July 4

Cato’s Ransomware Lab Births Network-based Ransomware Prevention


As you might have heard, Cato introduced network-based ransomware protection in June. Using machine learning algorithms and the deep network insight of the Cato SASE Cloud, they’re able to detect and prevent the spread of ransomware across networks without having to deploy endpoint agents. Infected machines are identified and immediately isolated for remediation.

Of course, this isn’t Cato's first foray into malware protection. Cato's multilayered malware mitigation strategy disrupts attacks at several stages of the MITRE ATT&CK framework. Cato's antimalware (AM) engine prevents the distribution of malware in general, and Cato IPS detects anomalous behaviors seen throughout the cyber kill chain. Cato also uses IPS and AM to detect and prevent the MITRE ATT&CK techniques used by common ransomware groups, spotting an attack before it reaches the impact phase. As part of this strategy, Cato security researchers track the techniques used by ransomware groups, update Cato's defenses, and protect enterprises against exploitation of known vulnerabilities in record time.

To get a better sense of what Cato's ransomware protections bring, check out the video below:

What’s being introduced are heuristic algorithms specifically designed to detect and interrupt ransomware. The machine-learning heuristic algorithms inspect live SMB traffic flows for a combination of network attributes including:

  • File properties such as specific file names, file extensions, creation dates, and modification dates,
  • Shared volumes access data such as metrics on users accessing remote folders,
  • Network behavior such as creating certain files and moving across the network in particular ways, and
  • Time intervals such as encrypting whole directories in seconds.

Once found, Cato automatically blocks SMB traffic from the source device, preventing lateral movement or file encryption, and notifies the customer.
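The detection approach described above, as an added example that is not Cato's code and does not reflect how the Cato SASE Cloud implements its heuristics: a sliding-window detector over SMB file-operation events that scores the same kinds of attributes the post lists (file names and extensions, folders touched, and how many files change within seconds) and, for a host that trips the thresholds, returns a verdict to block SMB from that source and notify. The event line format, the sample events, the thresholds, and the alert field names are all constructed for this illustration; a real deployment would derive the events from SMB traffic or file-server audit logs and tune the thresholds against its own baseline.

```python
"""Sliding-window heuristic over SMB file-operation events (constructed example).

Each event is one whitespace-separated line in a made-up format:
<ISO-8601 timestamp> <source host> <user> <CREATE|WRITE|RENAME> <UNC path>
For RENAME the path is the new name.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import re

WINDOW = timedelta(seconds=10)  # "encrypting whole directories in seconds"
MIN_FILES = 5                   # distinct files written/renamed inside one window
MIN_DIRS = 3                    # distinct folders touched inside one window
# A second extension appended to an existing one, e.g. budget.xlsx.locked
DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]{2,5}\.[A-Za-z0-9]{2,8}$")

# Constructed sample: ws-17 rewrites and renames files across three folders in
# a few seconds and drops the same file name in each; ws-22 is ordinary work.
SAMPLE_EVENTS = r"""
2024-06-01T10:00:00 ws-22 bob WRITE \\fs01\sales\notes.docx
2024-06-01T10:00:02 ws-17 alice WRITE \\fs01\finance\q2\budget.xlsx
2024-06-01T10:00:02 ws-17 alice RENAME \\fs01\finance\q2\budget.xlsx.locked
2024-06-01T10:00:03 ws-17 alice WRITE \\fs01\finance\q2\forecast.xlsx
2024-06-01T10:00:03 ws-17 alice RENAME \\fs01\finance\q2\forecast.xlsx.locked
2024-06-01T10:00:03 ws-17 alice CREATE \\fs01\finance\q2\RESTORE_FILES.txt
2024-06-01T10:00:04 ws-17 alice WRITE \\fs01\finance\q3\plan.docx
2024-06-01T10:00:04 ws-17 alice RENAME \\fs01\finance\q3\plan.docx.locked
2024-06-01T10:00:04 ws-17 alice CREATE \\fs01\finance\q3\RESTORE_FILES.txt
2024-06-01T10:00:05 ws-17 alice WRITE \\fs01\hr\policies\handbook.pdf
2024-06-01T10:00:05 ws-17 alice RENAME \\fs01\hr\policies\handbook.pdf.locked
2024-06-01T10:00:06 ws-17 alice WRITE \\fs01\hr\policies\onboarding.pdf
2024-06-01T10:00:06 ws-17 alice RENAME \\fs01\hr\policies\onboarding.pdf.locked
2024-06-01T10:00:06 ws-17 alice CREATE \\fs01\hr\policies\RESTORE_FILES.txt
2024-06-01T10:03:00 ws-22 bob WRITE \\fs01\sales\notes.docx
2024-06-01T10:05:00 ws-22 bob CREATE \\fs01\sales\pipeline.xlsx
"""


def parse_events(text):
    """Turn the constructed line format into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, op, path = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "op": op, "path": path})
    return events


def window_features(events):
    """Summarise one host's events that fall inside a single time window."""
    touched = {e["path"] for e in events if e["op"] in ("WRITE", "RENAME")}
    dirs = {ntpath.dirname(e["path"]) for e in events}
    double_ext = sum(1 for e in events if e["op"] == "RENAME"
                     and DOUBLE_EXT.search(ntpath.basename(e["path"])))
    created_in = defaultdict(set)  # file name -> folders it was created in
    for e in events:
        if e["op"] == "CREATE":
            created_in[ntpath.basename(e["path"])].add(ntpath.dirname(e["path"]))
    repeated = max((len(d) for d in created_in.values()), default=0)
    return {"distinct_files": len(touched), "distinct_dirs": len(dirs),
            "double_extension_renames": double_ext,
            "same_name_created_in_dirs": repeated}


def analyze_events(text, window=WINDOW):
    """Return {host: alert} for every source host whose activity trips the heuristics."""
    by_host = defaultdict(list)
    for e in parse_events(text):
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            f = window_features(span)
            reasons = []
            if f["double_extension_renames"] >= 3:
                reasons.append("mass rename appending a new extension")
            if f["same_name_created_in_dirs"] >= 2:
                reasons.append("identical file name dropped in multiple folders")
            # Volume and spread alone are not enough; require a content signal too.
            if f["distinct_files"] >= MIN_FILES and f["distinct_dirs"] >= MIN_DIRS and reasons:
                alerts[host] = {"action": "block_smb_from_source", "notify": True,
                                "window_start": start["ts"].isoformat(),
                                "users": sorted({e["user"] for e in span}),
                                "reasons": reasons, **f}
                break  # first triggering window is enough to isolate the host
    return alerts


if __name__ == "__main__":
    for host, alert in analyze_events(SAMPLE_EVENTS).items():
        print(host, alert)
```

The thresholds combine a rate signal (many files and folders inside a ten-second window) with a content signal (extension changes or the same file name appearing in many folders), so that a user copying a project tree or a backup job writing many files does not trigger an isolation on volume alone. Tuning those numbers against a site's normal file-server activity is what turns the sketch into something usable.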

The work comes out of Cato's ransomware lab project, started several months ago. The lab uses a standalone network within Cato in which the team reproduces the ransomware infections seen in real-life organizations.

“We execute them in the lab to understand how they do their encryptions, what file properties they change, and other parts of their operations and then we figure out how to optimize our heuristics to detect and prevent them,” says Tal Darsan, manager of managed security services at Cato.

So far, the team has dug into more than a dozen ransomware families, including Black Basta, Conti, and Avos Locker.

To learn more about Cato Networks, their services, or to get started protecting your business today, give us a call at (781) 235-5520 or contact us here.


Source: By Dave Greenfield for Cato Networks