The destructive nature of the Shamoon malware has my team concerned about data-destroying malware that targets enterprises. How does data-destroying malware differ from other strains, and are there any unique detection mechanisms that can be implemented, specifically around how the malware may interact with data?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
One of the last-resort options for recovering from most security incidents is to restore from a known, good backup. Unfortunately, not every enterprise takes the necessary steps to be prepared for restoring from a backup.
The Shamoon malware clearly highlights why a good data backup and recovery plan is necessary for information security. Regardless of how the malware infiltrated the endpoint and what data is stored there, the data should be backed up. The Shamoon malware deletes data and then overwrites it to make it difficult to recover the data. This is an uncommon, but not unique, attack method meant to disrupt an organization's operations.
Shamoon is not reported to send the deleted data to the attacker so they can use the data for profit, or to encrypt the data for ransom, but it uses the same overall methods as most other malware: a dropper, a payload and remote communication. Detecting Shamoon after it executes does not help remediate the situation, because the data is already deleted; it is necessary to proactively block the malware or prevent it from running. A behavior-based antimalware tool that looks for a large number of file-delete system calls from a nonstandard binary could flag the behavior for review before data is deleted, but depending on how the antimalware tool works, the binary could still potentially delete data. Storing data in a remote location, such as a roaming profile or a mapped drive, might make it more difficult for the malware to delete the data, but if the malware searches for an environment variable pointing to the home directory or profile storage, it could still potentially delete the files.
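The behavioral check described above (a burst of file-delete calls from a nonstandard binary), as an added illustration that is not part of the original answer: it replays constructed file-system events through a sliding-window counter, ignores an assumed allowlist of binaries expected to delete many files, and records how many deletes had already happened when the alert fired, which is the gap the answer warns about.

```python
from collections import defaultdict, deque

# Constructed sample of file-system events as an endpoint sensor might report them:
# (timestamp in seconds, process image name, operation, path). None of this is real telemetry.
def _burst(image, start, count, op="DELETE"):
    return [(start + i * 0.05, image, op, f"C:\\Users\\alice\\docs\\f{i}.docx") for i in range(count)]

SAMPLE_EVENTS = sorted(
    _burst("explorer.exe", 0.0, 5)                           # a user emptying a folder: benign
    + _burst("unknown_dropper.exe", 10.0, 80)                # constructed name for a nonstandard binary
    + _burst("unknown_dropper.exe", 10.0, 80, op="WRITE")    # overwrites following the deletes
    + _burst("backupagent.exe", 20.0, 200),                  # allowlisted tool: high volume is expected
    key=lambda e: e[0],
)

# Assumption: the defender maintains an allowlist of images that legitimately delete many files.
# Anything on it is never flagged, so the list itself is a risk the analyst has to own.
ALLOWLISTED_IMAGES = {"explorer.exe", "backupagent.exe"}


def detect_mass_delete(events, threshold=50, window_s=60.0, allowlist=ALLOWLISTED_IMAGES):
    """Flag any non-allowlisted process that issues `threshold` or more DELETE
    operations inside any sliding window of `window_s` seconds.

    Events must be ordered by timestamp. Returns {image: details}; `deletes_in_window`
    is also the number of files already gone when the alert fired, i.e. detection
    here is reactive: it limits damage, it does not prevent the first deletions.
    """
    recent = defaultdict(deque)   # image -> timestamps of its recent DELETE calls
    alerts = {}
    for ts, image, op, _path in events:
        if op != "DELETE" or image.lower() in allowlist or image in alerts:
            continue
        q = recent[image]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop deletes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[image] = {"first_delete": q[0], "alert_at": ts, "deletes_in_window": len(q)}
    return alerts


if __name__ == "__main__":
    for image, details in detect_mass_delete(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: {details['deletes_in_window']} deletes by t={details['alert_at']:.2f}s")
```

Lowering `threshold` or `window_s` trades fewer files lost for more noise from legitimate bulk operations; run the same events with an empty allowlist to see the backup agent trip the rule.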