Cracking the ransomware conundrum
The first salvo of shells in the conflict between Ukraine and Russia was launched on the 24th of February 2022. The first weapon deployed, however, one familiar to many of us, was used weeks before the first Russian soldier stepped onto Ukrainian soil. Malware was at the centre of the intelligence war that began long before hostilities involving armour and artillery. A potent wiper named WhisperGate – a type of malware that masquerades as ransomware – was used in attacks on government, non-profit and IT organisations in Ukraine.
WhisperGate runs as a multi-stage attack. Targeting Windows machines, it begins by overwriting the Master Boot Record and displaying a fake ransom note. Next, the malware retrieves a malicious payload from a Discord link and detonates it on the endpoint. The payload corrupts files of targeted types, causing irreversible loss of data. Although it initially behaves like ransomware, no encryption has been observed. The malware therefore does not appear to have been intended for financial gain but rather for disrupting the services of Ukraine’s government agencies, potentially affecting their operational efficiency and thus reducing Ukraine’s capability to protect its borders.
This is not the first time that malware has been weaponised by nation states, nor is it likely to be the last. Whilst malware like WhisperGate is less likely to be used against corporations or individuals, its more commonly encountered cousin, the ever-present ransomware, still poses a very real threat to anyone storing valuable information in digital format. A quick search on the internet shows a plethora of statistics which describe in depressing detail the losses incurred by ransomware victims. This raises the question: how does one guard against ransomware? How does one avoid becoming the next statistic, the next subject of global press making headlines for all the wrong reasons?
I wish I could tell you that there IS a silver bullet, one action, one process, one policy that you could implement to provide one hundred percent protection. There is not. Layers of protection underpinned by a robust offline backup system are a good start. And prevention is still better than cure. An anti-malware solution that provides true zero-day threat protection, that does not rely on cloud-based processing or signature-based updates, that can provide in-memory protection, protect against malicious scripts and process injection, and do all of this whilst offline without affecting the user experience on the endpoint is where I would start. Blackberry Cylance Protect uses a very lightweight agent to protect your endpoints from malicious executables. The agent is, in effect, a mathematical model developed using AI and machine learning, trained on billions of ‘good’ and ‘bad’ files, which can assess previously unseen files with extreme accuracy, pre-execution, and decide whether a file is safe to allow or whether it is malicious and should be quarantined. The agent does not use signatures, so it is never immediately out of date, which means that even if the endpoint is not connected to the network for weeks or months, it remains protected for years against unknown threats. This makes it a great fit for OT and air-gapped networks. The fact that no signatures are used also alleviates every IT manager’s headache of constantly updating anti-malware definitions on endpoints, which can never be fully up to date purely because of how signatures are created. Most importantly, because Blackberry Cylance Protect employs this method of detecting and quarantining malicious executables, it provides true zero-day protection. In fact, the Blackberry Cylance Protect agent created in 2015 could successfully detect and prevent the WannaCry malware, which was first identified in 2017. That’s over 20 months before the malware was first seen in the wild. That’s pretty emphatic zero-day protection.
Once you’ve decided which is the best anti-malware product for your environment (hint – it’s Blackberry Cylance Protect), you need to ensure it’s deployed on every endpoint. After all, you’re only as strong as your weakest link. So how do you achieve one hundred percent coverage of your estate? Well, to begin with, you need a hyper-accurate inventory. That’s easier said than done, I hear you say... or is it? Traditional asset management consists of network discovery, agent-based systems and the ever-faithful Excel spreadsheet. But network scans are unreliable – ever heard of local firewalls, or of devices simply not being on the network? And how do you know that your agents are deployed to every device if your inventory itself relies on agents being deployed to every device? Clearly, a new approach is needed. Enter Axonius: a new way of creating and maintaining a hyper-accurate inventory of your estate. Axonius, which can be consumed as a virtual appliance or cloud solution, simply connects to your existing management tools and imports all the relevant information into its database. It then correlates that data, deduplicates it and provides you with the most accurate picture of your environment. And all in less than ten minutes. In fact, Axonius can connect to your Blackberry Cylance Protect management console, import all the information about agent versions on endpoints and allow you to compare it to, say, your Active Directory or your vulnerability scanning tools, or both at the same time. You can even configure policies to generate alerts when a new machine is identified that is missing the Blackberry Cylance Protect agent, and Axonius also provides the tools to auto-remediate the offending endpoint.
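To make the correlation idea above concrete, here is an added illustration (not Axonius or Blackberry code) of the logic in its simplest form: three constructed source exports (directory, anti-malware console, vulnerability scanner) with hypothetical field names are merged on a normalised hostname, duplicates collapse, and the gaps an alert policy would flag fall out of the merged view: hosts with no agent and hosts whose agent version is below a minimum.

```python
# Added illustration, not Axonius or BlackBerry code. All three "exports" below are
# constructed sample data; field names are hypothetical.
AD_COMPUTERS = [                      # directory: every domain-joined machine
    {"name": "WS-001.corp.example"},
    {"name": "ws-002.CORP.example"},
    {"name": "SRV-DB1.corp.example"},
    {"name": "SRV-DB1.corp.example"},  # duplicate record, must be collapsed
]
EDR_AGENTS = [                        # anti-malware console: hosts with an agent
    {"hostname": "WS-001", "agent_version": "3.1.1001"},
    {"hostname": "srv-db1", "agent_version": "2.1.1580"},
]
VULN_SCAN = [                         # vulnerability scanner: hosts it reached
    {"host": "ws-002.corp.example"},
    {"host": "srv-web1.corp.example"},
]

def canon(name):
    """Normalise a hostname so one device matches across sources."""
    return name.strip().lower().split(".")[0]

def version_tuple(v):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in v.split("."))

def correlate(ad, edr, vuln):
    """Merge records from each source into one entry per device."""
    devices = {}
    def entry(raw):
        return devices.setdefault(canon(raw), {"sources": set()})
    for rec in ad:
        entry(rec["name"])["sources"].add("ad")
    for rec in edr:
        d = entry(rec["hostname"])
        d["sources"].add("edr")
        d["agent_version"] = rec["agent_version"]
    for rec in vuln:
        entry(rec["host"])["sources"].add("vuln")
    return devices

def missing_agent(devices):
    """Devices known to AD or the scanner but absent from the EDR console."""
    return sorted(h for h, d in devices.items() if "edr" not in d["sources"])

def outdated_agent(devices, minimum):
    """Devices whose agent is below the minimum acceptable version."""
    return sorted(h for h, d in devices.items()
                  if "agent_version" in d
                  and version_tuple(d["agent_version"]) < version_tuple(minimum))

if __name__ == "__main__":
    inv = correlate(AD_COMPUTERS, EDR_AGENTS, VULN_SCAN)
    print("no agent:", missing_agent(inv))
    print("old agent:", outdated_agent(inv, "3.0.0"))
```

Note that srv-web1 is invisible to the directory and the console and is only caught because the scanner reached it, which is exactly why a single source can never give full coverage.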
Ransomware is unfortunately here to stay and malicious actors will continue to test our defences. Blackberry Cylance Protect and Axonius are the first two products I would want in my armoury in the war against cyber attackers.
Find out more:
Blackberry: https://www.ignition-technology.com/me/vendor/blackberry/
Axonius: https://www.ignition-technology.com/me/vendor/axonius/