SoftControl SysWatch Provides Reliable Protection against WannaCry and Petya Ransomware
People all over the world have suffered from WannaCry and Petya ransomware. The attack is hitting major infrastructure in the countries where it has spread and has also affected companies ranging from Danish shipping giant Maersk to the British advertising company WPP. The amount of damage is not yet estimated, but the figure will be multivalued. The question is: are there any measures to prevent the infection of the computer and guarantee trouble-free operation of the information system?
The easiest way is to not open attached files and do not click on the links in emails. Each company needs to train its employees the rules of "information hygiene". But phishing emails can look very convincing, and the fear of opening an incorrect email can slow down business processes. In this case, companies need to use additional protection - something more effective than antivirus software, which in such cases does not work.
SoftControl SysWatch is an application that is installed on the device. It has an antivirus component, but its main functionality is based on whitelisting: processes from only the approved list are allowed to run. Even if hackers exploit vulnerabilities in systems and applications SysWatch monitors system privileges of the processes, limits activity scenarios and protects the process buffer from external influences.
Unlike antiviruses, SysWatch does not depend on regular updates and allows companies to protect endpoints of the corporate network from all kinds of malicious software, application vulnerabilities, including zero-day threats and unique malicious code written specially for the attack that does not get widespread and does not get into antivirus databases.
How SysWatch protects from WannaCry and Petya
Both ransomware variants have a similar structure: penetration and cipher. MalwareHunterTeam specialists found out that the Petya loader is supplied with a second encryption malware called Misha. One of WannaCry studies showed that an initial file "mssecsvc.exe" drops and executes "tasksche.exe". The file tasksche.exe checks for disk drives, including network shares, and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory 'Tor/' into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. And this is only one of several scenarios for the malware operation.
SoftControl SysWatch:
- Blocks any processes that are not included in the approved list.
- Recognizes the disguise of a malicious program as a trusted program.
- Allows to restrict directories to run programs and to block unauthorized attempts to modify or create files and processes.
Currently SysWatch is installed on more than 500 thousand devices in 24 countries of the world and none of them has been subjected to destructive influence of the malware.
StarForce Technologies is the main distributer authorized to sell SoftControl Solution worldwide.
