Ransomware has been in the news again lately, with an FBI agent being quoted (out of context) as saying that if you fall prey to ransomware you should just pay to get your data back. The critical missing context is that the cost of getting your data back may literally exceed the GDP of many countries. Ransomware uses high-strength encryption — the very encryption that protects your information when you go shopping or banking online — to modify your data in such a way that the attackers can easily restore it, but recovering it would cost anyone else billions of dollars' worth of computers and centuries of time.
Backups can be very useful in recovering from ransomware; in fact, they’re the only way to recover other than paying the attackers. Unfortunately, even with the best of backup systems, restoring is disruptive and time-consuming. Even worse, if your backup servers are accessible from an infected machine, the backups themselves may get encrypted, rendering them unusable!
A better approach to ransomware is, obviously, to avoid being infected in the first place. Since most ransomware comes from websites, one option would be to just not use the Internet, but that’s not a reasonable choice for most people. Unfortunately, just avoiding less reputable sites isn’t a viable defense either, since the attacks frequently come from compromised ad delivery networks. Fortunately, browser virtualization can provide excellent protection by preventing the browser from having any access to your file system at all. If you do get hit by ransomware in your virtualized browser, the only files that it can encrypt are the worthless ones in the virtual machine, which will be destroyed as soon as you close the browser anyway. Though that cuts down on the risk dramatically, it doesn’t entirely eliminate it, as the ransomware may have a worm component that seeks out and attacks other machines on the network using different attack strategies. That’s why the best virtualized browsers, like Passages, also segregate the browser from your local network, ensuring that nothing but the browser’s virtual machine is ever exposed.
To see how much protection Passages offers against ransomware, let’s walk through an example attack. A user browsing the Internet visits a site and is attacked with a 0-day, served up from an ad network, that installs ransomware on the VM. The ransomware then attempts to encrypt all of the documents that it can find, but the VM has no information stored locally. After failing to encrypt the local information, the ransomware tries to spread to other systems on the network, but is halted by the protections that Passages puts into place to keep any network traffic to or from the VM isolated from the user’s network. Any other machines on the network are invisible to the VM. Having been stymied in its attempts to spread, the ransomware then goes into a semi-dormant state in the hopes that its environment will change to give it a chance to spread or corrupt documents. Instead, the user ends the browsing session, which destroys the VM and eliminates the persistent threat of the ransomware along with it. By using Passages for all web browsing, our user has made it unscathed through an attack by very sophisticated ransomware.