Ransomware attacks continue to proliferate, and organisations continue to pay to get their data back. In the last week, the UK National Cyber Security Centre (NCSC) has warned of increasing ransomware attacks on universities, colleges and schools. Among its advice for dealing with an attack is to use exercises to practise an organisation's response.
Enter automated Endpoint Detection and Response (EDR) vendor Nyotron. It has released a free tool called ransomwiz. It is designed to test how security products detect and handle ransomware.
Nir Gaist, Founder and CTO of Nyotron said: “The battle against ransomware can only be faced head-on by giving enterprises the awareness and tools to first understand and then properly defend against these types of attacks.
“Before we announced RIPlace last year, we informed many vendors of the potential disaster that could occur. Unfortunately, almost a year after, most security products are still exposed to RIPlace, as well as to endless other techniques – which is why we felt the need to launch Ransomwiz and give security teams a way to do their own diligence and simulate attacks.”
How does it prove I’m safe from ransomware?
There is no silver bullet that makes an organisation safe from ransomware. What Nyotron is offering is a way to test that the endpoint software you are using can detect ransomware attacks. It doesn't mean that devices are protected against new variants or whole new families of ransomware.
Nyotron has designed it to be simple. The company claims that it can be deployed by the most junior member of a security team. It can be used by anyone who has access to the tool, something that has far-reaching benefits.
The process is:
- Install ransomwiz
- Choose a directory to encrypt, one that is supposedly protected by your endpoint security software
- Choose your ransomware sample
- Attempt to encrypt the directory
Before you go rushing in
It's hard to see how it could be much easier. However, before rushing out to grab a copy and start testing all your devices, there is a major caveat. On the ransomwiz page, Nyotron writes:
“ransomwiz is an experimental ransomware simulation platform that allows generating dozens of non-greedy samples using a simple wizard.
“This platform was designed for the use of IT and security professionals, who are looking to evaluate and improve their security posture, as well as for educational purposes.
“The techniques used aren’t new or unknown; they are all either documented online or have been used in the past, and most of them have references within the wizard itself. The samples use a basic XOR encryption, meaning the operation is reversible by simply re-running the sample.
“Please be aware there is no guarantee that the samples would be bug-free. Remember to act with caution and make sure to avoid targeting important files. Regardless, we strongly encourage you to have a valid backup of your critical data.”
Despite its "launch" status, judging by the hedging Nyotron is doing, this appears to be a beta or even alpha version of the tool.
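The process above (pick a test directory, run a sample, see whether it gets encrypted) and the quoted claim that the XOR-based samples are undone by re-running them can both be checked with a small harness. The following is an added example, not code from ransomwiz or Nyotron: it hashes the test directory before and after a run, lists which files were altered (an altered file means the endpoint product did not block the write), and confirms the XOR reversibility claim. The `xor_transform` function is a stand-in written for this example against a constructed temporary directory, not the tool's sample.

```python
"""Verify a ransomware-simulation run against a test directory (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(directory: Path) -> dict:
    """Map each regular file (path relative to directory) to its SHA-256 digest."""
    return {
        str(p.relative_to(directory)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(directory.rglob("*")) if p.is_file()
    }


def altered_files(before: dict, after: dict) -> list:
    """Files whose content changed, appeared or vanished between two snapshots."""
    return sorted(k for k in before.keys() | after.keys() if before.get(k) != after.get(k))


def xor_transform(directory: Path, key: bytes) -> None:
    """Stand-in for a basic XOR sample (hypothetical, not ransomwiz's own):
    rewrite every file XORed with a repeating key. XOR with the same key is
    its own inverse, so applying it a second time restores the originals."""
    for p in directory.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            p.write_bytes(bytes(b ^ key[i % len(key)] for i, b in enumerate(data)))


def run_check(key: bytes = b"example-key") -> dict:
    """Build a constructed test directory, run the stand-in twice, and report.
    No endpoint product is watching the temp dir here, so the run is expected
    to report a fail (files altered) and a successful reversal on re-run."""
    with tempfile.TemporaryDirectory() as tmp:
        test_dir = Path(tmp) / "ransomwiz_test"
        (test_dir / "sub").mkdir(parents=True)
        (test_dir / "notes.txt").write_bytes(b"quarterly figures (constructed sample)")
        (test_dir / "sub" / "img.bin").write_bytes(bytes(range(256)))
        baseline = snapshot(test_dir)
        xor_transform(test_dir, key)            # the unblocked "attack"
        changed = altered_files(baseline, snapshot(test_dir))
        xor_transform(test_dir, key)            # re-run: the page says this reverses it
        restored = snapshot(test_dir) == baseline
    return {"blocked": not changed, "altered": changed, "restored_by_rerun": restored}


if __name__ == "__main__":
    print(run_check())
```

Pointed at a directory that a real endpoint product protects, an empty `altered` list is the pass condition; any entry in it names a file the product let through.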
A gamification option?
Simple to use is always good, and that simplicity offers other ways to use the tool beyond security teams testing servers. For example, it could be used internally as part of a gamification process. Security teams are already using phishing tests to see if users can detect an attack. Such tests also allow them to distinguish the reckless from the careful.
With ransomwiz, this can be stepped up. IT security can push an update to end-user devices which creates a test directory. This can be followed by a test email with a script that would execute ransomwiz. It would test both the email and the endpoint security software packages used by the user. A complete fail would be the email getting through, the user clicking on it, and the test directory being encrypted, leaving the user facing an alert.
A secondary factor here would be to test how the user reacts to such a situation. Few, if any, gamification solutions actually test post-attack user behaviour. Do they report it? Do they look for ways to reverse the problem? In this case, would they respond to the alert and send an email looking to pay the ransom?
Another example would be to use ransomwiz as part of a larger disaster recovery/business continuity testing exercise. It is an opportunity to deploy a threat under controlled circumstances (the above caveat notwithstanding) that would bring the risk home to senior management.
All of this will help organisations understand the behaviours of individuals and corporate processes, and help build safer, more secure and more robust security practices.
Enterprise Times: What does this mean?
Anything that improves security testing is welcome. Organisations are beginning to make better use of external services such as penetration testing or building their own red teams. Many red teams are focused on finding vulnerabilities, although there has been a move to adding support for phishing and social engineering.
Adding ransomwiz to that red team toolkit makes sense. It not only enables gamification; seeing a directory actually encrypted will also make users more aware of their own behaviour.
At the moment, however, Enterprise Times is concerned about the caveat on the ransomwiz page. We have asked Nyotron why they would release a product like this so early in its lifecycle. So far, however, we have had no reply. We will update this article when we get one.