Emotet Returns

Emotet Trojan


Since its initial discovery in 2014, the Emotet trojan has become an increasingly dangerous and persistent threat to users and organisations across the globe. The US Department of Homeland Security CISA division, refers to emotet as ‘among the most costly and destructive malware’ affecting from small to large scale organisations of both the private and public sectors.

Emotet started out as a way to steal users banking details, the scope and capabilities of this trojan have changed drastically.

From spreading itself across a network infecting other machines to skimming Outlook contact information to use in spear phishing attacks to stealing browser history, user credentials and installing other malware such as backdoors and ransomware, emotet can be extremely damaging to an organisation. Also, due to Emotet being polymorphic and able to constantly change and modify itself, it is increasingly difficult to detect and prevent against using typical signature-based methods with hundreds of unique payload variants discovered daily.

Phishing Email Example

Phishing Email Example

Emotet trojans will generally arrive on a user’s machine via emails like the above example. Spam emails spoofing common brands and institutions (banks, government departments) with layouts and language designed to encourage the user to click on the malicious attachment or link to sites hosting the document for download.

Crimeware-as-a-service (CaaS) helps ensure that new versions of these email attachments can be generated and distributed on a near constant basis ensuring its ability to evade traditional AV on Zero-day.

We regularly see new Emotet detections and an example of a malicious emotet attachment that one of our agents detected had been created only 4 hours prior.

VT History

In a short span of time, a new .doc attachment was generated with a new file hash value which would be unknown to a traditional AV solution was attached and emailed to an unsuspecting user ready for the morning inbox clear-out.

At the time of the detection, our threat researcher uploaded a copy of the threat file to VirusTotal where only 8 other Vendors were aware of and had the file marked as malicious.

VT Detections

This means that on many other AV solutions, the file would have been allowed to run and would not have been detected.

For this example, the user clicks on the attachment unaware as the document starts delivery of the Emotet payload.

From the attack storyline on our management console, we can see that as soon as the doc is opened, it attempts to utilise PowerShell to run obfuscated code. Code obfuscation is one of the methods used by hackers to evade static analysis engines in Anti-Virus and help disguise their activity.

Story Line

In this case, the PowerShell code attempts to create a network connection to reach out to a compromised domain online and download the additional emotet payload to the users’ machine to exploit further.

For any business, such an attack could cause severe consequences that would translate to high financial costs and reputational damage.

In this case, the threat was detected by the behavioural engine of the agent which was able to determine that the activity exhibited by the threat was malicious and then, autonomously killed and quarantined the threat from the users’ machine. After the threat was investigated by our security analysts, the threat was successfully remediated against without any disruption or compromise to the user’s machine.

Without our agent in place on the user’s machine, the result may not have been as favourable.


Alex James – Lead Security Analyst – Custodian360

5 Things Everyone Gets Wrong About Anti-Virus

It shouldn’t be news to anyone that cyber threats are on the increase, and the requirement to have an effective security solution has never been more pressing as advanced hacking techniques continue to proliferate in the wild.

With the market awash with vendors making bold claims and news stories making even bolder headlines, it can be hard to separate the fact from the fiction. If you’re new to endpoint security, here’s the five basic things to ensure that you get right about the options available.

1. Viruses Aren’t the Only Threat

Security threats have evolved beyond all recognition from the early days of the computer virus, but most security solutions still carry the term “anti-virus” in their name, which is really something of a misnomer in the modern threatscape.

The reality is that cyber attacks take many different forms that have nothing to do with being a virus, and they can range from the indiscriminate to the highly targeted. These include ransomware, spear-phishing, drive-by attacks and both software and hardware vulnerabilities that can lead to loss of customer and corporate data.

And don’t fall into the trap of thinking your business is too small to be targeted. Attackers are now weaponizing machine learning to produce highly-targeted campaigns, at low cost to themselves.

Also, don’t forget that threats can come from within; disgruntled employees know the weaknesses of your system better than any outsider. Good endpoint security needs to be able to detect bad behaviour no matter the point of origin.

2. Malicious Files Aren’t the Whole Story

Most people think that security software works by scanning files on the local computer and deciding whether they are malicious or not. Like the term ‘anti-virus’, that’s a bit of an old-fashioned way of thinking about it. Although there are still legacy AV programs that primarily work in that way, even they will usually offer some additional functions such as blocking malicious websites or detecting excessive use of resources typically used by ransomware and crypto-miners.

