Raz-Lee Simulates Ransomware Attack on IBM i
August 12, 2020 Alex Woodie
How would your IBM i server react to a ransomware attack? Would it successfully repel the invaders, or would it give the bad guys what they’re after: chaos and bitcoin? Simulating a ransomware attack is the gist of a new feature in Anti-Ransomware from Raz-Lee Security, which recently shipped a new release of the software.
Raz-Lee Security debuted Anti-Ransomware back in 2018, a year after a pair of widespread ransomware attacks (WannaCry and Petya) made the computing world sit up and take notice of the new security threat blossoming on the Internet.
Anti-Ransomware uses a rules-based approach to detect the presence of active ransomware on IBM i servers. It specifically looks for activity involving IFS, the Windows-like file system that is susceptible to Windows malware, and which is the most common target of ransomware attacks on IBM i.
The software monitors the customer’s IFS for any unusual activity or changes to file names or extensions, which can be signs that ransomware is active. If it detects potential ransomware activity, the software stops the attack by disconnecting the IBM i from the network. It also sends alerts to administrators and SIEM (security information and event management) systems, and can shut down the PC that’s the source of the attack.
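A rule of the kind described above, watching for bursts of file-extension changes coming from one client, can be shown in a few lines of Python. This is an added example, not Raz-Lee's code or rule set; the event format, client names, paths, threshold and time window are assumptions constructed for illustration.

```python
from collections import deque
from pathlib import PurePosixPath

# Constructed sample rename events: (epoch_seconds, client, old_path, new_path)
SAMPLE_EVENTS = [
    (100, "pc-02", "/home/ap/notes.txt", "/home/ap/notes.bak"),
    (101, "pc-17", "/share/fin/q1.xlsx", "/share/fin/q1.xlsx.locked"),
    (102, "pc-17", "/share/fin/q2.xlsx", "/share/fin/q2.xlsx.locked"),
    (103, "pc-02", "/home/ap/draft.doc", "/home/ap/final.doc"),
    (104, "pc-17", "/share/fin/q3.xlsx", "/share/fin/q3.xlsx.locked"),
    (106, "pc-17", "/share/hr/staff.pdf", "/share/hr/staff.pdf.locked"),
    (400, "pc-02", "/home/ap/old.csv", "/home/ap/old.txt"),
]


def extension_changed(old_path, new_path):
    """True when a rename alters the file's final extension."""
    old_ext = PurePosixPath(old_path).suffix.lower()
    new_ext = PurePosixPath(new_path).suffix.lower()
    return old_ext != new_ext


def detect_rename_bursts(events, threshold=3, window=10):
    """Alert once per client that changes the extension of at least
    `threshold` files within `window` seconds.

    Returns (client, alert_time, files_changed_so_far) tuples. The third
    field is the number of files already touched when the rule fires,
    which is the cost of choosing a higher threshold.
    """
    recent = {}      # client -> timestamps of recent extension changes
    alerted = set()  # clients that have already raised an alert
    alerts = []
    for ts, client, old_path, new_path in sorted(events):
        if not extension_changed(old_path, new_path):
            continue  # ordinary rename, extension untouched
        times = recent.setdefault(client, deque())
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()  # drop changes that fell out of the window
        if len(times) >= threshold and client not in alerted:
            alerted.add(client)
            alerts.append((client, ts, len(times)))
    return alerts


if __name__ == "__main__":
    for limit in (1, 3, 5):
        print(limit, detect_rename_bursts(SAMPLE_EVENTS, threshold=limit))
```

With these events a threshold of 1 also flags the single legitimate extension change from pc-02, a threshold of 3 flags only pc-17 after its third file, and a threshold of 5 never fires even though four files were changed.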
With the new release of Anti-Ransomware unveiled last month, Raz-Lee is including a new PC-based component that launches a simulated ransomware attack on the IBM i server. The simulations, which can emulate attacks known as Sodinokibi, Ryuk, CryptoLocker, or WannaCry, can help to pinpoint problems in the company’s ransomware response ahead of time.
“Simulated attacks are completely safe, but the IBM i sees them as realistic ransomware attacks,” the company states. “With these combined capabilities, organizations can have confidence that their IBM i is well protected.”
Running a simulated attack helps IBM i shops fine-tune the product, says Shmuel Zailer, CEO of Raz-Lee Security.
“It is the only way to verify that Anti-Ransomware is properly installed and working,” he tells IT Jungle via email. “It helps you learn how many files you would allow to be compromised before reacting, eliminating false positive alerts.”
IBM i shops aren’t immune to ransomware. There are no reports of data stored in the Db2 for i database being corrupted by a ransomware attack, but several customers have reported the contents of their IFS stores being encrypted.
In a 2017 webinar, representatives of HelpSystems related stories of two IBM i shops that fell victim to ransomware attacks, including one that paid the $200,000 ransom to get the encryption key; the other had good backups, but still required a month to rebuild the system.
IBM i shops should continue to be vigilant regarding potential Internet-borne threats during the current period of unrest, Zailer says.
“During this COVID-19 pandemic, ransomware and other cyber-attacks have increased, targeting healthcare, financial, and government organizations,” Zailer states in a press release. “Cybercriminals are looking to take advantage of this global crisis. Now more than ever, it is important to ensure that IT systems are safe.”
Zailer pointed out that Sapiens, a developer of decision management software that runs on IBM i and other platforms, recently fell victim to a ransomware attack. The company, which has operations in the United States and Israel, paid $250,000 in bitcoin to get the decryption key, according to an article in CTech.
It’s unclear what systems at Sapiens were involved in the attack, but there is some speculation that the work-from-home mandate instituted by many companies in response to the COVID-19 pandemic may have played a role.