Traps: Expanding Ransomware Protection for Current and Future Threats

Sep 19, 2017
5 minutes

Today we announced the next iteration of Traps advanced endpoint protection, Traps 4.1. With this release, we continue to develop our innovative, multi-method prevention approach to endpoint security with a specific focus on preventing ransomware.

Many estimates put the total value of ransoms paid out in 2016 at more than $1 billion1, but the ransom payout itself often pales in comparison to the frustration that follows…

  • Engaging disaster recovery on a massive scale
  • Bringing user machines back, and larger production and operation systems back online
  • Dealing with low employee morale, loss of productivity and potential breach notifications
  • Figuring out how to prevent an attack from happening again
  • Determining whether the organization is still vulnerable

The majority of ransomware causes damage in less than a minute2, far too quickly for endpoint detection and response or manual intervention to counter it. For that matter, neither will fix the underlying issue: ransomware has compromised user machines, and the organization is still vulnerable to additional and ongoing attacks. Compounding concerns, those relying on signature updates have large windows of vulnerability. While the speed of signature updates has improved, if an organization in a signature-based threat-sharing community is infected, it can take hours or days to create and distribute a signature from “patient zero” – much longer than the minutes ransomware needs to spread to other machines. Additionally, the ransomware market itself continues to evolve. “Ransomware as a service” has sprung up, giving even novice attackers access to advanced techniques. Furthermore, recent leaks, along with the re-emergence of exploits to circumvent the need for user action, have given rise to script-based and file-less attacks that pose issues for products or tools that rely heavily on analyzing file characteristics.


Key New Features in Traps 4.1

“It has been exciting to see the evolution of Traps. Red Sky is proud to be an early adopter of the technology and has been heavily integrated with the product development lifecycle. With the new game changing additions of anti-ransomware for Windows and static analysis on macOS, Traps has been lab tested and proven to be an industry leader in prevention based endpoint protection.”

Phil Wong  |  Security Practice Lead at Red Sky

New Exploits and Ransomware

While thousands of exploits exist, only a handful of exploit techniques are used. Traps focuses on these techniques to effectively shut down exploit-based attacks, rather than relying on signatures or attempting to chase each exploit. Recently, a new technique was seen in both WannaCry and NotPetya that directly exploits and utilizes the kernel. Despite Microsoft delivering a patch of the discovered Server Message Block vulnerability in Windows, many organizations were vulnerable to the first step of attack – exploiting the SMB – simply because they hadn’t patched their systems. The second step installs the now-infamous DoublePulsar, a powerful backdoor tool that runs in kernel mode and can load shellcode from the kernel into process memory, calling legitimate processes to run the shellcode and potentially leading to a file-less attack.

Enhanced kernel exploit protection: While Traps was already capable of blocking actions aimed at gaining kernel access through privilege escalation, this new kernel exploit prevention protects against exploit techniques used to execute malicious payloads, such as those seen in WannaCry and NotPetya. By blocking processes from accessing injected malicious code, Traps is now able to prevent the attacks early in the attack lifecycle without impacting legitimate processes.

Behavior-based ransomware protection: In this release, we’ve introduced a capability solely focused on ransomware, rather than malware in general. In addition to existing preventions, Traps will now monitor specifically for ransomware behavior and, upon detection, block the attack and encryption of customer data without interfering with legitimate encryption tools.


Script-Based and File-Less Attacks

Many approaches to malware prevention, both legacy and next-generation, have revolved around analyzing features and characteristics of a file. However, attackers have learned to manipulate legitimate processes and engage in script-based attacks that may not involve files.

Granular child process protection and malicious DLL prevention: With 4.1, Traps enhances its ability to ensure legitimate processes are running how and when they should, adding command-line evaluation of a process to its existing blacklisting and whitelisting abilities to prevent this emerging breed of attack. Additionally, attacks are increasingly utilizing DLLs, rather than traditional executable files, to run their malicious endeavors. To counter this, we’ve added the examination of DLLs to both our local and cloud-based WildFire analysis techniques for known and unknown malware.


The Rise of Mac Malware

Though malware on macOS is still a growing field, attackers know that where there’s an assumption of safety, there’s opportunity for profit. As an example, in early May 2017, a well-known Windows backdoor malware, Snake, was ported to Mac for the first time. As Mac use continues to grow throughout enterprises, it’s important that security teams take actions to ensure users are safe.

Local analysis on macOS: Traps continues to take a multi-method prevention approach to securing customers’ Mac endpoints. With 4.0, Traps delivered exploit protection specific to macOS, as well as enhanced Gatekeeper protection and WildFire integration for known malware. With 4.1, we’ve added local analysis capabilities to detect and prevent unknown variants on macOS, further securing our customers.


Where Can I Learn More?




Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.