
Ransomware attacks in SA require protection

WithSecure acknowledges the complexity of modern cyber threats.

Almost a year ago, in June 2024, South Africa again suffered substantial ransomware attacks that disrupted services into July, hindering access to laboratory test results amid an outbreak of Mpox. The incident underscores the critical impact of ransomware on public health and the importance of robust cyber security measures in healthcare institutions.

WithSecure’s Elements Endpoint Protection for Servers product has a new ransomware protection capability known as Server Share Protection. It monitors potentially malicious activity in real time using a technology named Activity Monitor. As the session unfolds and the threat is confirmed, it blocks the last operation and then rolls back all the changes that have been tracked, restoring the environment to the state it was in before the attack.

DeepGuard, the host-based intrusion prevention system (HIPS) engine used by WithSecure endpoint protection products, works by blocking suspicious activity immediately. In rare situations this can lead to false positives and frustrating delays for the user.

For example, a routine application update might be blocked because it has not been seen before and is attempting to download and execute more code from a remote server, which looks suspicious. This is understandably frustrating for the user, but the alternative is to block later in the process and risk letting real malicious code execute.
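The two preceding passages describe the same trade-off from opposite ends: a HIPS that blocks on first suspicion is safe but prone to false positives, while a track-and-rollback monitor lets a session run, journals every change, and undoes all of them once the threat is confirmed. The following is an added, deliberately simplified illustration of that second approach; it is not WithSecure’s Activity Monitor or Server Share Protection code, and the class names, the two heuristics (high-entropy overwrites and renames to a ransom-style extension) and the thresholds are assumptions chosen for the example. It seeds a temporary directory with constructed sample documents, runs a benign updater session that is allowed through, then runs a simulated encryptor session that is blocked on its third suspicious operation and fully rolled back.

```python
import math
import os
import shutil
import tempfile
from pathlib import Path

# Assumed heuristics for the example (not a vendor's actual detection logic).
RANSOM_EXTENSIONS = {".locked", ".encrypted"}   # constructed sample list
ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext sits close to 8.0
SCORE_THRESHOLD = 3       # suspicious operations before a session is confirmed malicious
ALREADY_COMPRESSED = {".zip", ".gz", ".png"}    # high entropy is normal here


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant data)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class ActivityMonitor:
    """Journals every file change a session makes so the whole session can be undone."""

    def __init__(self):
        self.journal = []   # entries: ("write", path, original_bytes_or_None) / ("rename", src, dst)
        self.score = 0
        self.blocked = False

    def _confirm_or_block(self) -> bool:
        # Once the score crosses the threshold: block this operation and roll back all earlier ones.
        if self.score >= SCORE_THRESHOLD:
            self.blocked = True
            self.rollback()
            return False
        return True

    def write(self, path: Path, data: bytes) -> bool:
        if self.blocked:
            return False
        if shannon_entropy(data) > ENTROPY_THRESHOLD and path.suffix not in ALREADY_COMPRESSED:
            self.score += 1
        if not self._confirm_or_block():
            return False
        # Copy-on-write journal: remember the original bytes (None if the file is new).
        self.journal.append(("write", path, path.read_bytes() if path.exists() else None))
        path.write_bytes(data)
        return True

    def rename(self, src: Path, dst: Path) -> bool:
        if self.blocked:
            return False
        if dst.suffix in RANSOM_EXTENSIONS:
            self.score += 1
        if not self._confirm_or_block():
            return False
        self.journal.append(("rename", src, dst))
        src.rename(dst)
        return True

    def rollback(self):
        # Undo in reverse order so a write-then-rename pair is reverted correctly.
        for kind, a, b in reversed(self.journal):
            if kind == "rename":
                b.rename(a)
            elif b is None:
                a.unlink(missing_ok=True)
            else:
                a.write_bytes(b)
        self.journal.clear()


SAMPLE_FILES = {   # constructed sample documents
    "report.txt": b"Quarterly lab results: all samples within range.\n" * 20,
    "notes.txt": b"Follow-up appointments scheduled for next week.\n" * 20,
    "summary.txt": b"Screening backlog cleared on Monday.\n" * 20,
}


def snapshot(workdir: Path) -> dict:
    return {p.name: p.read_bytes() for p in sorted(workdir.iterdir())}


def benign_update(mon: ActivityMonitor, workdir: Path) -> list:
    # A normal updater: keeps a .bak of the old file and writes a new low-entropy version.
    old, new = workdir / "report.txt", workdir / "report.txt.bak"
    return [mon.rename(old, new),
            mon.write(old, b"Quarterly lab results: updated template v2.\n" * 20)]


def simulated_encryptor(mon: ActivityMonitor, workdir: Path) -> list:
    # Stand-in for ransomware behaviour: overwrite each file with random bytes, then rename it.
    results = []
    for name in SAMPLE_FILES:
        p = workdir / name
        results.append(mon.write(p, os.urandom(4096)))
        results.append(mon.rename(p, p.with_name(p.name + ".locked")))
    return results


def run_demo() -> dict:
    workdir = Path(tempfile.mkdtemp(prefix="rollback-demo-"))
    try:
        for name, content in SAMPLE_FILES.items():
            (workdir / name).write_bytes(content)
        before = snapshot(workdir)
        benign = benign_update(ActivityMonitor(), workdir)
        after_update = snapshot(workdir)
        attack_monitor = ActivityMonitor()
        attack_ops = simulated_encryptor(attack_monitor, workdir)
        return {
            "benign_allowed": all(benign),
            "benign_changed_files": after_update != before,
            "attack_blocked": attack_monitor.blocked,
            "attack_ops": attack_ops,               # first two allowed, rest blocked
            "restored": snapshot(workdir) == after_update,
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the demo is where the cost lands: the updater is never interrupted because nothing it does scores, and the encryptor session is only stopped after it has already damaged one file, which the journal then repairs. A pure block-first HIPS would have the opposite profile (no damage, but the updater might be stopped too), which is exactly the choice the text describes.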

Ransomware has evolved beyond the tactic of tricking users into executing it themselves and now presents organisations with a multi-stage threat. Cyber criminals first gain unauthorised access to valuable data, intending to sell it on the dark web, and only then execute the malware to launch the ransomware onslaught.

While it is not yet confirmed that LockBit was the ransomware used or that Citrix Netscaler was exploited in the recent ICBC incident, all indicators point towards these possibilities. The incident sheds light on a critical weakness: the exploitation of unpatched systems such as Netscaler to gain unauthorised access, followed by LockBit execution. Recognising this gap, WithSecure offers proactive solutions that not only detect the initial breach but also mitigate the impact of ransomware execution, which was also substantial in 2023. The incident is a vivid illustration of the sophisticated tactics employed by cyber adversaries. WithSecure’s Rollback is positioned as a resilient defence against ransomware attacks; as the digital battleground continues to evolve, organisations must consider solutions that provide a robust response to cyber threats. Rollback’s effectiveness is not just a claim: it has been demonstrated in action against the notorious LockBit 3.0 ransomware.

WithSecure acknowledges the complexity of modern cyber threats. A multi-layered security approach is employed, leveraging various technologies to bolster defences against a range of cyber threats.

To find out more about WithSecure, you are welcome to contact its distributor in Africa, Cybervision, for further information.
