with an ongoing stream of current real world ransomware samples.

Anti-Ransomware technology is being rigorously tested in Check Point daily against a continually-updated, extensive range of fresh, real-world ransomware samples found in the wild.

We have devised the following methodology in order to continuously validate the effectiveness of our anti-ransomware solution. Each day, a set of new ransomware samples are gathered from the Internet, and are executed in our research laboratory on a virtualized endpoint that imitates a typical end-user’s physical PC. The only security technology installed and activated on this endpoint is Check Point’s Anti-Ransomware technology; all other endpoint and network security technologies (such as firewalling, IPS, anti-virus, anti-bot, threat emulation, etc.) are disabled. We monitor the malware’s execution to see whether our Anti-Ransomware technology was able to detect the infection and quarantine it before it could start encrypting files. If the ransomware was an advanced, sophisticated variant that was able to start encrypting files before it was identified and blocked, we check that the solution was able to successfully restore the encrypted files to their original state.

Using this process, we test an average of 250 ransomware samples daily. During the 6 months since we started testing, the malware catch rate has exceeded 99%, and is improving every day as the behavioral analysis detection engine is enhanced based on testing. In addition, the false positive rate we are seeing is negligible, both when compared to the impact of an undetected ransomware attack on the organization and in terms of its impact on the organization's everyday operation. In real-life scenarios, where the security protections that were disabled for this testing would be enabled, the catch rate will be even higher, reaching as close as you can get to full protection.
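As an added illustration of the behavioral principles described earlier (runtime tracing of file activity, blocking at the earliest indicator, rollback from protected snapshots) and of the test criterion above (detection before encryption, or otherwise a verified restore), here is a toy endpoint monitor in Python. It is not Check Point's code: the event format, scoring weights, thresholds and ransom-note file names are constructed for this example, and the "disk" is an in-memory dictionary.

```python
import math
from collections import Counter, defaultdict

# Constructed thresholds and indicator list for this toy; a real engine tunes them from samples.
ENTROPY_PLAIN = 6.0        # bits/byte; documents and text sit well below this
ENTROPY_ENCRYPTED = 7.0    # ciphertext and compressed data approach 8.0
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore.html"}
BLOCK_SCORE = 10           # cumulative suspicion at which the process is blocked and rolled back

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class Endpoint:
    """Simulated disk plus a behavior monitor that snapshots, scores, blocks and rolls back."""

    def __init__(self, files):
        self.files = dict(files)          # path -> bytes, the "disk"
        self.snapshots = {}               # (pid, path) -> content before pid first modified it
        self.touched = defaultdict(set)   # pid -> existing paths it overwrote
        self.created = defaultdict(set)   # pid -> paths it created (ransom notes, encrypted copies)
        self.scores, self.reasons, self.blocked = defaultdict(int), defaultdict(list), set()

    def _suspect(self, pid, points, reason):
        self.scores[pid] += points
        self.reasons[pid].append(reason)

    def handle(self, ev):
        """Apply one file-system event; return 'allowed', 'denied' or a block-and-restore verdict."""
        pid, kind = ev["pid"], ev["type"]
        if pid in self.blocked:
            return "denied"                          # a blocked process touches nothing further
        if kind == "write":
            path, data = ev["path"], ev["data"]
            if path in self.files:
                # Snapshot the pre-modification content once per (process, file) into the protected store.
                before = self.snapshots.setdefault((pid, path), self.files[path])
                self.touched[pid].add(path)
                if shannon_entropy(before) < ENTROPY_PLAIN and shannon_entropy(data) >= ENTROPY_ENCRYPTED:
                    self._suspect(pid, 3, f"{path}: plaintext replaced by high-entropy data")
            else:
                self.created[pid].add(path)
                if path.rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES:
                    self._suspect(pid, 3, f"{path}: ransom-note file name")
            self.files[path] = data
        elif kind == "delete_shadow_copies":
            self._suspect(pid, 4, "volume shadow copies deleted")
        return self._remediate(pid) if self.scores[pid] >= BLOCK_SCORE else "allowed"

    def _remediate(self, pid):
        """Block the process, roll back every file it overwrote and remove every file it created."""
        self.blocked.add(pid)
        for path in self.touched[pid]:
            self.files[path] = self.snapshots[(pid, path)]
        for path in self.created[pid]:
            self.files.pop(path, None)
        return f"blocked pid {pid} ({'; '.join(self.reasons[pid])}); restored {len(self.touched[pid])} file(s)"

def demo():
    """Constructed scenario: a benign editor (pid 1), then a ransomware-like process (pid 2)."""
    plain = b"Q3 report: revenue up 4%, costs flat, headcount unchanged.\n" * 20
    cipher = bytes(range(256)) * 4   # stand-in for ciphertext: exactly 8.0 bits/byte
    ep = Endpoint({"report.docx": plain, "budget.xlsx": plain})
    events = [
        {"pid": 1, "type": "write", "path": "report.docx", "data": plain + b"Updated.\n"},
        {"pid": 1, "type": "write", "path": "archive.zip", "data": cipher},  # new high-entropy file: fine
        {"pid": 2, "type": "delete_shadow_copies"},
        {"pid": 2, "type": "write", "path": "readme_decrypt.txt", "data": b"Pay to get your files back."},
        {"pid": 2, "type": "write", "path": "report.docx", "data": cipher},  # tips the score: block + roll back
        {"pid": 2, "type": "write", "path": "budget.xlsx", "data": cipher},  # denied, never reaches disk
    ]
    return ep, [ep.handle(e) for e in events]
```

The benign editor accrues no score even though it writes a high-entropy archive, because only the overwrite of a plaintext file with ciphertext counts; the ransomware-like process is stopped after its first encrypted file, which is rolled back to the editor's saved version, and its second target is never written.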

Summary

Ransomware like Petya is evolving into increasingly dangerous forms that are a major threat to businesses around the world. The inability to effectively counter ransomware attacks can cause significant losses and major disruptions to organizations. Implementing conventional best-practices and anti-malware protections can defend against some well-known, older variants of ransomware, but given the sophistication and ongoing evolution of modern ransomware, they are not enough on their own to identify and block new, zero-day attacks.

Check Point’s Anti-Ransomware technology uses a purpose-built engine that defends against the most sophisticated, evasive zero-day variants of ransomware and safely recovers encrypted data, ensuring business continuity and productivity. The effectiveness of this technology is verified every day by our research team, and it consistently demonstrates excellent results in identifying and mitigating attacks.

SandBlast Agent, Check Point’s leading endpoint prevention and response product, includes Anti-Ransomware technology and provides protection to web browsers and endpoints, leveraging Check Point’s industry-leading network protections. SandBlast Agent delivers complete, real-time threat prevention and remediation across all malware threat vectors, enabling employees to work safely no matter where they are, without compromising on productivity.

To learn more about threat prevention and how Check Point Anti-Ransomware, SandBlast Zero-Day Protection and SandBlast Agent can help protect your company against ransomware, please visit our website at www.checkpoint.com/sandblast.

Frequently Asked Questions on Anti-Ransomware

Our AV has successfully stopped ransomware previously, why do I need Anti-Ransomware?

Traditional AV can be effective in detecting attacks by known ransomware. However, ransomware is constantly evolving, mutating and incorporating new evasion tricks. Many ransomware attacks are capable of evading AV detection, as evidenced by the numerous infections suffered by businesses globally – virtually all of which are utilizing conventional AV solutions. Moreover, signature-less, behavioral-analysis based Anti-Ransomware can automatically recover encrypted files from infected users’ endpoints, even if those machines are offline.

If I use Anti-Ransomware, do I still need my endpoint AV?

We recommend using endpoint AV on all endpoints – it is still an important part of an effective, multi-layered approach to security, and it is still an effective means of preventing the basic malware attacks that remain very prevalent. SandBlast Agent can be deployed alongside any third-party AV solution, or as a single unified product with Check Point Anti-Malware or with Check Point’s full endpoint suite, for an integrated solution with a single agent and management.

How much storage is required for Anti-Ransomware’s file snapshots?

We recommend allocating 1GB of storage for file snapshots. The storage capacity can be custom-configured by the customer.

Do I still need my conventional backups if I use the Anti-Ransomware feature?

Yes. Anti-Ransomware focuses only on recovering data and files that have been encrypted by ransomware in the first stages of infection, not on general purpose backup. In order to ensure data recovery in the event of other situations, such as disk failure, a conventional backup is always highly recommended.

How are file snapshots protected?

File snapshots are protected by the SandBlast Agent self-protection kernel driver, which prevents any attempt to access the data by processes that are not part of SandBlast Agent and signed by Check Point.

What is an IT organization required to do when Anti-Ransomware detects an event?

An IT organization is usually not required to be involved when Anti-Ransomware treats an incident. Anti-Ransomware automatically recovers files affected by the attack and keeps the user notified at every step. The self-service interactive process enables users to independently review and restore files.
