Posted by Remote Management Staff
Remote Management Staff

ITbrain Anti-Malware - Active Ransomware Protection

WannaCry, NotPetya, Locky and BadRabbit – just four of many infamous ransomware attacks in 2017 that have affected public institutions and businesses around the world. Falling victim to a ransomware attack can be very time-consuming, costly, and all-around damaging for your business. With ITbrain Anti-Malware you are now even better protected against these kinds of attacks!

What is Ransomware?

Ransomware is a type of malicious software used by cyber-criminals to encrypt files on a device. It can limit or even prevent users from accessing their files until a certain ransom is paid. 

Infected systems get notified that files have been encrypted and are given instructions on how to obtain the decryption key. Payment is often demanded in a virtual currency, such as bitcoin, so as not to reveal the cyber criminal’s identity. Ransomware attacks, and the complexity of the malware used in these types of attacks, have increased since 2011. Every year we see an upward trend in Ransomware distribution and attacks.

How does ITbrain Anti-Malware protect your managed systems from these attacks?

While engineering our Active Ransomware protection system we took a step back and analyzed what the core need is for Ransomware to succeed on a system.

  • First was the entry point in the system or initial infection process.
    • On-Access scanning protects the system from all known malicious content with hourly signature updates.
  • If an unknown Ransomware application bypasses the On-Access scanning engines, it then needs to search for important file types and encrypt them.
    • This is where we knew we needed to find a solution to stop this process from happening.

Active Ransomware Protection will protect specified folders from being read or written to by unknown applications such as Ransomware or other malicious Software. We have an intelligent system which will check read/write attempts by applications and will grant or deny access to those folders.

The system is designed to be simple to use and powerful at the same time.

  1. Activate and set Protected folders

Add protected folder paths to the Policy and any unknown application will be blocked from modifying files, thus preventing unauthorized encryption or manipulation by Ransomware or any other malicious Software.

Hint: In Manage protected folders you can add any folder paths you think are important to protect.

Note: Do not include Application Folders or Important operating system folders as they can cause issues.

  2. Add Trusted Applications

If you have applications which need to have read/write permission, add them to the list so they can access the protected files when needed. Applications such as Microsoft Word, Adobe Acrobat, Dropbox and many other trusted applications will be allowed by the system to access protected files.

Hint: If you use older (legacy) applications in your networks, we recommend adding them to the Trusted applications list.

At this point, you are all set. Save the policy and all settings will be pushed to your devices in seconds.

  3. Blocked Applications

If an application is prevented from writing or modifying files in the protected folders, it will be shown in the Blocked applications list, and you can take the appropriate decision to add it to the Trusted applications or to investigate further.

If a blocked application is trusted in your environment, add it to the Trusted Applications list. Use the copy to clipboard icon to get the full Application path and then add it to the Trusted applications list in the Anti-Malware policy.

Do not hesitate to comment on this post or contact our support (support@itbrain.com) if you have any questions or issues related to Active Ransomware Protection.

Product Owner, Remote Management services.
6 Replies
Posted by trasky
Digon

Re: ITbrain Anti-Malware - Active Ransomware Protection

You wrote an amazing guide but you missed some of the points. I recently went through some safety tips to protect yourself from a ransomware attack. It may add value to your guide.

Thanks.

Posted by perarzhur
Digon

Re: ITbrain Anti-Malware - Active Ransomware Protection

Good explanation. Thank you.

Posted by brelandr
Henagon

Re: ITbrain Anti-Malware - Active Ransomware Protection

Can wildcards be used in the path? For example, in the policy: c:\users\%\MyDocuments\%

Posted by Remote Management Staff
Remote Management Staff

Re: ITbrain Anti-Malware - Active Ransomware Protection

Hi @brelandr

For better protection, the wildcards "*" for Active Ransomware protection are not working.

You will need to add specific file paths to be protected. This was a decision we took based on the recommendation from our Malware researchers and how Ransomware works. 

Our priority is to make sure folders are protected even if it creates a bit more work to set them up. We will try to see in the future if we can add secure wildcards to the protected paths. 

Product Owner, Remote Management services.
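
A pre-flight check for a protected-folders list, added here as an example (not ITbrain code and not part of either post): it applies the original post's note about operating system and application folders and the reply above that wildcards are not supported. The list of system folders, the `{user}` template and the sample accounts are assumptions.

```python
from pathlib import PureWindowsPath

# Assumed OS/application folders; the post does not enumerate them.
SYSTEM_ROOTS = [PureWindowsPath(p) for p in (
    r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)", r"C:\ProgramData")]
WILDCARDS = set("*?%")  # "%" is the form used in the question in this thread


def _within(child, parent):
    """True if child equals parent or lies below it (Windows paths compare case-insensitively)."""
    return child == parent or parent in child.parents


def check_path(raw):
    """Return (ok, reason) for one candidate protected-folder path."""
    if WILDCARDS & set(raw):
        return False, "wildcard"
    path = PureWindowsPath(raw)
    if not path.is_absolute():
        return False, "not absolute"
    for root in SYSTEM_ROOTS:
        if _within(path, root):
            return False, "inside system/application folder"
        if _within(root, path):
            return False, "contains system/application folder"
    return True, "ok"


def expand_per_user(template, users):
    """Turn a hypothetical {user} template into one explicit path per account."""
    return [template.format(user=u) for u in users]


def build_policy(candidates):
    """Split candidates into accepted paths and rejected (path, reason) pairs."""
    results = [(raw, check_path(raw)) for raw in candidates]
    accepted = [raw for raw, (ok, _) in results if ok]
    rejected = [(raw, reason) for raw, (ok, reason) in results if not ok]
    return accepted, rejected


# Constructed sample input: two made-up accounts plus paths to exercise each rule.
CANDIDATES = expand_per_user(r"C:\Users\{user}\Documents", ["alice", "bob"]) + [
    r"c:\users\%\MyDocuments\%", r"C:\Windows\System32", "C:\\", r"D:\Finance\Invoices"]

if __name__ == "__main__":
    accepted, rejected = build_policy(CANDIDATES)
    print("accepted:", *accepted, sep="\n  ")
    for raw, reason in rejected:
        print(f"rejected: {raw} ({reason})")
```
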
Posted by Rich_Richardson
Photon

Re: ITbrain Anti-Malware - Active Ransomware Protection

I'm curious,

Would it be security wise to create TViewer in a virtual setting? 

If a VM of sorts were generated per session. What are your thoughts on this? As the session opens a (VM) computer is present. Once the session is closed, the computer literally does not exist anymore. 

Posted by Remote Management Staff
Remote Management Staff

Re: ITbrain Anti-Malware - Active Ransomware Protection

Hi @Rich_Richardson

In the presented situation, I am not sure TeamViewer can help here if at every "creation" of the VM a new ID will be generated. I think this setup is secure as it is if it is sandboxed properly.

Product Owner, Remote Management services.