Ransomware kill switch may save 99% of files from encryption


Managed and extended detection and response (MDR and XDR) specialist Adlumin is attempting to help midmarket end-users lessen the impact of ransomware attacks by detecting and stopping them much earlier in the process, with the addition of a new Ransomware Prevention feature to its Adlumin for MDR platform.

The Washington DC-based firm – which conducts the bulk of its business through managed security service providers (MSSPs) – claims that in benchmark tests against some of the most notorious ransomware lockers of recent times, including the likes of Black Basta, Conti and Ryuk, the feature was able to save an average of 99% of the file system from encryption. Protection against more ransomware families is being added over time.

It said that the speed with which it can now detect and kill ransomware will offer an additional layer of automated protection, and save customers the time, effort and money of addressing a successful attack.

The firm’s co-founder and CEO, Robert Johnston, said the tool had a significant advantage over traditional endpoint and antivirus solutions.

“Antivirus solutions today are predominantly focused on detection mechanisms, but what we found was that while they may detect, they detect very late in the ransomware attack lifecycle, so they may kill the ransomware but it’s encrypted 50% [or more] of the file system by the time they get to it,” said Johnston.

“We’ve developed a methodology that is effective at monitoring the roots of the file system, being the first thing that is encrypted in that path – we can now identify ransomware very quickly with no false positives, and kill it.”

The feature does not guarantee it will successfully frustrate a ransomware attack, and traditional solutions still have their role to play.

“This is very much post-execution detection. The ransomware is already executing, we’re just detecting and mitigating it very quickly,” said Johnston.
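As an added illustration of the post-execution approach Johnston describes (watching the roots of the file system, treating the first encryption-like writes there as the signal, and terminating the offending process), the following Python simulation is not Adlumin's code and does not claim to reproduce its method. It replays a constructed stream of file events, scores high-entropy writes and extension-changing renames that land directly under watched roots, "kills" a process once it accumulates a threshold of strikes, and reports the share of that process's intended files that were never touched, which is the same kind of metric as the 99% figure quoted above. The root paths, the entropy threshold, the strike count and the event payloads are all assumptions made for the example.

```python
import math
import posixpath
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0); ciphertext sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass
class FileEvent:
    """One file-system operation as a monitor would see it (constructed, not a real log format)."""
    pid: int
    op: str             # "write" or "rename"
    path: str
    data: bytes = b""   # payload for writes
    new_path: str = ""  # destination for renames


class RootCanaryMonitor:
    """Scores only events that land directly under a watched root directory.

    Assumed heuristics: a write whose payload entropy is at or above the threshold,
    or a rename that changes the file extension, counts as one strike for the
    acting process; reaching ``kill_after`` strikes marks the process as killed.
    """

    def __init__(self, roots: Iterable[str], entropy_threshold: float = 7.0, kill_after: int = 3):
        self.roots = {r.rstrip("/") for r in roots}
        self.entropy_threshold = entropy_threshold
        self.kill_after = kill_after
        self.strikes: Dict[int, int] = {}
        self.killed: Set[int] = set()

    def _in_watched_root(self, path: str) -> bool:
        # Only the first level below a root is monitored, not deeper subdirectories.
        return posixpath.dirname(path) in self.roots

    def _is_suspicious(self, ev: FileEvent) -> bool:
        if not self._in_watched_root(ev.path):
            return False
        if ev.op == "write":
            return shannon_entropy(ev.data) >= self.entropy_threshold
        if ev.op == "rename":
            return posixpath.splitext(ev.new_path)[1] != posixpath.splitext(ev.path)[1]
        return False

    def observe(self, ev: FileEvent) -> Optional[int]:
        """Returns the pid to terminate when the threshold is crossed, else None."""
        if ev.pid in self.killed:
            return None
        if self._is_suspicious(ev):
            self.strikes[ev.pid] = self.strikes.get(ev.pid, 0) + 1
            if self.strikes[ev.pid] >= self.kill_after:
                self.killed.add(ev.pid)
                return ev.pid
        return None


def replay(events: List[FileEvent], monitor: RootCanaryMonitor) -> Dict[int, Tuple[int, int]]:
    """Feeds events in order; once a pid is killed, its remaining events never happen.

    Returns per pid: (distinct files actually touched, distinct files the process attempted).
    """
    attempted: Dict[int, Set[str]] = {}
    touched: Dict[int, Set[str]] = {}
    for ev in events:
        attempted.setdefault(ev.pid, set()).add(ev.path)
        if ev.pid in monitor.killed:
            continue
        touched.setdefault(ev.pid, set()).add(ev.path)
        monitor.observe(ev)
    return {pid: (len(touched.get(pid, set())), len(attempted[pid])) for pid in attempted}


# Constructed payloads: the "ciphertext" covers all 256 byte values evenly (entropy exactly 8.0).
CIPHERTEXT = bytes(range(256)) * 4
PLAINTEXT = b"meeting notes about the quarterly budget\n" * 10


def sample_events() -> List[FileEvent]:
    """Constructed event stream: a benign editor (pid 100) and an encrypting process (pid 200)."""
    evs = [
        FileEvent(100, "write", "/srv/share/notes.txt", PLAINTEXT),
        FileEvent(100, "rename", "/srv/share/report.tmp", new_path="/srv/share/report.docx"),
    ]
    # The encrypting process starts at the share root, then moves into subdirectories.
    targets = [f"/srv/share/doc{i}.docx" for i in range(5)]
    targets += [f"/srv/share/projects/plan{i}.xlsx" for i in range(15)]
    for t in targets:
        evs.append(FileEvent(200, "write", t, CIPHERTEXT))
        evs.append(FileEvent(200, "rename", t, new_path=t + ".locked"))
    return evs


def run_demo() -> Dict[int, float]:
    """Share of each process's intended files that were never touched (1.0 = fully saved)."""
    monitor = RootCanaryMonitor(roots=["/srv/share"])
    results = replay(sample_events(), monitor)
    return {pid: 1.0 - touched / attempted for pid, (touched, attempted) in results.items()}


if __name__ == "__main__":
    for pid, saved in run_demo().items():
        print(f"pid {pid}: {saved:.0%} of targeted files saved")
```

In the replay, pid 200 earns strikes on its first write, its first rename and its second write, is stopped there, and 18 of its 20 targets are never reached (90% saved), while the editor's single extension-changing rename stays below the threshold. A real monitor would be fed by a kernel file-system filter or fanotify rather than a list, and entropy alone misclassifies compressed or already-encrypted files, which is why a strike count rather than a single event is used as the trigger here.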

Detecting ransomware pre-execution remains a challenge for many reasons, and the presence of Adlumin’s tool does not remove the need to pay attention to the basics of cyber security hygiene; for example, an arguably far more effective defence than intervening in an in-progress attack would be to stop the phishing email containing the malware from reaching an employee’s inbox in the first place.

Midmarket targeting

The addition of the tool to Adlumin’s arsenal comes amid an apparent ramp-up of ransomware gangs targeting midmarket businesses, which are both more likely to pay than large corporations and regulated organisations subject to greater oversight, and more likely to run a significant chunk of their IT through MSPs.

“They [threat actors] are finding ways to compromise remote monitoring and management services like ConnectWise ScreenConnect. And MSPs use these utilities to essentially manage their customer networks remotely, so they get instantaneous access to all those endpoints,” said Johnston.

“If you monitor your RMM, defend your RMM, and defend your VPN and your cloud email successfully, you can take probably 98% of ransomware attacks out of the picture,” said Johnston.

In addition to its ‘kill switch’, Adlumin has also recently unveiled a complementary ransomware simulation service that enables users to launch a ransomware attack against mocked-up data and test how well their cyber defences perform. The synthetic attack is entirely limited to the fake files, which are cleansed from the system post-simulation.

Both services are now available on a global basis.