Don’t be held ransom by your anti-malware software.

The rapidly changing landscape for business has changed cybersecurity dramatically. The shift to remote and cloud-based work has meant that employee identities and devices are no longer behind the locked and monitored perimeter, providing the perfect beachhead for attacks. This is a key reason ransomware attacks have grown exponentially, and it’s now estimated that a new ransomware attack takes place every 11 seconds in 2021. (FBI)

While ransomware has gained everyone’s attention, these types of malware only represent between 5% to 21% of all malware attacks. Malware, or malicious software, is any piece of software that was written with the intent of harming systems, organizations, or people. Types of malware include computer viruses, trojans, spyware, ransomware, adware, worms, file-less malware, or hybrids of the above.

Ransomware has managed to achieve our attention and celebrity status among malware because it represents the modern-day bank heist. Ransomware encrypts a victim’s files, and the attacker then demands a ransom from the victim to restore access to the data upon payment. The costs can range from a few hundred dollars to thousands and are usually payable to cybercriminals in Bitcoin to avoid detection. The estimated cost of ransomware to business in 2021 is $6 Trillion annually.

There are many vectors ransomware can take to access a computer. One of the most common delivery systems is phishing spam, where attachments come to the victim in an email, masquerading as a file they should trust. Once downloaded and opened, they can take over the victim’s computer, especially if they can gain administrative access through social engineering or an abundance of system exploits. From there, the ransomware gang will continue to hack your systems and applications until they take control over mission-critical systems and data.

Ransomware authors have been getting increasingly sophisticated in their ability to collect ransoms. They do not rely on automated pieces of code but manually hack systems and networks until they get the right level of access and the data. They will impersonate law enforcement, suppliers, and software vendors. They will delete or infect your backups. They even have support channels to “help” the victim purchase bitcoins and pay the ransom to release the system or regain access to critical data.

How to avoid Ransomware?

The sophisticated nature of malware evolution creates a pervasive sense that it’s somewhat hard to prevent attacks. Two standard anti-malware solutions tend to be deployed as a defense. The first is the old-fashioned 90’s Norton Antivirus style of software that uses signature-based detection.

In other words, we know about this particular virus or malware, so we add it to the signature database, and we keep adding new signatures every time a new virus crops up. Sometimes different signatures will expire because they become old, and sometimes, expired viruses come back in a more dangerous configuration.

These signature style detections are fine, except they only detect things that have already been discovered and analyzed by the anti-malware vendor. In other words, somebody else got infected, and their whole network was destroyed before we learned to add that virus signature into our signature database. It is built on the vaccine model to a large degree, and it relies on you not being the first to get it in order for it to work effectively for you. The problem with this strategy is that there are at least 560,000 instances of new malware being created and detected each day, making anti-malware a weak defense strategy alone.

The second approach is more defensive by nature and has two variations. The first works on protecting the technical environment so that a malware detonation doesn’t impact everything, typically by sandboxing systems internally. This approach separates systems by compartmentalizing everything so that your system can’t be severely damaged when malware goes off.

This approach does work in many cases, but it is challenging to compartmentalize everything, and there are often compatibility and execution issues during implementation and management with this approach. It is akin to trying to reach into the core of Windows or macOS and changing how the operating system behaves, which is very risky because it may lead to compatibility issues, performance implications and operational challenges.

The second category is a more advanced anti-malware solution based on behavioral detection heuristics algorithms that identify behaviors that likely indicate malware activity in general. This is a pure heuristic behavioral detection approach where the anti-malware software is looking for things that malware would do, like attempt to gain kernel access or system privilege, write data in a certain way, or execute processes. It will proceed to terminate the suspected malware before it can do any damage. The problem with that is a lot of our regular applications also do those things, but only occasionally, so it’s challenging to fingerprint what activity is legitimate and what is malicious.

In other words, the anti-malware software needs to recognize a potential threat that is trying to take control of your system from existing software that is simply trying to do an update every few months after it was initially installed. The last thing you want is to have your software stop working because the anti-malware blocks its’ update packages. Suppose the anti-malware is constantly blocking off valid updates. In that case, it could reach a point where the users eventually turn it off, ultimately defeating the implementation of the anti-malware in the first place.

