Bufferzone crypto mining malware defense solution
By BUFFERZONE Team, 13/03/2018
Recent events have shown that crypto mining malware is a serious threat to various industries all
over the world. From large to small businesses including critical infrastructure and government organizations in the United States, Australia,
Hong Kong, United Kingdom, India, Malaysia, Spain and others.
Crypto mining malware has become a significant challenge for today’s cyber protection mechanisms.
Organization that have fallen victim to such attacks expose themselves to significant financial loss.
Crypto mining malware are a double threat to the enterprise. While the software takes advantage of computer/server resources, it also leaks
data from the organization. The attacker aims to use the crypto mining malware to make money more efficiently than ransomware programs.
A layered solution
To address this phenomenon, Bufferzone offers a layered solution. The first layer of defense is to limit processes running in the BUFFERZONE agent. After installing the BUFFERZONE client, the files downloaded from the Internet are stopped and run inside the secure container. If and when the user runs an infected file, the container only allows predefined whitelist processes to run. The list includes processes that are signed by certificates from a certifying entity such as Microsoft or others. Therefore, processes of crypto mining malware which usually don’t include a legitimate certificate, will not run. The separation at runtime between legitimate and illegitimate processes significantly reduces the threat.
DLP as a second layer of protection
However, there are instances when an infected process succeeds in acting as legitimate. In that case, we developed at BUFFERZONE synchronization mechanism with the enterprise proxy server.
The solution behaves as a DLP solution which prevents the crypto mining malware from ‘transmitting’ the result of the calculation to the attacker virtual wallet address. While not transmitting, the crypto mining malware will continue to utilize system resources until Bufferzone cleans itself once a day.
In such a scenario, Bufferzone manages to hedge the damage. While the crypto mining malware will continue to utilize resources up to 24 hours from infection, it will not be able transmit data externally. Therefore, the attacker will switch to another, less protected target.
For SMB clients who do not implement a proxy server, there is a solution in the form of an independent firewall built into the Bufferzone client. In this scenario, the applications running on the client will go directly to the Internet, while applications running outside the client will pass through the firewall.
This way, the crypto mining malware communication with the attacker’s virtual wallet will be blocked.