Leading Cloud Service Providers and Majority of AV Engines Failed to Detect New Ransomware Variant
Cloud Access Security Brokers (CASBs) provide visibility into the cloud. Some CASBs provide malware protection. Some clouds provide malware protection. Bitglass analyzed the efficacy of cloud-only protection by scanning the files of its customers that had not implemented its own Advanced Threat Protection (actually Cylance).
Bitglass scanned tens of millions of customer files and found (PDF) a remarkably high number of infections: 44% of organizations had at least one piece of malware in their cloud applications; and nearly one-in-three SaaS app instances contained at least one threat. Among the SaaS apps, 54.4% of OneDrive and 42.9% of Google Drive instances were infected. Dropbox and Box followed, both at 33%.
The research discovered that the average company had nearly 450,000 files held in the cloud, with more than 20 of the files containing malware. Forty-two percent of the infected file types were script and executable files, 21% were Office documents, 10% were Windows system files, and 8% were compressed formats. The other 19% were in various different file formats.
Among the infections it discovered a malware that Cylance confirmed as a zero-day ransomware -- which it calls ShurL0ckr. ShurL0ckr is ransomware-as-a-service , "meaning," says Bitglass, "the hacker generates a ransomware payload and distributes it via phishing or drive-by-download to encrypt files on disk in a background process until a Bitcoin ransom is paid." No analysis of the malware and its inner workings is provided.
It is, however, undetected by either Microsoft's or Google's cloud offerings.
"The sad truth," comments Meni Farjon, co-founder and CTO at SoleBIT Labs, "is that today, most cloud services providers still do not supply advanced malware detection capabilities, thus making this vector a perfect choice for attackers who aim to infect corporate users on a massive scale. I believe we will definitely see more ransomware variants targeting cloud application in the coming months, at least until the major cloud services providers offer malware detection capabilities to those services."
Bitglass checked whether mainstream anti-malware would detect the ShurL0ckr ransomware. "The team," writes Bitglass, "then leveraged VirusTotal to scrutinize a file containing the ransomware across dozens of antivirus engines. Only 7% of said engines (five in sixty-seven) detected the malware - one of these engines was Cylance, a Bitglass technology partner."
VirusTotal was acquired by Google in 2012.
The key takeaways from this research are that security teams' concerns about cloud security are valid, and there's a new ransomware that goes largely undetected. That last point is, however, not clear cut. The purpose of VirusTotal (VT) is to allow concerned users to gain insight into a suspect file -- could it be, or is it likely not, malicious? It is not an anti-malware comparative tool.
VirusTotal itself says, "Antivirus engines can be sophisticated tools that have additional detection features that may not function within the VirusTotal scanning environment. Because of this, VirusTotal scan results aren't intended to be used for the comparison of the effectiveness of antivirus products."
"In other words," comments ESET senior research fellow David Harley, "a VirusTotal report is not a reliable indicator as to whether a product detects or blocks a given sample out in the field, because VirusTotal doesnít necessarily make use of all the layers of protection made available by a specific product in the real world. To draw any conclusions about the efficacy of any product based on one sample isnít testing at all," he added; "itís just marketing."
Lenny Zeltser, VP of products at Minerva Labs, isn't surprised by the VT engines' low detection rate. "Attackers continually find ways of getting around AV tools, due to the inherent weaknesses of any approach to detecting malicious software on the basis of previously-seen patterns. This is a reality for all types of AV solutions," he told SecurityWeek, "regardless of whether they employ AI or not."
He believes that it is reasonable for Bitglass to quote a low VT detection rate because "this research focused on the way in which files stored on cloud services are identified as malware. I believe the providers of such services rely on static scans, which makes VirusTotal a reasonable approximation of AV efficacy in such scenarios. The findings show that organizations cannot rely solely on the scans performed by these providers, and should deploy anti-malware protection to their endpoints as well.î
What we now know is that there is another ransomware to worry about. We know that Cylance can detect it, but we don't know whether other anti-malware products deployed in the field will also catch it -- we do not know that only 7% will detect it. Bitglass hasn't provided any IOCs in its report, so it will be difficult for security teams to check for themselves.
However, since Bitglass uploaded an infected file to VirusTotal, VT will have shared details with its partner AV companies. They will now be making sure that they will detect it in the future -- so it might be useful for security teams to check directly with their own anti-malware provider to make sure they are already covered.
Silicon Valley-based Bitglass raised $45 million in a Series C funding round in January 2017, adding to the $25 million Series B round in 2014.
Related: Inside The Competitive Testing Battlefield of Endpoint Security
Related: VirusTotal Policy Change Rocks Anti-Malware Industry