A cybersecurity company claims to have developed a ransomware vaccine that can protect enterprises. How does the Bitdefender ransomware vaccine work, and do you think it has merit?
Ransomware is malware that prevents users from accessing their computers or files. Some prevent access to the operating system, others encrypt files or stop certain apps from running. Once a system has been infected, a lock screen appears, and to regain access the victim has to pay a ransom or perform a task such as completing a survey. Ransomware spreads through phishing campaigns, malicious links in emails and downloads, and is a problem for both consumers and enterprises, as many attacks are delivered by mass random emails. It occupies the number two spot of top malware varieties within crimeware in Verizon's 2016 Data Breach Investigations Report.
To try to prevent ransomware from encrypting a user's files, should they fall victim to a phishing email or malicious attachment, Bitdefender Labs has released a free Crypto-Ransomware Vaccine tool aimed at blocking the encryption process of certain strains of ransomware. It works by making the ransomware think that the device has already been infected.
To encourage victims to pay up, an attacker has to "gain a reputation" for decrypting files once the ransom has been paid. Things can get awkward if the ransomware keeps encrypting already encrypted files, so most ransomware runs checks to ensure that already infected devices are not attacked again. By making minor system modifications, the Bitdefender ransomware vaccine can make a device appear as if it's already infected to prevent the current variants of CTB-Locker, Locky and TeslaCrypt from trying to hold the user to ransom.
While this is a commendable attempt to tackle the growing problem of ransomware, the ransomware vaccine only works against certain ransomware families and won't work indefinitely, as malware writers will quickly update their code to circumvent this trick. For example, an earlier tool designed to prevent the CryptoWall ransomware from encrypting files no longer works, as those behind CryptoWall have changed the way it operates. Even if the Bitdefender ransomware vaccine tool is updated whenever a new variant of ransomware evades the existing ransomware vaccine, it should only be viewed as a short-term solution. System administrators are unlikely to want yet another app to test, deploy and constantly update, particularly as a ransomware vaccine only provides a short period of protection and relies on arbitrary changes to the Windows registry.
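To make the mechanism described above concrete, here is an added Python model (not Bitdefender's tool and not any real ransomware check): an in-memory stand-in for the Windows registry, the "already infected" pre-flight check that the vaccine relies on, and a defender-side audit showing why a variant that simply moves its marker slips past. All key paths, values and family checks are hypothetical placeholders constructed for the illustration.

```python
# Added illustration, not Bitdefender's code: models the "already infected"
# check a vaccine exploits, using an in-memory stand-in for the registry.
# Every marker path/value below is a hypothetical placeholder.
from dataclasses import dataclass, field


@dataclass
class FamilyCheck:
    """What one ransomware variant inspects before encrypting (hypothetical)."""
    name: str
    marker_key: str
    marker_value: str


@dataclass
class FakeRegistry:
    """Minimal key -> value store standing in for the Windows registry."""
    values: dict = field(default_factory=dict)

    def set(self, key, value):
        self.values[key] = value

    def get(self, key):
        return self.values.get(key)


def would_abort(reg, check):
    """Model of the ransomware's pre-flight check: skip hosts that look infected."""
    return reg.get(check.marker_key) == check.marker_value


def vaccinate(reg, checks):
    """Plant the marker each known variant looks for (what a vaccine tool does)."""
    for c in checks:
        reg.set(c.marker_key, c.marker_value)


def coverage(reg, checks):
    """Defender-side audit: which known variants would abort on this host?"""
    return {c.name: would_abort(reg, c) for c in checks}


# Constructed sample: three variants whose pre-flight checks the vaccine knows.
KNOWN = [
    FamilyCheck("CTB-Locker", r"HKCU\Software\Placeholder\CTB", "infected"),
    FamilyCheck("Locky", r"HKCU\Software\Placeholder\Locky", "done"),
    FamilyCheck("TeslaCrypt", r"HKCU\Software\Placeholder\Tesla", "1"),
]
# Constructed: a later build that moved its marker, so the vaccine no longer matches.
LOCKY_V2 = FamilyCheck("Locky v2", r"HKCU\Software\Placeholder\Locky2", "done")


def demo():
    reg = FakeRegistry()
    vaccinate(reg, KNOWN)           # vaccine knows only the three current variants
    return coverage(reg, KNOWN + [LOCKY_V2])
```

The audit result is the point: every variant the vaccine was built for aborts, while the updated build that changed its marker proceeds unhindered, which is why the text treats such a tool as short-lived.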
Instead, administrators should focus their efforts on other areas of security. A well-tested and thorough backup policy is the most reliable method for recovering infected systems. Backups should be stored offline because many ransomware variants will try to encrypt data on connected network shares and removable drives. Security awareness training programs should cover the latest tricks attackers are using to spread their malware, while antivirus and web filtering software should be kept right up-to-date. As the delivery of most ransomware payloads takes advantage of known vulnerabilities rather than using a zero-day exploit, keeping operating systems patched and up-to-date should prevent many attacks from succeeding. Finally, ensuring users only have minimum privileges will limit the ransomware's access to the device's resources.
Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)