Once a PC is infected and files are encrypted by ransomware, it is almost impossible to restore the encrypted files unless you pay a ransom. Therefore, the best way to deal with ransomware is to prevent infection from occurring in the first place. But with so many new ransomware and ransomware variants being introduced every day, it is rarely possible to prevent all of them with a single security solution. Therefore, we need to find a practical way to prevent important files from being encrypted from the outset, thereby minimizing the damages caused by ransomware attacks.
Lure ransomware with decoy
In order to enhance ransomware detection, AhnLab, Inc. (hereinafter ‘AhnLab’), the global leader in cybersecurity, applied an additional technology, “Decoy analysis”, to V3, AhnLab’s anti-virus products, in June 2016. Decoy analysis technology literally uses decoy files to lure ransomware, and then analyzes ransomware behavior such as file encryption or file name change.
Recently, AhnLab has updated its Decoy analysis technology. Previously, it used “hidden” attribute to create decoy folders in the root path, and the decoy folders and files were visible. Through this update, on the other hand, the decoy folders and files will remain invisible even if the hidden folder option is activated.
Rendering ransomware unable to touch files: Anti-Ransomware Folder
In order to reinforce ransomware protection at the endpoint, AhnLab also added an “Anti-Ransomware Folder” feature to V3 products (for Windows OS): V3 Internet Security 9.0, V3 Endpoint Security 9.0 and V3 Net for Windows Server 9.0.
V3’s new feature prevents “not-allowed” processes that prevent the accessing of files in the assigned folder, Anti-Ransomware Folder. When you set a folder with important files as an Anti-Ransomware Folder, it prohibits modifying or deleting files, or creating new files in the folder. In other words, even if a ransomware were to infiltrate a PC, it would not be able to encrypt files in the Anti-Ransomware Folder.
This simple setting protects against ransomware by preventing important files from being encrypted – you don’t have to back up files to a thumb drive or external drive, or go through the complicated process of restoring your computer. In addition, it is expected to contribute to reducing costs and resources for corporations since there is no need to deploy and manage a back-up solution or restoration solution.
The Anti-Ransomware Folder feature can be enabled (on and off) in Settings as shown in Figure 1, and you can assign specific folders to protect up to 100 folders. However, system folders and files cannot be assigned as an Anti-Ransomware Folder because they are supposed to be frequently modified to run OS.
[Figure 1] V3 setting for Anti-Ransomware Folder
When a “not-allowed” process, which attempts to edit or create files, accesses the assigned folder, V3 blocks the process and issues an alert. In addition, if the process is related with ransomware behavior, the details will be shown as Figure 2. Naturally, certain processes that ransomware mostly use cannot be added as an “allowed” process.
[Figure 2] Alert pop-up of V3 Anti-Ransomware Folder
In order to respond more effectively to ransomware and its variants, editing files in the Anti-Ransomware Folder is basically restricted. If you want to modify a file in the folder, you need to disable the Anti-Ransomware Folder feature in Settings, or exclude the file from “Allowed Process List”, though there is a risk of the file becoming encrypted in the case of ransomware infection. For your convenience, it is recommended that you add Anti-Ransomware Folder List with folders that have photos, videos, and documents that no longer need to be edited.
Through this update, V3 has applied another ransomware detection technology based on multiple-document fabrication behavior. Some of the latest ransomware encrypt files and folders in random order after infecting the computer. V3 effectively responds to this type of ransomware by detecting multiple-document modification behavior. In addition, AhnLab has reinforced V3’s malware response capability—it blocks malware that sets itself to start up each time the system is booted.
Luke H. Lee, head of the R&D Center at AhnLab, remarked, “V3 has already provided a diverse array of the latest security threat response technology, including signature, cloud, behavior and decoy based detection”. He also added, “This update will enhance the holistic threat response level for both individual and corporate users”.
Given that there is no such thing as complete ransomware prevention, AhnLab offers multi-layered protection against ransomware. Also, AhnLab has continuously reinforced the ransomware response capabilities of its solutions, including V3 products, MDS and other products, through various analysis and detection technologies; AhnLab also features a more robust ransomware response. You can use V3 and AhnLab MDS, an advanced persistent threat protection solution, separately or together according to your corporate environment and business, and thereby build a more powerful multi-layered protection against the latest cyber security threats, including ransomware and targeted attacks.