In the past, ransomware attacks typically targeted a single computer or a restricted network. When an employee clicked on a link, they would unknowingly download malware that would then encrypt the computer or server. Restoring from a backup often helped resolve the issue.
Ransomware attacks are one of the most pressing threats for organizations today. The more ransoms are paid to restore data, the more cybercriminals are encouraged to intensify their efforts to compromise and undermine corporate environments.
The Minerva solution was developed to allow any organization to preemptively avoid modern cyber threats, regardless of your team's size, skill set, and tool set. Minerva's endpoint solution is backed by 3 cyber patents and 5 patents pending approval.
The Minerva solution protects servers and workstations from threats that would have circumvented other security measures, such as modern antivirus. It protects without scanning files or processes. Instead, it relies on the Minerva Simulation Engine to selectively hide or reveal relevant artifacts, or to fool the malware so that it never achieves its goal.
Benefits of the Minerva solution:
• Reduce more than 90% of the threats your team handles
• Complete browser isolation
• Malware protection for ATMs
• Protection against ransomware
• Memory injection prevention
• Prevention against Living off the land attacks
• Prevention of malicious documents
• Operation on legacy systems
• No prerequisites
• No reboot
• No downtime
Hostile environment simulation
It simulates environments such as analysis sandboxes that malware is typically designed to avoid. This module tricks the threat into disabling itself because it "believes" the environment is not safe to launch in.
Memory injection prevention
Ransomware often evades detection by injecting malicious code into legitimate applications or operating system components. This approach allows malware to bypass security mechanisms such as traditional antivirus, application whitelisting, and personal firewalls. Memory injection is often used by malware that is sometimes considered fileless, because in such cases attackers avoid putting recognizable malicious code on the file system.
Prevention of malicious documents
Interrupts or disarms malicious documents that try to abuse resources such as macros, scripts and built-in tools. This module allows users to benefit from the full features of modern applications without worrying about infections.
Protection against ransomware
It intercepts attempts to destroy documents by placing protected files in a cache that Minerva maintains on the endpoint. This module allows users to recover affected files without relying on backup solutions or paying a ransom.
Simulates infection markers to trick the malware into believing it is already on the system. This module makes the corresponding threat shut down to avoid infecting the same environment more than once.
Browser isolation
Protects users from browser-based attacks. This module allows users to browse safely.
Prevention against Living off the land attacks
It interferes with attempts to misuse system-integrated tools to cause damage without using classic forms of malware. This module prevents threats from using these tools as "stepping stones" to infect the endpoint or cause harm.
Simulates the existence of artifacts, such as sensitive files, that attackers and their tools might try to access. This module makes it possible to detect and interfere with attacks, even if they bypass other defenses.
Protection of critical assets
It hides sensitive files, processes and other artifacts to prevent attackers or their malware from collecting credentials (or other sensitive data) even if the threat finds a way to run on the system.
It collects activity from local processes to accommodate forensic analysis, threat hunting and other system investigations. This module also provides visibility into the endpoint's security posture.
Use Minerva's centralized management capabilities to monitor, configure, and remediate the state of third-party antivirus products (e.g., Windows Defender Antivirus) that form the foundation of your endpoint protection.
These modules work together to reinforce each other. Minerva can supply them as part of a single, unified solution for your corporate customers.
How Minerva Prevented Highly Sophisticated Attacks related to SolarWinds in August 2020
1. The attacker added empty classes to the SolarWinds code. The malicious code was added just before the SolarWinds code was signed. The backdoor had only 4,000 lines of code and ran on a separate thread so as not to interfere with the legitimate application.
2. SolarWinds updates that included the malware were available for download from March to June 2020. The malicious update was deployed to over 18,000 SolarWinds customers.
3. The malware waited 12 to 14 days. Then, to AVOID detection, it performed a set of environmental tests (queries) BEFORE execution, such as:
• Are there forensic tools?
• Is there a Russian keyboard installed?
• Are there specific security tools?
• Are there files named “malware”?
• And many other avoidance techniques.
4. Once the environment checks pass, the malware starts distributing itself (and potentially new code) across the network through PowerShell to gain the large foothold it needs.
5. On each new device, the malware performs an attack through the SolarWinds plugin called Orion Improvement Program. All data collected by the malware are saved in this plugin's configuration files. In some cases, the attacker used Cobalt Strike as part of the second attack stage.
6. 2FA / SSO bypass for 0 days and privilege escalation
7. The malware runs a completely unknown tool (written for this campaign) that runs in memory only (living off the land).
8. The attacker now owns the endpoints and the network and can perform any type of attack. At some point, the damage becomes visible. It was at this point that FireEye realized something had gone wrong and opened the investigation.
Minerva's solution stopped this attack as of August 2020, 4 months ahead of other vendors.
As detailed in the FireEye report, the malicious backdoor refuses to function when certain blacklisted processes are present in the operating system, proving once again the effectiveness of Minerva's approach and of the Hostile Environment Simulation module that is a key part of the prevention platform. Minerva stops threats before they run: thousands of these artifacts simulate the presence of security and forensic tools, creating an environment in which the malware refuses to execute.
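The following is an added example, not Minerva's code and not taken from the FireEye report. It models the behaviour described above and in the numbered steps: the malware queries the host for forensic tools, security tools, files named "malware", a Russian keyboard layout and an infection marker before running, and a defender-side simulation plants those artifacts so that the payload aborts, while every lookup of a decoy is recorded as a detection event. All tool names, file paths, the marker name and the host contents are constructed for the example; real samples typically store such blocklists as hashes rather than the plain strings used here.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    """Minimal model of an endpoint: the artifacts a pre-execution check can query."""
    processes: set
    files: set
    keyboard_layouts: set
    markers: set
    lookups: list = field(default_factory=list)  # every artifact the check asked about

    def process_present(self, name):
        self.lookups.append(("process", name))
        return name.lower() in {p.lower() for p in self.processes}

    def file_present(self, fragment):
        self.lookups.append(("file", fragment))
        return any(fragment.lower() in f.lower() for f in self.files)

    def layout_present(self, layout):
        self.lookups.append(("keyboard", layout))
        return layout in self.keyboard_layouts

    def marker_present(self, marker):
        self.lookups.append(("marker", marker))
        return marker in self.markers


# Constructed stand-ins for the page's "forensic tools", "security tools",
# "files named malware", "Russian keyboard" and infection-marker tests.
FORENSIC_TOOLS = ("procmon.exe", "wireshark.exe", "autoruns.exe")
SECURITY_TOOLS = ("hypothetical_edr_agent.exe",)   # hypothetical name
SUSPICIOUS_FILE_FRAGMENT = "malware"
AVOIDED_LAYOUT = "ru-RU"
INFECTION_MARKER = r"Global\constructed_marker"     # hypothetical mutex-style name


def malware_decision(host):
    """Malware-side logic: abort if the environment looks hostile or already infected."""
    if any(host.process_present(p) for p in FORENSIC_TOOLS + SECURITY_TOOLS):
        return "abort: hostile environment"
    if host.file_present(SUSPICIOUS_FILE_FRAGMENT) or host.layout_present(AVOIDED_LAYOUT):
        return "abort: hostile environment"
    if host.marker_present(INFECTION_MARKER):
        return "abort: already infected"
    return "run"


# Constructed decoys the defender plants; they only need to satisfy the lookups above.
DECOYS = {
    "processes": {"procmon.exe", "wireshark.exe"},
    "files": {r"C:\analysis\malware_samples\readme.txt"},
}


def simulate_hostile_environment(host, decoys=DECOYS):
    """Defender side: make the host look like an analysis box."""
    host.processes |= decoys["processes"]
    host.files |= decoys["files"]
    return host


def simulate_infection_marker(host):
    """Defender side: pretend the malware is already present."""
    host.markers.add(INFECTION_MARKER)
    return host


def decoy_hits(host, decoys=DECOYS):
    """Detection: lookups that touched a decoy actually planted on this host."""
    planted_procs = {p.lower() for p in decoys["processes"] & host.processes}
    planted_files = decoys["files"] & host.files
    hits = []
    for kind, name in host.lookups:
        if kind == "process" and name.lower() in planted_procs:
            hits.append((kind, name))
        elif kind == "file" and any(name.lower() in f.lower() for f in planted_files):
            hits.append((kind, name))
    return hits


def run_scenario(hostile=False, marker=False):
    """Build a constructed clean host, optionally apply the simulations, run the check."""
    host = Host(processes={"explorer.exe", "svchost.exe"},
                files={r"C:\Users\alice\report.docx"},
                keyboard_layouts={"en-US"},
                markers=set())
    if hostile:
        simulate_hostile_environment(host)
    if marker:
        simulate_infection_marker(host)
    return {"decision": malware_decision(host), "decoy_hits": decoy_hits(host)}


if __name__ == "__main__":
    for name, kwargs in [("clean", {}), ("hostile", {"hostile": True}), ("marker", {"marker": True})]:
        print(name, run_scenario(**kwargs))
```

On the clean host the payload runs; with the hostile simulation it aborts at the first process lookup, and that lookup of a planted decoy is the detection signal even though no signature matched anything. The infection-marker path shows the second abort reason separately.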
Below are two examples of an avoided memory injection attack, as shown in the Minerva interface, for the attack via SolarWinds.
Century Data is a company that helps its clients on the path of digital transformation by promoting technologies that enable the creation of new lines of business. We offer innovative solutions, specialized products and services, driven by the demand of business and technology areas.
All rights reserved to Century Data Tecnologia da Informação LTDA