The global and independent platform for the SAP community.

New approaches to protection against ransomware

Attacks like WannaCry have shown that conventional protection measures are often inadequate. To increase security, greater focus should be placed on user rights management and application control.
Michael Kleist, CyberArk
October 5, 2017
It Security
avatar
This text has been automatically translated from German to English.

What is clear is that traditional security approaches based on the use of antivirus software or malware scanners are insufficient for ransomware defense.

Such solutions try to detect attacks using signatures. If a malware is detected, the protection software blocks it, preventing access to system resources.

It is precisely at this point that the serious disadvantage of these solutions becomes apparent: Because they rely on malware detection, they often cannot provide reliable security against the growing number of new, previously unknown ransomware.

Companies need to take additional measures, common ones include application blacklisting, application whitelisting, application greylisting, and least privilege control.

Blacklisting allows organizations to prevent malware from executing in their environment. This method is hardly useful for protection against ransomware.

By its very nature, application whitelisting is 100 percent effective in the fight against ransomware, as this method blocks all applications that are not explicitly trusted.

Although ransomware attacks can be prevented extremely effectively with this containment strategy, it too is difficult to implement in practice.

In contrast to the blacklist, the creation and management of a whitelist is very time-consuming, since not only all the applications in use must be taken into account, but above all the updates of the applications.

Finally, the update may change the check value - such as a hash - of the approved application in such a way that it differs from the entry in the whitelist and consequently the program no longer starts.

Greylisting of applications offers another option. It allows organizations to prevent known malware from running on blacklists in their environments while limiting permissions for all applications that are not explicitly trusted or unknown.

This classification can take place on the basis of various parameters that an administrator stores centrally. The greylisting procedure thus offers more flexibility than whitelisting and can be used to prevent actions by unknown applications such as establishing an Internet connection, accessing the network or reading, writing and modifying files.

By limiting permissions, ransomware is also generally unable to access and encrypt files. Last but not least is the least privilege control, which is not only a security routine, but also one of Microsoft's "Ten Immutable Laws of Security".

Ransomware currently presents itself as a very reliable and suitable method for attackers to present companies with the dilemma of writing off the hijacked data or - in the hope of getting the data back - making a payment.

The classic security solutions, such as antivirus software, are not effective in defending against ransomware, so additional security measures must be taken. The analysis of various options shows that blacklisting and whitelisting alone are also not suitable means; the least-privilege approach and application control in particular prove to be efficient.

A first step is to revoke local administrator rights, as CyberArk research has shown that a large number of modern malware require such rights to function smoothly.

However, this measure is not sufficient. Equally important is application control with greylisting. With the combination of a least privilege approach and application control, there is an effective shield against malware encryption, and without compromising user productivity.

avatar
Michael Kleist, CyberArk

Michael Kleist is Regional Director DACH at CyberArk in Düsseldorf.


Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork.

Venue

More information will follow shortly.

Event date

Wednesday, May 21, and
Thursday, May 22, 2025

Early Bird Ticket

Available until Friday, January 24, 2025
EUR 390 excl. VAT

Regular ticket

EUR 590 excl. VAT

Venue

Hotel Hilton Heidelberg
Kurfürstenanlage 1
D-69115 Heidelberg

Event date

Wednesday, March 5, and
Thursday, March 6, 2025

Tickets

Regular ticket
EUR 590 excl. VAT
Early Bird Ticket

Available until December 20, 2024

EUR 390 excl. VAT
The event is organized by the E3 magazine of the publishing house B4Bmedia.net AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes attendance at all presentations of the Steampunk and BTP Summit 2025, a visit to the exhibition area, participation in the evening event and catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due course.