Vectra Networks has announced at Infosecurity Europe that its X-series platform is capable of stopping ransomware attacks. The company claims that it is able to detect HydraCrypt, CTB Locker, CryptoWall, CryptoLocker, Locky and several other ransomware variants.
According to Oliver Tavakoli, CTO of Vectra Networks, “With ransomware, everyone’s data is fair game and this makes it a very insidious attack. Unlike other crimeware models, attackers don’t need to worry about exfiltrating and reselling stolen data on the black market; they just need the data to be valuable to the victim. For organizations that have not implemented a perfect data backup strategy, this means they must pay up to get their data back or face the consequences, which could very well include risk to the operational livelihood of their business.”
Using behavioural analytics to stop an attack
According to the press release, this new functionality in the X-series platform uses behavioural analytics to detect files being systematically encrypted. On its own, this is not enough, as it would mean any attempt to legitimately encrypt data would trigger a false positive. To ensure that only ransomware attacks are detected, Vectra Networks uses two other methods.
The first is to identify encryption keys being sent to known command and control (C&C) servers on the Internet. On its own, this presupposes that Vectra Networks has a complete list of all C&C servers in use. As has been recently reported, this is not simple given the number of malicious domains that are being created to act as C&C servers. The ransomware creators are also adept at generating new domains, as has been seen with Locky.
The second method is to spot network reconnaissance scans that indicate that an attack may be imminent. It will be interesting to see how well this works in environments where multiple security products are deployed. For example, how does Vectra Networks distinguish between a legitimate network scan from a security product and one from ransomware? There is no data available about that on the Vectra Networks website at the moment.
Only network shares protected?
One odd statement in the press release, on which we are waiting for clarification from Vectra Networks, is the claim that this only works with network file shares. It would imply that local machines could still be infected. With end-users still storing large amounts of data locally and not synchronising it with the network, this is far from complete protection against ransomware.
Another concern will be how the ransomware is stopped. The press release simply says: “Vectra then automatically identifies, prioritizes and alerts on these early signs within moments of infection, enabling timely remediation before the ransomware has a chance to take critical assets and files hostage.” This implies that the remediation is a manual rather than an automated process. The fact that it needs to see the attack in progress before it acts means that some files will already be encrypted. The questions here are how many, and how quickly the attack can be shut down.
Reading around the website, it seems that part of the solution is designed to be automated, such as disconnecting from the network the user whose credentials are in use. It sounds easy, but what if that user is legitimately working on sensitive files or time-critical data? What happens if this is a false positive and your Chief Executive Officer is using his machine to give a presentation to investors? There needs to be a more flexible approach to doing this.
Canary file shares
One of the techniques that Vectra Networks suggests companies could use to help detect a ransomware attack and minimise risk is to create a canary file share. This is a file share with a lot of files that may attract an attacker but which, in reality, have little to no value to the company. While the ransomware is busy encrypting those files, the security software has time to recognise what is going on and sound the alert. This enables the security teams to take preventative action to stop the threat spreading.
It would be interesting to know how many of Vectra Networks’ customers are doing this and how many files are recommended in order to provide a given amount of response time. This would give IT security teams the opportunity to look at creating throwaway data. The only challenge would be ensuring that users don’t start putting new data in those directories while at the same time keeping the date/time stamps fresh enough to make the data look current rather than expired.
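The canary share described above, worked through as an added example (not Vectra Networks’ code; the decoy file names, decoy content and the 7.0 bits-per-byte entropy threshold are constructed assumptions): plant a share of worthless decoys, keep their timestamps fresh, and treat any write to the share as a sign of encryption in progress.

```python
import hashlib
import math
import os
from collections import Counter
from pathlib import Path

# Constructed decoy content: looks like business data but has no real value.
DECOY_TEXT = b"FY budget draft - internal - do not distribute\n" * 32
ENTROPY_ALERT = 7.0  # bits per byte; text sits well below, ciphertext near 8.0

def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def plant_canary_share(root, count=20):
    """Fill the decoy share with `count` files; return name -> SHA-256 baseline."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for i in range(count):
        p = root / f"budget_{i:03d}.xlsx"  # constructed name chosen to look valuable
        p.write_bytes(DECOY_TEXT + str(i).encode())
        baseline[p.name] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline

def refresh_timestamps(root):
    """Touch every decoy so the share looks current; content and digests unchanged."""
    for p in Path(root).iterdir():
        os.utime(p, None)  # None = set atime/mtime to now

def check_canary_share(root, baseline):
    """Compare the share with its baseline; nothing legitimate should ever write here."""
    present = {p.name: p for p in Path(root).iterdir() if p.is_file()}
    findings = {"missing": [], "modified": [], "high_entropy": []}
    for name, digest in baseline.items():
        if name not in present:
            findings["missing"].append(name)  # deleted, or renamed with a new extension
            continue
        data = present[name].read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            findings["modified"].append(name)
            if shannon_entropy(data) > ENTROPY_ALERT:
                findings["high_entropy"].append(name)  # overwritten with ciphertext
    findings["unexpected"] = sorted(set(present) - set(baseline))  # e.g. ransom notes
    findings["triggered"] = bool(findings["missing"] or findings["modified"] or findings["unexpected"])
    return findings
```

Run `check_canary_share` on a schedule and `refresh_timestamps` between checks; a clean share returns `triggered: False`, while any rename, overwrite or dropped note flips it to `True` and names the affected decoys.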
The use of behavioural analytics to detect ransomware makes sense. What is odd here is that Vectra Networks only seems to be focused on network shares rather than all data locations. There is also a need for more information about how the remediation will take place. For example, is this about alerting the IT security team and letting them take action?