Tag Archives: Protect

CyberSight RansomStopper

Your antivirus or security suite really ought to protect you against ransomware, along with all other kinds of malware. There might be an occasional slipup with a never-before-seen attack, but those unknowns rapidly become known. Unfortunately, ex post facto removal of ransomware still leaves your files encrypted. That’s why you may want to add a ransomware protection utility to your arsenal. The free CyberSight RansomStopper stopped real-world ransomware in testing, but can have a problem with ransomware that only runs at boot time.

Similar Products

RansomStopper is quite similar to Cybereason RansomFree, Trend Micro RansomBuster, and Malwarebytes Anti-Ransomware Beta. All four are free, and all detect ransomware based on its behavior. Since they rely on behavior, it doesn’t matter whether the ransomware is an old, known quantity or a just-created zero-day attack. Like RansomFree, RansomStopper uses bait files as part of its detection methodology. However, RansomStopper hides its bait files from the user.

Getting Started

Installation went quickly in my testing. After the download, I completed the process by entering my first and last name and email address. Once I responded to the confirmation email, the product was up and running.

The product’s simple main window reports that “You are protected from ransomware.” Buttons across the bottom let you view security alerts, processes RansomStopper has blocked, and processes you’ve chosen to allow. Another button lets you check for updates, if you didn’t select automatic updates during installation. Simple!

CyberSight also offers a business edition. Added features include email alerts, centralized administration, and detailed reports. The business edition costs $29.99 for a single license, though the price drops to as low as $10 per seat with volume licensing.

Ransomware Protection

When RansomStopper detects a ransomware attack, it terminates the offending process and pops up a warning in the notification area. Clicking the warning lets you see what file caused the problem. There’s an option to remove programs from the blocked processes list—along with a warning that doing so is a bad idea.

Waiting to detect ransomware behavior can sometimes mean that the ransomware encrypts a few files before termination. When I tested Malwarebytes, it did lose a few files this way. Check Point ZoneAlarm Anti-Ransomware actively recovers any encrypted files. In my testing, it did so for every ransomware sample. ZoneAlarm’s only error was one instance of reporting failure when it had actually succeeded.

For a quick sanity check, I launched a simple fake ransomware program that I wrote myself. All it does is look for text files in and below the Documents folder and encrypt them. It uses a simple, reversible cipher, so a second run restores the files. RansomStopper caught it and prevented its chicanery. So far so good.
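Bait-file checking of the kind RansomStopper and RansomFree rely on, as an added example that is not part of this review or of any product named in it: it plants one canary text file per directory, records a baseline hash, and later reports each canary as modified, encrypted (by a byte-entropy heuristic) or deleted, which also gives a way to count damage done before a behavioral block kicks in. The canary name, the entropy threshold and the throwaway demo directory are assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical canary name: a leading "!" sorts early in a directory listing,
# so a process that walks folders alphabetically tends to touch the bait before
# the user's real documents. Hiding the bait from the user, as RansomStopper
# does, is out of scope here.
CANARY_NAME = "!canary-notes.txt"
CANARY_TEXT = b"Bait file planted by the anti-ransomware monitor.\n" * 16
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain English text stays well under this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for ciphertext, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canaries(root: Path) -> dict:
    """Write one bait file into root and each subdirectory; return path -> sha256."""
    baseline = {}
    for folder in [root, *(p for p in root.rglob("*") if p.is_dir())]:
        canary = folder / CANARY_NAME
        canary.write_bytes(CANARY_TEXT)
        baseline[str(canary)] = hashlib.sha256(CANARY_TEXT).hexdigest()
    return baseline


def check_canaries(baseline: dict) -> list:
    """Return (path, verdict) for every bait file that no longer matches the baseline."""
    findings = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            findings.append((path, "deleted"))
            continue
        data = p.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # untouched
        # A changed canary whose bytes now look random is the signature of
        # encryption rather than an ordinary edit; a monitor would stop the
        # writing process at this point and alert the user.
        verdict = "encrypted" if shannon_entropy(data) > ENTROPY_THRESHOLD else "modified"
        findings.append((path, verdict))
    return findings


def demo() -> dict:
    """Plant canaries in a throwaway tree, damage two of them, return the findings."""
    root = Path(tempfile.mkdtemp(prefix="canary-demo-"))
    (root / "Documents" / "Projects").mkdir(parents=True)
    baseline = plant_canaries(root)
    clean_before = check_canaries(baseline) == []
    paths = sorted(baseline)
    Path(paths[0]).write_bytes(os.urandom(4096))  # constructed: random bytes stand in for ciphertext
    Path(paths[1]).unlink()                        # constructed: bait file removed
    return {
        "planted": len(baseline),
        "clean_before": clean_before,
        "findings": dict(check_canaries(baseline)),
    }


if __name__ == "__main__":
    for path, verdict in demo()["findings"].items():
        print(f"{verdict:9s} {path}")
```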

Caution, Live Ransomware

The only sure way to test behavior-based ransomware protection is by using live ransomware. I do this very cautiously, isolating my virtual machine test system from any shared folders and from the internet.

This test can be harrowing if the anti-ransomware product fails its detection, but my RansomStopper test went smoothly. Like ZoneAlarm and Malwarebytes, RansomStopper caught all the samples, and I didn’t find any files encrypted before behavioral detection kicked in. Cybereason RansomFree did pretty well, but it missed one.

I also test using KnowBe4’s RanSim, a utility that simulates 10 types of ransomware attack. Success in this test is useful information, but failure can simply mean that the behavior-based detection correctly determined that the simulations are not real ransomware. Like RansomFree, RansomStopper ignored the simulations.

Boot-Time Danger

Keeping under the radar is a big deal for ransomware. When possible, it does its dirty deeds silently, only coming forward with its ransom demand after encrypting your files. Having administrator privileges makes ransomware’s job easier, but getting to that point typically requires permission from the user. There are workarounds to get those privileges silently, including arranging to piggyback on the Winlogon process at boot time or setting a scheduled task to run at boot. Typically, the ransomware just arranges to launch at boot and then forces a reboot, without performing any encryption tasks.

I mention this because I discovered that ransomware can encrypt files at boot time before RansomStopper kicks in. My own fake encryption program managed that feat. It encrypted all text files in and below the Documents folder, including RansomStopper’s bait text file. (Yes, that file is in a folder that RansomStopper actively hides, but I have my methods…)

I reverted the virtual machine and tried again, this time setting a real-world ransomware sample to launch at startup. It encrypted my files and displayed its ransom note before RansomStopper loaded. From my CyberSight contact I learned that they’re “testing several solutions” for this problem, and that an update in the next few weeks should take care of it. I’ll update this review when a solution becomes available.

RansomFree runs as a service, so it’s active before any regular process. When I performed the same test, setting a real-world ransomware sample to launch at startup, RansomFree caught it. Malwarebytes also passed this test. RansomBuster detected the boot-time attack and recovered the affected files.

To further explore this problem, I obtained a sample of the Petya ransomware that caused trouble earlier this year. This particular strain crashes the system and then simulates boot-time repair by CHKDSK. What it’s actually doing is encrypting your hard drive. Malwarebytes, RansomFree, and RansomBuster all failed to prevent this attack. RansomStopper caught it before it could cause the system crash—impressive! To be fair to the others, this one is not a typical file encryptor ransomware. Rather, it locks the entire system by encrypting the hard drive.

Querying my contacts, I did learn that boot-time ransomware attacks, including Petya, are becoming less common. Even so, I’m adding this test to my repertoire.

Other Techniques

Behavior-based detection, when implemented properly, is an excellent way to fight ransomware. However, it’s not the only way. Trend Micro RansomBuster and Bitdefender Antivirus Plus are among those that foil ransomware by controlling file access. They prevent untrusted programs from making any change to files in protected folders. If an untrusted program tries to modify your files, you get a notification. Typically, you get the option to add the unknown program to the trusted list. That can be handy if the blocked program was your new text or photo editor. Panda Internet Security goes even farther, preventing untrusted programs from even reading data from protected files.

Ransomware crooks need to take care that they’ll be able to decrypt files when the victim pays up. Encrypting files more than once could interfere with recovery, so most include a marker of some kind to prevent a second attack. Bitdefender Anti-Ransomware leverages that technique to fool specific ransomware families into thinking they’ve already attacked you. Note, though, that this technique can’t do a thing about brand-new ransomware types.

When Webroot SecureAnywhere AntiVirus encounters an unknown process, it starts journaling all activity by that process, and sending data to the cloud for analysis. If the process proves to be malware, Webroot rolls back everything it did, even rolling back ransomware activity. ZoneAlarm and RansomBuster have their own methods for recovering files. When the anti-ransomware component of Acronis True Image kills off a ransomware attack, it can restore encrypted files from its own secure backup if necessary.

Give It a Try

CyberSight RansomStopper detected and blocked all my real-world ransomware samples without losing any files. It also detected my simple hand-coded ransomware simulator. And it blocked an attack by Petya, where several competing products failed.

RansomStopper did exhibit a vulnerability to ransomware that only runs at boot time, but my sources say this type of attack is becoming less common, and CyberSight is working on a solution. Other free products had their own problems. RansomFree missed one real-world sample, and Malwarebytes let another sample encrypt a few files before its detection kicked in. RansomBuster fared worse, missing half the samples completely (though its Folder Shield component protected most files).

Check Point ZoneAlarm Anti-Ransomware remains our Editors’ Choice for dedicated ransomware protection. It’s not free, but at $2.99 per month it’s also not terribly expensive. If that still seems too steep, give the three free utilities a try, and see which one you like best.

Datos IO RecoverX backup gets table-specific

Datos IO RecoverX software, designed to protect scale-out databases running on public clouds, now allows query-specific recovery and other features to restore data faster.

RecoverX data protection and management software is aimed at application architects, database administrators and development teams. Built for nonrelational databases, it protects and recovers data locally and on software-as-a-service platforms.

Datos IO RecoverX works with scale-out databases, including MongoDB, Amazon DynamoDB, Apache Cassandra, DataStax Enterprise, Google Bigtable, Redis and SQLite. It supports Amazon Web Services, Google Cloud Platform and Oracle Cloud. RecoverX also protects data on premises.

RecoverX provides semantic deduplication for storage space efficiency and enables scalable versioning for flexible backups and point-in-time recovery.

More security, faster recovery in Datos IO RecoverX 2.5

The newly released RecoverX 2.5 gives customers the ability to recover by querying specific tables, columns and rows within databases to speed up the restore process. Datos IO calls this feature “queryable recovery.” The software’s advanced database recovery function also includes granular and incremental recovery by selecting specific points in time.

The latest Datos IO RecoverX version also performs streaming recovery for better error-handling. The advanced database recovery capability for MongoDB clusters enables global backup of sharded or partitioned databases. The geographically dispersed shards are backed up in sync to ensure consistent copies in the recovery. Administrators can do local restores of the shards or database partitions to speed recovery.

RecoverX 2.5 also supports Transport Layer Security and Secure Sockets Layer encryption, as well as X.509 certificates, Lightweight Directory Access Protocol authentication and Kerberos authentication.


Dave Russell, distinguished analyst at Gartner, said Datos IO RecoverX 2.5 focuses more on greater control and faster recovery with its advanced recovery features.

“Some of these next-generation databases are extremely large and they are federated. The beautiful thing about databases is they have structure,” Russell said. “Part of what Datos IO does is leverage that structure, so you can pull up the [exact] data you are looking for. Before, you had to back up large databases, and in some cases, you had to mount the entire database to fish out what you want.

“With the granular recovery, you can pick and choose what you are looking for,” he said. “That helps the time to recovery.”

Peter Smails, vice president of marketing and business development at Datos IO, based in San Jose, Calif., said the startup is trying to combine the granularity of traditional backup with the visibility into scale-out databases that traditional backup tools lack.

“With traditional backup, you can restore at the LUN level and the virtual machine level. You can get some granularity,” Smails said. “What you can’t do is have the visibility into the specific construct of the database, such as what is in each row or column. We know the schema.

“Backup is not a new problem,” Smails said. “What we want to do through [our] applications is fundamentally different.”

Advanced Protection Program locks down Google accounts

The latest Google multifactor authentication solution aims to protect high-risk users from targeted attacks, but will add complexity to logins.

Google’s Advanced Protection Program is designed both to help keep users safe from phishing attacks such as spear phishing and to prevent unauthorized access to Gmail accounts, by having users authenticate with physical security keys, such as a YubiKey.

“Journalists, human rights defenders, environment campaigners and civil society activists working on any number of sensitive issues can quickly find themselves targeted by well-resourced and highly capable adversaries,” Andrew Ford Lyons, a technologist at Internews, said in Google’s announcement post. “For those whose work may cause their profile to become more visible, setting this up could be seen as an essential preventative step.”

Google’s Advanced Protection Program could help to prevent some types of cyberattacks seen over the past couple years, including the phishing schemes that compromised the Gmail account of Hillary Clinton’s campaign chairman, John Podesta, or the Google Docs phishing attack.

According to Google, the Advanced Protection Program focuses on three areas of defense: using a security key for multifactor authentication, limiting third-party app access to Gmail and Google Drive, and mitigating fraudulent account access by adding steps to the account recovery process.

Google warns that third-party mobile apps like Apple Mail, Calendar and Contacts “do not currently support security keys and will not be able to access your Google data,” so Advanced Protection Program users would need to use Google’s first-party apps for now.

How the Google Advanced Protection Program works

Google has supported security keys for multifactor authentication in the past and has an option to use mobile devices as a multifactor device, but the Advanced Protection Program is far more strict because there will be no backup options with SMS or stored authentication codes.

Users will only be able to log in to Google accounts with their password and registered security keys. If a security key is lost, the account recovery will be more onerous than answering simple security questions, but Google has yet to provide details on what such a recovery process will entail.


Although anyone can enroll in the Advanced Protection Program, Google admitted in its blog post that it would be best for those who “are willing to trade off a bit of convenience for more protection of their personal Google Accounts.”

At the start, the Advanced Protection Program requires the use of the Chrome browser and two security keys that support the FIDO U2F standard — one to connect to a traditional computer via USB port and one for mobile devices using Bluetooth.

The former isn’t as troublesome, but users need to be careful about the security key used for mobile. Google’s support page suggests purchasing the Feitian MultiPass Bluetooth security key, which appears to be in limited supply on Amazon as of this post. However, a Bluetooth security key is only necessary for those using iOS devices or an Android device that doesn’t support Near Field Communication (NFC) for wireless access; an NFC-enabled security key would work for those with NFC-capable Android devices.

IBM Spectrum Protect Plus tackles VM data protection

IBM has designed a new application to protect virtual machines, as part of its IBM Spectrum Protect storage suite.

IBM Spectrum Protect Plus includes Google-like search, snapshot-based recovery and policy management in virtual environments. It works with VMware vSphere and Microsoft Hyper-V hypervisors.

The agentless software can be deployed as stand-alone software for data protection or application availability in small environments, or integrated with the agent-based IBM Spectrum Protect Tivoli Storage Manager — for physical and cloud data protection.

It also supports the agent-based IBM Spectrum Protect for data protection in physical and cloud environments.

IBM Spectrum Protect Plus will enter beta in September, with general availability planned for later in 2017.

IBM previously had a similar product for virtual environments. Tivoli Storage Manager for virtual environments was the company’s first attempt at backup and restores in virtual environments that leveraged the VMware vStorage API for Data Protection (VADP).

“Protect Plus still uses VADP, but it also uses blockchain technology. It’s written so much more efficiently,” said Randy Kerns, senior strategist and analyst at IT consultant firm Evaluator Group.

Backup and recovery for VMware vSphere and Microsoft Hyper-V

The IBM Spectrum Protect Plus server provides block-level incremental forever backup for vSphere and Hyper-V. Backups are stored as read and write snapshots, and the storage can be tiered to disk, tape and the cloud. Instant restores are available in a repository for multipurpose data access for testing, DevOps, reporting, analytics and other operations.

The product provides global search and restore so that administrators across the organization can do text searches across all VMware vSphere and Microsoft Hyper-V virtual machines (VMs). IBM claims Spectrum Protect Plus can install in less than 15 minutes and be configured in an hour.

Customers can deploy storage service-level agreements via the centralized policy management for consistent data protection practices across VMs. IBM Spectrum Protect Plus also works with virtual machine APIs to create application- or crash-consistent data copies. It also performs block-level incremental forever backups and immutable backup snapshots, using any storage as a backup target.


“The Google-like search can be done not just by timeline but by text search,” said Doug O’Flaherty, program director for IBM’s Spectrum marketing. “This is a brand new product by the development team for backup and management in virtual machines. It’s designated for simple installation and simple ease of use.”

Evaluator Group’s Kerns said now administrators can directly mount snapshots and bring up VMs for instant restores. In previous IBM Spectrum Protect versions, administrators had to restore the data first and then bring up the VMs.

“When you get the Spectrum Protect suite, you can also leverage more advanced features like tiering to the cloud and tiering to tape,” Kerns said. “And the unique thing about the file-level search is you can do it across all VMs, whether it’s VMware or Hyper-V.”

Mobile threat defense helps fill EMM’s gaps

SAN DIEGO — As more IT pros realize that EMM doesn’t completely protect mobile data, they’re taking a closer look at mobile threat defense tools.

Enterprise mobility management (EMM) allows IT to enforce security policies and control what users do on their devices. But attacks on mobile operating systems and devices are becoming more common as hackers identify vulnerabilities, and organizations need clear insight into these threats and their potential effects. Mobile threat defense tools can help with that piece of the security puzzle, said analysts and attendees here at the Gartner Catalyst conference.

“EMM is more of just the management; it’s just pushing a policy to the phone,” said Seth Wiese, an IT security administrator at Kuraray America, a chemicals manufacturer in Houston.

Mobile threat defense tools supplement EMM by continuously monitoring devices for malicious apps and other risks, and by providing analytics around app and network usage to prevent cyberattacks. Kuraray uses VMware AirWatch for EMM and wants to adopt this technology to get more monitoring capabilities and predictive analytics about its devices, Wiese said.

But for organizations just starting out with mobility, it can be a challenge to convince higher-ups that IT requires more than just EMM for security.


“That comes down to dollars and sense,” said the director of enterprise solutions at a banking and investment firm, who requested anonymity because he is not authorized to speak publicly. “And how do you assign a cost value to data being lost?”

The bank uses Microsoft Intune to manage around 750 corporate-owned mobile devices, but there is definitely a need to supplement that software with mobile threat defense, the director said.

Mobile threat defense market heats up

Traditional security vendors are acquiring mobile threat defense startups to integrate this technology into their larger product offerings; see Symantec’s acquisition of Skycure last month.

Other vendors in the market include Appthority, Check Point and Zimperium. All of these offerings have different capabilities for analyzing devices, apps and operating systems to identify risks, and many use machine learning to detect patterns in user and app behavior and predict future threats.

“There’s not one tool,” said Patrick Hevesi, research director at Gartner, in a session. “Some tools detect. Some tools prevent. Some tools remediate. Some tools pop up an alert. So as you’re building this strategy, you need to start thinking about what attacks you’re most worried about.”

This approach can help IT decide what tool to buy. One organization could be prone to malware, while another may have users downloading unwanted applications, for instance. At Kuraray, data leakage is the biggest concern, Wiese said.


The most common mobile attack vectors are websites, app stores, text messages and network vectors such as rogue access points on Wi-Fi networks, Hevesi said. Traditional antivirus software might not catch threats to mobile devices, and hackers have wised up and figured out where the vulnerabilities in mobile operating systems are, he said.

“Vulnerabilities exist on all mobile platforms,” he added. “It’s software. Every code written by someone can be exploited by someone else.”

Mobile threat defense best practices

As part of a strong mobile security strategy, IT should set up data classification levels that determine how much risk each user’s information presents and how much security they require, because not all will be the same, Hevesi said.

“Maybe your CEO just wants email, calendar, contacts,” he said. “So maybe you don’t need EMM for that and just use [Microsoft] Exchange ActiveSync and throw threat defense on there.”

Classifying data levels is the first step the banking and investment firm’s director wants to take as he evaluates mobile threat defense software.

“I’m trying to understand the users to figure out the risk profile,” he said.

IT should also limit the devices and operating systems that employees can use, to ensure they have the most secure and up-to-date versions available, and continuously educate users on how to avoid mobile threats. For instance, there’s a flashlight app on Google Play that requests permissions to access information in many other apps, Hevesi said.

“Train your users to say no,” he said.

Disaster Recovery to Microsoft Azure – Part 2


Continuing from the previous blog – check out the recent TechEd NA 2014 talk @ https://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B322 which includes a cool demo of this product.

Love it??? Talk about it, try it and share your comments.

Let’s retrace the journey – in Jan 2014, we announced the General Availability of Hyper-V Recovery Manager (HRM). HRM enabled customers to co-ordinate protection and recovery of virtualized workloads between SCVMM managed clouds. Using this Azure service, customers could set up, monitor and orchestrate protection and recovery of their Virtual Machines on top of Windows Server 2012 and WS2012 R2 Hyper-V Replica.

Like Hyper-V Replica, the solution works great when our customers have a secondary location. But what if that isn’t the case? After all, the CAPEX and OPEX cost of building and maintaining multiple datacenters is high. One of the common questions/suggestions/feedback items to our team was around using Azure as a secondary data center. Azure provides a world-class, reliable, resilient platform – at a fraction of the cost of running your workloads yourself or, in this case, maintaining a secondary datacenter.

The rebranded HRM service – Azure Site Recovery (ASR) – delivers this capability. On 6/19, we announced the availability of the preview version of ASR which orchestrates, manages and replicates VMs to Azure.

When a disaster strikes the customer’s on-premises site, ASR can “failover” the replicated VMs in Azure.

And once the customer recovers the on-premises site, ASR can “failback” the Azure IaaS VMs to the customer’s private cloud. We want you to decide which VM runs where and when!

There is some exciting technology built on top of Azure which enables the scenario and in the coming weeks we will dive deep into the workflows and the technology.

Top of my head, the key features in the product are:

  • Replication from a System Center 2012 R2 Virtual Machine Manager cloud to Azure – From an SCVMM 2012 R2 managed private cloud, any VM (we will cover some caveats in subsequent blogs) running on a Windows Server 2012 R2 hypervisor can be replicated to Azure.

  • Replication frequency of 30 seconds, 5 minutes or 15 minutes – just like the on-premises product, you can replicate to Azure every 30 seconds.

  • 24 additional recovery points to choose from during failover – You can configure up to 24 additional recovery points at an hourly granularity.

  • Encryption @ Rest: You’ve got to love this – we encrypt the data *before* it leaves your on-premises server. We never decrypt the payload till you initiate a failover. You own the encryption key and it’s safe with you.

  • Self-service DR with Planned, Unplanned and Test Failover – Need I say more – everything is in your hands and at your convenience.

  • One click app-level failover using Recovery Plans

  • Audit and compliance reporting

  • …and many more!

The documentation explaining the end to end workflows is available @ http://azure.microsoft.com/en-us/documentation/articles/hyper-v-recovery-manager-azure/ to help you get started.

The landing page for this service is @ http://azure.microsoft.com/en-us/services/site-recovery/

If you have questions when using the product, post them @ http://social.msdn.microsoft.com/Forums/windowsazure/en-US/home?forum=hypervrecovmgr or in this blog.

Keep watching this blog space for more information on this capability.