Of all the different types of malware, the ransomware is perhaps the worst. It is the beginning of a nightmare if your PC gets infected with one of the ransomware like Cryptolocker, TeslaCrypt, Zepto and others. They encrypt the documents on your PC using very strong ciphers and then demand you to pay them some ransom money before they send you instructions about how you can decrypt your files. One of the time tested methods of protection against ransomware is to keep regular backups of your files, but you should also try to prevent malware infection altogether using a good antivirus software. In addition, the use of other third party utilities like SBGuard or McAfree Stinger may help in detecting some other malware that managed to skipp detection somehow.
SBGuard is neither a real-time monitoring utility, nor a malware scanner tool. It is actually a tool to modify certain settings in the Windows operating system to make it a little difficult for the ransomware to propagate and work its way through different files present on your system.
After the installation, when you launch SBGuard, it presents you with two buttons which allow you to enable or disable the protection. When you click on the Enable Protection button, it adds over 700 different entries in the Windows Registry which enable some of the Windows Group Policy settings. Moreover, it disables Windows gadgets and some of the features that ransomware use to encrypt your data. The protection status switched from red to green when it is enabled. You have to restart your PC in order for the changes to take effect.
Because of all the strict group policy settings, SBGuard can make it a little difficult for you to install new software in your PC. If you are not able to install safe or legitimate software in your PC, then you have to first disable the protection, restart the PC and then attempt installing the software once again.
Conclusion: SBGuard depends on the group policies settings in Windows to block some of the known ransomware. However, it may miss some of the new ransomware and you should not depend on it alone for protection from ransomware. You must install a regular antivirus software for full protection from malware.
You can download SBGuard Anti-Ransomware from http://www.sydneybackups.com.au/sbguard-anti-ransomware/.
If you run certain ‘sensitive’ programs sandboxed, and don’t make automatic exceptions for the directories holding data, the ransomware will put the encrypted data files it creates … into the sandbox. When the sandbox is ‘dumped’ the unencrypted data files remain untouched, in their original locations. Windows users could use Sandboxie (may be others by now, but this one is the oldest) and GNU/Llinux users could use Firejail.
As you can see from the names, the ‘ie’ on the end of the first utility and the ‘Fire’ at the beginning of the second show they were originally created for the Microsoft and Mozilla Corp. browsers. But, now they can be used for anything that ‘touches’ the internet.
I believe ransomware resistance has been more thoroughly tested with Sandboxie (refer to the forum) but the Firejail authors say the same ‘should’ apply, without exactly saying they did test it, and it really works. These approaches don’t readjust operating systems, but the same problem with program updates and installations persists … you don’t want either ending up in the sandbox, or they will disappear when the ‘box’ is emptied.
We would like to shed some light on how SBGuard Anti-Ransomware works. There may have been some misunderstanding at how it protects.
Ransomware has 2 stages before it infects and encrypts:
1. Delivery – Ransomware uses social engineering and spear phishing to lure users to click on links, mostly through emails (links or attachments) and browsers. These 2 methods are confirmed to be the case 99% of the times.
2. Payload – Once users click on the link, it executes some sort of script. It could be an exe or vbs or js or scr etc. One it executes it (automatically in the background you don’t see this) it downloads Ransomware and delivers the payload (infection).
SBGuard protects that 1st stage. It will restrict hundreds of actions Ransomware performs to try and deliver the payload.
For example it will not allow certain file types to run from certain locations. It will prevent fake file types (for example pdf.exe). It will protect from running macros automatically within documents etc..
So, if you try and test it by running Ransomware from your desktop, or usb, it will not protect it. In real life, if you get to the point that Ransomware files sit freely on your desktop and ready to be run, you need to look into getting a better AV solution. Remember, YOU NEED A REPUTABLE ANTIVIRUS RUNNING TOGETHER WITH SBGUARD.
Once SBGuard blocks the delivery, that behaviour should be caught by your Antivirus and quaranteened.
How do we know Ransomware patterns? We have spent a lot of time on research, testing, reverse engineering etc. We also regularly receive Ransomware technical deep dives from awarded Security vendors.
Example of the above explanation.
User gets a phishing email. Clicks on the link which takes it to a web page where javascript (for example) deploys an executable onto users computer.
These executables can be various file types. For example exe, com, cmd, bat, js, jse, scr etc.. These files get deployed on users computer and once automatically executed, they will deploy Ransomware.
SBGuard injects rules into Windows that prevent above and similar files from executing and delivering Ransomware. Now, you can’t just disable those extensions, you need to target locations from where these files can execute. For example, most of them like to do it from %TEMP% or %APPDATA%. These are just 2 examples, we have included around 700 possible locations and file types combinations. Once the payload is blocked by SBGuard rules, computer’s antivirus should pickup this behavior and quarantine it.
The above is protection against delivery, there are other rules included that block creation of certain files completely, disabling certain processes used by Ransomware etc.
Hope this makes more sense.
Any questions please let us know:
sbguard@sydneybackups.com.au