Most people think ransomware is some new attack that has only recently come to the forefront of the cyber defense space. Not so. In truth, ransomware dates back to an original piece of malicious code, known as AIDS, written in 1989 by Joseph Popp. That’s right, 1989. 30 years ago. This original ransomware would replace AUTOEXEC.BAT on infected systems, and would allow for 90 reboots of the system before it hid all of the directories and claimed to encrypt the files. So, in reality we have been collectively operating in a world with ransomware in effect for over 3 decades, wow.
Today’s ransomware is usually malicious software that either copies your data, or encrypts your data, or possibly even changes key system passwords, this software essentially holds the infected systems ransom until a payment is made. Once the ransomware has been executed on your system. The attacker will either encrypt or lock you out of your system. Or copy your data.
Most people think this attack will only target valuable data, but the attack can be much more malicious in nature. Thanks to the power that the attackers can wield in unprotected systems they could leverage embarrassing data as part of an extortion agenda. The attacker can use your web history, recording your camera, or customer data such as healthcare information against you as part of this extortion operation.
Ultimately, the attacker will make a demand. Pay a large amount of money if you want the decryption keys to your data, otherwise they will destroy or permanently encrypt your data; rendering it unusable. Or if you don’t pay they may threaten to post your customer data on a social media site such as Twitter or Facebook. All of which can be very, very bad.
Ransomware can technically execute in a variety of methods. Some of the common methods include:
Email attachment that could contain an embedded piece of malware.
A file downloaded from the internet.
A malicious actor logging into your server using weak password and executing some kind of software.installing,
Breaking into your I.T. management tools.
A vulnerability on a system, that allows malware to run. Basically, via bad patch management.
Code hidden inside of aAn executable document that runs existing software on your computer to encrypt or copy your data.
The main problem that we have collectively accepted is the reality when it comes to combating ransomware is that normal Anti-Virus solutions are “built” to stop this threat. This is wrong. Anti-Virus tries to stop ransomware by blocking its execution based on known ransomware or tracking previous patterns and leveraging those signatures to stop the threat upon its execution. That works fine for “normal” or “known” samples of ransomware but in many cases, as has been shown by all the ransomware exploits in the news, the specifics of the ransomware aren’t ever known. Or in the other cases that were mentioned above there is no way for Anti-Virus to stop the malicious software because the software itself is being executed by an authenticated user, so the system doesn’t pick up on the attack.
ThreatLocker approaches stopping the problem that ransomware presents in an entirely different, and more elegant manner. First ThreatLocker blocks everything that is not trusted by your I.T department, period. Everything that is not authorized specifically by your IT team is not allowed to execute. This stops all ransomware that does not use tools that are built directly into your operating system.
The second method ThreatLocker uses to stop ransomware is Ringfencing. This approach is where ThreatLocker controls access to databases and resources based on an application approved access, but again ThreatLocker does not allow default operations or accesses to connect or execute on any asset unless specifically authorized by the IT department. Our approach stops an application from spawning in the first place, so malicious software cannot execute and therefore never has the chance to cause a ransomware event. Added to that, ThreatLocker stops applications from accessing critical assets or infrastructure accessing the internet, unless they are specifically authorized by the IT department or determined to be a required function of a built-in application. .
Anti-Virus companies want to sell you a great big bag of fail when it comes to ransomware. Can Anti-Virus help stop malware from running? But no matter what the Anti-Virus approach is contingent upon there being some previously known or observed piece of code from a prior event. That’s like only being able to stop an infection if the human body had seen every possible iteration of every infectious agent across all of history, sooner or later the immune system would miss one and that’s all it takes. Why not simply eliminate the threat from ever causing the infection in the first place? If only approved safe software can execute, and only approved and safe connections can take place, there is no possibility of an exploitation. Problem solved.
ThreatLocker, a simple solution to the ransomware epidemic.
Have a look at a recent interview ThreatLocker did related to this problem.