This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Arun_R
Collaborator
‎2017-10-13 12:41 AM

How to prevent business premises from RedBoot ransomware attack?

Hi Team,

Has anyone have any idea about RedBoot ransomware and how to prevent it by using IPS/Anti-bot/Anti-Virus blade's:

Is any specific protection/Signature needs to prevent in order to avoid such issues on business premises?

Regards,

Arun.R (Hari)

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2017-10-13 08:45 AM

First of all, this is probably a better question for the Threat Prevention‌ space.

Second, Ransomware such as RedBoot is really a great example of why you need multiple layers of protection.
While IPS, Anti-Virus, and Anti-Bot are great technologies, they are not enough to stop Ransomware.

Any number of things could potentially deliver the RedBoot payload to a customer--things which could surely be blocked by AV if it's a known variant.

However, it's trivial to make any known variant unknown, reducing the efficacy of AV. 

Since there's no "phone home" element to this ransomware/wiper, Anti-Bot or IPS wouldn't see anything.

If the payload is delivered as a Microsoft Office or PDF doc (which is fairly common), then Threat Emulation would surely catch it.

Threat Extraction would strip out these unsafe elements so the end user would never see them.

If on the off chance Threat Emulation/Extraction didn't catch it, then Check Point's AntiRansomware on the endpoint would stop it and quickly undo the damage.

0 Kudos
Pablo_Barriga
Advisor
‎2017-10-15 05:30 PM

Hello Arun there isn't a signature to prevent that infection  for now on any of those blades, the next step should be to incorporate the threat emulation technology on the gateway or in the endpoint with Sandblast Agent.

We are recommending our customer to have their computes up to date, to configure the shadow copy on their machines to have several copies of their information or at least have a procedure to have a backups once a day, also to be more stricted on the URL or categories that the users can access, for example block uncategorized sites or block high risk sites, also on the antivirus block unusual file extention using the Files Types feature to block some files.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events