Question method of detecting (and preventing) data encryption processes

wpshooter

Golden Member
Mar 9, 2004
I have done SOME but not a LOT of searching YET, but so far I have not been able to find any info on whether it is possible and, if so, how one would both detect and prevent data being written to a storage device from being encrypted (perhaps I am phrasing the search incorrectly), i.e. block any attempts at encrypting data write processes. I have found many articles regarding if, when & how to encrypt data but none saying if it is possible to detect and block such a process.

The only thing that I have found is this, which seems (if I am understanding it correctly) to be at least somewhat related:



Is there currently such an animal which will detect & block data encryption processes ???

Thanks.
 

fcorbelli

Junior Member
May 26, 2021
Perhaps it is possible by some heuristic analysis of the number of files overwritten in a certain period of time.
However, it would require extensive support from the operating system which, at present, I don't think exists.

It is not realistically possible to prevent encryption; it is worth having very resilient recovery mechanisms.
 
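A toy version of the overwrite-rate heuristic described in the reply above, written as an added example for this thread (it is not code from any product or poster mentioned here). It assumes a feed of per-process file-write events, such as an EDR or filesystem filter would supply, and all events, process names and paths below are constructed:

```python
import math
from collections import defaultdict, deque

# Constructed stand-in for ciphertext: every byte value equally frequent, 8 bits/byte of entropy.
CIPHER_LIKE = bytes(range(256)) * 4
TEXT_LIKE = b"Quarterly report draft: revenue up, costs flat, see table 2." * 8

# Constructed file-write events (seconds, process, path, bytes written); not real telemetry.
EVENTS = (
    [(0.5, "winword.exe", "C:/Users/a/report.docx", TEXT_LIKE)]
    # an archiver writing one big compressed file: high entropy, but a single path
    + [(1.0 + i, "7z.exe", "C:/Users/a/backup.7z", CIPHER_LIKE) for i in range(8)]
    # a process rewriting many distinct documents with ciphertext-like bytes within seconds
    + [(20.0 + i * 0.5, "suspect.exe", f"C:/Users/a/docs/file{i}.xlsx", CIPHER_LIKE) for i in range(6)]
    # the same number of files spread over minutes stays under the window threshold
    + [(100.0 + i * 15, "slowtool.exe", f"C:/Users/a/out/{i}.bin", CIPHER_LIKE) for i in range(6)]
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext and compressed data sit near 8, text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window_s=10.0, min_files=5, min_entropy=7.0):
    """Alert once per process that writes high-entropy content to >= min_files distinct
    paths within any window_s-second window. Entropy alone would flag archivers and
    backup tools too, so the distinct-file rate is what separates them from ransomware."""
    recent = defaultdict(deque)  # process -> deque of (time, path) for high-entropy writes
    alerts = []  # (process, distinct files in window, time of alert)
    flagged = set()
    for t, proc, path, data in sorted(events):
        if shannon_entropy(data) < min_entropy:
            continue  # plaintext-looking write, ignore
        q = recent[proc]
        q.append((t, path))
        while q and t - q[0][0] > window_s:
            q.popleft()  # drop writes that fell out of the sliding window
        distinct = {p for _, p in q}
        if len(distinct) >= min_files and proc not in flagged:
            flagged.add(proc)
            alerts.append((proc, len(distinct), t))
    return alerts
```

Tuning the window and file threshold is the trade-off the later replies mention: tighter values catch slower encryptors but start flagging legitimate bulk tools.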

thecoolnessrune

Diamond Member
Jun 8, 2005
Yes, anti-ransomware detection is a big deal in antivirus right now. For instance, Kaspersky's AV will look for and block heuristics that resemble Ransomware activity.

The ones that have aggressive prevention behavior are Enterprise level centrally managed solutions, such as VMware Carbon Black Endpoint Protection. That's because aggressive prevention policies prevent the most ransomware attacks, but are also most likely to interrupt the day to day use of the system without extensive tuning. Thus, a central security management team is usually maintained to triage and address the false positives, and take immediate action on positives (such as Network isolation).
 

wpshooter

Golden Member
Mar 9, 2004
Thanks for your reply.

Then how are the Russia "based ???" hackers managing to capture USA systems?

Is it that they are more sophisticated than the US anti-attack software, or is it that these companies which are getting attacked either do not avail themselves of the best of the defensive security software, or is it that they are not utilizing such software correctly and 100% of the time?
 

thecoolnessrune

Diamond Member
Jun 8, 2005
It's a number of factors including the last two you mentioned. Lots of businesses out there do not run themselves like they're the NSA. IT is viewed as a cost to minimize as much as possible. Sacrifices are made either at the technology level, or at the personnel level to deal with threats (and the technical debt involved with defending against threats). Backups aren't taken. Disaster Recovery isn't codified and tested. All save costs that make managers happy until their company is hit.

At the end of the day, the weak point is almost always people. A random person opening an E-mail link to a spreadsheet with Macros because their brain is on autopilot, and it seeks out a linked file share that often isn’t running any heuristics scanning because “it’s only accessible inside the network.”

The irony in it is that the more you try to lock this down, the more frustrating it is for end users to get work done, and therefore, the more your users will work to get around said restrictions, whether it’s attempting to install additional programs or simply being too liberal with the copy / paste into Notepad.

It will always be a cat / mouse game, which is why a solid Backup and Disaster Recovery plan is so critical.