What you want to find is a middle ground where you have software that is easy to implement and maintain and detects the things that are most likely to be extremely evasive and dangerous. You also need that solution to be affordable.

What are the best defensive strategies?

There are a lot of anti-malware solutions out there, and everybody’s questioning what the best option is. At Parabellyx, we believe that education is the best form of prevention, which is why we maintain an operating philosophy that everyone should “trust but verify” everything. This includes anti-malware vendors, some of whom have some pretty extraordinary claims about preventing things that aren’t necessarily true. A lot of the malware detection and prevention software have specific areas that they’re very effective in and other areas where they aren’t as effective.

Anti-malware tools are generally evaluated based on cost, effectiveness and complexity. For most companies, significantly more expensive tools might do the job slightly better, but they also bring many mixed challenges on several different fronts. Generally speaking, the more expensive software systems tend to be more complicated to execute as they break down your infrastructures in a way that makes it difficult for malware to be effective. This makes managing your infrastructure more expensive and challenging as well.

For instance, some behavioral profiling solutions are tough to manage because you end up with hundreds of behavior profiles across different systems. You have to approve each of them manually on a daily basis. This means that somebody has to log in and spend an hour approving behavior analytics packages, and, in the meantime, the user that’s trying to do these business activities is stalled as they wait for you.

Other solutions require advanced file fingerprinting, which changes how your company will work and is also not very practical to manage internally. These types of solutions can be done, but they’re labor-intensive, and you must manage the lifecycle of the product very carefully to maintain the product’s effectiveness.

So, while these systems can be more effective at preventing malware, you need to evaluate “less effective” solutions that can be more effectively implemented and managed. The objective evaluation is understanding how much effective is the more expensive solution versus cheaper solutions that are easier to manage. Is the increased efficacy of more expensive systems enough to justify the complexity and increased cost to maintain the infrastructure running smoothly?

Keep in mind that no single solution is right for everyone, which is why the Parabellyx team has always maintained a software agnostic stance. We prefer to find the right solution for each customer, but we have also found some solutions that work well for many of our clients. One of the solutions that Parabellyx has adopted was a solution that actually detected and stopped the “SolarWinds” attack when their behavior detection tool caught behaviors that were suspicious very early in the lifecycle of that attack.

The software detected and stopped it because the system was able to flag suspicious behavior, and the suspicious behavior was simply blocked and added to a list of hundreds of other pieces of suspicious behavior. We were able to look back at the logs and could see that the software blocked this very pernicious and widespread attack without the client even realizing they were threatened. This has been a piece of software that we can recommend for a large number of clients due to its’ efficacy in the actual environment.

How should you determine the best anti-malware solution for your company?

It starts by outlining the risk and then finding practical solutions that are viable to implement and manage within your budget. You want to understand if you can afford more expensive solutions without having to cut corners in other cybersecurity areas. The last thing you want is to budget and then fully implement the solution only to have to cut corners in different areas that potentially create opportunities for other breaches and threats to affect the business. You’ve spent X amount of dollars and time, but you’re significantly disadvantaged compared to somebody who maybe bought a less expensive solution.

When you are determining your cybersecurity strategy, it needs to be well thought out and holistic to maximize the overall protection of the entire company. True protection will require a broader integrated strategy, otherwise, you’re creating the best front door defense that you can, but you’re neglecting the backdoor and all the windows. The fact is that an effective malware solution that requires 100% of your cybersecurity budget isn’t feasible. But what if you could get a 90% or 95% solution for 10% or 15% of your cybersecurity budget, allowing you to protect the rest of the house more effectively with the remaining budget.

The best type of anti-malware is based on behavioral detection, given the fact that most social engineering attacks create similar behaviors. If you can detect the behavior and prevent that behavior from progressing to an attack, you can defeat the attacker before they get to your door.

Unfortunately, an anti-malware solution by itself is never 100% effective in preventing ransomware, simply because ransomware is not a piece of code but a set of actions executed by a professional hacker that includes multiple tools and software packages. Therefore, ransomware prevention depends on security hygiene (patching, security hardening, identity and access management) and user education, something that anti-malware does not offer.

Parabellyx offers an 18-point Ransomware Impact Assessment service that provides companies with technical intelligence and a strategic plan to achieve ransomware resilience as part of security and IT operations.