Acronis Active Protection prevents zero-day infections, enables instant restore of encrypted data after Osiris and other ransomware attacks
Acronis, a global leader in hybrid-cloud data protection and storage, has developed an advanced technology that proactively prevents zero-day infections, enabling users to prevent ransomware attacks and recover data without paying any ransom.
The capability is included in the latest Acronis True Image 2017 New Generation products, distributed in SA and Africa by Synapsys.
Acronis Active Protection, which combines integrated security with a backup solution, is capable of detecting and instantly recovering files attacked by Osiris, currently the most common ransomware infection.
"Recently, a new mutation of Osiris ransomware that easily bypassed Windows Defender was discovered," says Peter French, MD of local Acronis distributor Synapsys. "The baddies are constantly evolving malware technologies such as .locky and .odin, and new, more fiendish iterations of Osiris ransomware are constantly appearing, enabling them to bypass most conventional protections," French explains.
Some researchers note that Osiris also affects Apple Mac and Android devices. "The Acronis Security Team is currently conducting investigations and a new report will be released separately," says French.
How infections are distributed
Typically, Osiris ransomware is distributed through spam e-mails with the words "Invoice" or "Order Confirmation" in the subject line and a compressed attachment containing the malicious script. It can be an Excel file with a VBA macro or a .jse executable script (a dropper). When executed, it downloads a DLL file and runs it with the help of Rundll32.exe.
"Osiris authors try to hide ransomware by not using .exe executables and instead using standard Windows components to launch their scripts and DLL files," French explains.
Another common method of distributing ransomware is through Malicious Advertising (Malvertising). Ransomware crooks use legitimate advertising networks to serve cleverly-designed ads that distribute ransomware with little or no user interaction required. Some of the Web sites affected recently include BBC, MSN, and AOL. "Cyber criminals take advantage of the automated ad networks, which allows them to serve malicious ads after their account passes initial verification checks," says French.
Spreading into the corporate network
Just like Locky, Osiris is a Trojan crypto-virus with a worm-like distribution technique. It spreads over the network without any user interaction. "Some victims report having to shut down the domain controller to stop the spreading of the attack," French observes.
"Osiris is capable of infecting thousands of shared folders, network-attached drives, and other machines on the same network. The damage from losing that many devices on the same network can be devastating for any business."
Osiris can also be distributed via CRM/customer support systems (including cloud-based ones) across organisational boundaries. An infected user in one organisation can send an e-mail to the CRM system's e-mail address. The system's internal parser processes the incoming e-mail and attaches the malicious attachment to an auto-generated ticket. When the customer support engineer opens the ticket and its associated spreadsheet attachment, the infection spreads to that network.
Attacks on backup
To prevent victims from restoring files from backup without paying the ransom, Osiris disables Volume Shadow Copy Service (VSS). VSS allows Windows-based systems to take manual or automatic backup copies or snapshots of computer files or volumes.
Osiris also deletes already created shadow copies by running the command "vssadmin.exe Delete Shadows /All /Quiet" in quiet mode.
This action prevents users from performing a system restore from the saved data on the infected computer.
Microsoft VSS contains no security measures to protect itself, or the shadow copies it has created, from deletion or alteration. Acronis anticipated such attacks on backup solutions and implemented self-protection techniques in its own products. Independent tests show that the Acronis product is resistant to attacks such as those implemented in Osiris.
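A defender-side illustration of the behaviours described in this article, written for this page and not Acronis code: it scans constructed Sysmon-style process-creation records and flags a script host running a .jse dropper, rundll32.exe launched by a script host (the Windows-component trick French describes), and the vssadmin shadow-copy deletion command quoted above. The pipe-separated field layout and the sample paths are assumptions.

```python
import re

# Constructed sample of process-creation events, one per line:
# "parent_image|image|command_line". Made-up telemetry, not real logs.
SAMPLE_EVENTS = """\
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\bob\\Downloads\\invoice_2017.jse
C:\\Windows\\System32\\wscript.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\payload.dll,DllEntry
C:\\Windows\\System32\\rundll32.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe List Shadows
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
"""

# Hosts that legitimately run scripts or macros but rarely spawn rundll32 themselves.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "excel.exe", "winword.exe"}
WINDOWS_SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# The shadow-copy deletion cited in the article ("Delete Shadows /All /Quiet").
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# A .js/.jse file passed to a script host (the dropper format named above).
JS_DROPPER = re.compile(r"\.jse?\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events_text: str) -> list[tuple[int, str]]:
    """Return (line number, rule name) for every record matching a rule."""
    hits = []
    for lineno, line in enumerate(events_text.splitlines(), 1):
        if line.count("|") < 2:  # skip malformed records rather than crash
            continue
        parent, image, cmdline = line.split("|", 2)
        parent_name, image_name = basename(parent), basename(image)
        if image_name == "vssadmin.exe" and SHADOW_DELETE.search(cmdline):
            hits.append((lineno, "shadow-copy-deletion"))
        if image_name == "rundll32.exe" and parent_name in SCRIPT_HOSTS:
            hits.append((lineno, "rundll32-from-script-host"))
        if image_name in WINDOWS_SCRIPT_HOSTS and JS_DROPPER.search(cmdline):
            hits.append((lineno, "script-host-runs-jse"))
    return hits


if __name__ == "__main__":
    for lineno, rule in detect(SAMPLE_EVENTS):
        print(f"line {lineno}: {rule}")
```

Only the first three sample records fire; "vssadmin List Shadows" and a rundll32 started from Explorer are ordinary activity and stay quiet.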
"Acronis Active Protection is the only technology that is able to block all versions of Osiris ransomware attacks. And what's more, it's capable of instantly restoring any encrypted data without contacting the crooks or paying any ransom," says French. "This is possible because of integration with Acronis Cloud."
Protecting systems from Osiris ransomware
Manual "decryption" of Osiris files is difficult and only possible if the user has backups that have not also been encrypted.
Acronis Active Protection has been confirmed to successfully protect computer systems against Osiris ransomware. This innovative patent-pending technology, introduced in Acronis True Image 2017 New Generation, is based on behavioural heuristics and easily detects and stops Osiris malicious activity. It also allows the user to instantly recover any affected files.