To say that Ransomware is a vexing and thorny problem for modern businesses at large would be restating the obvious. A discussion about effective solutions to combat the problem would be a pertinent one.

Most solutions fall into the following three broad categories:

  1. Endpoint Agent: Endpoint agents use machine learning or a behavior-based approach to detect ransomware, and these can be evaded with little effort. Examples of such evasions are: [a] if a ransomware strain employs a new file type, the endpoint agent requires a new classifier-based algorithm. [b] Fileless malware never touches the disk, so the detection algorithm is never activated. [c] Ransomware can enumerate processes and kill the endpoint agent. Each of these evasions opens a window of opportunity for a threat actor to exploit an organization.
  2. IDS/IPS: Ransomware does not necessarily generate C&C communication. In those cases, an IDS/IPS that monitors network traffic has nothing to raise an alert on.
  3. Detonation in a Sandbox: These solutions monitor email and web traffic, extract the files, detonate them in a virtualized environment and, based on the observed behavior, classify each file as malicious or benign. They are also prone to evasions. Examples include: [a] detecting the virtualized environment and hiding the malicious intent. [b] If ransomware employs a new file type, the sandbox has to be updated with the right version of an application to detonate that file type and with the right instrumentation to capture its behavior. In addition, these sandboxes have to monitor both email and web traffic, making them a very expensive solution.

For the reasons outlined above, current ransomware detection solutions fall significantly short of what organizations need to ensure robust security.

ShadowPlex-R leverages Acalvio’s patented Deception 2.0 technology to achieve timely, cost-effective and high fidelity detection. ShadowPlex-R is immune to the delivery channel (email, web, threat actor) and file type. In addition, it is agent-less and has minimal IT impact.

ShadowPlex-R has the following attendant benefits:

  • Effective Detection: ShadowPlex-R presents attackers with a comprehensive environment palette of realistic and non-fingerprintable decoys, lures, baits and breadcrumbs that blend in with an organization’s production assets. These serve as sensors and any compromise to them results in very high fidelity detection.
  • Scalable and Flexible Deployment: ShadowPlex-R employs a DevOps approach to deploying deceptions. By dynamically and automatically deploying the most effective and relevant deceptions, ShadowPlex-R dramatically reduces the cost of operation compared to first generation deception products. By delivering deception from and to public clouds, private clouds and on-premises environments, organizations can deploy dynamic deceptions wherever their assets are deployed.
  • Low IT Impact: ShadowPlex-R dramatically lowers the cost of operation while simultaneously increasing efficacy, when compared to first generation deception products, by dynamically and automatically deploying the most effective and relevant deceptions.
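The "decoys as sensors" idea above is the core of the deception approach: no legitimate process ever touches a decoy, so any change to one is a high-fidelity signal. The following is an added illustration, not ShadowPlex-R's or Acalvio's own code; it plants a few decoy files with constructed names, records a content baseline, and reports any decoy that is later overwritten or renamed, the two things file-encrypting ransomware does first.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy names, chosen to look like attractive production files.
DECOY_NAMES = ["Q3_payroll_backup.xlsx", "old_passwords.txt", "board_minutes_draft.docx"]


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(root: Path) -> dict:
    """Write the decoy files and record a baseline of name -> SHA-256 of content."""
    baseline = {}
    for name in DECOY_NAMES:
        p = root / name
        p.write_bytes(b"DECOY %s - contains no production data\n" % name.encode())
        baseline[name] = sha256_of(p)
    return baseline


def check_decoys(root: Path, baseline: dict) -> list:
    """Compare the directory against the baseline. Nothing legitimate touches a decoy,
    so every deviation is returned as a (decoy, reason) alert."""
    alerts = []
    present = {p.name for p in root.iterdir()}
    for name, digest in baseline.items():
        if name not in present:
            # Ransomware commonly renames files by appending its own extension.
            renamed = [n for n in present if n.startswith(name) and n not in baseline]
            alerts.append((name, ("renamed to " + renamed[0]) if renamed else "missing"))
        elif sha256_of(root / name) != digest:
            alerts.append((name, "content modified"))
    return alerts


def demo() -> tuple:
    """Plant decoys, simulate ransomware behaviour, and return alerts before and after."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_decoys(root)
        before = check_decoys(root, baseline)
        # Simulated ransomware activity: overwrite one decoy in place, rename another.
        (root / DECOY_NAMES[0]).write_bytes(os.urandom(64))
        (root / DECOY_NAMES[1]).rename(root / (DECOY_NAMES[1] + ".locked"))
        after = check_decoys(root, baseline)
    return before, after


if __name__ == "__main__":
    print(demo())
```

In a real deployment the check would run continuously (or be driven by file-system notifications) and the decoys would be spread across the shares an attacker is likely to enumerate.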
