This is an important and, in some regards, disappointing review group. It’s important because it deals with managing ransomware, arguably the most serious cyberthreat today. It’s disappointing because we had a very few entries and some possibilities simply did not address ransomware directly. Rather, the tools added in some anti-malware protection that could not deal with ransomware effectively. We surmise that this shortcoming derives from a lack of understanding of the lifecycle of a ransomware attack.
There is a popular myth – and we admit to subscribing to it in the early days of ransomware – that all you need is good backups and you’re good to go. Well, we never considered that backups are all you need. But certainly, there has been way too much emphasis on the backup aspect of ransomware defenses. In fact, ransomware defense must address the lifecycle of a ransomware attack.
The lifecycle of an attack has three phases: pre-attack events, attack events and post-attack events. If we don’t protect against all three phases we won’t protect against ransomware adequately. That said, while it is possible to mix and match various tools that address the three phases individually, we don’t recommend it. The fact is, unless you suffer a ransomware attack on your home computer, the defense strategy must be enterprise-wide to be effective. That is where we are driving our stake in the ground this month: enterprise-wide defenses.
Since the most common delivery vector – the pre-event – is phishing, we are splitting this month’s reviews into two parts. This group will cover the final two phases: the attack event (or infection event for clarity) and the post event cleanup. The pre-event – phishing usually – will be the focus of a special review group on our website. For that one we only will consider tools that address phishing in the context of ransomware.
One of the most difficult questions to answer for the post-event cleanup is how one avoids backing up and restoring the ransomware itself. The answer is, you can’t with absolute certainty. However, we found a couple of products that attack that problem more or less effectively. Another important issue is how long it takes to complete an infection. By the time the ransom notice appears, it is too late. The encryption is complete. We tested with direct infection and with droppers and we found a significant difference in time to infection between the two. Any competent anti-ransomware product must take those intervals into account.
We enjoyed this month’s testing and in our opening column for the reviews we’ll give you a few hints about how to test safely. We receive samples routinely here in the SC Labs and we analyze them using a variety of tools and that is what we did this month. Additionally, we welcome Judy Traub, our support person for many years, into the lab as one of our testers. Our vendors have known Judy for quite some time and it is a pleasure to welcome her into the testing and analysis process where she gets her hands dirty with the tools she’s been sourcing for us for so long.