A Different Approach to Anti-Ransomware

Over the past few years, many endpoint security products have popped up. However, when it comes to Anti-Ransomware solutions, there are typically only three ways that these products attempt to protect a device. Some products use only one of these techniques, while others use two or even all three.


Detection and blocking


The first way that these products protect you is through detection. They use techniques such as signatures, machine learning, heuristics, behavior analysis, or other means to detect the ransomware and then block it. Detecting and blocking ransomware is the typical way that Anti-Ransomware in antivirus software works. This is very effective for known ransomware and other malware types. However, Fully Undetectable (FUD) ransomware cannot be blocked with these solutions. To make matters worse, ransomware authors will routinely check their ransomware against services like VirusTotal to ensure that it cannot be detected by existing solutions before releasing it into the wild. Relying on detection alone is not an adequate way to protect your device from ransomware.


Backing up files

Another technique that some anti-ransomware solutions use is to back up files to another location on disk before they are modified. This way, once ransomware is detected, they can revert these files to a pre-encrypted state. Backing up files works pretty well for typical ransomware; however, there are several problems with this approach.

First, backing up files doubles the disk activity (I/O) because each file that is modified needs to be backed up one by one, meaning it causes a performance hit. Second, many ransomware programs will start out by attempting to delete all backups before encrypting the original file. In this case there is no way to recover, since the backup has been destroyed. Finally, we see more advanced ransomware programs, such as NotPetya and Shamoon, do full disk encryption or simply wipe the disk of all data. For these cases backing up the files won’t help, since the disk itself, including the backup, is overwritten.


Protecting specified folders

A third approach to Anti-Ransomware is to block unknown programs from writing to protected folders so that only approved applications have access to these folders. This way ransomware, which is typically unknown, would be blocked from encrypting files in protected folders.

At first glance, this sounds like a good approach. However, enabling a feature like this can be problematic since it is difficult for users to figure out which applications need to be approved. For managed environments, this can cause continuous complaints from users who have different third-party applications that need specific access to these folders. Also, a potentially worse problem is that allowing an application, even a known good application, opens a backdoor to allow ransomware in. Ransomware can use these approved applications to encrypt data. For example, there are ransomware programs that use Microsoft Word macros to encrypt files. In addition, just like backing up files, this does not help against ransomware that encrypts or wipes the full disk of all data. Controlling access to folders does not fully protect you from ransomware.


A different way

NeuShield Data Sentinel takes a completely different approach to Anti-Ransomware by creating a protective shield between your files and applications. When ransomware or another application tries to make changes, the original files stay intact, allowing users to revert any unwanted change that has been made.

While other products create backup copies of your files, which can dramatically increase disk usage and cause a significant performance overhead, NeuShield’s revolutionary Mirror Shielding Technology can preserve the original file without requiring a backup, which allows Data Sentinel to protect files with virtually no additional disk activity (I/O).

In addition, the boot portion (MBR) of your drive is monitored to prevent aggressive types of ransomware and disk wiper malware from overwriting the boot record or leaving the device unable to boot. Raw disk access is also monitored to prevent wipers and malicious ransomware programs from destroying or encrypting your drive.

Finally, NeuShield Data Sentinel offers extensive compatibility with most existing antivirus and endpoint security products. This allows you to run NeuShield alongside your existing security products to fortify your computer and protect important data.
