Defenses Against Ransomware

Effective ransomware solutions to protect your critical data

Ransomware is a common method of cyber extortion for financial gain. It’s a type of attack that instantly prevents users from interacting with their files, applications or systems until the victim pays the ransom and the attacker restores access with a decryption key.

Advanced detection and prevention supported by actionable threat intelligence is the best defense against ransomware and other advanced attacks. The FireEye solution defends against the growing and ever-changing ransomware threat. It provides real-time, inline ransomware protection for multiple attack vectors to prevent or interfere with the activation of ransomware and protect you from financial loss and business disruption.

Ransomware: Methods for Endpoint Protection

Learn how your organization can proactively monitor, inspect and contain endpoint activities that indicate a ransomware attack. (video - 3:15 min)

How does the FireEye ransomware solution work?

Every component of the FireEye solution is a step toward stronger cyber security. Combining the following components contributes to the strongest possible defense against ransomware:

FireEye Email Security

Offline and cloud-based analysis are often too slow to stop ransomware from encrypting your systems and data. FireEye Email Security deployed inline, either on premise (EX) or cloud based (ETP), operates as a mail transfer agent (MTA) and quarantines, analyzes and blocks ransomware emails before they reach the recipient.

Enhanced email security with a store-and-forward architecture and near-real-time speed stops many attacks before they occur, with minimal business lag.

FireEye Endpoint Security

Endpoints and their users are the starting point for ransomware attacks. An attack often uses hard-to-detect, discreet processes that exploit a vulnerability in a common application. FireEye Endpoint Security detects and analyzes these processes to determine whether an exploit is taking place, giving analysts the information needed to stop an incident. It also provides the visibility into endpoints that analysts need to conduct detailed investigations, curtail damage and adapt the defense against further attacks.

FireEye Network Security

Ransomware intrusion involves three main stages: initial infection, file encryption and command-and-control (CnC) server access. FireEye Network Security identifies the attack process and detects and blocks communication with the servers that deliver the encrypted malicious code to the victim and that receive its callbacks.

Where sandbox solutions consistently fail, FireEye Network Security succeeds because the Multi-Vector Virtual Execution™ (MVX) engine at its heart can readily analyze traffic and detect attacks that span multiple phases, including those with encrypted malware.

FireEye Threat Intelligence

All FireEye customer appliances can help detect existing, evolving and new ransomware techniques with the help of FireEye Dynamic Threat Intelligence (DTI), a deep, codified analysis of malware trends and ransomware campaigns updated every 60 minutes.

FireEye also offers iSIGHT Intelligence to provide actionable tactical, operational and strategic intelligence that helps organizations better manage their risk and response to ransomware and other current threats. This threat intelligence is derived from attackers’ development environments, from a strong understanding of attacker tools, tactics and procedures (TTPs) and from hundreds of incident response engagements. These continually updated, shared, context-rich sources of insight create an industry-leading intelligence network that helps security teams predict, detect and respond to ransomware attacks.

Air Academy Federal Credit Union (AAFCU)

Air Academy Federal Credit Union stays ahead of the cyber security curve with FireEye.

“FireEye is keeping us out of the news, and this is a really good thing!”

- Jeremy Taylor, Network Manager, AAFCU


The growing ransomware threat

Ransomware activities targeting large and small organizations have been rising steadily since mid-2015. Small and midsize enterprises – with their limited budgets and expertise – that rely on or work heavily with data are prime targets for attackers.

How does ransomware work?

Most reported ransomware infections are introduced via email attachments or embedded links. Attackers often target key personnel and high-value computers with social engineering tactics and spear phishing to maximize their gains.

Web-based ransomware attacks tend to use “drive-by-download” exploit kits that take advantage of browser, application and system vulnerabilities in a multi-stage process:

Stage 1: Infect a legitimate website or hack an advertising network to insert malicious code.

Stage 2: Profile the user's system and redirect the user to another web page hosting an exploit kit that detects vulnerable software, such as older versions of Java or Flash, on their computer.

Stage 3: Deliver an encrypted, obfuscated or encoded malicious payload to the user’s system. Ransomware takes effect once the payload is decrypted.

Stage 4: Establish a connection to a callback server so the attacker can set up the unique keys to encrypt the victim’s data.
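The file-encryption stage that follows these steps is what endpoint monitoring looks for: one process rewriting or renaming many files with high-entropy content in a short burst. The Python below is an added illustration, not FireEye code; the log format, process names, paths and thresholds are assumptions, and the sample log is constructed.

```python
"""Heuristic detector for the encryption stage of a ransomware intrusion, run over
a constructed endpoint file-event log: "ts,pid,process,op,path,entropy" per line,
entropy being the Shannon entropy (bits/byte) of the file content after the op."""
from collections import defaultdict

ENTROPY_THRESHOLD = 7.5  # encrypted or compressed data sits near 8.0 bits/byte
WINDOW_SECONDS = 60      # burst window
MIN_FILES = 5            # distinct high-entropy files inside the window to alert

# Constructed sample (not real telemetry): a word processor, an archiver writing one
# legitimately high-entropy file, and a process renaming many documents to a new
# extension with high-entropy content within a few seconds.
SAMPLE_LOG = """\
1000,412,WINWORD.EXE,write,/home/alice/docs/q3.docx,4.1
1002,530,7z.exe,write,/home/alice/backup.7z,7.8
1010,777,update.exe,rename,/home/alice/docs/q3.docx.locked,7.9
1011,777,update.exe,rename,/home/alice/docs/q2.docx.locked,7.9
1012,777,update.exe,rename,/home/alice/docs/budget.xlsx.locked,7.8
1013,777,update.exe,rename,/home/alice/pics/cat.jpg.locked,7.9
1014,777,update.exe,rename,/home/alice/notes.txt.locked,7.7
"""

def parse_events(log_text):
    """Parse the CSV-style log into dicts; blank lines are skipped."""
    events = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, pid, proc, op, path, entropy = line.split(",")
        events.append({"ts": int(ts), "pid": int(pid), "process": proc,
                       "op": op, "path": path, "entropy": float(entropy)})
    return events

def find_encryption_bursts(events, window=WINDOW_SECONDS,
                           min_files=MIN_FILES, threshold=ENTROPY_THRESHOLD):
    """Map pid -> (process, file count) for processes that wrote or renamed at
    least `min_files` distinct files with entropy >= threshold within `window` s."""
    per_pid = defaultdict(list)
    for e in events:
        if e["op"] in ("write", "rename") and e["entropy"] >= threshold:
            per_pid[e["pid"]].append(e)
    alerts = {}
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over time-sorted events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            files = {x["path"] for x in evs[start:end + 1]}
            if len(files) >= min_files:
                alerts[pid] = (evs[end]["process"], len(files))
    return alerts
```

A single high-entropy archive write stays below the file threshold, and the same five renames spread over a longer period than the window do not alert, so tuning `WINDOW_SECONDS` and `MIN_FILES` to the environment's normal file activity is the main false-positive control.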

Why are you vulnerable?

Sophisticated attackers test conventional defenses (antivirus software, next-generation firewalls, secure email and web gateways, intrusion prevention systems) and adjust their tactics to defeat them. The static analysis and signatures used by these defenses cannot:

  • Update fast enough to keep pace with evolving attacks
  • Optimize and automate operations to detect unknown, never-before-seen threats in real time
  • Detect custom and encrypted communication between an external command-and-control (CnC) server and an infected host
  • Protect against multistage web- or email-based ransomware attacks that traditional sandboxes miss

[Figure] HOW RANSOMWARE INFECTS VICTIMS VIA EMAIL

[Figure] HOW RANSOMWARE INFECTS VICTIMS VIA THE WEB


“We recently blocked several serious targeted attempts sourced from both email and websites – including ransomware and credential stealing – where FireEye more than proved its worth.”

- Stephen Schommer, IT director, Northshore Utility District

Case Study: Northshore Utility District

Northshore Utility District protects its critical infrastructure with FireEye Network, Email and Forensics Security Solutions.

Effective Ransomware Response Strategies

Learn how to build a cyber security solution that offers strong, resilient protection against ransomware.

The Rise of Ransomware

Examine new ransomware trends and learn how to respond to these attacks and what you can do to improve your defenses.

Use Threat Intelligence to Mitigate Ransomware in Healthcare

Get strategies to avoid being crippled by ransomware.

Latest Ransomware Updates

  • 17 Aug 2016

    Locky Ransomware Distributed Via DOCM Attachments in Latest Email Campaigns

    Locky ransomware downloaders are becoming more prevalent, and attackers are constantly changing the tools and techniques they use in their cyber campaigns. FireEye has recently observed attackers shifting from JavaScript-based downloaders to using the DOCM format.

  • 18 Jul 2016

    Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

    A new feature of the FireEye Endpoint Security platform detected a Cerber ransomware campaign and alerted customers in the field. The campaign distributed a malicious Microsoft Word document that could contact an attacker-controlled website to download and install the Cerber family of ransomware.

  • 24 Jun 2016

    Locky is Back Asking for Unpaid Debts

    FireEye Dynamic Threat Intelligence has identified an increase in JavaScript contained within spam emails, due to a new Locky ransomware spam campaign that uses an added evasion technique.

  • 10 Jun 2016

    Connected Cars: The Open Road for Hackers

    Cyber attackers will likely turn their attention to vehicles for their illicit activity, using the car's own high-tech features and connectivity against itself for advanced attacks.