A cybersecurity company claims to have developed a ransomware vaccine that can protect enterprises. How does the...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Bitdefender ransomware vaccine work, and do you think it has merit?
Ransomware is malware that prevents users from accessing their computers or files. Some prevent access to the operating system, others encrypt files or stop certain apps from running. Once a system has been infected, a lock screen appears, and to regain access the victim has to pay a ransom or perform a task such as completing a survey. Ransomware spreads through phishing campaigns, malicious links in emails and downloads, and is a problem for both consumers and enterprises, as many attacks are delivered by mass random emails. It occupies the number two spot of top malware varieties within crimeware in Verizon's 2016 Data Breach Investigations Report.
To try and prevent ransomware from encrypting a user's files, should they fall victim to a phishing email or malicious attachment, Bitdefender Labs has released a free Crypto-Ransomware Vaccine tool aimed at blocking the encryption process of certain strains of ransomware. It works by making the ransomware think that the device has already been infected.
To encourage victims to pay up, an attacker has to "gain a reputation" for decrypting files once the ransom has been paid. Things can get awkward if the ransomware keeps encrypting already encrypted files, so most ransomware runs checks to ensure that already infected devices are not attacked again. By making minor system modifications, the Bitdefender ransomware vaccine can make a device appear as if it's already infected to prevent the current variants of CTB-Locker, Locky and TeslaCrypt from trying to hold the user to ransom.
While this is a commendable attempt to tackle the growing problem of ransomware, the ransomware vaccine only works against certain ransomware families and won't work indefinitely, as malware writers will quickly update their code to circumvent this trick. For example, an earlier tool designed to prevent the CryptoWall ransomware from encrypting files no longer works, as those behind CryptoWall have changed the way it operates. Even if the Bitdefender ransomware vaccine tool is updated whenever a new variant of ransomware evades the existing ransomware vaccine, it should only be viewed as a short term solution. System administers are unlikely to want yet another app to test, deploy and constantly update, particularly as a ransomware vaccine only provides a short period of protection and relies on arbitrary changes to the Windows registry.
Instead, administrators should focus their efforts on other areas of security. A well-tested and thorough backup policy is the most reliable method for recovering infected systems. Backups should be stored offline because many ransomware variants will try to encrypt data on connected network shares and removable drives. Security awareness training programs should cover the latest tricks attackers are using to spread their malware, while antivirus and web filtering software should be kept right up-to-date. As the delivery of most ransomware payloads takes advantage of known vulnerabilities rather than using a zero-day exploit, keeping operating systems patched and up-to-date should prevent many attacks from succeeding. Finally, ensuring users only have minimum privileges will limit the ransomware's access to the device's resources.
Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Learn about a new ransomware variant that tricks victims into paying for deleted data
Find out how your enterprise can avoid ransomware attacks
Top methods for preventing ransomware attacks on healthcare data
Dig Deeper on Email and Messaging Threats-Information Security Threats
Related Q&A from Michael Cobb
A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well...continue reading
Software developed by the hacking group Platinum takes advantage of Intel AMT to bypass the built-in Windows firewall. Expert Michael Cobb explains ...continue reading
Tensions between the U.S. and Russia have led to source code reviews on security products, but the process isn't new. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.