SM Technology Develops New Ransomware-blocking 'DocStory' Solution for the First Time in the World

Building a new ransomware-blocking technology base that makes attackers chase the defenders
Friday, April 14th, 2017
Ransomware block concept

"The R&D center of S company had a bitter experience several months ago: the R&D data it had accumulated over several years by spending a massive amount of money became useless after it was hit by ransomware. In the end, S company could only decrypt it after sending the demanded money to the attacker. Meanwhile, Mr. K was recently shocked to find that his newlywed photos, the photos and videos of his child's first birthday, and other material he had taken five years ago had turned into digital garbage owing to ransomware. He had to pay in bitcoin to retrieve the locked files."
According to a survey conducted by the Korea Ransomware Computer Emergency Response Team, 70% of CIOs and 50% of IT department staff at global companies said their first goal for 2017 is to prevent ransomware. In keeping with this, on April 12, 2017, Korea IT Times interviewed SM Technology CTO Kim Seong-ki on DocStory, the solution the company developed as the world's first technology to completely block ransomware.
Is it possible for the IT world to be freed from ransomware? --Ed

Korea IT Times: What is ransomware?

Kim Seong-ki (Kim): Ransomware, a compound of "ransom" and "software", refers to malicious code that demands money by holding files hostage. If a PC user's files are infected via e-mail or a malicious link, he or she can no longer access the system and files. There are only two options - pay the ransom, or have the relevant files destroyed forever.

According to data from the Korea Ransomware Computer Emergency Response Team, 49% of all companies became the target of a ransomware attack in 2016. The number of infected victims soared from 53,000 in 2015 to 150,000 in 2016. The demanded bitcoin price also went up sharply, from around $400 in early 2016 to over $600 at present. The damage was estimated at 300 billion won in 2016, a sharp rise from 109 billion won in 2015.

Korea IT Times: Is there any method to cure ransomware?

Kim: Unfortunately, there is no cure. Prevention is the best way. The ransom block is the best method: it intelligently classifies normal and abnormal access, blocks the malicious access and lets the user know about it.

Korea IT Times: Is there a safe folder to completely block malicious approach?

Kim: Valuable data on a PC can be protected with the ransom block. However, it is important to prepare a safe folder to protect the data even more safely. Related to this, SM Technology has developed a safe folder that can be used as easily as a general folder, blocks malicious access completely and sharply reduces the operating cost.

The overall process, from the infiltration of the ransomware to the start of the actual encryption, has to satisfy various conditions.

There are many chances to detect it along the way, ranging from URL filtering at the web gateway, to the arrival of the malware on the system, the C&C server connection, the encryption download, the maintenance of the C&C server connection and the file encryption. Then what is the reason behind the high success rate of ransomware? For instance, the amount earned from ransomware surpassed 1 trillion won.

Korea IT Times: What is the reason behind the high success rate of ransomware?

Kim: In short, there are three reasons.

(1) In November 2016, security experts discovered a variant of an exploit involving SVG files. SVG, an XML-based vector image format, is compatible with web browsers and various applications, and people send and receive SVG files through SNS.
(2) Attackers developed a method to insert malicious JavaScript code into the SVG file.
They took advantage of users' willingness to click on an image.
(3) It is very difficult to detect the malicious code in the SVG file because it has been obfuscated. Signature-based detection becomes almost 100% useless.
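The third point is that a signature looks for known bytes, which obfuscation changes. An added example, not code from the interview or from SM Technology, of the alternative a defender can apply to SVG: inspect the XML structure for elements and attributes that can execute script at all, regardless of how their contents are encoded. The two SVG documents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Structural (not signature-based) check for active content in an SVG.
# Added example; the SVG samples below are constructed, not real attachments.

def svg_active_content(svg_text):
    """Return the reasons an SVG should be treated as untrusted ([] if none)."""
    reasons = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return ["unparseable SVG: %s" % exc]   # malformed input is untrusted too
    for elem in root.iter():
        tag = elem.tag.split("}")[-1].lower()  # drop the XML namespace prefix
        if tag == "script":
            reasons.append("<script> element")
        elif tag in ("foreignobject", "iframe", "embed", "object"):
            reasons.append("<%s> element" % tag)    # can embed HTML/plugins
        for name, value in elem.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):            # onload, onclick, ...
                reasons.append("%s event handler on <%s>" % (local, tag))
            if local == "href" and re.match(r"\s*(javascript|data):", value, re.I):
                reasons.append("scripted or data: URI in href on <%s>" % tag)
    return reasons

# Constructed samples: a plain drawing and one carrying script hooks.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SUSPECT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
               '<script>/* obfuscated content would sit here */</script></svg>')
```

Because the check never looks at what the script says, obfuscating its body does not change the verdict; only removing the executable hooks would.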

In this way, the prevention system we have is bound to be infiltrated someday. And attackers are always faster than defenders. In the end, there is a limit to methods that chase attackers, so it is necessary to develop technology that makes attackers chase defenders.

Korea IT Times: Would you introduce the basis of the new paradigm that makes attackers chase defenders?

Kim: The "DocStoryRB" solution that SM Technology has developed this time supports both the ransomware block and data backup. Namely, it fundamentally blocks ransomware that has infiltrated the endpoint from accessing data and notifies the control server of the relevant threat information in real time. It also backs up data as it is created and modified to the server in real time and enables restoration to the original state at any point in time.

Korea IT Times: Whitelist technology was introduced a long time ago, but it is widely known to have limits in terms of users' convenience. What is the difference from the existing technology?

Kim: Various security technologies, such as signatures, behavior-based detection, restoration as a preventive measure, blacklists, patterns and cloud authentication, have been applied to the endpoint. In the end, the hackers won. The options hackers can select are many. As a result, a better way was needed to overcome that limit. Accordingly, the technology we had selected was the whitelist, but it was very inconvenient. So, after going through trial and error over the past several years, we established an advanced idea in the technology development stage and succeeded in reaching a solution. It is whitelist-based. I think it will be the best model in terms of users' convenience if it is operated at the same level as the existing security products. Our organization made that possible.


Korea IT Times: Would you explain the DocStory RB solution function in detail?

Kim: DocStoryRB is a new-paradigm technology with the function of controlling access to the data that ransomware targets. It can be flexibly adjusted to an organization's characteristics through two rights - control of whitelist-style access, and approval or disapproval of what users execute. It is the final weapon for minimizing damage from ransomware, tracking data changes in real time and backing them up automatically.

DocStoryRB solution flow chart

It verifies trust by using the ransom block engine to compare the document-editing application's path and digital signature. If there is an attempt to change, delete or encrypt files through an untrusted application or process, it stops the act and transmits the relevant log to the server.
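An added example, modelling the decision the paragraph above describes rather than reproducing SM Technology's engine: an application is trusted only if both its path is whitelisted and its code-signing identity matches the one recorded for that path, every blocked or pending attempt is logged for the control server, and the "user approval" right from the earlier answer is a policy switch. The application paths, signer name and document path are constructed.

```python
import json
import time

# Whitelist-style access decision for a protected document folder. Added
# example of the behaviour described in the interview, not DocStory code;
# paths and signer names below are constructed placeholders.
PROTECTED_OPS = {"write", "rename", "delete"}   # what encryption needs to do

class RansomBlockPolicy:
    def __init__(self, trusted_apps, user_approval=False):
        # trusted_apps maps an application path to the signing identity it
        # must carry; a binary at a whitelisted path without that signature
        # (copied, patched or swapped) is therefore still blocked.
        self.trusted_apps = {p.lower(): s for p, s in trusted_apps.items()}
        self.user_approval = user_approval   # may the user approve unknowns?
        self.log = []                        # entries to ship to the server

    def decide(self, proc_path, signer, op, target):
        """Return 'allow', 'deny' or 'ask'; every non-allow verdict is logged."""
        if op not in PROTECTED_OPS:
            return "allow"                   # reads are outside the policy
        expected = self.trusted_apps.get(proc_path.lower())
        if expected is not None and signer == expected:
            return "allow"
        if expected is not None:
            verdict, reason = "deny", "signer mismatch at whitelisted path"
        elif self.user_approval:
            verdict, reason = "ask", "unknown process, user approval pending"
        else:
            verdict, reason = "deny", "process not whitelisted"
        self.log.append({"ts": time.time(), "process": proc_path,
                         "signer": signer, "op": op, "target": target,
                         "verdict": verdict, "reason": reason})
        return verdict

def server_events(policy):
    """Serialize the logged decisions as JSON lines for the control server."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in policy.log)

# Constructed scenario: one trusted editor and one unknown temp-folder process.
TRUSTED = {r"C:\Apps\Editor\editor.exe": "Example Software Co."}
DOC = r"D:\Docs\report.docx"

def run_scenario():
    policy = RansomBlockPolicy(TRUSTED)
    verdicts = [
        policy.decide(r"C:\Apps\Editor\EDITOR.EXE", "Example Software Co.", "write", DOC),
        policy.decide(r"C:\Apps\Editor\editor.exe", None, "write", DOC),
        policy.decide(r"C:\Users\k\AppData\Local\Temp\x.exe", None, "rename", DOC),
        policy.decide(r"C:\Users\k\AppData\Local\Temp\x.exe", None, "read", DOC),
    ]
    return verdicts, server_events(policy)
```

In the scenario the signed editor is allowed, the unsigned copy at the same path and the temp-folder process are denied with a log entry each, and the read is ignored because it cannot damage the document.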

(2) DRB (Data Real-time Backup)

When documents or other work are done at the endpoint, it backs up major documents in real time as they are created and modified. If data is damaged by ransomware or other malicious code, the data can be restored to the point right before the damage or to any desired point in time.

Client document creation, modification and deletion

It is an integrated management solution that can transmit various policies to the DWD and DRB running at the endpoint. It supports a dashboard that monitors the endpoint situation in real time. At the same time, logs of abnormal process activity at the endpoint are reported in real time, enabling a speedy countermeasure.

Korea IT Times: Would you explain the market competitiveness of the DocStory solution?

Kim: The unique competitive strength of the DocStory solution is that it generates the best defense effect at the minimum cost. The existing prevention systems are costly because additional equipment has to be introduced and operated to enhance the defense effect. The DocStory solution, however, generates the best defense effect without additional equipment.

Its supporting functions and the strong points of its implementation technologies are as follows:
(1) automated real-time data protection;
(2) real-time synchronization and scheduled backup support;
(3) automatic start of the ransom block engine when Windows boots;
(4) support for network drive storage;
(5) data file extension filtering;
(6) restoration of a wrongly stored file by means of time-based backup;
(7) creation, duplication, modification, deletion, renaming and synchronization of files and folders;
(8) support for all Microsoft operating systems from Windows 7 upward;
(9) removal of duplicates within the same folder when backing up;
(10) control of client actions according to the manager's policy.

Korea IT Times: Would you comment on the intellectual property rights and certifications?

Kim: We received patents on (1) a security method for removable storage and the corresponding removable storage, (2) a driver security system and method using a virtual call route, and (3) whitelist-based ransomware-blocking equipment and method. We also acquired GS grade 1 certification (DocStory v1.0) from the TTA.
