Ransomware attackers meet their match

BrandPost By CIO Middle East
Nov 25, 2019
Security

Endpoint-protection specialist SentinelOne shows us how to stand up to the virtual highwaymen and sidestep the dreaded digital stickup

The Middle East has long been a playground for cyber-miscreants. In the Arab Gulf, for example, digital bandits can see more devices per capita, larger penetration rates in fixed-line and mobile Internet subscriptions, and an enticing abundance of high-net-worth individuals from a slew of different cultures.

Ransomware attackers, given their modus operandi, are particularly drawn to this attack surface. The illicit encryption of vital files on a victim’s machine, locking it until the victim pays for a decryption key, quickly became the stuff of nightmares for CIOs, CISOs and other executives when a spate of ransomware incidents made headlines in the mainstream media.

SentinelOne, a frontline combatant in the daily war against ransomware pedlars, believes the scourge has become the preeminent concern in cybersecurity circles.

“Ransomware dominates today’s cyberthreat landscape, claiming more than US$1 billion in extorted funds from organisations of all sizes,” said Tamer Odeh, Regional Sales Director for SentinelOne in the Middle East.

Odeh decried an escalation in the number of ransomware attacks regionally in the previous year, with both private and public sector organisations in the firing line. Meanwhile the number of strains found worldwide has doubled.

“NotPetya and WannaCry were among the most damaging attacks we’ve seen so far,” he said. “Both exploited the [Microsoft Windows] EternalBlue backdoor to infect a vast number of machines – almost a quarter of a million in more than 150 countries, in the case of WannaCry.”

Putting the squeeze on victims has also been honed to an art form. The Jigsaw ransomware strain, for example, not only locks machines but deletes files over time, applying further psychological pressure to pay.

Ransomware is notoriously easy to code and relies on native encryption functions on Windows and Unix-based machines. Attackers even have access to Ransomware-as-a-Service, where they can buy the malware as needed. And by building their own encryption frameworks, attackers can circumvent anti-malware systems.

To add further headaches for security personnel, effective ransomware defences cannot rely solely on business continuity suites, because these will also be infected if they are online when the attack comes. And attackers rely on a victim’s need to recover data quickly as an incentive to pay. Deciding whether to pay can, in some instances, be exceedingly complex, with organisations having to weigh up a host of issues, such as ethics, reputation and the fear that paying out may not have the desired effect.

“In some cases, decryption keys are not even available, and in others, the ransomware authors simply didn’t respond once they were paid,” said Odeh. “We saw this to some degree with WannaCry.”

He said victims now have access to www.nomoreransom.org, an initiative delivered jointly by the Netherlands’ National High Tech Crime Unit, Europol’s European Cybercrime Centre and technology vendors. The organisation helps victims of ransomware retrieve encrypted data without having to pay criminals.

SentinelOne employs a single-agent technology with a Static AI engine to provide pre-execution protection against ransomware. The Static AI engine replaces traditional signatures, meaning an end to traditional recurring scans that negatively affect end-user productivity. The company’s Behavioural AI engines monitor processes throughout their lifetime to detect malicious activities. And the autonomous agent responds instantaneously with flag messages when an event is detected.

“Our Behaviour AI is vector-agnostic,” said Odeh. “[It covers] file-based malware, scripts, weaponised documents, lateral movement, file-less malware and even zero-days.”

SentinelOne’s automated endpoint detection and response (EDR) provides rich forensic data that can help mitigate ransomware threats automatically, perform network isolation and auto-immunise endpoints against new threats. As a final safety measure, SentinelOne can even roll back an endpoint to its pre-infected state.

“We match ransomware attacks at their own speed and unify prevention, detection and response in a single platform, driven by sophisticated machine learning and intelligent automation,” Odeh said. “Ransomware attackers have met their match.”