This blog post was written by Teresa Wingfield.
One of the biggest threats to businesses today is crypto ransomware, where critical data is encrypted so that users cannot access it and a ransom is demanded to provide access. Easy availability of open-source code and drag and drop platforms to create ransomware have accelerated creation of new ransomware variants and help script novices create their own ransomware. Use of anonymous currency for payment such as Bitcoin makes it difficult to follow the money trail and track down criminals.
Anatomy of Ransomware
Malware needs an attack vector to establish its presence on an endpoint. Attack vectors for ransomware are standard techniques used by other malware including watering hole attacks, zero-day exploits and spear-phishing.
After a successful exploit, ransomware drops and executes a malicious binary on the system. This binary then searches and encrypts valuable files. Once files are encrypted, ransomware prompts the user for a ransom payment to decrypt files, or they will be lost forever if a data backup is unavailable.
Preventing Ransomware Infection with McAfee Application Control
Typically, cutting-edge malware like ransomware are polymorphic by design which allows it to easily bypass traditional signature-based security based on a file hash. However, ransomware can be prevented by creating a list of trusted applications and allowing only these to run. This technology is exemplified by McAfee Application Control and its two-layered defense mechanism:
- Memory protection: Protects from memory exploits used to drop the malware binary. This helps provide protection from zero-day exploits.
- Whitelisting: Prevents execution of binaries coming from an untrusted source. This protects against social attacks such as spear phishing when a user manually downloads malware and executes it or when a payload is dropped on a system after a user visits a compromised site or opens a compromised file.
McAfee Application Control stops file-based malware from execution and has a configurable framework to prevent execution of scripts by interpreters such as Python, Perl, and Ruby. New binaries or scripts are prevented from execution unless they arrive through a trusted mechanism.
Because McAfee Application Control does not depend on a signature, it is a reliable option to block file malware without daily signature-based updates. Using signature-less technology, McAfee Application Control can also block polymorphic and advanced persistent threats.
How McAfee Application Control Works
During installation, McAfee Application Control scans the entire system to identify executables, such as .exes, installed applications and scripts. These executables are whitelisted locally so that each system has its own unique local whitelist. When new ransomware enters the system and tries to execute, it will be unable to do so since it’s not part of the local whitelist.
During installation, McAfee Application Control identifies executables and reports them back to McAfee ePO as inventory items. You can analyze these executables centrally from ePO and view their reputation based on McAfee® Threat Intelligence Exchange and McAfee® Global Threat Intelligence to ban execution of bad binaries across your environment. You can use a file hash to find further information about unknown binaries from other reputation sources as well.
For more information on McAfee Application Control, visit http://www.mcafee.com/in/products/application-control.aspx.