Why Signature Based AntiVirus Solutions Fail to Detect Crypto Ransomware

Dell released a SonicWall Security Center alert regarding the Jigsaw ransomware virus on April 22, 2016. The alert explained that “The Dell SonicWall Threats Research team has received reports of a new Ransomware Trojan, Jigsaw (named after the fictional character) which encrypts the system files and also deletes them if the payment is not made on time.” The alert informs recipients that the “GAV: Jigsaw.A (Trojan)” signature has been added to the SonicWALL Gateway Antivirus service. The alert is very informative and describes in detail what Jigsaw is, how it infects a workstation or server and even gives screenshots of the ransom note and the C&C server. I appreciate Dell’s efforts in alerting the community to this potential ransomware threat. However, there is a very big problem. For many victims of ransomware; signature based alerts are too little, too late.

I cannot fault Dell for their alert being too late to protect the tens of thousands of systems that were infected by Jigsaw. If you stop and consider the process; Dell had to become aware of the threat. Dell had to get a copy of the ransomware and test in a secure environment. They had to document how Jigsaw spreads, where it installs, and then they had to create their antivirus signature. Even though Dell released their alert on April 22^nd, 2016; I’m guessing they knew about it more than a few days before their press release.

How to Decrypt Jigsaw Ransomware

Jigsaw ransomware isn’t as complex as other ransomware products I’ve seen, and it can be decrypted quite easily. This is actually one of the first crypto ransomware products that can be decrypted without reverting to a backup or paying a ransom. The fact that this is easy to decrypt might be comforting to some, but I think something more sinister is going on. I think the cybercriminals are continuing to launch attacks in numbers never before seen, and I also think less sophisticated actors are finding how easy it is to make money with ransomware and are jumping into the game. There are a lot of sobering statistics that seem to back up that hypothesis.

Cybercriminals Getting Busy with Ransomware in 2016 

2015 saw explosive growth for the ransomware industry and so far 2016 looks to be even better for cybercriminals. According to cybersecurity firm Proofpoint, email, social media, and mobile devices have been the most exposed vectors for cybercriminals in Q1.

• Ransomware will cost businesses $1 billion in 2016. - FBI
• 66% increase in malicious emails in first quarter (Q1) of 2016
• 800% increase in malicious emails in Q1-2016 compared to Q1-2015
• Antivirus is only 47% effective
• New threats are created at a rate of 3.5 per second

 Why Signature Based Solutions Fail

Signature based solutions fail quite simply because antivirus products do not know a threat is a threat until numerous computer systems have been compromised and a signature to identify the malware is created and distributed. Only after the zero-day threat is identified can you examine how it works and create a signature that can be distributed to antivirus products. This process takes time. Since many people do not allow automatic updates and fail to update software manually on a regular basis, there is potential for a security gap here as well. This is why signature based solutions fail, and you need to upgrade your defenses to include endpoint protection.

The Ransomware Solution!

WatchPoint is releasing CryptoStopper.io to identify, isolate and stop Ransomware, even after it has infected your network and gotten through all of your prevention systems. 

Learn more and download a fully functional 14-day test drive.  The trial allows you to simulate a Ransomware attack on your network and see the isolation process in action.

 More Articles for Your Enjoyment!

Why Didn't My AntiVirus Detect CryptoWall? 

Another Hospital Becomes Victim of Ransomware 

Shodan Demonstrates Why Closing Unused IoT Ports is Critical to Cyber Security