Rethinking ransomware defence: BullWall’s innovative approach to containment

1 month ago 74

Multiple reports of ransomware attacks hit the news daily globally, indicating how difficult it is for organisations to protect against what are often hugely profitable attacks.

What this clearly indicates is that the current strategy of prevention – stopping the malware from accessing IT infrastructure – is not working.

According to Statista, spending on IT security grew from just under US$100-billion in 2017 to a projected more than $200-billion by 2024, yet the outcomes have been far from positive. The reasons for this are varied and complicated, but the fact remains the current predominant approach of “prevention” is insufficient, and a new last line of defence is required.

For the “prevention” strategy to work, it must be reliable 100% of the time against 100% of threats – which is obviously unattainable.

A question for organisations to reflect on is this: what will you do in the first 30 seconds of a ransomware file encryption commencing?

The reality for most organisations is that they will do nothing at all. Fully 99% of the time, they will be blissfully unaware until users start complaining that they cannot open the files.

Enter BullWall Ransomware Containment. BullWall will not prevent a ransomware attack from starting (that is the role of countless other security products) but will isolate and shut down the user and the device that introduced the malware within seconds of the ransomware attack commencing.

The attempt to encrypt files started with an organisation becoming a victim of a ransomware attack; however, the attack is terminated by BullWall in seconds, ensuring that minimal numbers of files were encrypted, and that a full list of these is provided by BullWall, thus helping the organisation’s speedy recovery.

SMB protocol

BullWall utilises the SMB protocol, developed by IBM in the 1980s to securely enable file sharing, editing and printing within the emerging client/server architecture. This protocol is supported by many operating systems, including all versions of Windows, Linux, macOS and Android. SMB requires that the first line of all files serve as an indicator of their type, whether Word documents, Excel spreadsheets, text files and so on.

BullWall monitors for these events, does several additional checks, and if a ransomware event is detected, disables and switches off the user and device initiating the attack – “Patient 0” – and initiates the configured alerting mechanisms, informing operations and providing a list of encrypted files.

Utilising existing operating system functions allows the BullWall solution to provide rapid containment of an active attack within seconds. The solution’s simplicity requires no agents, can be deployed in a day or two, and does not impact network resources.

“BullWall has over a thousand customers and has contained ransomware outbreaks on numerous occasions, emphasising the need for a proactive last line of defence when existing preventative measures have been bypassed,” said co-founder, co-owner and chief technology officer Jan Lovmand.

Lovmand said BullWall Ransomware Containment has undergone rigorous testing against more than 300 real ransomware variants supervised by its Red Lab Team.

“In these tests, BullWall Ransomware Containment detected all ransomware strains/families within a few seconds once malicious encryption began. There are only a few ways you can encrypt a file to make it unreadable unless you are reversing the bits and bytes inside the file. It is this process that BullWall Ransomware Containment detects instantly, regardless of how the malware got in and who or which process is doing the encryption,” said Lovmand.

Solid8 Technologies, in conjunction with BullWall, is available to provide an assessment to demonstrate how ransomware can bypass your existing “preventative” solutions as well as how BullWall will contain the attacks.