New approaches to protection against ransomware
What is clear is that traditional security approaches based on the use of antivirus software or malware scanners are insufficient for ransomware defense.
Such solutions try to detect attacks using signatures. If malware is detected, the protection software blocks it, preventing access to system resources.
It is precisely at this point that the serious disadvantage of these solutions becomes apparent: because they rely on detecting the malware first, they often cannot provide reliable protection against the growing number of new, previously unknown ransomware variants.
Companies need to take additional measures; common ones include application blacklisting, application whitelisting, application greylisting, and least privilege control.
Blacklisting allows organizations to prevent known malware from executing in their environment. Since new ransomware variants are not yet on the list, this method is of little use for protection against ransomware.
By its very nature, application whitelisting is 100 percent effective in the fight against ransomware, as this method blocks all applications that are not explicitly trusted.
Although ransomware attacks can be prevented extremely effectively with this containment strategy, it is difficult to implement in practice.
Compared with a blacklist, creating and maintaining a whitelist is very time-consuming: not only must every application in use be accounted for, but above all every update to those applications.
An update may change the check value of an approved application, such as its hash, so that it no longer matches the whitelist entry and the program consequently no longer starts.
Greylisting of applications offers another option. It allows organizations to prevent known, blacklisted malware from running in their environments while limiting the permissions of all applications that are unknown or not explicitly trusted.
This classification can be based on various parameters that an administrator defines centrally. The greylisting procedure thus offers more flexibility than whitelisting and can be used to prevent actions by unknown applications such as establishing an Internet connection, accessing the network, or reading, writing and modifying files.
With its permissions limited in this way, ransomware is generally unable to access and encrypt files. Last but not least, there is least privilege control, which is not only a standard security practice but also one of Microsoft's "Ten Immutable Laws of Security".
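To make the three control modes concrete, here is an added example (not from the original article) of a small hash-based application-control policy in Python: it shows why a blacklist lets an unknown program run unrestricted, why an approved program's update breaks a hash-based whitelist, and how greylisting lets the unknown program run with only the reduced rights described above. The mode names, the right names and the byte-string "executables" are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    BLOCK = "block"            # may not execute at all
    FULL = "full"              # executes with full rights
    RESTRICTED = "restricted"  # executes with reduced rights (greylist case)

FULL_RIGHTS = frozenset({"network", "file_read", "file_write"})
# Greylisted programs keep read access so they stay usable, but lose the rights
# ransomware depends on: no network connection, no writing or modifying files.
GREY_RIGHTS = frozenset({"file_read"})

@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    rights: frozenset

def sha256(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def evaluate(image: bytes, mode: str, blacklist: set, whitelist: set) -> Decision:
    """Classify an executable image by its SHA-256 under one control mode:
    'blacklist' - anything not blacklisted runs with full rights;
    'whitelist' - anything not whitelisted is blocked;
    'greylist'  - anything on neither list runs with GREY_RIGHTS only."""
    digest = sha256(image)
    if digest in blacklist:
        return Decision(Verdict.BLOCK, frozenset())
    if digest in whitelist:
        return Decision(Verdict.FULL, FULL_RIGHTS)
    if mode == "blacklist":
        return Decision(Verdict.FULL, FULL_RIGHTS)
    if mode == "whitelist":
        return Decision(Verdict.BLOCK, frozenset())
    if mode == "greylist":
        return Decision(Verdict.RESTRICTED, GREY_RIGHTS)
    raise ValueError(f"unknown mode: {mode}")

# Constructed stand-ins for binaries; a real policy would hash the executable file.
EDITOR_V1 = b"editor 1.0"         # approved build, its hash is on the whitelist
EDITOR_V2 = b"editor 1.1"         # vendor update: new bytes, so a new hash
KNOWN_BAD = b"ransomware sample"  # has a signature, so it is blacklisted
UNKNOWN = b"brand-new program"    # no signature anywhere: the case blacklists miss
BLACKLIST = {sha256(KNOWN_BAD)}
WHITELIST = {sha256(EDITOR_V1)}
```

Calling `evaluate(EDITOR_V2, "whitelist", BLACKLIST, WHITELIST)` blocks the updated editor because its hash no longer matches, while `evaluate(UNKNOWN, "greylist", BLACKLIST, WHITELIST)` lets the unknown program run with read access only.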
Ransomware is currently a very reliable and convenient method for attackers to present companies with a dilemma: write off the hijacked data, or make a payment in the hope of getting it back.
Classic security solutions such as antivirus software are not effective in defending against ransomware, so additional security measures must be taken. The analysis of the various options shows that blacklisting and whitelisting are not suitable means on their own; the least-privilege approach and application control in particular prove to be effective.
A first step is to revoke local administrator rights, as CyberArk research has shown that much modern malware requires such rights to function properly.
However, this measure alone is not sufficient. Equally important is application control with greylisting. The combination of a least privilege approach and application control provides an effective shield against encryption by malware without compromising user productivity.