Minerva Labs Blog


Ransomware Mania

Fifty new ransomware families have appeared in less than six months, according to a recent Trend Micro report.
 
Prior to 2016 there were about a dozen major ransomware families, and the release of a new variant was rare. Recently, however, we are seeing new ransomware variants released almost weekly, each trying to gain "market share" in the lucrative ransomware business.

This ransomware "population explosion" is making life very difficult for security vendors. Because of the way some vendors designed and engineered their products, they are forced to chase each new ransomware family and its unique characteristics: a new sample, a new signature, a new update. Even if that approach was feasible when a new family appeared once a month or so, it has clearly become a losing game.

At Minerva Labs we take a different approach, a paradigm shift in the battle against malware: the Minerva Anti-Evasion Platform. Our platform creates the impression that each endpoint is a sandbox protected by multiple high-end security products. The technology takes advantage of the fact that modern malware tries to remain undetected for as long as possible: before acting, it probes its surroundings and avoids running under automated analysis in sandboxes and other sophisticated security products. Ransomware operators know that once a sample is caught by such a solution the jig is up: the infection infrastructure will be taken down, AV vendors will ship signatures that detect their "product" and law enforcement agencies will hunt them down.

Using the ransomware's strengths against itself is highly effective: in most cases, the moment a sample meets a Minerva-protected endpoint it simply goes to sleep. However, we are also prepared for "stupid" ransomware that deploys without first probing its environment. Our ransomware protection module fills this gap, remediating ransomware damage in a generic manner even when the malware is not environmentally aware.

In Minerva-protected endpoints, ransomware simply goes to sleep
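The two behaviours described above, modelled as an added example that is not Minerva's code and says nothing about how the product is implemented internally: an environmentally-aware sample that probes for sandbox and analysis artifacts and sleeps when it finds any, a deception layer that makes a clean host answer those probes like a sandbox, and a copy-on-write journal that restores files touched by a sample that never looks around. The artifact names, the indicator list, the sample files and the XOR "encryption" are all constructed assumptions for illustration; real families each carry their own checks.

```python
"""Model of evasive vs. naive ransomware, sandbox deception, and generic file restore.

Added example, not Minerva Labs code. Indicator lists, file names and hosts are
constructed assumptions; a real agent answers the sample's API queries (process
enumeration, registry reads, file probes) rather than patching a snapshot.
"""
from dataclasses import dataclass


@dataclass
class Host:
    """What a sample can observe about the machine it landed on."""
    processes: set
    files: set
    reg_keys: set
    mac: str
    uptime_min: int


# Assumed indicators of a sandbox / analysis box (illustrative, not exhaustive).
ANALYSIS_PROCS = {"vboxservice.exe", "vmtoolsd.exe", "procmon.exe", "wireshark.exe"}
VM_DRIVER_FILES = {r"C:\Windows\System32\drivers\VBoxMouse.sys",
                   r"C:\Windows\System32\drivers\vmhgfs.sys"}
VM_REG_KEYS = {r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
               r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"}
VM_MAC_PREFIXES = ("08:00:27", "00:0c:29", "00:50:56")


def sandbox_indicators(host):
    """Return the reasons an evasive sample would refuse to run on this host."""
    hits = []
    if host.processes & ANALYSIS_PROCS:
        hits.append("analysis process")
    if host.files & VM_DRIVER_FILES:
        hits.append("vm driver file")
    if host.reg_keys & VM_REG_KEYS:
        hits.append("vm registry key")
    if host.mac.lower().startswith(VM_MAC_PREFIXES):
        hits.append("vm mac prefix")
    if host.uptime_min < 10:
        hits.append("fresh boot")
    return hits


class FileStore:
    """In-memory file system; the first write to a file journals its original bytes."""
    def __init__(self, files):
        self.files = dict(files)
        self.journal = {}

    def write(self, name, data):
        self.journal.setdefault(name, self.files[name])
        self.files[name] = data

    def restore(self):
        """Put every journaled original back; returns the number of files restored."""
        self.files.update(self.journal)
        count = len(self.journal)
        self.journal.clear()
        return count


def scramble(data):
    """Stand-in for the sample's encryption routine (constructed, reversible XOR)."""
    return bytes(b ^ 0x5A for b in data)


def evasive_ransomware(host, store):
    """Probes first; sleeps if anything looks like analysis, otherwise encrypts."""
    hits = sandbox_indicators(host)
    if hits:
        return {"action": "sleep", "reasons": hits}
    for name in list(store.files):
        store.write(name, scramble(store.files[name]))
    return {"action": "encrypt", "reasons": []}


def naive_ransomware(host, store):
    """Never looks around: encrypts immediately, so deception alone does nothing."""
    for name in list(store.files):
        store.write(name, scramble(store.files[name]))
    return {"action": "encrypt", "reasons": []}


def plant_deception(host):
    """Make the host satisfy one probe of each kind without running any real tool."""
    return Host(processes=host.processes | {"vboxservice.exe"},
                files=host.files | {r"C:\Windows\System32\drivers\VBoxMouse.sys"},
                reg_keys=host.reg_keys | {r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
                mac="08:00:27:" + host.mac[9:],
                uptime_min=host.uptime_min)


# Constructed user data and a plausible clean workstation.
SAMPLE_FILES = {r"C:\Users\bob\Documents\q2.xlsx": b"quarterly numbers",
                r"C:\Users\bob\Pictures\cat.jpg": b"\xff\xd8\xff\xe0 not a real jpeg"}
CLEAN_HOST = Host(processes={"explorer.exe", "outlook.exe"}, files=set(),
                  reg_keys=set(), mac="3c:97:0e:12:34:56", uptime_min=4320)


def run_scenario(sample, deceive):
    """Run a sample against the host; returns (action, files damaged, files restored, intact)."""
    host = plant_deception(CLEAN_HOST) if deceive else CLEAN_HOST
    store = FileStore(SAMPLE_FILES)
    verdict = sample(host, store)
    damaged = sum(store.files[n] != SAMPLE_FILES[n] for n in SAMPLE_FILES)
    restored = store.restore() if damaged else 0
    return verdict["action"], damaged, restored, store.files == SAMPLE_FILES


if __name__ == "__main__":
    for sample in (evasive_ransomware, naive_ransomware):
        for deceive in (False, True):
            print(sample.__name__, "deception" if deceive else "no deception",
                  run_scenario(sample, deceive))
```

Two points to take from the model. Deception only costs the attacker something because the sample's own check is a single conjunction of "does anything look like analysis?": one planted artifact per probe class is enough to flip its decision, and the planted artifacts are inert names and keys, not running tools. The naive sample shows why the journal is the necessary second layer: nothing it does depends on the environment, so the only generic recovery is to have kept the original bytes before the first overwrite.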

To test the effectiveness of our solution we ran a small real-world test of our own:

  • We took the latest samples published by trusted feeds such as Malware Traffic Analysis and checked our performance against them.
  • Samples were executed in our lab on a fully operational Windows 7 machine protected by the Minerva Anti-Evasion Platform.
  • The Minerva Anti-Evasion Platform agent under test was months old and had not been updated with any kind of signature-like data or cloud-based intelligence.

The results were as follows:

1. Bandarchor

  • Hash: 4c0855466cc65cfc273f8cd953c9bf328656732879a0ce387cbdf9c78b9827a1
  • Result: malware halted, tried to evade sandbox

2. Cerber

  • Hash: 649f06c85b1b9a6ed1d257c21a103e6aa09480706719d86bfb10436654a0b517
  • Result: malware halted, tried to evade security products

3. CryptXXX

  • Hash: 427029cb7166d1ace6dfbd697effcb2f277648f04a9d674d5becbfa5a4cc3ec0
  • Result: files were successfully restored

4. Locky (1)

  • Hash: c42c9b2ab7f8f4a0f3c3554f199bf62a75382447c98b7dc430e33a616e60ce65
  • Result: malware halted, tried to evade sandbox

5. Locky (2)

  • Hash: 844555caf160300f82e2bd08a3ee84aac093f40f7223177ef89f1f2bb55761cc
  • Result: malware halted, tried to evade sandbox

6. Pizzacrypts (1)

  • Hash: d6818864dc9e10b15c88aca4d1e8fd971eff43572beba3001fd6c96028afd9f3
  • Result: malware halted, tried to evade sandbox

7. Pizzacrypts (2)

  • Hash: 3b752319cbdd965d229841f150815445ce2da2d90a613d1b965a55351fff270a
  • Result: files were successfully restored

8. VaultCrypt

  • Hash: 77b097a74824725e58eebe6b571e04a5d5dd533bd112a0edc3a6abe39a7ca7fa
  • Result: malware halted, tried to evade sandbox

It is difficult to quantify performance against ongoing live malware campaigns, but we believe the above results are clear. Minerva stopped most of the ransomware we tested before a single file was encrypted, because each of those samples probed its environment and went to sleep. In the rare case of ransomware that is not environmentally aware (two of the eight samples above), we were able to restore all of the affected files. We needed no updates, blocked no URLs or known traffic patterns and performed no CPU-heavy computations, yet we were still able to prevent or remediate every sample we tested.