Dubbed by many as the “Year of Ransomware”, 2017 provided us with a very important and dangerous evolution to how these attacks make their way to your endpoints. The Cisco 2018 Annual Cybersecurity Report warns that “defenders should prepare to face new, self-propagating” attacks, like those we saw in WannaCry and Nyetya. As attackers make their malware even more potent by combining it with worm-like functionality, they have essentially eliminated the need for the human element in launching ransomware campaigns. And for some adversaries, the prize isn’t monetary, but the destruction of systems and data.

Although the technique used to land these threats on your endpoints has evolved, the core behavior of ransomware remains unchanged. Once detonated, there are certain tell-tale signs that indicate the threat we are up against is ransomware, including the encryption or deletion of files on the endpoint.

If we know how ransomware behaves, why don’t we just block these processes when we start to see them?

We asked the same question, and our engineers responded with Malicious Activity Protection, a new engine for AMP for Endpoints, designed to stop malware from encrypting a host. With malicious activity protection, your endpoints (both online and offline) are protected against ransomware, regardless of how it was detonated or how it got onto your endpoints.

How does it work?

Our new engine monitors process and disk activity for specific behaviors associated with key stages in ransomware execution, as seen in the figure above, beginning with file download and execution and continuing through to file encryption. When a process begins to exhibit those behaviors, malicious activity protection terminates it. Gone are the days of a ransomware attack encrypting all of the files in your network.
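To make the behavior-based approach concrete, here is an added illustration (not Cisco's code, and not the engine's actual rules or thresholds) of the kind of logic such an engine applies: it replays a constructed stream of per-process file events, scores the two behaviors the text names (high-entropy overwrites of user data and deletion or renaming of the original documents) over a short sliding window, and marks a process for termination once its score crosses a threshold. The window length, score threshold, entropy cutoff, monitored paths and extension list are all assumed values chosen for the example, and the process names and paths in the sample are constructed.

```python
import math
from collections import defaultdict, deque

# Tunables: assumed values for this illustration, not the product's own settings.
WINDOW_S = 5.0           # sliding window over which suspicious actions are counted
KILL_SCORE = 6           # points within the window that trigger termination
HIGH_ENTROPY = 7.0       # bits per byte; encrypted (or compressed) output sits near 8.0
USER_DATA_ROOTS = ("C:/Users/",)                    # where a user's files live
DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def score_event(op: str, path: str, data) -> int:
    """Points one file event contributes to a process's ransomware-behavior score."""
    in_user_data = path.startswith(USER_DATA_ROOTS)
    if op == "write" and in_user_data and shannon_entropy(data) >= HIGH_ENTROPY:
        return 1  # ciphertext-looking content written over user data
    if op in ("delete", "rename") and in_user_data and _ext(path) in DOC_EXTS:
        return 1  # original document removed or renamed, typical after encryption
    return 0


def scan(events):
    """Replay events in time order. Returns {pid: (name, trigger_time)} for every
    process that would be terminated; its later events are dropped, as a killed
    process would never perform them."""
    windows = defaultdict(deque)  # pid -> deque of (time, points) inside the window
    terminated = {}
    for t, pid, name, op, path, data in sorted(events, key=lambda e: e[0]):
        if pid in terminated:
            continue
        pts = score_event(op, path, data)
        if not pts:
            continue
        win = windows[pid]
        win.append((t, pts))
        while win and t - win[0][0] > WINDOW_S:
            win.popleft()  # forget actions that fell out of the window
        if sum(p for _, p in win) >= KILL_SCORE:
            terminated[pid] = (name, t)
    return terminated


# Constructed sample data. CIPHERTEXT has every byte value equally often, so its
# entropy is exactly 8.0; PLAINTEXT is ordinary English text, well under 7.0.
CIPHERTEXT = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat. " * 20

SAMPLE_EVENTS = [  # (time_s, pid, process, op, path, written_bytes_or_None)
    # A word processor saving one document: low entropy, no deletions of documents.
    (0.0, 1001, "winword.exe", "write", "C:/Users/ann/Documents/report.docx", PLAINTEXT),
    (0.1, 1001, "winword.exe", "delete", "C:/Users/ann/Documents/~WRL0001.tmp", None),
    # Stage one: an unknown binary executes from a temp directory (no points by itself).
    (1.0, 2002, "svc_update.exe", "exec", "C:/Users/ann/AppData/Local/Temp/svc_update.exe", None),
    # Stage two: it rapidly writes ciphertext and deletes the originals.
    (1.2, 2002, "svc_update.exe", "write", "C:/Users/ann/Documents/report.docx.enc", CIPHERTEXT),
    (1.3, 2002, "svc_update.exe", "delete", "C:/Users/ann/Documents/report.docx", None),
    (1.4, 2002, "svc_update.exe", "write", "C:/Users/ann/Documents/budget.xlsx.enc", CIPHERTEXT),
    (1.5, 2002, "svc_update.exe", "delete", "C:/Users/ann/Documents/budget.xlsx", None),
    (1.6, 2002, "svc_update.exe", "write", "C:/Users/ann/Pictures/photo.jpg.enc", CIPHERTEXT),
    (1.7, 2002, "svc_update.exe", "delete", "C:/Users/ann/Pictures/photo.jpg", None),
    (1.8, 2002, "svc_update.exe", "write", "C:/Users/ann/Documents/notes.txt.enc", CIPHERTEXT),
    (1.9, 2002, "svc_update.exe", "delete", "C:/Users/ann/Documents/notes.txt", None),
    # A backup tool writing a compressed archive outside user data: high entropy, not scored.
    (3.0, 3003, "backup.exe", "write", "D:/Backups/daily.zip", CIPHERTEXT),
]

if __name__ == "__main__":
    for pid, (name, when) in scan(SAMPLE_EVENTS).items():
        print(f"terminate pid {pid} ({name}) at t={when}s")
```

Running the block terminates only pid 2002, at t=1.7s, once three ciphertext writes and three document deletions have accumulated; three of the user's files have already been replaced by then, which is the inherent cost of waiting for behavior to show itself that the next section discusses. The benign editor and the backup tool never reach the threshold, but the rules are deliberately simple: a real engine also has to cope with legitimate tools that rewrite many user files quickly, such as archivers, sync clients or disk encryption, which is why the threshold and the exempted paths matter as much as the rules themselves.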

Is it fast enough?

With behavior-based protection, there is an inherent delay before a process can be terminated. We must first see a behavior occur, such as a file opening and the ransomware code beginning to execute, to be certain it is malicious. Then we take action. The engine is precisely tuned to detect ransomware at the earliest possible stages. This means that when ransomware hits, you experience far less damage.

What if I’m not online?

As ransomware has evolved, it has become more self-reliant. It can begin encrypting files and propagate without the need to call home or reach out to the Internet. On average, we see ransomware encrypting machines in under 22 seconds. In these cases, even taking your endpoints offline can’t prevent the threat from spreading within your environment.

Like many features within AMP for Endpoints, malicious activity protection runs both online and offline. When online, telemetry and event data are sent to the cloud for live alerting. When offline, that same data is logged locally to the system events to ensure no data around the threat is lost. This means that no matter where your endpoints are or what kind of network connectivity they have, they are always protected against ransomware.

Ever-evolving endpoint protection

We know adversaries are motivated, creative, and relentless with their work – but they’re no match for the teams of engineers, threat researchers, and data scientists that back AMP for Endpoints. These teams ingest millions of emails, malware samples, and network intrusion events daily. Their threat intelligence is used to better understand new threat variants and develop protection against them, including our new malicious activity protection engine. This constant evolution of protection and detection has led to a protection lattice made up of over a dozen different engines designed to protect you from even the most advanced threats.

Want to see more about how the malicious activity protection works? Watch this video. If you’re ready to experience the most comprehensive endpoint protection in the industry, click here for our free trial.

Neil Patel

Technical Product Marketing Manager

Advanced Threat Solutions Portfolio