Protecting Against Ransomware Requires Three Layers of Defense

Ransomware is a form of malware in which the attacker encrypts a user’s data and demands a ransom from the victim to restore access to their files. It is a pervasive and still growing threat. Ransomware attacks on businesses increased by 500% from Q1 2018 to Q1 2019, and are expected to cost businesses upwards of $15 billion over the next year.


How Ransomware Works

  • A user is tricked into downloading a file and granting it enough privileges to perform follow-on actions, such as downloading additional payloads.
  • Once downloaded, the malicious program does one of two things, or in some cases both:
    1. Encrypts data files, locking them even from an administrator. If a business’s critical data is not properly backed up, it is at severe risk in this case.
    2. Moves laterally on the internal network, finding other victim machines including file servers and database servers.
  • Once these files are encrypted, business operations may be crippled, especially if customer data is now locked up. At this point the attacker displays a ransom note explaining what the victim must do in order to regain access to the data.

Some Preventive Techniques

The most important precaution to take against ransomware is backing up your data. If you fall victim to a ransomware attack and don’t have a backup of the files that are encrypted, the only remediation is to pay the ransom, which on average costs nearly a hundred thousand dollars and is rising quickly. To understand how best to prevent this from happening, first understand how ransomware is delivered.

Ransomware is delivered from the outside to the victim’s machine by:

  • Email – Usually an email attachment or a URL in the email content that triggers download of the malware when clicked.
  • Drive-by Download – A compromised website that downloads malware when unsuspecting users visit the site.

The more dangerous ransomware families also carry modules that allow them to move laterally and infect other systems on the same network.

Given these factors, the best strategy for avoiding getting into this situation is to take the following preventive measures:

  • Identify and block ransomware in emails and in file downloads through the web browser
  • Prevent lateral movement within the internal network

Detecting ransomware can be challenging because there are thousands of varieties and most are able to evade the basic anti-malware protection offered by email providers.

How Lastline Protects You From Ransomware

Lastline offers the only solution that builds three layers of defense against ransomware.

  • The first layer looks at the file itself. Our unique file analysis capabilities look not only at the malicious behaviors exhibited by the file but also at its evasion techniques. This is the foundation and DNA of the company – understanding all aspects of the malicious behavior engineered into a piece of malware.
  • The second layer analyzes network traffic and identifies suspicious and malicious network activity based on the reputation of where the traffic is coming from, protocol anomalies, and known exploits on the network.
  • The third layer is understanding the behavior of each and every machine on the network, including endpoints, servers, and IoT devices. At Lastline we use network data to build deep profiles of every machine based on its actual network interactions and identify anomalies against either its individual profile or its cohort profile.

Given these capabilities, Lastline will categorically stop ransomware attacks by:

  • Examining files in email and web downloads, stopping the attack at the first layer of defense
  • If a user’s or partner’s machine is infected offsite and attempts to spread once connected to your network, we will see the lateral movement using our second and third layers of defense. So, even if we did not have an opportunity to see and block the file, we can recognize the fingerprint of the ransomware attack and stop it.
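To illustrate the third layer and the lateral-movement detection described above, here is an added example (not Lastline’s code) that scores each host’s count of distinct SMB peers per hour against its own historical profile and against its cohort’s profile. The flow records, host names and cohort labels are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (not real telemetry): (hour, src_host, dst_host, dst_port).
# Hours 0-5 are history; hour 6 is the window being scored.
FLOWS = []
for h in range(7):
    for ws in ("ws1", "ws2", "ws3"):
        FLOWS.append((h, ws, "fs1", 445))             # normal: one file server per workstation
    for i in range(15):
        FLOWS.append((h, "bk1", f"srv{i}", 445))     # backup server is always SMB-chatty
for i in range(20):
    FLOWS.append((6, "ws3", f"host{i}", 445))        # ws3 suddenly touches 20 new SMB peers

COHORTS = {"ws1": "workstation", "ws2": "workstation", "ws3": "workstation", "bk1": "backup"}
SMB_PORTS = {139, 445}

def smb_peers_per_hour(flows):
    """host -> hour -> number of distinct SMB destinations contacted in that hour."""
    peers = defaultdict(lambda: defaultdict(set))
    for hour, src, dst, port in flows:
        if port in SMB_PORTS:
            peers[src][hour].add(dst)
    return {h: {hr: len(s) for hr, s in hrs.items()} for h, hrs in peers.items()}

def threshold(samples, z=3.0, min_delta=3):
    """Upper bound of 'normal': mean + z sigma, but never tighter than min_delta above the mean."""
    return mean(samples) + max(z * pstdev(samples), min_delta)

def lateral_movement_anomalies(flows, cohorts, current_hour):
    """Return {host: (peer_count, reasons)} for hosts exceeding their own or their cohort's profile."""
    counts = smb_peers_per_hour(flows)
    history = {h: [c for hr, c in hrs.items() if hr < current_hour] for h, hrs in counts.items()}
    cohort_hist = defaultdict(list)
    for host, samples in history.items():
        cohort_hist[cohorts[host]].extend(samples)
    findings = {}
    for host, hrs in counts.items():
        now, reasons = hrs.get(current_hour, 0), []
        if history[host] and now > threshold(history[host]):
            reasons.append("individual")              # unusual for this specific machine
        cohort_samples = cohort_hist[cohorts[host]]
        if cohort_samples and now > threshold(cohort_samples):
            reasons.append("cohort")                  # unusual for machines of this role
        if reasons:
            findings[host] = (now, reasons)
    return findings
```

Calling `lateral_movement_anomalies(FLOWS, COHORTS, current_hour=6)` flags only ws3; the backup server stays quiet because its own profile already expects many SMB peers, which is the false positive a cohort-only or global anomaly rule would raise.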

Most Network Traffic Analysis (NTA) vendors try to find ransomware based only on anomalies, many of which are benign and it’s often after the malware has already taken hold. It’s like trying to identify an intruder only when they have entered your house and you see unusual movement at 2am – it’s probably too late by then.

Lastline Defender combines examining the intruder at the doorstep and correctly recognizing the malware to prevent access. As a safety net, it also uses anomaly detection and real-time network traffic analysis to identify ransomware’s lateral movement.

To learn more about how Lastline Defender protects against ransomware, request a demo.

Mustafa Rassiwala

Rassiwala has more than 10 years of experience in security product management, building DLP, SIEM, security analytics, fraud management and network security products. He has proven success at many companies including RSA, Symantec, HPE (ArcSight) and startups such as ThreatMetrix, Platfora and JASK. He has also held engineering roles at EMC/Documentum.