sandra_henrystocker
Unix Dweeb

Can you really stop ransomware?

Opinion
Oct 25, 2016 | 4 mins
Computers, Data Center, Malware

Ransomware is one of the most worrisome types of malware.

It doesn’t steal your data; it threatens to cripple your business — to tie up the resources that you need to service your customers, produce your products, send invoices, pay your bills. And even paying the ransom does not guarantee that you’ll regain control of your systems. In fact, it encourages the perpetrators to continue using their tools to attack other organizations and maybe even come back your way.

The cautions routinely offered to keep you from being victimized include backing up your data to multiple locations, being more cautious online, using tools to detect intrusions and the presence of malware, limiting access privileges, etc.

But what if you could disable malware before it ever had a chance to touch your files? What if ransomware couldn’t “see” your files at all, never mind leave them encrypted and inaccessible?

I recently had a chance to discuss this possibility with some reps from a company that claims it can do just that, so I thought that I should bring this option into focus for those of us who worry a lot about the ransomware threat.

The product is called “SES-RDe” — not exactly a name that’s going to easily stick in your mind but, since it stands for “Stormshield Endpoint Security-Ransomware Defense edition,” I’m happy to have an acronym available. And its basic claim to fame is that it stops ransomware from being able to access — even “see” — files on your systems. It does this using “extension whitelisting.” In other words, it controls what applications have access to files based on their file extensions.

RDe limits access to files to known and authorized applications, where "known" means the executable has been validated by its signing certificate or by its checksum. For example, only Microsoft Office applications can access Word documents and Excel spreadsheets. As a result, ransomware applications are not given any privileges at all.

Managing the app

Fortunately for those of us who manage systems, especially thousands of them, the SES-RDe application is set up to be centrally managed. There are options for granting specific users or groups some level of control, but generally all management is done by an admin group.

The initial template includes 30 commonly used applications — Microsoft Office, Gimp, etc. Administrators can add others. They just need to capture the certificates or checksums of the applications they want to allow access to files. And getting the required information is fairly easy. It can be retrieved from a log file (if the agent is running in warning mode) or by scanning systems using the RDe signing tool.
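To make the extension whitelisting described above concrete (the access model two paragraphs up and the admin step of capturing checksums and running in warning mode), here is a small Python model added to this column; it is not SES-RDe code, and the class and function names are my own. Applications are identified by checksum rather than by file name, an admin captures a checksum to authorize it for an extension, and warning mode logs an unauthorized open instead of blocking it.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field


@dataclass
class Process:
    """A running application as an endpoint agent would see it (constructed data)."""
    image_path: str
    image_bytes: bytes  # contents of the executable; only its hash is used for identity

    @property
    def checksum(self) -> str:
        return hashlib.sha256(self.image_bytes).hexdigest()


@dataclass
class ExtensionPolicy:
    """Maps a file extension to the checksums of applications allowed to open it."""
    allowed: dict[str, set[str]] = field(default_factory=dict)
    enforce: bool = True  # False models the agent's "warning mode": log, don't block
    alerts: list[str] = field(default_factory=list)  # what an admin reviews in the log

    def authorize(self, ext: str, image_bytes: bytes) -> str:
        """Admin step: capture an application's checksum and allow it for ext."""
        digest = hashlib.sha256(image_bytes).hexdigest()
        self.allowed.setdefault(ext.lower().lstrip("."), set()).add(digest)
        return digest

    def check_open(self, proc: Process, path: str) -> bool:
        """Decide whether proc may open path. Identity comes from the checksum,
        so a ransomware binary renamed to WINWORD.EXE gains nothing."""
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if proc.checksum in self.allowed.get(ext, set()):
            return True
        verdict = "BLOCKED" if self.enforce else "WARNING"
        self.alerts.append(f"{verdict}: {proc.image_path} ({proc.checksum[:12]}) -> {path}")
        return not self.enforce  # warning mode records the event but lets the open proceed


if __name__ == "__main__":
    # Constructed sample: a "real" Word binary and a lookalike with different contents.
    word = Process(r"C:\Program Files\Microsoft Office\WINWORD.EXE", b"word-bytes")
    fake = Process(r"C:\Users\bob\AppData\Local\Temp\WINWORD.EXE", b"ransomware-bytes")
    policy = ExtensionPolicy()
    policy.authorize("docx", word.image_bytes)
    print(policy.check_open(word, r"C:\reports\q3.docx"))  # True
    print(policy.check_open(fake, r"C:\reports\q3.docx"))  # False, and an alert is logged
    print(policy.alerts)
```

The alerts list is where an admin running in warning mode would harvest the checksums of legitimate applications that still need to be authorized before switching to enforce mode.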

End users can be left completely unaware of all of the tool’s activities or be permitted to see customized pop-ups whenever the application is doing something on their systems.

In addition, admins can provide AD user accounts with various access privileges — including view only.

RDe also provides reports that can be delivered to upper management to display overviews of the application’s activities — something that I’ve found to be important whenever budgets need to be reviewed. Management is likely to want to know what kind of value is being derived from the deployed security tools before they approve continued funding.

Supported systems

I imagine that you’ve noticed the heavy Windows bias in everything I’ve said so far. SES-RDe currently only works on Windows systems — granted that’s lots of versions of Windows, but only Windows. However, they are at least looking into broadening the OS coverage.

Other features

While my focus has been on the file extension whitelisting aspect of SES-RDe, this feature is actually just one element in the suite of tools. It’s also important to note that:

  • In addition to the protection against encryption, when RDe detects unauthorized attempts to encrypt files, it automatically initiates alerts, alarms, logging, and ransomware quarantining, and it notifies and protects the other computers in the organization.
  • Templates are provided for quick and easy startup.
  • Extension whitelisting is just one part of the suite of ransomware protections that are part of RDe and should probably be thought of as the unique last line of defense.
  • The product is scalable. I’m told that the largest installed site is currently supporting 120,000 seats.
  • Recent announcements claim prices at less than $10/seat.

Wrap up

While I’m disappointed that Unix/Linux systems aren’t (yet) supported, I’m excited to see technology taking a new and seemingly very effective route to disabling ransomware. The threat it poses to nearly all of us — business, schools, hospitals, etc. — is very real, is very worrisome, and is getting worse.


Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.

The opinions expressed in this blog are those of Sandra Henry-Stocker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.