Hi,
I’m Yuval
-and I’m Dedi
Today we want to talk to you about Ransomware, and why you should care about it.
We’ll discuss the current landscape of Ransomware attacks, and then we will deep-dive into a case study to show how Check Point’s Harmony solution provides multi-layered protection against this attack.
Finally, we will present the full range of protection applied when using the Harmony suite.
<<CLICK>>
Before diving in, let’s remember how frequent and severe Ransomware cyberattacks were in 2021.
<<CLICK>>
Check Point Research has seen a 41% increase in attacks since the beginning of 2021, and a 93% increase year over year.
<<CLICK>>
Ransomware is in the news every week, with names like Kaseya, Colonial Pipeline and Accenture.
<<CLICK>>
Ransomware-as-a-Service is a rising trend, with constantly increasing usage.
<<CLICK>>
Ransomware does not skip mobile, as seen in the latest case of Lucy, a Malware-as-a-Service botnet for Android devices that recently launched a new ransomware capability.
<<CLICK>>
A couple of examples:
<<CLICK>>
Kaseya, a cloud-based managed security services provider (MSSP) that offers patch management, experienced a massive attack affecting numerous organizations.
Over 1,000 businesses were affected, with victims identified in at least 17 countries.
The attack was carried out during the 4th of July weekend.
<<CLICK>>
REvil used a zero-day vulnerability that was in the process of being fixed.
Ransom demands ranged from $45K to $5 million US Dollars.
<<CLICK>>
The attack started by using existing operating system files like PowerShell.
The interesting part of this attack involves the use of an old version of Microsoft’s own antivirus for encryption, bypassing most security products that ignore Microsoft’s AV.
<<CLICK>>
Another major attack happened at Colonial Pipeline, an American oil pipeline system.
<<CLICK>>
The attack temporarily shut down all pipeline operations, impacting 45% of all fuel consumed on the East Coast.
<<CLICK>>
DarkSide works in a Ransomware-as-a-Service (RaaS) model, where it leverages a partner program to execute its cyberattacks.
<<CLICK>>
The total ransom paid was almost $5M; the FBI confirmed that the DarkSide group was responsible.
<<CLICK>>
Let’s deep-dive and examine a case study in which a large EMEA retail company was hit by a ransomware attack.
Files were encrypted throughout the organization, blocking access to critical business data, while a $2M ransom was demanded.
The attack caused a 48-hour complete shutdown, which incurred both operational and recovery costs for the company.
In the aftermath, it was realized that a single Endpoint device had infected multiple computers in the corporate network.
<<CLICK>>
Let’s take a look at how such an attack could have materialized in the organization.
<<CLICK>> /show video
This video depicts a flow using MS Teams, and later on MS Intune. We know there is a very broad range of applications, UEMs, and more that can play a part in how such an attack materializes. We use a specific file in the example, but you can consider CVs and many other files that can take part in such an event.
<<CLICK>> /start video
Jane receives a message with a download link to a book.
<<TRIGGER>> (downloads) (0:00:05)
She goes on to download the file to her iPhone.
<<TRIGGER>> (opens) (0:00:10)
To open the file on the device, Jane looks in the Downloads folder.
The file seems legitimate and harmless, since it does not target mobile devices.
<<TRIGGER>> (Jane-Guy share) (0:00:18)
As Jane’s phone has access to corporate resources, she is able to forward the copy to Guy through the Microsoft Teams application. Jane writes an explanatory message and sends a copy (0:00:33 // at end).
<<CLICK>> (finish mobile video, start EP)
<<CLICK>> (move to EP video + download from teams)
Guy enters the Microsoft Teams web application and downloads the PDF file.
<<TRIGGER>> (open on PDF + malicious payload)
Shortly after the file is opened, malicious code executes, encrypts all critical operating system data, and moves laterally to other targets.
<<TRIGGER>>
Guy then sees the ransomware screen demanding that he pay, or all his files will be lost.
<<CLICK>>
Let’s review every step of the way, BUT this time with Check Point Harmony, so you can see how the attack is prevented.
<<CLICK>>
With Harmony Mobile installed, once Jane clicks on the link,
<<CLICK>>
the On-device Network Protection engine uses Check Point ThreatCloud to instantly inspect the link.
<<CLICK>>
The analysis covers both known and unknown threats,
and in this case it identifies a malicious URL and blocks access to the malicious hosting site.
<<CLICK>>
We have seen how Harmony blocks non-secure mobile browsing.
Back to our defense timeline: moments later, Jane downloads the book from the malicious website.
<<CLICK>>
When Jane attempts to download,
<<CLICK>>
the new and unique On-device File Protection technology scans the file and prevents the download of the malicious file,
<<CLICK>>
while the threat details are shown to the user.
<<CLICK>>
Harmony is able to block the second stage of the attack, the PDF download.
Jane opens the file on her mobile, which can result in malicious code execution on the mobile device.
<<CLICK>>
Any file downloaded is quarantined until a full analysis for malicious content, whether targeting the phone or the corporate PCs, is done.
<<CLICK>>
Harmony Mobile uploads the file to ThreatCloud for additional emulation, using state-of-the-art sandboxing and CDR capabilities, ensuring any threat is removed from the file.
<<CLICK>>
Jane can open files freely, knowing they are protected.
<<CLICK>>
So far, we have covered how Harmony is capable of preventing the malicious file from ever reaching the device.
While Jane’s device is a personal one, it also acts as an access gate into corporate resources. What if the file reached it anyway?
<<CLICK>>
When a security compromise is detected, based on the device security posture,
<<CLICK>>
the corporate security administrator can ensure that devices
<<CLICK>>
that may pose a risk to the organization
<<CLICK>>
no longer have access to corporate resources.
This ensures that lateral movement in the organization is prevented, as
<<CLICK>>
Microsoft Teams would not be accessible from Jane’s phone.
<<CLICK>>
In the previous steps, we have demonstrated how Harmony Mobile keeps the mobile device completely protected from such threats.
Now we will focus on the second part of the attack, which occurs on the Mac laptop’s operating system.
<<CLICK>>
Guy receives a Teams message from Jane containing a file.
<<CLICK>>
The traditional approach of protecting against infected documents by looking for malware leaves gaps and does not provide complete protection.
<<CLICK>>
Harmony Endpoint lets you quickly deliver safe, sanitized versions of common document formats, providing real-time protection while maintaining an uninterrupted business flow.
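As an added illustration, not code from Check Point or from this script, of what the quarantine-until-analyzed step on the phone and the document sanitization step on the laptop look for: a minimal check over raw PDF bytes (the attachment in this case study is a PDF) that flags the auto-executing structures a CDR engine strips and decides whether the file must be held. The name list and the two sample documents are constructed for the example; a real engine covers far more structures.

```python
import re
from dataclasses import dataclass, field

# PDF name objects that make a document act on its own when opened. A CDR engine
# strips these; a quarantine gate holds the file until they have been analysed.
ACTIVE_CONTENT_NAMES = {
    b"/OpenAction": "action that runs automatically when the document opens",
    b"/AA": "additional actions triggered by page or form events",
    b"/JavaScript": "embedded JavaScript action",
    b"/JS": "JavaScript code string or stream",
    b"/Launch": "action that launches an external program",
    b"/EmbeddedFile": "embedded file attachment",
}

# A PDF name runs from '/' up to the next whitespace or delimiter character.
NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()%{}]*")


def normalize_name(token: bytes) -> bytes:
    """Resolve #xx hex escapes (/J#61vaScript -> /JavaScript) so that
    obfuscated names are matched as well as plain ones."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token)


@dataclass
class Verdict:
    quarantine: bool            # True: hold the file until analysis completes
    reasons: list = field(default_factory=list)


def inspect_pdf(data: bytes) -> Verdict:
    """Scan raw PDF bytes for active-content names and decide whether the file
    may be handed to the user as-is or must be held for analysis / CDR."""
    if not data.startswith(b"%PDF-"):
        return Verdict(True, ["no %PDF header: not a parseable PDF, hold for analysis"])
    found = {}
    for match in NAME_TOKEN.finditer(data):
        name = normalize_name(match.group(0))
        if name in ACTIVE_CONTENT_NAMES and name not in found:
            found[name] = ACTIVE_CONTENT_NAMES[name]
    reasons = [f"{name.decode()}: {why}" for name, why in found.items()]
    return Verdict(bool(reasons), reasons)


# Constructed sample documents (not real malware): a plain empty PDF, and one
# whose catalog auto-runs a JavaScript action with the action name hex-escaped.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n%%EOF\n")
AUTORUN_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
               b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n")
```

Running `inspect_pdf(AUTORUN_PDF)` returns a quarantine verdict naming /OpenAction, /JavaScript and /JS, while `inspect_pdf(BENIGN_PDF)` releases the file with no reasons.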
<<CLICK>>
Threat Emulation can protect your network against new malware, zero-day vulnerabilities and targeted attacks.
The Harmony Endpoint Threat Emulation service works online as well as offline, providing users with extended security even when they are disconnected from the Cloud.
<<CLICK>>
Finally, Harmony implements additional measures to ensure that malicious files cannot execute their malicious content, and to automatically remediate the incident.
<<CLICK>>
Driven by automation, Harmony Endpoint ensures full on-device attack detection and remediation, even in offline mode.
The solution automatically records endpoint events in real time for long-term retention, enriching these events with threat intelligence.
Harmony Endpoint collects indicators from endpoint devices and correlates them with behavioral heuristics, rules, and machine learning models.
By automatically quarantining infected machines, the attack won’t spread laterally across the rest of the corporate network.
Once the attack is mitigated, Harmony Endpoint automatically restores the device to the last clean point.
The solution ensures full visibility into the actions taken with an auto-generated forensics report, while informing the user of all the automated actions taken.
Forensics data supplies hunt leads that enable security professionals to query the historical data and uncover attack residue across the environment.
So, what does it mean for security admins?
<<CLICK>>
It means they can focus on the critical tasks and let Harmony Endpoint take care of the rest.
They spend less time taking manual actions for detection, analysis, investigation, correlation and response.
<<CLICK>>
Harmony Mobile and Harmony Endpoint
<<CLICK>>
The solutions enabling Ransomware protection are part of Check Point’s Harmony, the industry’s first unified security solution for users, devices, and access, ensuring that corporate assets are protected and organizational access remains secure.
<<CLICK>>
So what does “complete endpoint protection” mean? How does Harmony Endpoint prevent the most imminent threats to the endpoint?
The multiple capabilities of Harmony Endpoint are combined to give endpoints multi-layered, 360-degree protection.
<<CLICK>>
It all starts with reducing the attack surface with VPN, host firewall, data and web protection.
<<CLICK>>
Once the surface is reduced, Harmony Endpoint leverages NGAV, anti-malware, anti-phishing, sandboxing and content disarm and reconstruction technologies to prevent attacks before they start.
As a core component of Harmony, the new Harmony Browse uniquely provides secure, fast, and private web browsing, inspecting all SSL traffic directly on the endpoint without adding latency or re-routing traffic through a secure web service.
<<CLICK>>
Yet should an attack get through, Harmony Endpoint has runtime protection in place to address and remediate those attacks with behavioral analysis, anti-ransomware, anti-exploit and other technologies.
<<CLICK>>
Harmony Mobile provides complete protection across 3 layers:
Harmony Mobile prevents malware from infiltrating employees’ devices by detecting and blocking the download of malicious apps in real time.
Check Point’s unique Behavioral Risk Engine runs application analysis in a cloud-based environment to determine if an app is malicious, leveraging machine learning and AI, sandboxing, advanced code flow analysis, anomaly detection and app reputation among other techniques.
<<CLICK>>
Harmony Mobile’s unique network security infrastructure, On-device Network Protection, allows businesses to stay ahead of emerging threats by extending Check Point’s industry-leading ThreatCloud technologies to mobile devices.
It offers a broad range of network and file security capabilities, including:
Protection against phishing attacks across all apps, from both known and unknown zero-day phishing sites
Preventing file threats from reaching the device or the organization
Providing a fully secured browsing experience
Detecting MiTM attacks, and more
<<CLICK>>
And lastly, OS and Device Protection.
As we have seen with the Achilles vulnerability last year and the most recent one in the MediaTek DSP, device vulnerabilities can impact up to 40% of Android devices in the world, making them susceptible to privilege escalation (PE) by mobile applications.
Harmony Mobile ensures devices are not exposed to compromise with real-time risk assessments that detect device-level exploits, OS vulnerabilities and configuration changes, along with advanced rooting and jailbreak detection.
<<CLICK>>
With Check Point Harmony, your users get the same level of protection regardless of where they are, the applications they access, or the devices they use. Whether it’s a phishing website, a device vulnerability, a malicious email attachment, or zero-day ransomware, the solution protects them from cyber threats across all attack vectors.
Powered by revolutionary AI engines and the industry’s most extensive threat intelligence network, Harmony stops attacks before they happen.
<<CLICK>>
To sum up: ransomware is on the rise, but with Harmony you can rest easy knowing that all attack vectors are covered:
phishing and zero-phishing, network-based attacks, malicious files, malicious applications and known vulnerabilities, all with the ability to automate remediation and automatically mitigate the risk.
<<CLICK>>