Even enterprise-grade backup platforms can fall victim. Veeam, a backup and recovery vendor that claims more than a quarter-million business customers, had a customer report earlier this spring that attackers gained access to credentials and erased the backups.
Other techniques that ransomware writers use include getting digital signatures for their malicious code, so that it doesn't register as a threat, says Acronis' Gerbennikov. His company was the only one to score well in both the AV-Test and Anti-Malware Test Lab reports. "Backup vendors never thought about this, and have almost zero self-protection," he says. "But self-protection is a crucial component of protection right now."
Once someone in the ransomware community comes up with a new attack method, it spreads quickly. Inventors sell their tools, or license them to distributors. "They have these kits that you can buy to create your own ransomware attacks," says Kaspersky's Bartholomew. "Just target the people you want, and off you go. Now they also have ransomware as a service. It's becoming more and more readily available and easy to use."
Heuristics, AI, and other next-gen protections
Traditional signature-based antivirus can't keep up with new variants, new zero-days and infections that don't depend on executable files. As a result, traditional antivirus vendors and new endpoint protection vendors have both been offering next-generation protection capabilities such as sandboxing and behavioral analysis.
Even free and low-cost antivirus products are adding advanced detection tools to their signature-based approaches. "The free version of our antivirus comes with all the normal detections that you would have in a paid version," says Bartholomew. "That includes behavior and heuristics. Most of the large antivirus companies have some level of heuristic detection in their engines."
McAfee, for example, is taking a multi-layered approach. "The first layer is [traditional] signature-based antivirus," says Raja Patel, VP for corporate product at McAfee LLC. "The second layer is watching for behaviors." Say, for example, something is trying to encrypt a lot of files, or the entire C drive. "That seems a little iffy, you don't want to allow it to do that," he says.
Companies can stop that behavior, or send it to a containment environment where they can take a look at it, Patel says. "And the third layer is machine learning. You can start trying to separate what is malicious from what is not malicious."
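The "second layer" Patel describes, a behavioral check for a process that rewrites many files with encrypted-looking content in a short time, can be sketched as follows. This is an added illustration, not code from McAfee or any vendor quoted above; the process names and the event stream are constructed, and an entropy threshold of 7.0 bits per byte and a 20-file cutoff are assumed thresholds, not published ones.

```python
import math
import random
from collections import defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def detect_mass_encryption(events, window_s=30, min_files=20, min_entropy=7.0):
    """Return {process: timestamp_first_flagged} for any process that
    rewrites at least min_files distinct files with high-entropy content
    inside a sliding window_s-second window. Low-entropy writes (plain
    text, ordinary documents) are ignored, so normal editing does not trip it."""
    recent = defaultdict(deque)   # process -> deque of (ts, path)
    flagged = {}
    for ts, proc, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < min_entropy:
            continue
        q = recent[proc]
        q.append((ts, path))
        while ts - q[0][0] > window_s:      # drop writes that fell out of the window
            q.popleft()
        if proc not in flagged and len({p for _, p in q}) >= min_files:
            flagged[proc] = ts
    return flagged

def sample_events():
    """Constructed event stream (hypothetical process names, not real telemetry)."""
    rng = random.Random(7)
    def noise():                      # stand-in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(2048))
    events = []
    # Benign editor: three plain-text saves, low entropy, ignored.
    events += [(t, "editor.exe", f"/docs/note{t}.txt", b"quarterly report draft\n" * 50)
               for t in range(3)]
    # Backup tool: five compressed archives, high entropy but too few files to flag.
    events += [(10 + t, "backup.exe", f"/bak/vol{t}.zst", noise()) for t in range(5)]
    # Simulated encryptor: 25 documents rewritten with ciphertext, one per second.
    events += [(5 + i, "suspect.exe", f"/docs/file{i}.docx", noise()) for i in range(25)]
    return events

if __name__ == "__main__":
    print(detect_mass_encryption(sample_events()))   # {'suspect.exe': 24}
```

The backup tool is not flagged even though its output is high-entropy, which is the kind of case the containment and machine-learning layers are meant to arbitrate rather than a fixed rule.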
In addition to the traditional vendors, a new crop of security vendors is on the market, focused specifically on next-generation malware detection designed to either replace or supplement traditional signature-based antivirus. They were out in full force at Black Hat this summer.
Sean Pike, an analyst at International Data Corp., says that nearly every endpoint protection vendor he talked to at the Black Hat conference this summer reported zero ransomware infections. "A lot of the vendors are messaging that they've solved ransomware," he says. "Which leads you to wonder where all these newsworthy infections are coming from." It's not that the ransomware is still getting through the protections, he says. It's that the machines weren't protected in the first place.