Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

Why UBA Will Catch the Zero-Day Ransomware Attacks (That Endpoint Protection Can’t)

Ransomware attacks have become a major security threat. It feels like each week a new variant is announced –Ransom32, 7ev3n. This malware may even be involved in the next big...
Kieran Laffan
2 min read
Published November 29, 2016
Last updated May 26, 2023

Ransomware attacks have become a major security threat. It feels like each week a new variant is announced –Ransom32, 7ev3n. This malware may even be involved in the next big breach. New variants such as Chimera threaten to not just ransom your data, but also leak it online if you don’t pay up.

These cyber extortionists are not exactly the most scrupulous people, and so who’s to say they won’t sell your data online even if you pay the ransom? They don’t have to offer a Terms of Service agreement!

Want to learn ransomware basics and earn a CPE credit? Try our free course.

 
“In just one hour, I’ll teach you the fundamentals of Ransomware and what you can do to protect and prepare for it.”

Let’s face it: they have a really good business model.

What’s the Signature?

Some have turned to endpoint security solutions in the hope that it will detect and stop crypto-malware. However, the industry is catching on to the fact that, as one observer put it, “signature-based antivirus software that most organizations still rely on to defend them can’t cope with modern attacks.”

A recent CIO article described the drawback best:

 “… while a signature-based approach reduces the performance hit to the systems on which it runs, it also means somebody has to be the sacrificial sheep. Somebody has to get infected by a piece of malware so that it can be identified, analyzed and other folks protected against it. And in the meantime the malefactors can create new malware that signature-based defenses can’t defend against.”

Bottom line: endpoint security solutions can’t block unknown ransomware variants by, for example, blacklisting connections to a current (but outdated) list of C&C servers. They’re also bound to a device/user/process, and so don’t provide any anti-heuristics or debugging techniques.

Ransomware Prevention that Works

If endpoint security tools won’t help prevent ransomware, what will?

Northeastern University’s latest ransomware research paperCutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, analyzed 1,359 ransomware samples and found that a “close examination on the file system activities of multiple ransomware samples suggests that by… protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.”

Is there a technology that will protect your file systems based on this idea?

Answer: User Behavior Analytics (UBA). It’s an essential ransomware prevention measure.

UBA compares what users on a system are normally doing — their activities and file access patterns – against the non-normal activities of an attacker who’s stolen internal credentials. First, the UBA engine monitors normal user behavior, by logging each individual user’s actions – file access, logins, and network activities. And then over time, UBA derives a profile that describes what it means to be that user.

Identifying Ransomware with Varonis Automated UBA Threat Models

Without any configuration, Varonis UBA threat models spot the signs of ransomware activity — when files are being encrypted — and therefore can stop these attacks without having to rely on a static list of signatures.

Once detected, a combination of automated steps can be triggered to prevent the infection from spreading: for example, disabling the infected user, the infected computer, network drives on the infected machine, or the NIC.

Interested in seeing UBA in action? Let’s talk.

Further reading:

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

with-keranger,-mac-users-are-no-longer-immune-to-ransomware-threats
With KeRanger, Mac Users Are No Longer Immune to Ransomware Threats
Cybercriminals who previously targeted Windows operating systems with ransomware have expanded their customer base to include the Mac OS. Known as KeRanger, it’s the first ransomware variant detected that infects...
cyptmix-ransomware-claims-to-donate-your-ransom-payment-to-charity
CyptMix Ransomware Claims to Donate Your Ransom Payment to Charity
Unlike traditional ransomware notes that rely on fear-based tactics, a new ransomware strain called CyptMix preys on your generosity. Part of the ransom note reads: “Your money will be spent...
last-week-in-ransomware:-week-of-august-9th
Last Week in Ransomware: Week of August 9th
This week saw the rise of a new ransomware group called BlackMatter and demonstrated even ransomware groups should worry about disgruntled employees.
threat-update-43-–-ransomware-early-warning:-brute-force
Threat Update 43 – Ransomware Early Warning: Brute Force
With the proliferation of more sophisticated, human-operated ransomware, attackers can live inside an organization for days, weeks, or months - finding and exfiltrating data before making their presence known by detonating ransomware.