Ransomware protection with Malwarebytes EDR: Your FAQs, answered!

We get a few questions about ransomware protection and how our Endpoint Detection and Response software can protect you from ransomware. In this post, our security experts answer some of your most frequently asked questions about ransomware and how our EDR can help—let’s get started.

Q: When considering an EDR solution, what anti-ransomware features should I be looking for?

Adam Kujawa, security evangelist and director of Malwarebytes Labs:

“First, it should quickly identify and isolate systems that are infected with ransomware. Second, it should detect ransomware-like behavior and automatically kill and remove the threat from the system. Third, it should provide options for file recovery (in case something does get encrypted). Fourth, it should have features that are valuable for detecting and thwarting malware in general, such as exploit prevention, behavioral detection of never-before-seen malware, malicious website blocking, and brute force protection.”

Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes:

“Ransomware stems from the exploitation of trust. We know that in society and computer systems, trust is essential and foundational for communication productivity and growth. What’s needed is encapsulated in a principle called trust-but-verify! In the context of EDR, trust-but-verify means the algorithmic “detection” part of EDR must employ heuristics to look for anomalous encryption that deviates from known-good encryption. This is the trust-but-verified part of a modern EDR tool. To make the EDR tool a solution, it must offer four essential functionalities:

  1. Contain threats, allowing time to investigate and document.
  2. Easy, non-vendor-specific language describing detected suspicious activity.
  3. Precision instrumentation for eradicating malware, potentially unwanted programs, and potentially unwanted changes.
  4. Instrumentation to search for indicators across the rest of your managed endpoints for early signs.”

Q: Other than the percentage of malware-detected efficacy, what other factors should I consider when acquiring an anti-ransomware solution? 

Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes:

“Other than efficacy, you need to look also at integration—the EDR must become part of your system. It should not be a standalone solution; it should be usable and not complex. Have a “single pane of glass”—with Malwarebytes cloud-based Nebula platform, for example, you have access to an intuitive UI which helps you gain visibility into all activity across your entire organization. If I could summarize it into a single sentence, you don’t want just a next-gen solution; you need a solution that any IT professional will understand without specialized cyber-forensic knowledge.”

Q: How is detecting ransomware different from other malware?

Adam Kujawa, security evangelist and director of Malwarebytes Labs:

“Up until around 2013, most malware infections were problems that could easily be solved ‘after the fact’.  For example, a bank credential stealing bot can infect a system, steal your credentials and commit fraud. Well the bank can clear out those fraud charges, you can change your credentials and you can clean the system, suddenly the whole attack can be treated as an inconvenience rather than a significant disruption, almost like it didn’t happen. Ransomware, on the other hand, immediately encrypts files and sometimes locks down vital system settings used for recovery, as well as deleting locally stored backups, and it’s often used against multiple endpoints at the same time. So, recovery after the fact is nearly impossible without being prepared, or paying the ransom. This kind of threat requires a lot more planning, redundancy and threat monitoring than any other type of malware out there. Imagine regular malware infections as seasonal allergies, while ransomware is like being hit with pepper spray in the face.”

Q: How does Malwarebytes EDR protect against ransomware attacks?

Robert DeStefano, Senior Global Product Marketing Manager at Malwarebytes:

“First, Malwarebytes’ EDR anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity. It features a dedicated real-time detection engine that does not use signatures, and doesn’t require updates. Second, our solution uses multiple combined modes of endpoint isolation, so if an endpoint is attacked, it can easily halt malware from spreading and causing harm—minimizing disruption to IT and users during attacks. Third—we give you up to 72 hours of ransomware rollback. We make use of local cache on each endpoint, storing all relevant changes to the device for up to 72 hours. If you’re infected, Malwarebytes simply backs out device changes and restores files that were encrypted, deleted, or modified. You don’t have to lose all that time reimaging an endpoint. And perhaps most importantly, all of this is offered through the ‘single pane of glass’ that Zamani mentioned earlier—meaning you can easily manage endpoints to prevent threats from entering, detect infections that find their way into your environment, and remediate with one click, keeping your servers and workstations secure against ransomware while keeping your end users productive.”

Q: How often and at what intervals are files backed up? How much space does it take?

David Pier, Senior Sales Engineer at Malwarebytes:

“Our file backup is not triggered on a time basis—it’s really driven by our activity monitoring feature. The backups are only going to be created in an instance where Malwarebytes has detected suspicious behavior. And for the second question, data storage space isn’t an issue, as our proprietary dynamic exclusion technology learns ‘good’ behavior of applications and minimizes storage utilization. Additionally, administrators can configure their policies to dynamically manage disk space requirements, based on the remaining available disk space.”

Q: Can you identify when the first infection took place and if the same threat process has been installed across the environment or on other devices, such as malicious scheduled tasks?

David Pier, Senior Sales Engineer at Malwarebytes:

“Yes! You can do this with the Flight Recorder feature of our EDR, which allows you to search event data captured from all of your managed endpoints to investigate and identify indicators of compromise. You can search data like files, registry, processes, and networking activity up to the past 7 days to threat hunt or analyze when a compromise occurred in your environment. You can search through file properties, such as the file hash or the file name, or you could leverage something like searching actual command line arguments that were used by the attacker to try and locate the original infection points.”

Q: How many full time employees are needed to deploy and manage your EDR?

David Pier, Senior Sales Engineer at Malwarebytes:

“That is something we hear very frequently at Malwarebytes; customers are coming from other EDR solutions or other security solutions, and a large concern is your team may only be two to three, maybe five people at most. An EDR solution that you might be interested in may require you to have full-time staff to manage, or configure it. Malwarebytes EDR is not that kind of solution. This is something that we’ve successfully deployed with teams as small as two people managing this. You do not need additional headcount, you don’t need a dedicated SOC to make this program work. That being said, this solution works very well at scale. We have customers with 1000s of endpoints running this solution and effectively using it as an EDR so really, it’s a tool built for customers of any size.”

Q: Would we need a physical server or can this be operated from a cloud-based system?

David Pier, Senior Sales Engineer at Malwarebytes:

“There’s no requirement for any physical architecture,” says Pier. “You could use it entirely cloud-based if you have cloud-based servers or cloud-based VMs. Really the only requirement we have is making sure that your endpoints can reach the Malwarebytes cloud infrastructure, which is all done through HTTPS traffic. So typically, it’s not something you need to customize unless you have a very restrictive network.”

Read about how companies used Malwarebytes EDR to fend off ransomware 

To help you understand the ransomware threat and how Malwarebytes EDR can help, we’ve curated a collection of customer case studies that illustrate the common patterns of ransomware protection and recovery across a variety of industry sectors and business sizes. Check out a few of them below!

City of Vidalia gains a ransomware and vulnerability-free zone

Mike Carney Toyota tackles the rising ransomware threat

Alden Central Schools gains peace-of-mind protection against ransomware threats

The post Ransomware protection with Malwarebytes EDR: Your FAQs, answered! appeared first on Malwarebytes Labs.