Defenses Against Ransomware
Effective ransomware solutions to protect your critical data
Ransomware is a common method of cyber extortion for financial gain. It’s a type of attack that instantly prevents users from interacting with their files, applications or systems until the victim pays the ransom and the attacker restores access with a decryption key.
Advanced detection and prevention supported by actionable threat intelligence is the best defense against ransomware and other advanced attacks. The FireEye solution defends against the growing and ever-changing ransomware threat. It provides real-time, inline ransomware protection for multiple attack vectors to prevent or interfere with the activation of ransomware and protect you from financial loss and business disruption.
Ransomware: Methods for Endpoint Protection
Learn how your organization can proactively monitor, inspect and contain endpoint activities that indicate a ransomware attack. (video - 3:15 min)
How does the FireEye ransomware solution work?
Every component of the FireEye solution is a step toward stronger cyber security. Combining the following components contributes to the strongest possible defense against ransomware:
Offline and cloud-based analysis are often too slow to stop ransomware from encrypting your systems and data. FireEye Email Security deployed inline, either on-premises (EX) or cloud-based (ETP), operates as a mail transfer agent (MTA) and quarantines, analyzes and blocks ransomware emails before they reach the recipient.
Enhanced email security with a store-and-forward architecture and near-real-time speed effectively stops many attacks before they occur, with minimal business lag.
Endpoints and their users are the starting point for ransomware attacks. An attack often uses hard-to-detect discreet processes that exploit a vulnerability in a common application. FireEye Endpoint Security detects and analyzes these processes to determine if an exploit is taking place, giving analysts the information needed to stop an incident. And it provides needed visibility into endpoints so analysts can conduct detailed investigations to curtail damage and adapt the defense against further attack.
Ransomware intrusion involves three main stages: initial infection, file encryption and command-and-control (CnC) server access. FireEye Network Security identifies the attack process and detects and blocks communication with the servers that deliver encrypted malicious code to the victim and that receive its callbacks.
Where sandbox solutions consistently fail, FireEye Network Security succeeds because the Multi-Vector Virtual Execution™ (MVX) engine at its heart can readily analyze traffic and detect attacks that span multiple phases, including those with encrypted malware.
All FireEye customer appliances can help detect existing, evolving and new ransomware techniques with the help of FireEye Dynamic Threat Intelligence (DTI), a deep, codified analysis of malware trends and ransomware campaigns updated every 60 minutes.
FireEye also offers iSIGHT Intelligence to provide actionable tactical, operational and strategic intelligence that helps organizations better manage their risk and response to ransomware and other current threats. This threat intelligence is derived from attackers’ development environments, from a strong understanding of attacker tools, tactics and procedures (TTPs) and from hundreds of incident response engagements. These continually updated, shared, context-rich sources of insight create an industry-leading intelligence network that helps security teams predict, detect and respond to ransomware attacks.
“FireEye is keeping us out of the news, and this is a really good thing!”
- Jeremy Taylor, Network Manager, AAFCU
The growing ransomware threat
Ransomware activities targeting large and small organizations have been rising steadily since mid-2015. Small and midsize enterprises – with their limited budgets and expertise – that rely on or work heavily with data are prime targets for attackers.
How does ransomware work?
Most reported ransomware infections are introduced via email attachments or embedded links. Attackers often target key personnel and high-value computers with social engineering tactics and spear phishing to maximize their gains.
Web-based ransomware attacks tend to use “drive-by-download” exploit kits that take advantage of browser, application and system vulnerabilities in a multi-stage process:
Stage 1: Infect a legitimate website or hack an advertising network to insert code.
Stage 2: Profile the user system and redirect them to another web page with an exploit kit that detects vulnerable software such as older versions of Java or Flash on their computer.
Stage 3: Deliver an encrypted, obfuscated or encoded malicious payload to the user’s system. Ransomware takes effect once the payload is decrypted.
Stage 4: Establish a connection to a callback server so the attacker can set up the unique keys to encrypt the victim’s data.
Why are you vulnerable?
Sophisticated attackers test conventional defenses (antivirus software, next-generation firewalls, secure email and web gateways, intrusion prevention systems) and adjust their tactics to defeat them. The static analysis and signatures used by these defenses cannot:
- Update fast enough to keep pace with evolving attacks
- Optimize and automate operations to detect unknown, never-before-seen threats in real time
- Detect custom and encrypted communication between an external command-and-control server (CnC) and infected host
- Protect against multistage web- or email-based ransomware attacks that traditional sandboxes miss
HOW RANSOMWARE INFECTS VICTIMS VIA EMAIL
HOW RANSOMWARE INFECTS VICTIMS VIA THE WEB
“We recently blocked several serious targeted attempts sourced from both email and websites – including ransomware and credential stealing – where FireEye more than proved its worth.”
- Stephen Schommer, IT director, Northshore Utility District
Northshore Utility District protects its critical infrastructure with FireEye Network, Email and Forensics Security Solutions.
Examine new ransomware trends and learn how to respond to these attacks and what you can do to improve your defenses.
Latest Ransomware Updates
17 Aug 2016 - Locky Ransomware Distributed Via DOCM Attachments in Latest Email Campaigns
18 Jul 2016 - Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection
A new feature of the FireEye Endpoint Security platform detected a Cerber ransomware campaign and alerted customers in the field. The campaign distributed a malicious Microsoft Word document that could contact an attacker-controlled website to download and install the Cerber family of ransomware.
24 Jun 2016 - Locky is Back Asking for Unpaid Debts
10 Jun 2016 - Connected Cars: The Open Road for Hackers
Cyber attackers will likely turn their attention to vehicles for their illicit activity, using the car's own high-tech features and connectivity against itself for advanced attacks.
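Both the Locky and Cerber campaigns listed above arrived as macro-bearing Office attachments. The following is an added example, not FireEye code, of a mail-gateway style check that flags such attachments by extension and, when the extension has been disguised, by looking for a VBA project inside the Office zip container; the sample message, addresses and attachment are all constructed inline.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Office Open XML documents are zip archives; the VBA macro project lives in
# a vbaProject.bin part (word/ for Word, xl/ for Excel, ppt/ for PowerPoint).
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".pptm")

def has_vba_project(data: bytes) -> bool:
    """True if the bytes are a zip archive containing an Office VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.endswith("vbaProject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def find_macro_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every attachment that carries macros."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(MACRO_EXTENSIONS):
            findings.append((name, "macro-enabled extension"))
        elif has_vba_project(data):
            # Renamed to a plain .docx, but the macro project is still inside.
            findings.append((name, "VBA project inside archive"))
    return findings

def build_sample_message(filename: str = "invoice.docm") -> bytes:
    """Constructed sample: invoice-themed mail with a macro-bearing attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder, not a real macro")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Unpaid invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(find_macro_attachments(build_sample_message("invoice.docx")))
```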
Build a Business Case
- How Secure Do You Want to Be? Learn how a security program assessment can help identify gaps to improve your security posture and reduce risk.
- Closing the Security Expertise Gap Learn how you can bring together technology, intelligence and expertise to help monitor threats, find attackers and respond before damage can be done.
- Handling Too Many Alerts vs. Managing Risks Understand the true costs of ineffective security and how to quantify the operational benefits for reducing alert volume.
- Calculate Your Cyber Security Costs Use the total cost of ownership calculator to compare your current security solution versus what you would spend with FireEye.