Ransomware 2.0: New Paradigm, Same Old Purpose
By BUFFERZONE Team, 10/09/2017
Until now, the path of ransomware — whether it has targeted hospitals, government agencies, law enforcement, businesses or individual end users — has typically been the same: aim for data files (e.g. .docx, .pptx., .pdf, etc.). It does not matter whether the ransomware has used advanced encryption methods, or simply locked victims out of their operating system altogether. In the vast majority of cases, the end game has been the same: corrupt files and extort a payment.
Considering this, it is not surprising — in fact, some experts say it is rather overdue — that Microsoft is set to introduce new anti-ransomware features in its Windows 10 Creator Update (a.k.a. RedStone 3), which is expected to launch in September or October 2017. Among other security enhancements, the new OS will have a “Controlled Folder Access” feature integrated within Windows Defender, which will block unauthorized applications from modifying key files located in protected folders (unless they are whitelisted).
The good news is that Microsoft is so confident in its strategy, that is has boldly declared: “No known ransomware works against Windows 10 S – our latest and most hardened operating system”. The bad news is that it is unlikely that cyber criminals are shaking in their boots. Unfortunately, they are more likely shaking their heads.
This is because cyber criminals throughout history have demonstrated an unnerving capacity to adapt. And in our view, that is precisely what will happen, as they shift their ransomware attacks away from files and towards system components. It is a new paradigm, but achieves the same old purpose: lock victims out until they pay up.
In fact, we have already seen a glimpse of what is in store with the recent NotPetya ransomware, which attacked the boot sector and prevented victims from starting their computers. This campaign illustrated just one of the hundreds of ways that cyber criminals can bypass all ransomware protection schemes and effectively “break” a computer system or user profile. And if they wish, cyber criminals can write ransomware in advance, wait for new vulnerabilities to emerge, and then leverage it to spread within a couple of days, thereby catching security and patching systems off guard. There is simply no practical way to stop this from happening.
Now that the ransomware paradigm is changing from files to system components, corporate InfoSec strategy must also evolve from one that relies on inspection-based products that try — and inevitably fail — to identify all existing threats, to one that applies isolation and containment technology like BUFFERZONE.
BUFFERZONE creates a virtual container on corporate endpoints that isolates all processes that can access external, untrusted sources such as the internet, along with any data that end users download or save. At the same time, only uncontained processes can access valuable native endpoint, corporate files and other resources. As a result, even if ransomware does reach an endpoint, it can only encrypt recently-downloaded files for a limited time, and cannot inflict any major damage.