
How (What Methods) Does MBAM Use for Ransomware Rollback?



We have a client considering purchase of the MBAM cloud/business suite. They were recently afflicted (prior to MBAM testing) with ransomware, so this is a hot topic for them.

I noticed that one of the features offered by MBAM for business is "Ransomware Rollback". I was curious how this actually worked, and what methods are used to roll the system back to a pre-encrypted/ransomware state? Are they simply using restore points, or is there something better and more detailed involved?

Any insight would be appreciated. It sounds like a very neat and promising feature, but I feel like the implementation could drastically change its actual usefulness.


Greetings,

I'm not a member of the staff, however I should be able to offer at least some useful info which will hopefully address some of your questions and concerns until a member of the staff is able to provide a more detailed response.

Specifically with regards to ransomware, Malwarebytes has a few things going for it from a protection perspective.  I will describe each in the order that they come into play during an attempted attack event where the end result would be infection of the system by ransomware and encryption of the user's files.

  1. First, the Web Protection component filters known malicious websites, both by domain/URL and by IP, and even blocks many known malware/crime-friendly hosts and hosting providers (entire networks and IP blocks, not just individual addresses). This stops a lot of the malicious content from ever reaching your endpoints, which is particularly useful against most ransomware attacks, since one of the most frequently used attack methods is malicious advertisements and redirects on otherwise safe websites (malvertisements, malicious scripting, etc.).
  2. Next, the Exploit Protection component monitors shielded applications and operating system components (web browsers, office applications, document viewing/editing programs such as Adobe Reader/Acrobat, MS Office and other PDF viewers and document editors, media players, Java, etc.) for exploit activity. It also hardens key OS components (including augmenting existing OS protection technologies such as DEP) and adds generic behavior-based monitoring for exploit behaviors across many attack vectors (buffer overflow attacks, ROP, memory patch hijacks, stack pivoting, etc.). This also covers the scenario where the point of attack is a malicious email attachment such as a Word document, PDF, other document type or media file containing exploit code, which is the other primary means of exploit attack used for the vast majority of ransomware infection attempts.
  3. After that is the Ransomware Protection component, which monitors all processes and threads in memory in real time, watching both memory behaviors and filesystem events for ransomware behavior patterns, in order to stop any active ransomware attack before it is able to encrypt the user's files. As soon as suspicious ransomware behavior is detected, the process is halted and terminated, then quarantined, and the event is logged.

As for rollback features, I don't have a great deal of detail about it. However, I do know that the Malwarebytes Developers and Researchers are quite aware that one of the first things most ransomware threats do is destroy any existing System Restore points and shadow copies, and disable or otherwise cripple System Restore and other built-in OS file restoration functionality, to prevent recovery without paying the ransom. So I suspect that whatever they are doing, it likely employs some form of protected encryption and probably technologies similar to those used by Malwarebytes' Self-Protection component, which guards Malwarebytes' processes in memory, its files, folders and other data on disk, and its critical program registry keys from being terminated, modified or deleted by any unapproved process (basically anything outside of Malwarebytes itself; a necessity so that it can modify its own settings when the user changes them, and when databases and new program versions are downloaded and installed).

With that said, I did find the following information in the Malwarebytes Cloud Console Administration guide which is available here and I found a bit more detail about this component here which details some changes/enhancements in the latest release.  I hope this information is at least somewhat helpful to you and your client.

Rollback
This setting is available once you enable Suspicious Activity Monitoring. The Rollback feature is dependent on activity monitoring – you must enable monitoring to allow for Rollback. Once Rollback is enabled, Malwarebytes will create a local cache on the endpoint to store changes to files on the system. The application uses this cache to help revert changes caused by a threat. Endpoints typically use 200MB – 500MB for the cache, depending on usage and how you configure Rollback. Two options exist to customize Rollback in your environment. They are:
  • Rolling time to store changes – This setting determines how long Malwarebytes will store information in the cache. Increasing this time will increase the size of the cache on your endpoints, as they will store any changes to the endpoint in the time window you specify. The default value is 48 hours.
  • Maximum size for individual file backups – This setting controls which files are saved in cache based on size. The default setting is 20MB – meaning that any file larger than 20MB will not be saved in cache. Increasing the maximum file size will increase the size of the cache.


By enabling Rollback, you allow Malwarebytes additional options to help recover damage caused by threats on your endpoints. In conjunction with our existing Malware Removal Engine, the Rollback Cache allows the Endpoint Agent to restore files that malware removed or encrypted.

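To make the two Rollback settings quoted above concrete, here is an added illustration in Python. It is not Malwarebytes' code and says nothing about how the Endpoint Agent is actually implemented (a real product intercepts writes in a kernel filter driver and protects its cache from tampering, neither of which is modelled here). It only simulates a content-addressed cache of "before-images" with the two knobs the admin guide describes: a rolling time window (default 48 h) and a per-file size cap (default 20 MB). The file names, contents, fake clock and the tiny 64-byte cap used in `demo()` are all constructed for the example.

```python
"""Illustrative rolling 'before-image' cache for file rollback.

Added example, not Malwarebytes' implementation.  Models only the two
settings from the Cloud Console admin guide:
  * window_seconds  -> "Rolling time to store changes" (default 48 h)
  * max_file_bytes  -> "Maximum size for individual file backups" (default 20 MB)
Consequences the guide implies: files over the cap are never cached (so
cannot be rolled back), and snapshots older than the window are pruned.
Here the caller must call snapshot() before every write; write_file() does
that in place of a real filesystem hook.
"""
import hashlib
import os
import shutil
import tempfile
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class RollbackCache:
    cache_dir: str
    window_seconds: float = 48 * 3600          # rolling time to store changes
    max_file_bytes: int = 20 * 1024 * 1024     # max size per cached file
    clock: Callable[[], float] = time.time     # injectable for deterministic runs
    # path -> [(timestamp, blob_path)], one entry per snapshotted write
    entries: Dict[str, List[Tuple[float, str]]] = field(default_factory=dict)

    def snapshot(self, path: str) -> bool:
        """Copy the *current* contents of `path` into the cache before it is
        overwritten.  Returns False if the file is missing or over the cap."""
        self.prune()
        if not os.path.isfile(path) or os.path.getsize(path) > self.max_file_bytes:
            return False
        with open(path, "rb") as f:
            data = f.read()
        blob = os.path.join(self.cache_dir, hashlib.sha256(data).hexdigest())
        if not os.path.exists(blob):            # content-addressed: identical data stored once
            with open(blob, "wb") as f:
                f.write(data)
        self.entries.setdefault(path, []).append((self.clock(), blob))
        return True

    def prune(self) -> int:
        """Drop snapshots older than the window and delete orphaned blobs."""
        cutoff = self.clock() - self.window_seconds
        removed = 0
        for path in list(self.entries):
            kept = [(ts, b) for ts, b in self.entries[path] if ts >= cutoff]
            removed += len(self.entries[path]) - len(kept)
            if kept:
                self.entries[path] = kept
            else:
                del self.entries[path]
        live = {b for lst in self.entries.values() for _, b in lst}
        for name in os.listdir(self.cache_dir):
            p = os.path.join(self.cache_dir, name)
            if p not in live:
                os.remove(p)
        return removed

    def rollback(self, path: str, attack_start: float) -> bool:
        """Restore `path` to the image captured by the first write at or after
        `attack_start`, i.e. its last clean contents.  False if none cached."""
        self.prune()
        candidates = [(ts, b) for ts, b in self.entries.get(path, []) if ts >= attack_start]
        if not candidates:
            return False
        _, blob = min(candidates)               # earliest snapshot since the attack began
        shutil.copyfile(blob, path)
        return True

    def cache_bytes(self) -> int:
        return sum(os.path.getsize(os.path.join(self.cache_dir, n)) for n in os.listdir(self.cache_dir))


def write_file(cache: RollbackCache, path: str, data: bytes) -> None:
    """Stand-in for a write hook: snapshot the old contents, then write."""
    cache.snapshot(path)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """User edits a file over days, ransomware encrypts everything, rollback runs.
    Returns the outcomes so they can be inspected or asserted on."""
    now = [1_000_000.0]                         # constructed fake clock, seconds
    work = tempfile.mkdtemp(prefix="files_")
    cache = RollbackCache(tempfile.mkdtemp(prefix="rbcache_"),
                          max_file_bytes=64, clock=lambda: now[0])  # tiny cap for the demo
    small = os.path.join(work, "report.docx")
    big = os.path.join(work, "video.mp4")
    original = b"Q3 numbers: revenue up 4%"
    write_file(cache, small, b"draft")          # new file: nothing to snapshot yet
    write_file(cache, big, b"x" * 200)          # 200 B > cap: will never be cached
    now[0] += 3600
    write_file(cache, small, original)          # snapshots 'draft'
    now[0] += 3 * 24 * 3600                     # three days pass; 'draft' is now outside the window
    attack_start = now[0]
    for p in (small, big):                      # simulated ransomware: XOR-"encrypt" in place
        with open(p, "rb") as f:
            plain = f.read()
        write_file(cache, p, bytes(b ^ 0x5A for b in plain))
    result = {"small_restored": cache.rollback(small, attack_start),
              "big_restored": cache.rollback(big, attack_start),
              "snapshots_for_small": len(cache.entries[small]),
              "cache_bytes": cache.cache_bytes()}
    with open(small, "rb") as f:
        result["small_content"] = f.read()
    with open(big, "rb") as f:
        result["big_content"] = f.read()
    shutil.rmtree(work)
    shutil.rmtree(cache.cache_dir)
    return result


if __name__ == "__main__":
    print(demo())
```

The run shows the two trade-offs in one place: `report.docx` comes back because its last clean image was captured when the ransomware overwrote it, while `video.mp4` stays encrypted because it was over the size cap and was never cached, and the three-day-old `draft` image has already been pruned by the 48 h window, so the cache holds exactly one blob for the document.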

Wow, excellent information Exile. Thank you very much.

 

I did have a phone call with an MBAM rep earlier today, and she said that the rollback service is independent of, and separate from, any System Restore processes. She did also mention, as you have pointed out, that the rollback feature works by storing a relatively small file on the local endpoint.

 

Everything seems pretty impressive to me. Very nice.


Hi BlueBolt

Welcome to Malwarebytes!

The information provided is all great above and covers many of our layers.

For more details on how the EPR module works specifically please check out our documentation here:

https://www.malwarebytes.com/pdf/datasheets/MBEPRDatasheet.pdf

https://www.malwarebytes.com/pdf/datasheets/MEPRSolutionBrief.pdf

Let us know if everything provided still leaves anything unanswered, we are here to help

Edited by KDawg

Thanks guys,

 

For my own purposes, all of my questions have been answered. I had some very positive conversations over the phone and via an online conference with some MBAM reps as well. It's ultimately up to our client what provider they choose, but I'm hoping they decide to go in this direction, as I think it would offer them the best protection while being the easiest on our end to manage.

 

Thank you!

