
ZombieZERO EDR for Ransomware

Ransomware response solution for the endpoint, built on behavior-based detection and real-time backup

ZombieZERO EDR for Ransomware Introduction

EDR (Endpoint Detection & Response) is a system that detects and responds to new and variant malware based on its behavior on the endpoint.

ZombieZERO EDR for Ransomware is a ransomware-only product that detects and blocks ransomware in advance based on its behavior, and backs up endpoint (PC) data to a central storage server to protect the organization's data as a whole.

Ransomware is a type of malware that encrypts the image and document files on a PC, blocks access to them, and demands money in exchange for decryption.

※ EDR for Ransomware can be operated together with ZombieZERO Manager (central management server, cloud type).

Main Features

> Proactively block ransomware based on behavior

  • Detects and remediates malware based on its behavior, so it can respond immediately to unknown and varied ransomware.
  • Uploads the detected ransomware's pattern information to ZombieZERO Manager, which distributes it to prevent the infection spreading to other PCs.
  • Real-time response to malware and zero-day attacks that bypass network defenses and get inside
  • Access control through an extension-based list of protected file types (whitelist)
  • Shared-folder protection and secure routing against ransomware

> Secure backup of PC data

  • ZombieZERO Manager creates a virtual secure drive on the local drive of the user's PC or on external storage media, and the backup data is stored there.
  • Supports various options such as real-time or scheduled backup, copy, and one-way or two-way synchronization.
  • Version management: even if one file is backed up several times, it can be restored to the required point in time using the index information.
  • Efficient use of storage capacity through data deduplication and compression
  • Prevents data loss by excluding files infected by ransomware from the backup, so an encrypted copy does not replace the last clean version.
  • Cloud business environment: access to data from various devices anytime, anywhere (optional)
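The three backup properties listed above (deduplication, per-file version index, and skipping ransomware-damaged files) fit together in one small data structure. The following is an added illustration written for this page, not npcore's code: chunks are stored once under their SHA-256, every backup of a path appends an index entry so any earlier version can be restored, and a caller-supplied `is_infected` predicate keeps a damaged copy from becoming the newest version. The chunk size, the `looks_encrypted` stand-in predicate and the sample documents are all constructed assumptions; the real product decides "infected" with its behavior detector.

```python
"""Content-addressed backup store with version index and dedup (added example)."""
import hashlib
import zlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List

CHUNK_SIZE = 4096  # assumed fixed-size chunking; real products vary


@dataclass
class Version:
    index: int            # per-path version number, 1-based
    chunk_ids: List[str]  # ordered SHA-256 ids that make up the file


@dataclass
class BackupStore:
    is_infected: Callable[[str, bytes], bool]
    chunks: Dict[str, bytes] = field(default_factory=dict)          # id -> compressed chunk
    versions: Dict[str, List[Version]] = field(default_factory=dict)  # path -> history
    skipped: List[str] = field(default_factory=list)

    def backup(self, path: str, data: bytes) -> bool:
        """Store a new version of `path`. Returns False if the file was skipped."""
        if self.is_infected(path, data):
            self.skipped.append(path)  # keep the last clean version instead
            return False
        ids = []
        for off in range(0, len(data), CHUNK_SIZE):
            chunk = data[off:off + CHUNK_SIZE]
            cid = hashlib.sha256(chunk).hexdigest()
            if cid not in self.chunks:  # dedup: an identical chunk is stored once
                self.chunks[cid] = zlib.compress(chunk)
            ids.append(cid)
        hist = self.versions.setdefault(path, [])
        hist.append(Version(index=len(hist) + 1, chunk_ids=ids))
        return True

    def restore(self, path: str, index: int = 0) -> bytes:
        """Restore version `index` of `path` (0 = latest, otherwise 1-based)."""
        hist = self.versions[path]
        v = hist[-1] if index == 0 else hist[index - 1]
        return b"".join(zlib.decompress(self.chunks[c]) for c in v.chunk_ids)

    def stored_bytes(self) -> int:
        """Bytes actually held in the store after dedup and compression."""
        return sum(len(c) for c in self.chunks.values())


def looks_encrypted(path: str, data: bytes) -> bool:
    """Constructed stand-in for the product's detector: a ransomware-style extension."""
    return path.lower().endswith((".locked", ".encrypted"))


def demo() -> dict:
    """Two clean versions of one document, then a ransomware output that is skipped."""
    store = BackupStore(is_infected=looks_encrypted)
    v1 = b"A" * 6000                 # constructed document: 2 chunks
    v2 = b"A" * 4096 + b"B" * 2000   # first chunk unchanged -> deduplicated
    store.backup("C:/Users/alice/report.docx", v1)
    store.backup("C:/Users/alice/report.docx", v2)
    # ransomware output: the document renamed and rewritten as ciphertext
    store.backup("C:/Users/alice/report.docx.locked", b"\x93\x1f" * 3000)
    return {
        "chunk_count": len(store.chunks),
        "versions": len(store.versions["C:/Users/alice/report.docx"]),
        "skipped": store.skipped,
        "restored_v1": store.restore("C:/Users/alice/report.docx", 1),
        "restored_latest": store.restore("C:/Users/alice/report.docx"),
    }


if __name__ == "__main__":
    print(demo())
```

In `demo()` the second backup shares its first chunk with the first, so the store holds three chunks rather than four, and version 1 is still restorable by its index after the encrypted copy has been refused.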

> Secure sharing / collaboration

  • Sharing and collaboration on files and folders per user or group, according to user policy and permissions (except the C:\ drive)
  • Documents in the shared folder are encrypted, so only authorized users can access them.
  • When a laptop is stolen or lost, its data can be deleted remotely, and work outside the office (such as on a business trip) can continue with security maintained.

> Private Zone

  • ZombieZERO Manager creates a virtual secure drive on the local drive of the user's PC.
  • A Private Zone is managed by the individual user and is not for backup purposes. Only authorized users can access it.
  • Server-authentication-based login, and automatic logout when the PC is idle for a set time
  • Access to the Private Zone is blocked and its contents deleted in case of malicious use by an external intruder or loss / theft of the PC.

> Ransomware attack process via web and email

  • Web-based ransomware uses the drive-by-download attack method, which exploits vulnerabilities in the browser, applications and system in a multi-step process.
  • Step 1: Compromise legitimate websites or ad networks and insert malicious code.
  • Step 2: Profile the visitor's system and redirect it to another web page, using an attack method that detects vulnerable software such as old versions of Java or Flash on the computer.
  • Step 3: Deliver the encrypted and obfuscated malicious program to the system. When the program is decrypted, the ransomware is activated.
  • Step 4: Connect to the callback server so that the attacker can set a unique key for encrypting the victim's data.
  • Most ransomware infiltrates via email attachments or embedded links. CryptoWall 3.0, which has caused $325 million in damage worldwide, was distributed by email phishing (67.3%) and drive-by download (30.7%), according to a report from the Cyber Threat Alliance (CTA).

> Ransomware types detected with behavior-based technology

  • CryptoLocker: The start of modern ransomware, appearing in 2013. Encrypts documents stored on the PC and demands a ransom (Bitcoin) for decryption.
  • TorrentLocker: A CryptoLocker-style ransomware that appeared in February 2014. In its early versions the same key was used for encryption and decryption, and the decryption key could be recovered from the encrypted file.
  • TeslaCrypt / CryptXXX: CryptXXX emerged after TeslaCrypt, which had been highly active since early 2016 and was suddenly shut down in mid-May 2016; CryptXXX in turn stopped activity at the end of July 2016. Both were distributed by spam mail and drive-by download, and encrypted files or changed their extensions.
  • CryptoWall 4: Distributed as an attachment to phishing emails disguised as important mail. Version 4.0 is the latest and also renames files randomly so the original file name cannot be determined.
  • Locky: Appeared in February 2016, distributed as a document file (.doc) attached to email via the Dridex botnet. From March 2016 the attachment changed to a compressed file (.zip) containing a script file. Once run, it changes the extension of the other files stored on the PC. Bart and Hucky are ransomware families imitating it.
  • Cerber: Encrypts files and then announces this by voice. Distributed as spam; changes the file extension.
  • Petya: Encrypts the Master Boot Record (MBR) area and forces the system to reboot within a few minutes, after which the PC cannot be used.
  • Mischa: Encrypts either the MBR or files. GoldenEye: Encrypts the MBR and files at the same time.
  • Parent (dropper) ransomware: Disguises itself as a normal process while executing; in fact it creates or downloads another ransomware.
  • Jigsaw: Appeared in April 2016, themed on the horror film Saw. Uses an offline encryption method that encrypts files even without an internet connection, and deletes encrypted files hourly; the number deleted increases every hour, and after the ransom payment period (72 hours) all files are deleted.
  • HDDCryptor: In November 2016 it paralyzed the ticketing and dispatch systems of the San Francisco city rail system, an important case of substantial damage caused by a ransomware infection in infrastructure, and one related to a SCADA (Supervisory Control And Data Acquisition) environment. More than 2,000 systems, 25 percent of the total, were damaged, and the attacker reportedly demanded $73,000. Encrypts both the MBR and files, including files in shared folders.
  • Telecrypt: Uses the protocol of the popular messenger Telegram for its command channel. Found in early November 2016.
  • Popcorn Time: Found in early December 2016. Once infected, the victim must choose between two ways to decrypt: paying the ransom, or infecting two other people with the ransomware, for which a dedicated URL is provided. If the ransom is not paid within 2 hours, the encrypted files are deleted.
  • Korea: Ransomware disguised as KakaoTalk, found in August 2016 and written in Korean. After encrypting a file it appends 'encrypted' to the extension. It is built on the open-source Hidden Tear ransomware source code.
  • USA: Ransomware using the presidential election (Donald Trump) as a lure.

Ransomware Response Method 1) Detecting an increase in malicious entropy

'ZombieZERO EDR for Ransomware' scores each process against behavior-detection categories (calls to encryption APIs, calls to file-manipulation APIs, the presence of a ransomware signature or marker, and the number of encryption operations) and measures the rise in entropy of the files it writes, since encrypted output looks like random data. When the entropy figure rises above the threshold, the process is judged to be ransomware and isolated, and its pattern data is uploaded to 'ZombieZERO Manager'. The Manager then shares the pattern data with the other PCs that have 'EDR for Ransomware' installed, so they block the same ransomware before infection.


Ransomware Response Method 2) Blocking unauthorized programs

  • Detects and blocks unauthorized programs that manipulate files.
  • Installed at the I/O driver level to avoid conflicts with other programs, so it is stable and keeps the PC's resource usage low.
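Method 1 (entropy rise plus behavior categories) and Method 2 (an unauthorized program touching protected files) can be combined into one per-process score. The block below is an added illustration written for this page, not npcore's detection engine, and it runs in user space over a constructed stream of file-write events rather than from a driver. The protected-extension whitelist, the authorized-program list, both thresholds, the score weights, the ransom-note marker string and the `used_crypto_api` flag (standing in for an API hook) are all assumptions chosen for the example.

```python
"""Per-process ransomware scoring over file-write events (added example)."""
import math
import os
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

PROTECTED_EXT = {".docx", ".xlsx", ".pdf", ".jpg", ".png"}  # assumed extension whitelist
AUTHORIZED = {"winword.exe", "excel.exe", "explorer.exe"}     # assumed programs allowed on them
ENTROPY_THRESHOLD = 7.2  # bits/byte; encrypted or compressed data sits near 8.0
SCORE_THRESHOLD = 8      # assumed tuning value, not the product's


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class WriteEvent:
    process: str
    old_path: str     # path before the write or rename
    new_path: str     # path after it (differs on rename)
    old_bytes: bytes  # content before the write
    new_bytes: bytes  # content after the write
    used_crypto_api: bool = False  # assumed hook: an encryption API was observed


@dataclass
class Verdict:
    process: str
    score: int
    reasons: List[str]
    blocked: bool


class RansomwareDetector:
    """Accumulates a score per process; a verdict is returned for every event."""

    def __init__(self) -> None:
        self.score: Dict[str, int] = defaultdict(int)
        self.reasons: Dict[str, List[str]] = defaultdict(list)

    def observe(self, ev: WriteEvent) -> Verdict:
        proc = ev.process.lower()
        old_ext = os.path.splitext(ev.old_path)[1].lower()
        new_ext = os.path.splitext(ev.new_path)[1].lower()
        reasons: List[str] = []

        # Method 2: an unauthorized program manipulating a protected file type
        if old_ext in PROTECTED_EXT and proc not in AUTHORIZED:
            reasons.append("unauthorized process on protected file")
            self.score[proc] += 2

        # Method 1: entropy of the written content rose sharply (plaintext -> ciphertext)
        new_entropy = shannon_entropy(ev.new_bytes)
        delta = new_entropy - shannon_entropy(ev.old_bytes)
        if new_entropy >= ENTROPY_THRESHOLD and delta > 1.0:
            reasons.append(f"entropy rose by {delta:.1f} bits/byte")
            self.score[proc] += 2
        if new_ext != old_ext:  # file-manipulation category: extension changed
            reasons.append(f"extension changed {old_ext} -> {new_ext}")
            self.score[proc] += 1
        if ev.used_crypto_api:  # encryption-API category
            reasons.append("encryption API used")
            self.score[proc] += 1
        if b"YOUR FILES HAVE BEEN ENCRYPTED" in ev.new_bytes.upper():  # signature category
            reasons.append("ransom-note marker present")
            self.score[proc] += 1

        self.reasons[proc].extend(reasons)
        blocked = self.score[proc] >= SCORE_THRESHOLD  # "number of encryptions" accumulates
        return Verdict(proc, self.score[proc], list(self.reasons[proc]), blocked)


def demo() -> Dict[str, Verdict]:
    """One benign save by Word, then two encrypt-and-rename writes by an unknown process."""
    plain = b"Quarterly report: revenue grew 4 percent; headcount flat.\n" * 60
    cipher = bytes(range(256)) * 16  # constructed stand-in for ciphertext (exactly 8.0 bits/byte)
    det = RansomwareDetector()
    benign = det.observe(WriteEvent("winword.exe", "C:/docs/q3.docx", "C:/docs/q3.docx",
                                    plain, plain + b"Appendix added.\n"))
    first = det.observe(WriteEvent("svchost32.exe", "C:/docs/q3.docx", "C:/docs/q3.docx.locked",
                                   plain, cipher, used_crypto_api=True))
    second = det.observe(WriteEvent("svchost32.exe", "C:/docs/q4.xlsx", "C:/docs/q4.xlsx.locked",
                                    plain, cipher, used_crypto_api=True))
    return {"benign": benign, "first": first, "second": second}


if __name__ == "__main__":
    for name, v in demo().items():
        print(name, v)
```

The first malicious write already trips four categories (score 6) but stays below the block threshold; the second write on another protected file pushes the same process to 12 and it is blocked, which is the "number of encryptions" behavior the text describes. A real deployment would tune the weights against its own file population, since legitimately compressed or already-encrypted files also score high on entropy alone.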


Data backup methods (2 types)

  • Type A stores the backup data on each PC's local drive; Type B stores it on the central storage server.


Minimum requirements for ZombieZERO EDR for Ransomware installation

Item             Endpoint                   Manager
CPU              Dual-core or higher        Xeon 2.4 GHz or higher
Memory           4 GB or more               32 GB or more
HDD free space   500 MB or more             256 GB or more
File system      NTFS / FAT32               (not specified)
OS               Windows XP or later        Windows XP or later
NIC              100/1000 Mbps or faster    1 Gbps, 2 ports or more