TECHNICAL BRIEF

Ransomware Prevention is the only option


The news is full of reports of the latest data breach, in spite of the fact that most organizations
have signature-based solutions like anti-virus deployed broadly. So why are data breaches still so
prevalent? Modern threats are often designed to bypass existing security measures or to inflict
damage that is virtually impossible to clean up after the fact. Simply detecting these advanced
threats is challenging enough, but with ransomware and other advanced malware it is critical to
prevent the threat before the damage is done.

What is Ransomware?

Ransomware is a category of malware that encrypts the victim's data and then requests payment in
exchange for a key that allows the victim to regain access to their data. Not only are the payment
methods often risky, but if you pay the ransom once, what's to stop the attacker from targeting your
systems again? There is also no guarantee that you'll get access to your data once you pay the
ransom. Unfortunately, few end users have a current backup of their data that is disconnected from
their computers, so regaining access to data being held hostage is a priority. Even if you have a
backup, it takes hours or even days to reimage, restore data, and move back in to your computer,
which translates to lost productivity for IT and the end user.

What's new?

Like the technologies designed to battle malware, ransomware is constantly evolving:

- To further complicate the recovery process, some ransomware variants don't just encrypt data,
  they encrypt the entire hard drive.[3]
- In March 2016 the FBI issued a warning that hackers were disguising ransomware as a message from
  the FBI.[4]
- Ransomware like PowerWare infects via a semi-fileless attack that exploits PowerShell scripting,
  thus making it even harder for traditional solutions to identify the malware.
- Petya is a ransomware variant that crashes the system and then prevents it from booting into
  Safe Mode.

Locky, CryptoLocker and CryptoWall are three well-known ransomware variants. CryptoLocker alone
brought in an estimated $3 million[1] before authorities acted to take it down. CryptoWall was estimated
to have extorted over $18 million[2] from unfortunate victims by June 2015. Not only are these thieves
hard to catch, but they typically ask for ransom amounts that represent less of a loss to the impacted
organization than the loss of their data.

The ultimate goal for the attacker is to install a malicious executable, sometimes even one with a valid
digital signature. The ransomware is then run on the target system, the data is encrypted and the
ransom demand is displayed. If the attacker already has access to an organization via previously
distributed malware, this is fairly trivial. If there is no existing access, or the hacker wants to impact a
large number of victims, JavaScript is a common mechanism to accomplish this. For example, an
apparently legitimate online advertisement can include hidden code that redirects visitors to one of
several different exploit kit-backed sites, thus infecting a computer the attacker had no previous
access to.

Find out More: www.sanitysolutions.com/solutions/security | 720.570.1668 | 1720 S. Bellaire #550 Denver CO 80222
Ransomware spreads in a variety of ways, including:

- Sneaker-net is a simple way to distribute malware via USB flash drives and other media that is
  typically used for data sharing. Hackers have been known to drop infected media in parking
  lots and lobbies of companies they wish to target, or at a big conference. There are even
  reports of manufacturers delivering new USB media that is infected with malware.

- Drive-by-download, where the attacker places an advertisement with hidden, malicious
  JavaScript on a legitimate website. Often all the user has to do to get infected is to load the
  web page or scroll past the advertisement, without ever clicking on anything.

- Vulnerabilities in known-good applications like Adobe Flash are another ransomware
  distribution mechanism. Attackers leverage these vulnerabilities to deliver malware to
  unfortunate victims. Software like this is widely used and often left unpatched, thus allowing
  even previously identified and fixed vulnerabilities to be used for many years after the vendor
  updates their software.

Summary

FBI recommendations for avoiding ransomware include using anti-virus software from a reputable
source, but anti-virus is already widely deployed in most organizations and ransomware still continues
to spread. This might be understandable if this were a brand new type of attack, but ransomware has
been around for over a decade. Many ransomware victims have been infected through malicious
advertisements on legitimate websites. This is especially hard to avoid when ransomware is delivered
via drive-by-downloads that don't even require user interaction: simply browse a web page without
clicking on anything and you are infected. Some CryptoWall attacks take advantage of previously
known Adobe Flash vulnerabilities, which means whitelisting known-good applications like Adobe
Flash also isn't enough to stop this threat. In all these cases it's entirely possible the victim is just doing
their job and not participating in high-risk activities. While education is helpful, it is important to find a
solution that frees end users to work as they need to, without fear of compromise.

Dell's revolutionary advanced threat prevention addresses all these attack vectors to stop ransomware
before it can run, without signature updates or a constant cloud connection. Contact us to see how
we can help you prevent 99% of malware, far above the average 50% of threats identified by the top
anti-virus solutions,[5] or visit us at Dell.com/DataSecurity to learn more about Dell Data Protection |
Endpoint Security Suite Enterprise with Dell's revolutionary advanced threat prevention.

[1] http://www.bbc.com/news/technology-28661463
[2] http://arstechnica.com/security/2015/06/fbi-says-crypto-ransomware-has-raked-in-18-million-for-cybercriminals/
[3] http://www.securityweek.com/petya-ramsomware-performs-two-step-encryption
[4] https://www.fbi.gov/sanjuan/press-releases/2016/fbi-warns-the-public-about-ransomware-internet-scam
[5] Results from Cylance Unbelievable Demo Tour, Austin, Dallas and Houston, Texas, May 2015
