This blog post was written by Teresa Wingfield.
New server-side ransomware, such as SamSam and Maktub, is on the hunt for victims. Unlike older ransomware techniques, ransomware now gets installed without user actions such as clicking on links or opening files. Instead, today’s ransomware targets vulnerable servers, such as those with unpatched software and out-of-date applications. For example, SamSam has spread primarily by attacking unpatched JBoss application servers.
The new breed of ransomware encrypts files on the compromised server and penetrates the network to attack additional systems. Once their data has been hijacked, victims are asked to make payments, typically in Bitcoins, in order to get a copy of decryption software along with a private key.
So, now you have a high-level overview of how newer ransomware methods work. For more details, you can check out McAfee’s whitepaper, “Targeted Ransomware, No Longer a Future Threat,” for an in-depth discussion of these attacks.
Would you just as soon hold onto your Bitcoins instead of handing them over to cybercriminals? Since I feel fairly confident that you are going to say yes, I’d like to share some details on how McAfee’s server security solutions can help prevent ransomware from hijacking your servers.
Ransomware Prevention for Servers
Blacklisting – McAfee’s antivirus software for physical and virtual servers is backed by a massive database that tracks the reputation of files, messages and senders in real-time using millions of sensors worldwide. After scanning your server, it will quarantine and delete files that match known ransomware or malware.
Host Intrusion Prevention System (HIPS) – Hackers are increasingly using unique malware samples to target organizations. This is easy to do. Hackers just change a small bit and, voilà, brand new malware. HIPS solves this issue by monitoring the behavior of code on your server, looking for suspicious activity by analyzing events.
Whitelisting – Since whitelisting allows only known good software to run, it’s highly effective at preventing ransomware from executing on your server.
Change Control – Attackers often hide their ransomware’s activity by modifying the configuration of detection tools. Proactive file integrity monitoring, available in McAfee’s change control, can either notify you as soon as the changes occur, to contain the spread of ransomware encryption, or stop the changes from taking place to prevent ransomware.
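To make the file integrity monitoring idea in the Change Control item concrete, here is a small sketch added for illustration; it is not McAfee code and does not reflect how McAfee's product is implemented. It covers only the "notify" mode: it baselines SHA-256 hashes of a directory and reports drift. The directory layout, file names and settings are hypothetical and constructed for the demo.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file under root (relative path, '/' separators) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(baseline, current):
    """Return sorted (event, path) tuples describing drift from the baseline."""
    events = []
    for path in baseline.keys() | current.keys():
        if path not in current:
            events.append(("removed", path))
        elif path not in baseline:
            events.append(("added", path))
        elif baseline[path] != current[path]:
            events.append(("modified", path))
    return sorted(events)

def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)

def demo():
    """Constructed scenario: a monitoring agent's config changes after baselining."""
    with tempfile.TemporaryDirectory() as root:
        # Hypothetical file names and contents, constructed for this example.
        _write(root, "agent.conf", "realtime_scan=on\n")
        _write(root, "rules/hips.rules", "alert mass_file_rename\n")
        baseline = snapshot(root)
        _write(root, "agent.conf", "realtime_scan=off\n")      # setting changed
        os.remove(os.path.join(root, "rules/hips.rules"))      # rule file deleted
        _write(root, "exclusions.conf", "skip=/srv/data\n")    # new file appears
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    for event, path in demo():
        print(f"ALERT {event}: {path}")
```

In practice the baseline has to be stored where the monitored host cannot rewrite it; otherwise whoever changes the configuration can also update the baseline.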
Plus, McAfee’s antivirus for physical servers and whitelisting are integrated with McAfee Threat Intelligence Exchange (TIE) to leverage local intelligence for ransomware and malware protection, detection and correction. Using TIE, our antivirus and whitelisting can coordinate with McAfee Advanced Threat Defense to dynamically analyze the behavior of unknown applications in a sandbox and automatically immunize endpoints from newly detected malware and ransomware.
The more protection you have against ransomware, the more likely you’ll be able to avoid attacks on your servers. Our server security suites include comprehensive protection. McAfee Server Security Suite Essentials will get you started with antivirus and host intrusion prevention, while McAfee Server Security Suite Advanced and McAfee Public Cloud Server Security add whitelisting and change control protection.