Christian Mairoll

Emsisoft Employee
About Christian Mairoll

  • Rank: Emsi
  • Birthday: 11/15/1981

Contact Methods

  • Website URL: http://www.emsisoft.com

Profile Information

  • Gender: Male
  • Location: New Zealand
  • Interests: Anti-Malware Software

  1. Our latest update features some useful new additions to Emsisoft Cloud Console and Emsisoft Anti-Malware.

Device health status

If you’re using Emsisoft Cloud Console to manage the malware protection of multiple devices, it’s critical to have access to information about potential problems with the device’s operating system. That’s why we’ve extended the device view and added new sections that display general device health and some basic information about the installed hardware.

(Image: The new device details panel in Emsisoft Cloud Console)

The upper section shows all security-relevant details, such as last update and scan dates on the left, and active protection policies on the right. A new custom notes box allows you to enter any information that may be relevant for future reference. The lower part of the device health block shows the current memory and storage usage. Below, you will see recent critical system events such as blue screens, so you can find major software and hardware issues right on the spot. The new device details panel at the bottom displays details of the operating system and general hardware specifications that will help you manage your devices.

New device restart scheduler

In rare situations, Emsisoft protection software needs to restart the computer to update some of its core components. Our team aims to keep the number of required restarts as low as possible – much lower than those required by the Windows operating system. Many of our customers have requested an option to schedule required restarts to times when the computer is not being actively used. Based on this feedback, we’ve added a new setting that allows you to define time frames for restarts (e.g. allow restarts between 2:00 a.m. and 4:00 a.m.). The computer will not restart if it is being used. You can optionally allow your users to postpone restarts in one-hour intervals in case they are working on the device.

(Image: New device restart scheduler)

All 2019.9 improvements in a nutshell

Emsisoft Anti-Malware
  • New update reboot scheduler.
  • Improved event logging.
  • Several minor tweaks and fixes.

MyEmsisoft/Cloud Console
  • New device health status and device details panels.
  • New support for policy template hierarchies.
  • Improved user interface in many sections.
  • Several minor tweaks and fixes.

How to obtain the new version

As always, so long as you have auto-updates enabled in the software, you will receive the latest version automatically during your regularly scheduled updates, which are hourly by default.

Note to Enterprise users: If you have chosen to receive “Delayed” updates in the Update settings for your clients, they will receive the new software version no earlier than 30 days after the regular “Stable” availability. This gives you time to perform internal compatibility tests before a new version gets rolled out to your clients automatically.

Have a great and well-protected day!

The post New in 2019.9: Device health status in Cloud Console appeared first on Emsisoft | Security Blog.
  2. CheckLab is a new security software testing organization founded by the well-known company AVLab. In July 2019, CheckLab ran the first edition of its “Advanced in the Wild Malware Test,” and we’re happy to announce that Emsisoft Business Security was awarded the Best+++ badge!

How does CheckLab perform the tests?

Malware is a significant threat to modern businesses. Failure to detect and stop a threat can potentially result in costly downtime, recovery and reputation loss. The Advanced in the Wild Malware Test can help business owners and IT professionals make a more informed choice in regards to their choice of security software.

The test involved evaluating the protection capabilities of eight business-grade security solutions. To perform the test, each security product was installed on a system running Windows 10 Pro x64 with user account control disabled. A number of typical business applications were also installed on the system, including an office suite, email client, document browser and a few other tools. The security products were then exposed to almost 1,000 carefully vetted malware samples, and were awarded one of three badges depending on how well they protected the system:

  • Best+++: at least 99% detection
  • Best++: at least 95% detection
  • Good+: at least 90% detection

Results

We’re delighted to report that Emsisoft Business Security excelled in the tough test conditions and successfully blocked 100 percent of the malware samples. As a result, Emsisoft Business Security was awarded the Best+++ badge! Click here to see the full report or here to check out some of the awards and certifications we’ve won in the past.

About CheckLab

CheckLab, a division of AVLab, is a new independent security software testing group. The organization specializes in testing the capabilities of security products in conditions that are designed to simulate real-world attacks. CheckLab plans to regularly release detailed reports that offer users valuable insight into the effectiveness of many security products available on the market.

The post Emsisoft Business Security awarded Best+++ badge in CheckLab’s July 2019 tests appeared first on Emsisoft | Security Blog.
  3. Pretty much all AVs have some sort of hard limit when it comes to file sizes. The main reason is that you want to avoid your storage devices getting filled up or running out of memory during a scan, both of which can have very ugly side effects. It's just not economical in terms of expected benefits vs. cost of time and performance to extract huge files. Especially not if you consider that cleaning inside archives is mostly impossible and the entire file gets quarantined, combined with the fact that it's relatively irrelevant in terms of overall security to know that there is an inactive malware file wrapped inside some archive file. As long as the file doesn't get unpacked, it doesn't mean any harm. But when you extract it in the future, it will be scanned and detected by the real-time monitoring anyway. So all you would gain by scanning inside of archives is an 'earlier' knowledge that there is something in there, but your PC doesn't get any safer at the end of the day. In our opinion that benefit is not large enough to rectify a potentially overloaded computer for hours and a system crash because of a full disk.
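A size-budgeted archive check that follows the reasoning in the post above (limit what a scanner will expand so it cannot fill the disk or exhaust memory), added here as an example; it is not Emsisoft's code. It decides from a ZIP's declared sizes whether unpacking stays within budget, and separately bounds the bytes actually produced when a member is unpacked. The budget values, the sample archives and every function name are assumptions constructed for the demo.

```python
"""Size-budgeted look-inside-archive check (constructed example, not Emsisoft code)."""
import io
import os
import zipfile
from dataclasses import dataclass

# Assumed policy limits for the demo; a real product tunes these per environment.
MAX_MEMBER_BYTES = 4 * 1024 * 1024     # one member may not expand beyond 4 MiB
MAX_TOTAL_BYTES = 8 * 1024 * 1024      # the whole archive may not expand beyond 8 MiB
MAX_RATIO = 100.0                      # uncompressed/compressed above this is suspicious


@dataclass
class ArchiveDecision:
    extract: bool        # True: unpack and scan members; False: skip or quarantine the whole file
    reason: str
    declared_total: int  # sum of declared uncompressed sizes seen before the decision was made


def assess_zip(data: bytes,
               max_member: int = MAX_MEMBER_BYTES,
               max_total: int = MAX_TOTAL_BYTES,
               max_ratio: float = MAX_RATIO) -> ArchiveDecision:
    """Walk the central directory and decide whether unpacking fits the budget.

    Nothing is decompressed here: the decision uses only the declared sizes,
    so an archive that would fill the disk or exhaust memory is rejected
    before any extraction starts.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ArchiveDecision(False, "not a valid zip archive", 0)

    total = 0
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > max_member:
                return ArchiveDecision(False, f"member too large: {info.filename}", total)
            # Ratio check catches the classic 'zip bomb' shape: tiny stored size, huge declared size.
            if info.compress_size > 0 and info.file_size / info.compress_size > max_ratio:
                return ArchiveDecision(False, f"compression ratio too high: {info.filename}", total)
            total += info.file_size
            if total > max_total:
                return ArchiveDecision(False, "archive exceeds total expansion budget", total)
    return ArchiveDecision(True, "within budget", total)


def read_member_bounded(data: bytes, name: str, limit: int, chunk: int = 64 * 1024) -> bytes:
    """Unpack one member while counting the bytes actually produced.

    Defence in depth for the moment extraction does happen: the loop stops as
    soon as more than `limit` bytes have come out of the decoder, so the bound
    does not depend on the header being truthful.
    """
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            out += buf
            if len(out) > limit:
                raise ValueError(f"{name}: exceeded {limit} bytes during extraction")
    return bytes(out)


def build_zip(members, compression=zipfile.ZIP_DEFLATED) -> bytes:
    """Constructed helper that builds sample archives in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=compression) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample archives (harmless data, not malware samples):
NORMAL_ZIP = build_zip([("readme.txt", b"quarterly report\n"), ("data.csv", b"a,b\n1,2\n")])
# 2 MiB of zeros deflates to a few KiB: the member size is fine, the ratio is not.
BOMB_LIKE_ZIP = build_zip([("big.bin", b"\0" * (2 * 1024 * 1024))])
# Three incompressible 3 MiB members: each within the member limit, the total is not.
OVERSIZED_ZIP = build_zip([(f"blob{i}.bin", os.urandom(3 * 1024 * 1024)) for i in range(3)],
                          compression=zipfile.ZIP_STORED)


if __name__ == "__main__":
    for label, blob in [("normal", NORMAL_ZIP), ("bomb-like", BOMB_LIKE_ZIP), ("oversized", OVERSIZED_ZIP)]:
        d = assess_zip(blob)
        print(f"{label:10s} extract={d.extract!s:5s} declared={d.declared_total:>9d}  {d.reason}")
```

An archive that fails `assess_zip` is handled the way the post describes: the container is flagged as a whole rather than expanded, and its members are caught by real-time monitoring if they are ever unpacked.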
  4. That's currently not possible and at this point I can't promise that we will implement that. Reason is that it poses a major security risk in case the console gets hacked. We will try to figure out a way around that though.
  5. Team Emsisoft is proud to announce the official launch of Emsisoft Cloud Console, a web-based platform for centrally monitoring and managing Emsisoft’s endpoint protection products. Using Emsisoft Cloud Console, security administrators can deploy protection, manage device settings, enforce team policies and permissions, run malware scans, monitor protection status, respond to alerts, analyze forensic logs and review security reports.

(Image: Emsisoft Cloud Console Dashboard – all your devices on one screen)

“It’s better than being onsite”

When we designed the console, our primary focus was to save administrators as much time as possible and set new standards in user experience. Emsisoft Cloud Console doesn’t require extensive training to get started. Administrators will notice that the console is pretty much a perfect mirror of what users can see on their local devices – plus much more. Kiss onsite visits goodbye.

(Image: Emsisoft Cloud Console mirrors the design of the endpoint protection)

Time savers: Group policies and team collaboration

In addition to making all Emsisoft protection, remediation and analysis features fully accessible via the cloud platform, we also added tools that allow you to collaborate with other admins and define smart hierarchical group policies for settings and permissions that reflect your team departments.

(Image: Powerful team policies that include all settings)

Deployment couldn’t be easier

If you’ve ever had to endure the installation hassles of old-fashioned antivirus management tools, you’ll love Emsisoft Cloud Console. Deploying new devices is as simple as hitting the download button in the console, which gives you a custom tagged installer that automatically installs and connects the endpoint protection to your console workspace – without any further user interaction required! Use the same custom installer to connect your existing devices to the cloud with just a double-click to start the downloaded file.

(Image: One-click installation and activation with your own custom installer)

Save precious bandwidth with the Relay feature

One or more of your devices can be configured to act as a relay for all Emsisoft data transfers. Relays cache all update downloads to reduce the total amount of internet traffic. The more Emsisoft protected devices you have in your network, the higher the traffic savings.

(Image: Channel all Emsisoft data through one of your devices to save bandwidth and traffic)

Access the console from any device

Emsisoft Cloud Console can either be accessed via the web browser from any device – at my.emsisoft.com – or pinned to the home screen of your mobile device as a progressive web app (PWA), with all major operating systems supported.

(Image: Access via a web browser or via apps for Android and iOS from any device)

Best of all: It’s free!

Emsisoft Cloud Console is part of all Windows endpoint protection license plans, such as Emsisoft Anti-Malware Home, Emsisoft Business Security and Emsisoft Enterprise Security.

How to get started with Emsisoft Cloud Console

Please log in at MyEmsisoft to see the new ‘Workspaces’ menu at the ‘Cloud Console’ section on the left. Simply follow the instructions to migrate your personal licenses and devices to a new workspace. Let us know what you think and send us an email via [email protected] We are thankful for your input as it helps us to make this the best central antivirus management console available.

The post New Emsisoft Cloud Console for SMBs and MSPs available now appeared first on Emsisoft | Security Blog.
  6. In this month’s software update we’ve made some improvements to the main screen of Emsisoft Anti-Malware and added a number of handy tools for your added security.

New network lockdown feature

This new feature allows you to instantly take your devices offline by clicking the on/off switch. Use it in an emergency situation if you suspect that a malware infection has taken place, or simply block hidden programs from accessing the Internet without your consent (e.g. if you’re on a metered connection). Note that Emsisoft protection updates will still be let through and the connection to Emsisoft Cloud Console will remain intact to allow your admins to investigate the issue. Network lockdown can also be enabled remotely from the Cloud Console, either for single devices or all devices of a particular group.

New firewall status display

The overview screen now shows your current firewall status, be it the Windows built-in firewall or a third-party product. The status display also allows you to turn your firewall on or off with just a click.

(Image: New Network Lockdown and Firewall status display)

(Image: Quick access via systray context menu)

All 2019.8 improvements in a nutshell

Emsisoft Anti-Malware
  • New network lockdown feature.
  • New firewall status display.
  • New display of workspace connection on overview screen.
  • Improved traffic relay feature.
  • Improved logs.
  • Several minor tweaks and fixes.

MyEmsisoft/Cloud Console
  • New network lockdown feature for single devices and groups of devices.
  • New license re-assign and merge feature to move personal licenses to workspaces.
  • Improved workspaces list dashboard for managed service providers: search box, expanded device list, reports drill down, etc.
  • Improved single workspace dashboard for admins.
  • Improved login security and additional system hardening.
  • Improved exclusions, now supporting quick import of lists of paths.
  • Improved user interface in many sections.
  • Several minor tweaks and fixes.

How to obtain the new version

As always, so long as you have auto-updates enabled in the software, you will receive the latest version automatically during your regularly scheduled updates, which are hourly by default.

Note to Enterprise users: If you have chosen to receive “Delayed” updates in the Update settings for your clients, they will receive the new software version no earlier than 30 days after the regular “Stable” availability. This gives you time to perform internal compatibility tests before a new version gets rolled out to your clients automatically.

Have a great and well-protected day!

The post New in 2019.8: One-click network lockdown appeared first on Emsisoft | Security Blog.
  7. The VB100 is a certification designed to test the malware detection capabilities of endpoint security solutions. Virus Bulletin, the independent security experts behind the VB100, have released the results of their August tests, and we’re pleased to announce that Emsisoft has once again earned certification!

What is the VB100?

To earn the VB100, a security product has to pass the Certification Test. The tests are performed on physical computers or virtual machines with specifications similar to those you would expect to find on a typical business PC. Each security product is installed with default settings on a clean instance of Windows.

The tests involve exposing the security products to thousands of malicious samples curated by various organizations, including the WildList Organization, the Anti-Malware Testing Standards Organization and Virus Bulletin. To determine how accurately a product can distinguish a malicious file from a safe file, the products are also exposed to a set of 100,000 clean files taken from popular software downloads.

To be awarded the VB100, a product has to achieve two things:

  • Detect at least 99.95 percent of the malicious files.
  • Mistake no more than 0.01 percent of the clean files as malicious.

How did Emsisoft do?

We’re happy to report that Emsisoft Anti-Malware aced the test! Our flagship software detected 100 percent of the 1,508 malicious files without generating any false positives and was consequently awarded the VB100. Click here to see the full report, or click here to have a look at some of the other awards we’ve won in the past.

About Virus Bulletin

Headquartered in the UK, Virus Bulletin is an independent security information portal and certification body. The organization regularly performs tests designed to evaluate the protection capabilities of security products and help users make a more informed decision about their choice of antivirus software. A product that has earned the VB100 can be considered to have met a certain standard of quality in regards to malware detection.

The post Emsisoft earns VB100 in August 2019 tests appeared first on Emsisoft | Security Blog.
  8. This story was originally published by ProPublica.

Even when public agencies and companies hit by ransomware could recover their files on their own, insurers prefer to pay the ransom. Why? The attacks are good for business.

On June 24, the mayor and council of Lake City, Florida, gathered in an emergency session to decide how to resolve a ransomware attack that had locked the city’s computer files for the preceding fortnight. Following the Pledge of Allegiance, Mayor Stephen Witt led an invocation. “Our heavenly father,” Witt said, “we ask for your guidance today, that we do what’s best for our city and our community.”

Witt and the council members also sought guidance from City Manager Joseph Helfenberger. He recommended that the city allow its cyber insurer, Beazley, an underwriter at Lloyd’s of London, to pay the ransom of 42 bitcoin, then worth about $460,000. Lake City, which was covered for ransomware under its cyber-insurance policy, would only be responsible for a $10,000 deductible. In exchange for the ransom, the hacker would provide a key to unlock the files.

“If this process works, it would save the city substantially in both time and money,” Helfenberger told them.

Without asking questions or deliberating, the mayor and the council unanimously approved paying the ransom. The six-figure payment, one of several that U.S. cities have handed over to hackers in recent months to retrieve files, made national headlines.

Left unmentioned in Helfenberger’s briefing was that the city’s IT staff, together with an outside vendor, had been pursuing an alternative approach. Since the attack, they had been attempting to recover backup files that were deleted during the incident. On Beazley’s recommendation, the city chose to pay the ransom because the cost of a prolonged recovery from backups would have exceeded its $1 million coverage limit, and because it wanted to resume normal services as quickly as possible.

“Our insurance company made [the decision] for us,” city spokesman Michael Lee, a sergeant in the Lake City Police Department, said. “At the end of the day, it really boils down to a business decision on the insurance side of things: them looking at how much is it going to cost to fix it ourselves and how much is it going to cost to pay the ransom.”

The mayor, Witt, said in an interview that he was aware of the efforts to recover backup files but preferred to have the insurer pay the ransom because it was less expensive for the city. “We pay a $10,000 deductible, and we get back to business, hopefully,” he said. “Or we go, ‘No, we’re not going to do that,’ then we spend money we don’t have to just get back up and running. And so to me, it wasn’t a pleasant decision, but it was the only decision.”

Ransomware is proliferating across America, disabling computer systems of corporations, city governments, schools and police departments. This month, attackers seeking millions of dollars encrypted the files of 22 Texas municipalities. Overlooked in the ransomware spree is the role of an industry that is both fueling and benefiting from it: insurance.

In recent years, cyber insurance sold by domestic and foreign companies has grown into an estimated $7 billion to $8 billion-a-year market in the U.S. alone, according to Fred Eslami, an associate director at AM Best, a credit rating agency that focuses on the insurance industry. While insurers do not release information about ransom payments, ProPublica has found that they often accommodate attackers’ demands, even when alternatives such as saved backup files may be available.

The FBI and security researchers say paying ransoms contributes to the profitability and spread of cybercrime and in some cases may ultimately be funding terrorist regimes. But for insurers, it makes financial sense, industry insiders said. It holds down claim costs by avoiding expenses such as covering lost revenue from snarled services and ongoing fees for consultants aiding in data recovery. And, by rewarding hackers, it encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying policies.

“The onus isn’t on the insurance company to stop the criminal, that’s not their mission. Their objective is to help you get back to business. But it does beg the question, when you pay out to these criminals, what happens in the future?” said Loretta Worters, spokeswoman for the Insurance Information Institute, a nonprofit industry group based in New York. Attackers “see the deep pockets. You’ve got the insurance industry that’s going to pay out, this is great.”

A spokesperson for Lloyd’s, which underwrites about one-third of the global cyber-insurance market, said that coverage is designed to mitigate losses and protect against future attacks, and that victims decide whether to pay ransoms. “Coverage is likely to include, in the event of an attack, access to experts who will help repair the damage caused by any cyberattack and ensure any weaknesses in a company’s cyberprotection are eliminated,” the spokesperson said. “A decision whether to pay a ransom will fall to the company or individual that has been attacked.” Beazley declined comment.

Fabian Wosar, chief technology officer for anti-virus provider Emsisoft, said he recently consulted for one U.S. corporation that was attacked by ransomware. After it was determined that restoring files from backups would take weeks, the company’s insurer pressured it to pay the ransom, he said. The insurer wanted to avoid having to reimburse the victim for revenues lost as a result of service interruptions during recovery of backup files, as its coverage required, Wosar said. The company agreed to have the insurer pay the approximately $100,000 ransom. But the decryptor obtained from the attacker in return didn’t work properly and Wosar was called in to fix it, which he did. He declined to identify the client and the insurer, which also covered his services.

“Paying the ransom was a lot cheaper for the insurer,” he said. “Cyber insurance is what’s keeping ransomware alive today. It’s a perverted relationship. They will pay anything, as long as it is cheaper than the loss of revenue they have to cover otherwise.”

Worters, the industry spokeswoman, said ransom payments aren’t the only example of insurers saving money by enriching criminals. For instance, the companies may pay fraudulent claims — for example, from a policyholder who sets a car on fire to collect auto insurance — when it’s cheaper than pursuing criminal charges. “You don’t want to perpetuate people committing fraud,” she said. “But there are some times, quite honestly, when companies say: ‘This fraud is not a ton of money. We are better off paying this.’ … It’s much like the ransomware, where you’re paying all these experts and lawyers, and it becomes this huge thing.”

Insurers approve or recommend paying a ransom when doing so is likely to minimize costs by restoring operations quickly, regulators said. As in Lake City, recovering files from backups can be arduous and time-consuming, potentially leaving insurers on the hook for costs ranging from employee overtime to crisis management public relations efforts, they said.

“They’re going to look at their overall claim and dollar exposure and try to minimize their losses,” said Eric Nordman, a former director of the regulatory services division of the National Association of Insurance Commissioners, or NAIC, the organization of state insurance regulators. “If it’s more expeditious to pay the ransom and get the key to unlock it, then that’s what they’ll do.”

As insurance companies have approved six- and seven-figure ransom payments over the past year, criminals’ demands have climbed. The average ransom payment among clients of Coveware, a Connecticut firm that specializes in ransomware cases, is about $36,000, according to its quarterly report released in July, up sixfold from last October. Josh Zelonis, a principal analyst for the Massachusetts-based research company Forrester, said the increase in payments by cyber insurers has correlated with a resurgence in ransomware after it had started to fall out of favor in the criminal world about two years ago.

One cybersecurity company executive said his firm has been told by the FBI that hackers are specifically extorting American companies that they know have cyber insurance. After one small insurer highlighted the names of some of its cyber policyholders on its website, three of them were attacked by ransomware, Wosar said. Hackers could also identify insured targets from public filings; the Securities and Exchange Commission suggests that public companies consider reporting “insurance coverage relating to cybersecurity incidents.”

Even when the attackers don’t know that insurers are footing the bill, the repeated capitulations to their demands give them confidence to ask for ever-higher sums, said Thomas Hofmann, vice president of intelligence at Flashpoint, a cyber-risk intelligence firm that works with ransomware victims.

Ransom demands used to be “a lot less,” said Worters, the industry spokeswoman. But if hackers think they can get more, “they’re going to ask for more. So that’s what’s happening. … That’s certainly a concern.”

In the past year, dozens of public entities in the U.S. have been paralyzed by ransomware. Many have paid the ransoms, either from their own funds or through insurance, but others have refused on the grounds that it’s immoral to reward criminals. Rather than pay a $76,000 ransom in May, the city of Baltimore — which did not have cyber insurance — sacrificed more than $5.3 million to date in recovery expenses, a spokesman for the mayor said this month. Similarly, Atlanta, which did have a cyber policy, spurned a $51,000 ransom demand last year and has spent about $8.5 million responding to the attack and recovering files, a spokesman said this month. Spurred by those and other cities, the U.S. Conference of Mayors adopted a resolution this summer not to pay ransoms.

Still, many public agencies are delighted to have their insurers cover ransoms, especially when the ransomware has also encrypted backup files. Johannesburg-Lewiston Area Schools, a school district in Michigan, faced that predicament after being attacked in October. Beazley, the insurer handling the claim, helped the district conduct a cost-benefit analysis, which found that paying a ransom was preferable to rebuilding the systems from scratch, said Superintendent Kathleen Xenakis-Makowski.

“They sat down with our technology director and said, ‘This is what’s affected, and this is what it would take to re-create,’” said Xenakis-Makowski, who has since spoken at conferences for school officials about the importance of having cyber insurance. She said the district did not discuss the ransom decision publicly at the time in part to avoid a prolonged debate over the ethics of paying. “There’s just certain things you have to do to make things work,” she said.

Ransomware is one of the most common cybercrimes in the world. Although it is often cast as a foreign problem, because hacks tend to originate from countries such as Russia and Iran, ProPublica has found that American industries have fostered its proliferation. We reported in May on two ransomware data recovery firms that purported to use their own technology to disable ransomware but in reality often just paid the attackers. One of the firms, Proven Data, of Elmsford, New York, tells victims on its website that insurance is likely to cover the cost of ransomware recovery.

Lloyd’s of London, the world’s largest specialty insurance market, said it pioneered the first cyber liability policy in 1999. Today, it offers cyber coverage through 74 syndicates — formed by one or more Lloyd’s members such as Beazley joining together — that provide capital and accept and spread risk. Eighty percent of the cyber insurance written at Lloyd’s is for entities based in the U.S. The Lloyd’s market is famous for insuring complex, high-risk and unusual exposures, such as climate-change consequences, Arctic explorers and Bruce Springsteen’s voice.

Many insurers were initially reluctant to cover cyber disasters, in part because of the lack of reliable actuarial data. When they protect customers against traditional risks such as fires, floods and auto accidents, they price policies based on authoritative information from national and industry sources. But, as Lloyd’s noted in a 2017 report, “there are no equivalent sources for cyber-risk,” and the data used to set premiums is collected from the internet.

Such publicly available data is likely to underestimate the potential financial impact of ransomware for an insurer. According to a report by global consulting firm PwC, both insurers and victimized companies are reluctant to disclose breaches because of concerns over loss of competitive advantage or reputational damage.

Despite the uncertainty over pricing, dozens of carriers eventually followed Lloyd’s in embracing cyber coverage. Other lines of insurance are expected to shrink in the coming decades, said Nordman, the former regulator. Self-driving cars, for example, are expected to lead to significantly fewer car accidents and a corresponding drop in premiums, according to estimates. Insurers are seeking new areas of opportunity, and “cyber is one of the small number of lines that is actually growing,” Nordman said.

Driven partly by the spread of ransomware, the cyber insurance market has grown rapidly. Between 2015 and 2017, total U.S. cyber premiums written by insurers that reported to the NAIC doubled to an estimated $3.1 billion, according to the most recent data available.

Cyber policies have been more profitable for insurers than other lines of insurance. The loss ratio for U.S. cyber policies was about 35% in 2018, according to a report by Aon, a London-based professional services firm. In other words, for every dollar in premiums collected from policyholders, insurers paid out roughly 35 cents in claims. That compares to a loss ratio of about 62% across all property and casualty insurance, according to data compiled by the NAIC of insurers that report to them.

Besides ransomware, cyber insurance frequently covers costs for claims related to data breaches, identity theft and electronic financial scams. During the underwriting process, insurers typically inquire about a prospective policyholder’s cyber security, such as the strength of its firewall or the viability of its backup files, Nordman said. If they believe the organization’s defenses are inadequate, they might decline to write a policy or charge more for it, he said.

North Dakota Insurance Commissioner Jon Godfread, chairman of the NAIC’s innovation and technology task force, said some insurers suggest prospective policyholders hire outside firms to conduct “cyber audits” as a “risk mitigation tool” aimed to prevent attacks — and claims — by strengthening security. “Ultimately, you’re going to see that prevention of the ransomware attack is likely going to come from the insurance carrier side,” Godfread said. “If they can prevent it, they don’t have to pay out a claim, it’s better for everybody.”

Not all cyber insurance policies cover ransom payments. After a ransomware attack on Jackson County, Georgia, last March, the county billed insurance for credit monitoring services and an attorney but had to pay the ransom of about $400,000, County Manager Kevin Poe said.

Other victims have struggled to get insurers to pay cyber-related claims. Food company Mondelez International and pharmaceutical company Merck sued insurers last year in state courts after the carriers refused to reimburse costs associated with damage from NotPetya malware. The insurers cited “hostile or warlike action” or “act of war” exclusions because the malware was linked to the Russian military. The cases are pending.

The proliferation of cyber insurers willing to accommodate ransom demands has fostered an industry of data recovery and incident response firms that insurers hire to investigate attacks and negotiate with and pay hackers. This year, two FBI officials who recently retired from the bureau opened an incident response firm in Connecticut. The firm, The Aggeris Group, says on its website that it offers “an expedient response by providing cyber extortion negotiation services and support recovery from a ransomware attack.”

Ramarcus Baylor, a principal consultant for The Crypsis Group, a Virginia incident response firm, said he recently worked with two companies hit by ransomware. Although both clients had backup systems, insurers promised to cover the six-figure ransom payments rather than spend several days assessing whether the backups were working. Losing money every day the systems were down, the clients accepted the offer, he said.

Crypsis CEO Bret Padres said his company gets many of its clients from insurance referrals. There’s “really good money in ransomware” for the cyberattacker, recovery experts and insurers, he said. Routine ransom payments have created a “vicious circle,” he said. “It’s a hard cycle to break because everyone involved profits: We do, the insurance carriers do, the attackers do.”

Chris Loehr, executive vice president of Texas-based Solis Security, said there are “a lot of times” when backups are available but clients still pay ransoms. Everyone from the victim to the insurer wants the ransom paid and systems restored as fast as possible, Loehr said. “They figure out that it’s going to take a month to restore from the cloud, and so even though they have the data backed up,” paying a ransom to obtain a decryption key is faster, he said.

“Let’s get it negotiated very quickly, let’s just get the keys, and get the customer decrypted to minimize business interruption loss,” he continued. “It makes the client happy, it makes the attorneys happy, it makes the insurance happy.”

If clients morally oppose ransom payments, Loehr said, he reminds them where their financial interests lie, and of the high stakes for their businesses and employees. “I’ll ask, ‘The situation you’re in, how long can you go on like this?’” he said. “They’ll say, ‘Well, not for long.’ Insurance is only going to cover you for up to X amount of dollars, which gets burned up fast.”

“I know it sucks having to pay off assholes, but that’s what you gotta do,” he said. “And they’re like, ‘Yeah, OK, let’s get it done.’ You gotta kind of take charge and tell them, ‘This is the way it’s going to be or you’re dead in the water.’”

Lloyd’s-backed CFC, a specialist insurance provider based in London, uses Solis for some of its U.S. clients hit by ransomware. Graeme Newman, chief innovation officer at CFC, said “we work relentlessly” to help victims improve their backup security. “Our primary objective is always to get our clients back up and running as quickly as possible,” he said. “We would never recommend that our clients pay ransoms. This would only ever be a very final course of action, and any decision to do so would be taken by our clients, not us as an insurance company.”

As ransomware has burgeoned, the incident response division of Solis has “taken off like a rocket,” Loehr said. Loehr’s need for a reliable way to pay ransoms, which typically are transacted in digital currencies such as Bitcoin, spawned Sentinel Crypto, a Florida-based money services business managed by his friend, Wesley Spencer. Sentinel’s business is paying ransoms on behalf of clients whose insurers reimburse them, Loehr and Spencer said. New York-based Flashpoint also pays ransoms for insurance companies.

Hofmann, the vice president, said insurers typically give policyholders a toll-free number to dial as soon as they realize they’ve been hit. The number connects to a lawyer who provides a list of incident response firms and other contractors. Insurers tightly control expenses, approving or denying coverage for the recovery efforts advised by the vendors they suggest. “Carriers are absolutely involved in the decision making,” Hofmann said. On both sides of the attack, “insurance is going to transform this entire market,” he said.

On June 10, Lake City government officials noticed they couldn’t make calls or send emails. IT staff then discovered encrypted files on the city’s servers and disconnected the infected servers from the internet. The city soon learned it was struck by Ryuk ransomware. Over the past year, unknown attackers using the Ryuk strain have besieged small municipalities and technology and logistics companies, demanding ransoms up to $5 million, according to the FBI.

Shortly after realizing it had been attacked, Lake City contacted the Florida League of Cities, which provides insurance for more than 550 public entities in the state. Beazley is the league’s reinsurer for cyber coverage, and they share the risk. The league declined to comment.

Initially, the city had hoped to restore its systems without paying a ransom. IT staff was “plugging along” and had taken server drives to a local vendor who’d had “moderate success at getting the stuff off of it,” Lee said. However, the process was slow and more challenging than anticipated, he said.
As the local technicians worked on the backups, Beazley requested a sample encrypted file and the ransom note so its approved vendor, Coveware, could open negotiations with the hackers, said Steve Roberts, Lake City’s director of risk management. The initial ransom demand was 86 bitcoin, or about $700,000 at the time, Coveware CEO Bill Siegel said. “Beazley was not happy with it — it was way too high,” Roberts said. “So [Coveware] started negotiations with the perps and got it down to the 42 bitcoin. Insurance stood by with the final negotiation amount, waiting for our decision.” Lee said Lake City may have been able to achieve a “majority recovery” of its files without paying the ransom, but it probably would have cost “three times as much money trying to get there.” The city fired its IT director, Brian Hawkins, in the midst of the recovery efforts. Hawkins, who is suing the city, said in an interview posted online by his new employer that he was made “the scapegoat” for the city’s unpreparedness. The “recovery process on the files was taking a long time” and “the lengthy process was a major factor in paying the ransom,” he said in the interview. On June 25, the day after the council meeting, the city said in a press release that while its backup recovery efforts “were initially successful, many systems were determined to be unrecoverable.” Lake City fronted the ransom amount to Coveware, which converted the money to bitcoin, paid the attackers and received a fee for its services. The Florida League of Cities reimbursed the city, Roberts said. Lee acknowledged that paying ransoms spurs more ransomware attacks. But as cyber insurance becomes ubiquitous, he said, he trusts the industry’s judgment. “The insurer is the one who is going to get hit with most of this if it continues,” he said. 
“And if they’re the ones deciding it’s still better to pay out, knowing that means they’re more likely to have to do it again — if they still find that it’s the financially correct decision — it’s kind of hard to argue with them because they know the cost-benefit of that. I have a hard time saying it’s the right decision, but maybe it makes sense with a certain perspective.” The post The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks appeared first on Emsisoft | Security Blog. View the full article
9. The biggest change in 2019.7 is the introduction of a new relay feature designed to help people with multiple Emsisoft-protected devices reduce unnecessary Internet traffic.

Emsisoft’s protection software automatically updates every hour to make sure that all malware detection patterns are kept up to date to combat the latest threats. When doing online updates, the software only downloads the data that’s missing on your particular device. With the combination of differential and incremental update techniques, the overall required Internet traffic averages out to about 20-30 MB per day. While that might not sound like much, it adds up throughout the month, especially if you’re on a limited data plan, connected through expensive mobile (3G/4G) networks or operate a large number of devices that all need to be updated regularly.

To reduce the required total update traffic, we’ve built a new feature that allows you to define one (or more) Emsisoft-protected devices that act as a relay/cache-proxy for all traffic to and from the Emsisoft servers. All data that has been downloaded once will be cached locally to avoid unnecessary duplicate downloads. If you have a local network (no matter if you have 3 devices at home or 500+ in a corporate environment) you can save a significant amount of unnecessary traffic by using that relay feature. For example, in a network with 10 devices, the overall traffic could potentially be reduced to as much as one-tenth of the original volume.

Benefits of the Emsisoft Relay Feature

- Caching: With a relay in place, each file is only transferred once and then provided to the other devices from the local cache.
- Speed: Online updates are accelerated, especially when using slower Internet connections.
- Bandwidth: In larger networks, uplink congestion in the mornings (when many devices get online at the same time) can be avoided.
- Firewall compatible: Only the relay device needs to be able to access the Internet, or, more precisely, the Emsisoft servers. Other local devices can stay ‘offline’ behind your network firewall, but still get Emsisoft updates.
- Proxy protection: The Emsisoft relay only lets data to Emsisoft servers through and can’t be used to bypass firewalls or proxies for accessing the Internet.

How to enable a traffic relay

The relay feature can be enabled for individual devices in your Emsisoft Cloud Console workspace.

1. Log in at MyEmsisoft, navigate to your workspace and select the device that you wish to act as a relay.
2. Go to the ‘Protection Settings’ of that device and scroll down to the bottom of the settings panel. Enable the option ‘Device can be used as traffic relay’.
3. Navigate up to the ‘Protection Policies’ in your workspace, select a policy group that contains your devices and go to the ‘Traffic relay’ setting in the top right. Select the previously defined relay device from the dropdown box.

That’s all you need to do. All devices in that policy group will connect to your relay from now on. If the relay is not available for any reason (e.g. when you use that device while traveling), the other devices will try to connect to the Emsisoft servers directly or via their local proxy settings (if any).

All 2019.7 improvements in a nutshell

Emsisoft Anti-Malware
- New traffic relay/cache proxy feature.
- New remote management integration with Datto RMM.
- Several minor tweaks and fixes.

Note: This update may require a system reboot in certain situations. We apologize that we couldn’t find a way to avoid that.

MyEmsisoft/Cloud Console
- New traffic relay/cache proxy feature.
- Added options to cancel and restart a subscription.
- Improved policy template editor.
- Improved workspace dashboard, now also displaying unmanaged devices.
- Added workspace removal feature.
- Improved mobile app view.
- Improved login procedure.
- Improved user account security.
- Improved infrastructure hardening against attacks.
- Several minor tweaks and fixes.

How to obtain the new version

As always, so long as you have auto-updates enabled in the software, you will receive the latest version automatically during your regularly scheduled updates, which are hourly by default.

Note to Enterprise users: If you have chosen to receive “Delayed” updates in the Update settings for your clients, they will receive the new software version no earlier than 30 days after the regular “Stable” availability. This gives you time to perform internal compatibility tests before a new version gets rolled out to your clients automatically.

Have a great and well-protected day!

The post New in 2019.7: Local traffic relay to proxy and cache updates appeared first on Emsisoft | Security Blog.
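Two properties of the traffic relay described in the 2019.7 post above are worth understanding (and checking) before you route a whole policy group through one device: the relay fetches each update file from the vendor once and answers every other device from its cache, and it forwards only requests addressed to the vendor’s servers, so the one host your firewall allows out cannot be turned into a general-purpose proxy. The post does not describe the relay’s protocol, so the following is an added example, not Emsisoft’s code: a small in-memory model of an allowlisted caching relay with the direct-download fallback the post mentions. The host name update.example-vendor.test, the file paths and the upstream catalogue are constructed for the example. One caveat the post does not address: because every device’s updates now flow through a single machine, endpoints must keep verifying what they receive exactly as they would when talking to the vendor directly; that verification is not modelled here.

```python
"""Allowlisted caching update relay (added example, not Emsisoft's code).

Models: cache-once/serve-many, refusal of non-vendor origins, and the
endpoint's fallback to a direct download when the relay is unreachable.
Host name, paths and upstream catalogue below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Assumed vendor update host; the real hostnames are not given in the post.
ALLOWED_UPSTREAMS = frozenset({"update.example-vendor.test"})

# Constructed catalogue standing in for the vendor's update servers.
UPSTREAM_FILES = {
    "https://update.example-vendor.test/sigs/2019.7/delta-0001.bin": b"sig-delta-1",
    "https://update.example-vendor.test/sigs/2019.7/delta-0002.bin": b"sig-delta-2",
}


def fake_upstream(url: str) -> bytes:
    """Stand-in for an HTTPS GET against the vendor."""
    if url not in UPSTREAM_FILES:
        raise ConnectionError(f"upstream has no such file: {url}")
    return UPSTREAM_FILES[url]


class RelayRefused(Exception):
    """The relay will not forward a request for a non-allowlisted origin."""


@dataclass
class Relay:
    fetch: Callable[[str], bytes]            # how the relay reaches the vendor
    online: bool = True                      # False simulates the relay being away
    cache: Dict[str, bytes] = field(default_factory=dict)
    upstream_fetches: int = 0                # files actually pulled from the vendor
    served: int = 0                          # requests answered to local devices

    def get(self, url: str) -> bytes:
        parts = urlsplit(url)
        # Allowlist first: a relay that forwarded arbitrary URLs would be an
        # open proxy sitting on the one host the firewall lets out. Checking
        # parts.hostname (not the raw netloc) also defeats user@host tricks.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_UPSTREAMS:
            raise RelayRefused(f"refusing to relay {url!r}")
        if not self.online:
            raise ConnectionError("relay unreachable")
        key = f"{parts.hostname}{parts.path}"
        if key not in self.cache:              # first request for this file
            self.cache[key] = self.fetch(url)
            self.upstream_fetches += 1
        self.served += 1
        return self.cache[key]


@dataclass
class Client:
    """A protected device: prefers its policy's relay, else downloads directly."""
    direct_fetch: Callable[[str], bytes]
    relay: Optional[Relay] = None

    def download(self, url: str) -> bytes:
        if self.relay is not None:
            try:
                return self.relay.get(url)
            except ConnectionError:
                pass                           # relay away: go direct / via local proxy
        return self.direct_fetch(url)


def relay_refuses(url: str) -> bool:
    """True if a fresh relay rejects the URL on allowlist grounds."""
    try:
        Relay(fetch=fake_upstream).get(url)
    except RelayRefused:
        return True
    return False


def simulate(n_clients: int, relay_online: bool = True, use_relay: bool = True) -> dict:
    """One hourly update round for n devices; returns where the bytes came from."""
    relay = Relay(fetch=fake_upstream, online=relay_online) if use_relay else None
    direct_downloads = 0

    def counted_direct(url: str) -> bytes:
        nonlocal direct_downloads
        direct_downloads += 1
        return fake_upstream(url)

    clients = [Client(direct_fetch=counted_direct, relay=relay) for _ in range(n_clients)]
    for client in clients:
        for url, expected in UPSTREAM_FILES.items():
            assert client.download(url) == expected   # every device ends up current
    return {
        "vendor_fetches_via_relay": relay.upstream_fetches if relay else 0,
        "served_from_relay": relay.served if relay else 0,
        "direct_downloads": direct_downloads,
    }
```

With ten devices and two update files per round, simulate(10) reports two vendor fetches against twenty without a relay, which is the one-tenth figure the post gives; simulate(10, relay_online=False) shows all twenty going direct when the relay is away. On a real deployment the check to run is the refusal path: from a client behind the firewall, ask the relay for a non-vendor URL (including forms like https://vendor-host@other-host/) and confirm it is rejected rather than forwarded.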
10. Three years ago today, No More Ransom was launched. Designed to combat the growing ransomware threat, No More Ransom has helped hundreds of thousands of ransomware victims since its inception and prevented millions of dollars from falling into the hands of cybercriminals. Read on to learn more about No More Ransom and the role it plays in the ransomware epidemic.

What is No More Ransom?

No More Ransom is an anti-ransomware portal that hosts a number of free decryption tools and educates users about preventing infections. It was first launched in 2016 as a joint initiative between the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky Lab and Intel Security (now McAfee). Since its launch, more than 150 partners have joined the project, including Internet security companies, law enforcement agencies, computer emergency response teams (CERTs), telecommunications companies and more.

“No More Ransom brings hope to the victims, a real window of opportunity, but also delivers a clear message to the criminals: the international community stands together with a common goal, operational successes are and will continue to bring the offenders to justice,” explained Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3), in a press release.

Emsisoft: a proud contributor to the No More Ransom project

Emsisoft is at the forefront of the battle against ransomware and is proud to be an active contributor to the No More Ransom project. In fact, Emsisoft has made 32 of the 82 decryptors available on the No More Ransom portal. In total, the decryptors have helped more than 200,000 ransomware victims recover their files for free and prevented cybercriminals from making more than $108 million in extortion money. These figures are based on confirmed decryptions and may differ from the download-based statistics we’ve referred to in the past.

Today, the tools available on No More Ransom can decrypt 109 different types of ransomware infections, with 14 new tools already added in 2019. The portal is available in 26 languages and has been accessed from 188 countries around the world.

From all of us here at Emsisoft, we’d like to say happy anniversary to the No More Ransom team and salute them for their efforts in the ongoing battle against ransomware.

Before you go, check out this infographic by No More Ransom and Europol/EC3 (yes, we’re proud to be a top decryption tools contributor to No More Ransom!):

The post No More Ransom project saves victims more than $108 million since launching 3 years ago appeared first on Emsisoft | Security Blog.
11. We’re continuously improving our protection software and its cloud management console. This month’s release delivers a new license import wizard for newly created workspaces, as well as a series of fine tuning changes. In addition, we have migrated our online systems to a platform that allows for further growth.

All 2019.6 improvements in a nutshell

Emsisoft Anti-Malware
- Improved user interface for visually impaired users.
- Improved support for third-party remote management.
- Stability improvements in Commandline Scanner.
- Several minor tweaks and fixes.

MyEmsisoft/Cloud Console
- New license import wizard for newly created workspaces.
- Workspace dashboard: New label that indicates the number of custom settings edits for each device.
- Workspace dashboard: Added display showing the most recent disk scan findings.
- Added ability to trial different product editions.
- Improved mobile app view.
- Several minor tweaks and fixes.

How to obtain the new version

As always, so long as you have auto-updates enabled in the software, you will receive the latest version automatically during your regularly scheduled updates, which are hourly by default.

Note to Enterprise users: If you have chosen to receive “Delayed” updates in the Update settings for your clients, they will receive the new software version no earlier than 30 days after the regular “Stable” availability. This gives you time to perform internal compatibility tests before a new version gets rolled out to your clients automatically.

Have a great and well-protected day!

The post New in 2019.6: Additional Improvements and Fine tuning appeared first on Emsisoft | Security Blog.
12. Virus Bulletin is an independent certification body headquartered in the UK. The group recently released the results of its June tests, and we’re happy to report that Emsisoft Anti-Malware has once again been awarded the VB100!

The VB100 testing process

The VB100 award certifies that a security product can provide a certain level of protection against modern malware. To earn the VB100, a product has to pass a range of tests. The tests are performed on a physical computer or virtual machine with specifications similar to those you would find on a typical business PC. During the tests, the security products are exposed to a few thousand malicious samples curated from various places, including:

- The WildList set: A set of well-vetted malware samples curated by the WildList Organization.
- The AMTSO RTTL set: A continuous feed of new samples collected by experts from around the world and stored by the Anti-Malware Testing Standards Organization.
- The Diversity set: A set of samples collected by Virus Bulletin.

The tests also include a false positive component, which is designed to test how effectively a product can distinguish malicious files from safe files. The products are exposed to a subset of 100,000 files taken from the Clean set, which is a collection of 400,000 benign files harvested from popular software downloads.

To be awarded VB100 certification, a security product has to meet the following criteria:

- Detect at least 99.95 percent of the malicious samples.
- Identify no more than 0.01 percent of the clean samples as malicious.

The results

We’re delighted to announce that Emsisoft Anti-Malware flew through the test and was consequently awarded the VB100. Our software achieved a perfect score in all categories, detecting 100 percent of the 2,236 malware samples used in the tests while generating no false positives.

About Virus Bulletin

Virus Bulletin is a widely recognized name in the antivirus industry. For more than 20 years, the organization has been performing independent tests that offer important insight into the capabilities of antivirus software. The VB100 signifies that a product is legitimate and can generally be trusted to provide a certain level of protection against malware.

Click here to see the full report, or click here to have a look at some of the other awards we’ve won in the past.

The post Emsisoft awarded VB100 in June 2019 tests appeared first on Emsisoft | Security Blog.
13. Emsisoft Cloud Console, our new web app for centrally managing endpoint protection, received some significant improvements this month. While the console is still in Beta stage, it’s getting more useful every day and we encourage you to give it a try.

Important: This release requires a restart of Windows to activate support for Retpoline, a mitigation for the Spectre Variant 2 vulnerability.

New Workspace Dashboard

We have enhanced the main starting point for most Cloud Console users, the Workspace Dashboard. Now it not only shows a list of devices and their protection status, but also highlights things that require your attention. It provides you with all the useful information you need to get a quick overview of what’s going on.

New Emsisoft Cloud Console Workspace Dashboard

Highlights:

- New search box to filter the devices list by device name, policy name, user or custom comments.
- New “Unresolved issues” section that provides quick access to fix protection issues such as disabled components or missing updates.
- New charts for device activity and license information.
- New chart for recent real-time protection alerts on your devices.
- New detail lists for recent scanner and real-time protection findings, including related quarantine actions.

Beta feedback

Let us know what you think at [email protected] We are thankful for any input, be it positive or negative. Note that the Emsisoft Cloud Console is still in the Beta testing stage, which means unexpected errors may occur and some things may not be completely finished or fully translated yet. New functionality is being added every month. Please check out our Beta Testing Instructions and the User Guide for details on all features.

All 2019.5 improvements in a nutshell

Emsisoft Anti-Malware
- Several minor tweaks and fixes.

MyEmsisoft
- New Workspace Dashboard with extended information on device activity, findings, quarantine actions and licensing.
- Several minor tweaks and fixes.

How to obtain the new version

As always, so long as you have auto-updates enabled in the software, you will receive the latest version automatically during your regularly scheduled updates, which are hourly by default.

Note to Enterprise users: If you have chosen to receive “Delayed” updates in the Update settings for your clients, they will receive the new software version no earlier than 30 days after the regular “Stable” availability. This gives you time to perform internal compatibility tests before a new version gets rolled out to your clients automatically.

Have a great and well-protected day!

The post New in 2019.5: Improved MyEmsisoft Dashboard (Beta) appeared first on Emsisoft | Security Blog.
14. Our development teams are making good progress with Cloud Console, Emsisoft’s brand new web app for centrally managing your malware protection on all your devices. It’s still in beta stage but getting more useful for the most common tasks day by day. Check out the latest improvements!

Connecting Emsisoft Anti-Malware to the Cloud Console

Open the software, go to Settings and select the ‘Remote Management’ section. Click the ‘Join workspace’ button to log in with your user account and select your preferred workspace.

Connecting Emsisoft Anti-Malware with Emsisoft Cloud Console

If you can’t see any workspaces with valid licenses, you’ll have to create one first. Open MyEmsisoft in your browser, go to ‘Workspaces’ – ‘Dashboard’ and click ‘Create workspace’. Note that your workspace requires a valid license, so you can transfer your personal license to the new workspace or apply a new license.

Connect your existing device by using the installer

Alternatively, if you want to avoid the login action in Emsisoft Anti-Malware, you can also use the ‘Add device’ button in your workspace to get a small installer download that automatically connects your device with the Cloud Console. This is also the recommended way of migrating devices from Emsisoft Enterprise Console to Emsisoft Cloud Console.

Beta feedback

Let us know what you think at [email protected] We are thankful for any input, be it positive or negative. Note that the Emsisoft Cloud Console is still in the Beta testing stage, which means unexpected errors may occur and some things may not be completely finished or fully translated yet. New functionality will be added every month. Please check out our Beta Testing Instructions and the User Guide for details on all features.

All 2019.4 improvements in a nutshell

Emsisoft Anti-Malware
- New: Installer support to connect existing installations with Cloud Console.
- Merged license activation and workspace selection.
- Several minor tweaks and fixes.

MyEmsisoft
- Improved deployment: Installation tokens are now defined in protection policies, so you can select which policy group newly installed devices will be automatically assigned to at installation time.
- Improved remote malware scan interface to match what’s visible on the device.
- Several minor tweaks and fixes.

How to obtain the new version

As always, so long as you have auto-updates enabled in the software, you will receive the latest version automatically during your regularly scheduled updates, which are hourly by default.

Note to Enterprise users: If you have chosen to receive “Delayed” updates in the Update settings for your clients, they will receive the new software version no earlier than 30 days after the regular “Stable” availability. This gives you time to perform internal compatibility tests before a new version gets rolled out to your clients automatically.

Have a great and well-protected day!

The post New in 2019.4: Improved Emsisoft Cloud Console connection (Beta) appeared first on Emsisoft | Security Blog.
15. Independent certification body Virus Bulletin recently released the results of their latest round of VB100 tests. Once again, we’re happy to announce that Emsisoft Anti-Malware aced the tests and walked away with a perfect score!

What is the VB100?

The VB100 is a certification test designed to evaluate the detection capabilities of antivirus software. To perform the tests, each antivirus product is installed on a physical computer or virtual machine with specifications you would expect to find on a business PC. The products are installed with default configurations on a clean, dedicated instance of Windows. Each test is performed on two different systems, one running Windows 7, the other running Windows 10.

The security products are then exposed to a range of malicious samples taken from various malware sets, including:

- The WildList set: A set of a few thousand samples curated by the WildList Organization.
- The AMTSO RTTL: The Real-Time Threat List is a continuous feed of 1,200-3,000 new samples collected by malware experts around the world and managed by the Anti-Malware Testing Standards Organization.
- The Diversity set: A set of 1,000-2,000 recent malware samples.

The products also scanned a subset of 100,000 files taken from the clean sample set, which is a collection of 400,000 non-malicious files.

To achieve VB100 certification, a security product had to meet the following criteria:

- Identify at least 99.95 percent of malicious samples.
- Generate no more than 0.01 percent false positives.

How did we do?

We’re delighted to report that Emsisoft Anti-Malware achieved a perfect score in every category. Our flagship software identified 100 percent of the 2000+ malware samples used in the tests while generating zero false positives along the way, earning it VB100 certification. We’re pleased to see Emsisoft Anti-Malware excelling in test conditions, and we’ll continue working hard to provide the best malware protection on the planet!

About Virus Bulletin

Virus Bulletin is a security information portal, testing and certification body based in the UK. VB100 certification tests are designed to assess the detection capabilities of endpoint security solutions. A product that has been awarded VB100 certification can generally be trusted to provide a certain level of protection against malware.

Click here to see the full report, or click here to have a look at some of the other awards we’ve won in the past.

Have a good (malware-free) day!

The post Emsisoft Awarded VB100 certification in April 2019 tests appeared first on Emsisoft | Security Blog.