March 2, 2023
Ransomware can take on many forms, each with unique characteristics designed to remain undetected for as long as possible. However, many of these malware samples also share common behaviors that can be used against them. Royal, like many others, consistently tries to delete the backup files on the devices it compromises. Why? Because ransomware can be reversed by re-imaging a device from its backups, restoring it to a pre-attack state. This reversibility forces most ransomware authors to disable, disrupt or delete the backups, giving endpoint defenses a behavior they can signature. Enable backups and ensure endpoint defenses continuously monitor the processes that touch them. It is also worth noting that ransomware is impossible to pull off (in the traditional sense) on “secure by design” operating systems. Wherever possible, switch from workstations and servers to iPads, Chromebooks and containers.
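As an added example (not code from the original advisory or from Prelude), here is a small Python detector that applies the idea above to constructed Windows process-creation events: it flags command lines that delete shadow copies, backup catalogs or files under a backup path, then groups hits by parent process, since several backup-tampering children under one unexpected parent is the stronger signal. The event format, paths, PIDs and rule names are all assumptions made for illustration.

```python
import re
from collections import namedtuple

# Constructed sample process-creation events (hypothetical, illustration only):
# "pid|parent_image|image|command_line"
SAMPLE_EVENTS = [
    "4012|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
    "5120|C:\\Users\\alice\\Downloads\\invoice.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "5121|C:\\Users\\alice\\Downloads\\invoice.exe|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    "5122|C:\\Users\\alice\\Downloads\\invoice.exe|C:\\Windows\\System32\\cmd.exe|cmd /c del /f /q D:\\Backups\\*.vhdx",
    "6001|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
]

# Backup-tampering behaviours an endpoint sensor can signature, as
# case-insensitive regexes over the full command line (assumed rule set).
BACKUP_TAMPER_RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "backup_path_deletion": re.compile(r"\b(del|rmdir|rd|Remove-Item)\b.*\\backups?\\", re.I),
}

Finding = namedtuple("Finding", "pid rule parent_image command_line")

def parse_event(line):
    """Split one pipe-delimited event into (pid, parent_image, image, command_line)."""
    pid, parent, image, cmd = line.split("|", 3)
    return int(pid), parent, image, cmd

def detect_backup_tampering(events):
    """Return one Finding per event whose command line matches a rule (first rule wins)."""
    findings = []
    for line in events:
        pid, parent, image, cmd = parse_event(line)
        for name, pattern in BACKUP_TAMPER_RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(pid, name, parent, cmd))
                break
    return findings

def suspicious_parents(findings, threshold=2):
    """Map parent image -> matched rules, keeping only parents that spawned
    at least `threshold` backup-tampering children (the ransomware-like pattern)."""
    by_parent = {}
    for f in findings:
        by_parent.setdefault(f.parent_image, []).append(f.rule)
    return {p: rules for p, rules in by_parent.items() if len(rules) >= threshold}

if __name__ == "__main__":
    for parent, rules in suspicious_parents(detect_backup_tampering(SAMPLE_EVENTS)).items():
        print(f"ALERT: {parent} spawned backup tampering: {', '.join(rules)}")
```

In a real deployment the same rules would be fed by the EDR's process-creation telemetry rather than a static list, and the benign parents (backup agents, scheduled maintenance tasks) would be allow-listed.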