01-02-2019 , 02:43 AM
Quote:Ransomware Detection and Remediation
Kaspersky Lab
Published on Dec 27, 2018
In this video, in-the-wild ransomware designed to encrypt valuable data on the attacked endpoint is used to demonstrate how Kaspersky Endpoint Security for Business detects ransomware, then performs a rollback process to restore the data affected.
Let’s start with an unprotected system. We have a PDF file here, and we’ll open this file, just to check that it’s not encrypted yet. Now, let’s execute a malware file. As is typical of ransomware, it first enumerates the files on disk, searching for those most likely to be valuable to the user – generally going for the common file formats used for documents, pictures, audio and databases. This malware is very dangerous to individual users and also to corporations that stand to lose a lot of important data this way.
Now, the ransomware has encrypted all the important data on the endpoint, including our PDF file – we now can’t open it. And there’s a ransom message on the desktop: it says the files are encrypted with a strong algorithm – we’re going to have to contact the hackers and pay for their decryption.
Now let’s see what happens when the system is protected by Kaspersky Endpoint Security for Business.
Here we have Kaspersky Endpoint Security for Business running.
We’ll open the same user PDF file from the desktop to check that it’s not yet encrypted. Then we execute the malware. Again, we can see that this ransomware is searching for interesting file formats like DOC, or PDF or JPG. Let’s see if it’ll be able to encrypt them all this time.
Now, the instant the ransomware starts encrypting files, our Behavior Detection module blocks this malicious process. Next, the product asks what action we want to apply. For full remediation, we generally recommend restarting the machine. But for demo purposes, let’s just select the rollback process without a restart.
We can see that the malware was able to encrypt only three files before being spotted, and all these have now been automatically recovered. In the Report screen, full details are given on the Trojan removal and remediation processes: you can see exactly what happened to each file the malware tried to change.
https://www.youtube.com/playlist?list...
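The detect-and-rollback behaviour the video demonstrates (journal the files a process touches, block it once it starts turning documents into ciphertext, restore the handful it got to) can be modelled in a few dozen lines. The following is an added illustration, not Kaspersky's code or anything from the video: the `RollbackMonitor` class is a hypothetical user-space stand-in for the product's file-system hooks, the byte-entropy heuristic and the burst limit of three are assumptions chosen for the demo, and `simulate()` builds a constructed set of documents in a temporary directory and overwrites them with random bytes as a stand-in for encryption.

```python
import math, os, tempfile
from collections import Counter
from pathlib import Path

WATCHED_EXTS = {".pdf", ".doc", ".jpg"}  # formats the transcript says ransomware hunts
ENTROPY_THRESHOLD = 7.0  # bits/byte: documents sit far below, ciphertext near 8
BURST_LIMIT = 3          # high-entropy rewrites tolerated before the process is blocked

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, a cheap 'was this just encrypted?' signal."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class RollbackMonitor:
    """Hypothetical stand-in for the product's file-system hooks: journal, detect, restore."""
    def __init__(self):
        self.journal = {}  # path -> pre-modification bytes
        self.suspicious_writes = 0
    def before_write(self, path: Path) -> None:
        # Keep the original of every watched document the process is about to touch.
        if path.suffix.lower() in WATCHED_EXTS and path not in self.journal:
            self.journal[path] = path.read_bytes()
    def after_write(self, path: Path) -> bool:
        # Count rewrites that turned a journaled document into ciphertext-like bytes.
        if path in self.journal and shannon_entropy(path.read_bytes()) > ENTROPY_THRESHOLD:
            self.suspicious_writes += 1
        return self.suspicious_writes >= BURST_LIMIT  # True means: block the process now
    def rollback(self) -> int:
        for path, original in self.journal.items():
            path.write_bytes(original)
        return len(self.journal)

def simulate(n_files: int = 10) -> dict:
    """Constructed scenario: documents are overwritten one by one until the monitor blocks."""
    monitor, originals = RollbackMonitor(), {}
    with tempfile.TemporaryDirectory() as d:
        for i in range(n_files):
            p = Path(d) / f"report{i}.pdf"
            originals[p] = f"Quarterly report {i}: revenue up, costs flat. ".encode() * 50
            p.write_bytes(originals[p])
        encrypted = 0
        for p in originals:  # the 'ransomware' loop: random bytes stand in for ciphertext
            monitor.before_write(p)
            p.write_bytes(os.urandom(4096))
            encrypted += 1
            if monitor.after_write(p):  # behaviour detection fires here
                break
        restored = monitor.rollback()
        intact = all(p.read_bytes() == o for p, o in originals.items())
    return {"encrypted_before_block": encrypted, "restored": restored, "all_intact": intact}
```

Running `simulate()` reproduces the outcome shown in the video: three files are encrypted before the burst limit trips, all three are restored from the journal, and the untouched documents are never at risk.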