A Different Approach To Anti-Ransomware

Over the past few years many endpoint security products have appeared, each staking a claim on your security needs. However, when it comes to ransomware protection, there are typically only three ways that these products attempt to protect a device. Some products use only one of these techniques, while others use two or even all three. Let's discuss each technique one by one.

Detection and blocking

The first way that these products protect you is through detection. They use different techniques, such as signatures, machine learning, heuristics, behavior analysis, or other means, to detect the ransomware and then block it. Detecting and blocking ransomware is the typical way that antivirus software works, and it is very effective against known ransomware and other known malware. However, fully undetectable (FUD) ransomware cannot be blocked by these solutions. To make matters worse, ransomware authors routinely check their ransomware against services like VirusTotal to ensure that it is not detected. Relying on detection alone is not an adequate way to protect your device from ransomware.

Backing up files

Another technique that some anti-ransomware solutions use is to back up files to another location on disk before they are modified. This way, once ransomware is detected, the solution can revert these files to their pre-encrypted state. Backing up files works reasonably well for typical ransomware, but there are several problems with this approach. First, backing up files doubles the disk activity (I/O), because each file that is modified must first be copied one by one, which causes a significant performance hit. Second, many ransomware programs start by attempting to delete all backups before encrypting the original files. In this case there is no way to recover, since the backup has been destroyed. Finally, more advanced ransomware programs, such as NotPetya and Shamoon, perform full-disk encryption or simply wipe the disk of all data. In these cases backing up the files won't help, since the disk itself, including the backup, is overwritten.

Protecting specified folders

A third approach that anti-ransomware solutions take is to block unknown programs from writing to protected folders, so that only approved applications have access to them. This way ransomware is blocked from encrypting files in protected folders. At first glance this sounds like a good approach. However, enabling a feature like this can be problematic, since it is difficult for users to figure out which applications need to be approved. In managed environments it can cause continuous complaints from users whose various third-party applications need specific access to these folders. A potentially worse problem is that every approved application, even a known-good one, becomes a way for ransomware to get in: ransomware can use these approved applications to encrypt data. For example, there are ransomware programs that use Microsoft Word macros to encrypt files. In addition, just like backing up files, this does not help against ransomware that encrypts or wipes the full disk. Controlling access to folders does not fully protect you from ransomware.

A different way

NeuShield Data Sentinel takes a completely different approach by creating a protective shield between your files and applications. When ransomware or another application tries to make changes, the original files stay intact, allowing users to revert any unwanted change that has been made. While other products create backup copies of your files, which can dramatically increase disk usage and cause a significant performance overhead, NeuShield's revolutionary Mirror Shielding™ technology preserves the original file without requiring a backup, which allows Data Sentinel to protect files with virtually no additional disk activity (I/O). In addition, the boot record (MBR) of your drive is monitored to prevent aggressive types of ransomware from overwriting it or leaving the device unable to boot. Raw disk access is also monitored to prevent wipers and malicious ransomware programs from destroying or encrypting your drive.
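As an added illustration (not NeuShield's code, and not a description of how Mirror Shielding works internally), the toy simulation below models the two strategies discussed in "Backing up files" and in this section: a back-up-before-modify protector, and a generic overlay (copy-on-write) protector in which changes are captured in a separate layer and the original bytes are never rewritten. The `Disk`, `BackupProtector` and `OverlayProtector` classes, the sample files and the XOR stand-in for encryption are all constructed for this example. It counts bytes written so the doubled I/O of the backup approach is visible, shows that a backup the attacker can reach on disk cannot be relied on for recovery, and shows that discarding an overlay entry restores the original with no further writes.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample user files (not taken from any real system).
SAMPLE_FILES: Dict[str, bytes] = {"/docs/a.txt": b"hello", "/docs/b.txt": b"world!"}


@dataclass
class Disk:
    """In-memory stand-in for a disk: path -> content, plus a count of bytes written."""
    files: Dict[str, bytes] = field(default_factory=dict)
    bytes_written: int = 0

    def write(self, path: str, data: bytes) -> None:
        self.files[path] = data
        self.bytes_written += len(data)

    def delete(self, path: str) -> None:
        self.files.pop(path, None)

    def read(self, path: str) -> Optional[bytes]:
        return self.files.get(path)


def fake_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    """Placeholder for the attacker's encryption: a constant XOR (constructed, not real crypto)."""
    return bytes(b ^ key for b in data)


class BackupProtector:
    """Strategy from 'Backing up files': copy the original to a backup area on disk before each change."""

    BACKUP_DIR = "/backup"

    def __init__(self, disk: Disk) -> None:
        self.disk = disk

    def read(self, path: str) -> Optional[bytes]:
        return self.disk.read(path)

    def modify(self, path: str, new_data: bytes) -> None:
        original = self.disk.read(path)
        if original is not None:
            self.disk.write(self.BACKUP_DIR + path, original)  # the extra write: a full copy
        self.disk.write(path, new_data)

    def revert(self, path: str) -> bool:
        backup = self.disk.read(self.BACKUP_DIR + path)
        if backup is None:
            return False  # backup destroyed or never made: nothing to restore
        self.disk.write(path, backup)
        return True


class OverlayProtector:
    """Generic overlay / copy-on-write model (an assumption for this example, not NeuShield's
    implementation): changes are captured in an overlay and the original bytes are never rewritten."""

    def __init__(self, disk: Disk) -> None:
        self.disk = disk
        self.overlay: Dict[str, bytes] = {}  # path -> modified content, pending commit or revert

    def read(self, path: str) -> Optional[bytes]:
        return self.overlay.get(path, self.disk.read(path))

    def modify(self, path: str, new_data: bytes) -> None:
        # Only the new content is written; no copy of the original is made.
        # Where the overlay is stored is a detail this toy ignores; each byte is counted once.
        self.overlay[path] = new_data
        self.disk.bytes_written += len(new_data)

    def revert(self, path: str) -> bool:
        # Discarding the overlay entry restores the original with no further disk writes.
        return self.overlay.pop(path, None) is not None


def simulated_ransomware(disk: Disk, protector, wipe_backups: bool) -> None:
    """Attacker behaviour as described in the text: encrypt every user file and
    delete any backup copies it can find on disk."""
    for path in SAMPLE_FILES:
        protector.modify(path, fake_encrypt(protector.read(path)))
    if wipe_backups:
        for path in [p for p in disk.files if p.startswith(BackupProtector.BACKUP_DIR)]:
            disk.delete(path)


def run_scenario(strategy: str, wipe_backups: bool = True) -> dict:
    """Run one attack against one strategy; report I/O cost and whether recovery worked."""
    disk = Disk(dict(SAMPLE_FILES))
    protector = BackupProtector(disk) if strategy == "backup" else OverlayProtector(disk)
    simulated_ransomware(disk, protector, wipe_backups)
    attack_io = disk.bytes_written
    encrypted = any(protector.read(p) != SAMPLE_FILES[p] for p in SAMPLE_FILES)
    recovered = all([protector.revert(p) for p in SAMPLE_FILES])  # list: attempt every file
    intact = all(protector.read(p) == SAMPLE_FILES[p] for p in SAMPLE_FILES)
    return {"attack_io": attack_io, "encrypted": encrypted, "recovered": recovered, "intact": intact}


if __name__ == "__main__":
    for name, kwargs in [("backup", {}), ("backup", {"wipe_backups": False}), ("overlay", {})]:
        print(name, kwargs, run_scenario(name, **kwargs))
```

With the 11 bytes of sample data, the backup strategy writes 22 bytes during the attack and recovers nothing once the attacker removes the backup area, while the overlay strategy writes 11 bytes and reverts cleanly. The overlay model shares the page's stated limit: a raw disk wipe that bypasses the protector would destroy overlay and original alike, which is why the text pairs it with monitoring of raw disk and boot-record access.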