Mimecast is a veteran player in the email security market so it is no surprise that we see them as a major player in the anti-ransomware market. Mimecast takes the position that it should - and can - stop all ransomware before it reaches the user. Because Mimecast sits between the endpoints of an email communication this certainly is feasible. In fact, its record is impressive. For example, during a recent period 50 percent of all of the malware it stopped was Locky. Mimecast is a Phase 1 - delivery phase - player.
The tool breaks its process down as a sequence of events. First, it weeds out spam. Spam is a major carrier of malware - and ransomware in particular. Having reduced the volume of incoming email by, perhaps, half, the solution then begins to look for dangerous file types followed by malware attachments - a first whack at the ransomware. Then, using its sandbox technology, it weeds out some more malware, unknown types this time. By now the tool has cleaned out well over half the incoming emails and, hopefully, all of the ransomware. Just in case, though, the last step is to weed out impersonation attacks.
One of the secrets to Mimecast's success with ransomware is its sandboxing technology. By detonating any attachment in the sandbox and observing its behavior, the tool can identify and isolate ransomware. This sandbox recognizes and overcomes obfuscation techniques, such as dynamic code building, use of the victim's crypto API or requesting an unavailable HTTP link.
As is a trend among anti-phishing vendors, Mimecast offers built-in education to help organizations train users in safe internet and email use. This can be a simple bit of explanation of a red flag event, such as the appearance of a URL created by a DGA (domain generation algorithm). This usually is a guarantee that something is trying to access a bad place. Of course, users also need to be taught to hover over a URL that might be suspicious to see the DGA URL.
The admin dashboard is simple but carries a lot of information. Besides administration, attachment protection and URL protection are available. This allows URLs and attachments to be removed from the system.
In addition to inspection of inbound, outbound and internal emails, Mimecast provides a full MTA so that if your email system is disabled for some reason you can pick right up with a safe Mimecast email server. If you need it, you can get archiving services as well.
The website is well-constructed and there is support offered as part of the basic cost covering working hours (8/5). Additionally, there are three levels of enhanced support - Business, Priority and Platinum at four, seven and 15 percent of the annual subscription fee, respectively. The website has a knowledgebase and a Mimecaster Central Community page which goes well beyond a FAQ.
Overall, this is a good example of a very focused product that does one thing - deliver clean email - and does it very well. We see one-trick ponies from time to time in the SC Lab and Mimecast certainly is not one of those. This is an excellent defense against ransomware from the Phase 1 start of an attack.