Since CryptoLocker (the first widespread crypto-ransomware) came out in September 2013, the amount of variants/new families has grown at a staggering rate. CryptoLocker, CTB-Locker, CryptoWall, TorrentLocker, VaultCrypt, TeslaCrypt and many others have been wreaking havoc on computers worldwide by encrypting photos, documents and other personal/business data.
It is not because antivirus solutions suddenly became bad at preventing ransomware specifically. The thing is, compared to other malware, ransomware is just more visible to the end user … Let that sink in for a moment …
At SurfRight we anticipated that crypto-ransomware was poised to grow exponentially. Simply because the approach of holding personal files for ransom works. People are paying the ransom fees. Businesses, hospitals and even the police are paying the ransom to get their files back. Sure you should backup your files frequently, but even losing a day of work means that for example X-ray scans at a hospital result in that patients have to re-visit the hospital and re-do their X-rays.
World’s First Anti-Ransomware, since 2013
After CryptoLocker struck, we released the world’s first anti-ransomware solution on November 6th, 2013 as part of HitmanPro.Alert; just one-and-a-half months after CryptoLocker took stage.
Our anti-ransomware technology is called CryptoGuard and works dead simple: prevent mass encryption of files. The technology works without signatures or cloud connection and makes no assumption about who is encrypting what, as mass encryption can happen by any process or (remote) computer. Legitimate processes like explorer.exe or svchost.exe can be compromised via code injection and even .bat files that run trusted tools (that bypass application whitelisting) are abused by ransomware to perform mass encryption.
CryptoGuard simply works by monitoring the file system at the kernel level and deems the encryption of files as suspicious. If encryption of content happens en masse the process is blocked and the files touched are restored. Nothing is lost. Disaster averted.
Check out the following video, showing how HitmanPro.Alert with CryptoGuard protects your documents and other files against the Locky crypto-ransomware, that hit many protected computers that were deemed secure:
If you got Locky this week, a lot of cyber-security defences failed and victims were successfully enticed to follow the instructions of the attacker. Not only CryptoGuard but also our Application Lockdown (part of our Exploit Mitigations) would have saved your day as all of HitmanPro.Alert’s technologies do not rely on prior knowledge to offer solid protection:
Image: Typical attack flow for Locky Ransomware (filenames may differ with each variant)
Third generation anti-ransomware
After its first release in November 2013 we improved the CryptoGuard technology by adding support for file shares (network drives) so that these are protected against rogue endpoints. Then the 3rd generation of CryptoGuard was released in 2014 and keeps track of files being renamed by the ransomware so that when ransomware strikes, not only the content but also the filenames are protected. Currently work is done on the 4th generation.
The best advice is to back up your files frequently, as this also helps against a drive/hardware failure. But even backing up your files daily means that when ransomware strikes, you lose a day worth or work. And with hundreds of employees, the cost of losing work could add up quickly.
CryptoGuard is part of HitmanPro.Alert and the entire solution is just 5 MB (megabytes). If you don’t want to stay up all night after the next ransomware strikes, give our Alert a spin. Having a spam filter, web filter and an antivirus program is apparently not enough to keep your files save.
Download now: hmpalert31.exe
(HitmanPro.Alert supports Windows XP as well as 32-bit and 64-bit versions of Windows Vista, Windows 7, Windows 8, Windows 8.1 and Windows 10. Requires only 5 MB of free disk space).