©2019 Security Unleashed | New Delhi

  • Animesh Gupta

Protecting Against New Strains of Ransomware



The below will help you proactively protect your Business/Home systems against Ransomware including new strains that Antivirus Solutions do not currently have signatures for and so can not protect you against.

Due to the speed in which Malware mutates it is important to realize that Antivirus Solutions alone can not be relied upon to protect your organisation.


Why Antivirus (AV) is Ineffective


Antivirus (AV) Signature Based Detection


AV Signature based detection is flawed and can be bypassed simply by splitting a Malware binary into multiple parts, finding which part flags Antivirus and then opening this part in a Hex editor such as Hex Workshop and zeroing out the signature.

Note: Occasionally this can destroy a critical function rendering the Malware corrupt so it will no longer execute.

A smarter alternative to hex editing binaries is using a runtime Crypter (That encrypts the binary and decrypts it in memory) as it will mask any signatures created by AV solutions.

Note: Some Crypters are flagged by AV due to them being used in the past to encrypt malware. UPX anyone?


AV Advanced Heuristics


Advanced Heuristics are good at flagging malware by monitoring binaries making calls to APIs generally used for malicious purposes, dropping to System32 and adding startup registry entries, but injection into processes is not flagged.

Note: Common processes to inject into include iexplorer.exe, chrome.exe, firefox.exe, explorer.exe and svchost.exe

AV fails when it comes to detecting fileless malware such as the commonly used Meterpreter; the techniques used by Advanced Heuristics can not be utilized and so AV is forced to use Signature based detection which as I have previously stated can be defeated by runtime Crypters.


Solution


Invest in an Endpoint Security Solution as they provide far greater protection than traditional AV by monitoring for process injection and using other honeypotting techniques.


Business Users


Rule 1: Antivirus Solutions are ineffective.


Rule 2. Invest in a Endpoint Security Solution such as Cybereason Total Endpoint Protection that uses Advanced Heuristics in order to perform behavioral analysis and honeypotting techniques to detect new strains of Ransomware.


Rule 3. Create a SOC to monitor your Endpoint Security software.


Home Users


A free solution for home users running Windows 7/8/10 called RansomFree (created by Cybereason) can be used to prevent infection by new strains of Ransomware. RansomFree will suspend any process it detects starting to encrypt files.



Cryptowall Payload:



Cryptowall Payload Dropped:



RansomFree Cleanup Message:



0 views