However, for truly effective protection, you should be looking at security solutions that do more than that. Today’s cyber criminals are able to leverage fileless attacks, change DNS settings to re-route your network traffic and inject code into legitimate processes. A legacy AV solution that primarily focuses on scanning for malicious files is, like last week’s soup, well past its sell-by-date.

3. Trust is a System Weak Point

As we hinted in the previous point, untrusted software is not the only danger on your endpoint. Even first-party and established software brands can be leveraged to breach your system.

While MS Office Macro attacks have a long history, Macro-less attacks such as DDE can exploit vulnerabilities that will bypass many security solutions because they appear to be coming from trusted applications. Similarly, most businesses will likely have a need for legitimate PowerShell operations, and yet PowerShell-powered attacks are becoming increasingly common. You need a security solution that’s smart enough to allow PowerShell to maintain your productivity, but also able to ensure that it can tell the difference between malicious and legitimate behaviour.

Modern malware can also run without interference on many systems running AV solutions if it is able to operate with system-level privileges, whether through a privilege escalation vulnerability or other methods of infection. This is because many AV packages take the wrong approach by granting trust by identity, rather than by behaviour. When security solutions take this kind of “whitelisting” approach, the endpoint is left vulnerable to supply chain attacks and fake certificates.

4. There’s Power in Simplicity

Security software doesn’t have to be hard to use, and you shouldn’t have to be a security expert to manage it. Unfortunately, a lot of security software gives business owners just that impression, overcomplicating things with diagnostic tools and components that require specialist training courses to master. Be sure to choose an endpoint solution that minimizes maintenance tasks, presents a clean, easy-to-understand interface and provides one-click remediation.

You want a solution that anyone in your team can quickly learn and operate. It’s important for business continuity that knowledge of your security solution is not tied to specially-trained members of staff. Who knows how long before they move on, taking their expert knowledge of your security solution with them?

5. Security is a Mindset, Not a Product

Probably the biggest thing you can get wrong about AV software is believing that it can solve all your security issues in one fell swoop. Threats come in many shapes and forms: from indiscriminate ransomware attacks to disgruntled employees. What’s your plan of action when (don’t think “if”) a breach occurs? How will you respond? Failure to have a response plan in place could mean greater damage to your customers, your data and your reputation.

This is why you need an endpoint solution that can be part of your entire response plan. A cross-platform solution like SentinelOne can provide deep visibility into even encrypted traffic across your network,  one-click remediation and rollback, and a single, holistic agent that’s simple to use.

Our Takeaway

Ignore the stereotype of sophisticated cybercriminals targeting billion-dollar businesses. Most attacks are opportunistic and target not the wealthy or famous, but the unprepared. According to a 2018 SentinelOne survey of US companies, 56 percent suffered a ransomware attack in the last year. Given that the majority of organisations will be hacked over their lifetime, it is imperative that organisations have the necessary tools to spot and stop an attack quickly and effectively.

This is why you need an endpoint solution that can be part of your entire response plan. A cross-platform solution like SentinelOne, provided by Custodian360 can provide deep visibility into even encrypted traffic across your network, one-click remediation and rollback, and a single, holistic agent that’s simple to use.


This blog was first posted by Migo Kedem

Trickbot Trojan On The Rise

Over the last month, we’ve noticed an increased amount of weaponised trojan documents detected by our Custodian360 agent.

Criminals have setup a large variety of fake email campaigns spoofing email domains to imitate genuine emails typically from financial institutions such as PayPal, HMRC, Sage, Barclays etc.  They typically use language which demand the user’s attention such as an “unpaid invoice” or “bill attached” and have a weaponised document attached for the user to open.

i Example of spoof email (Screenshot taken myonlinesecurity.co.uk)

Once opened, the threat will attempt to use exploits and vulnerabilities in Office to gain ability to create system process and download additional malicious payloads all without the users’ knowledge.

Whilst newer versions of Office have additional protections and countermeasures against this type of attach, many businesses still run older versions of Office. In a 2017 survey by Spiceworks, 68% of companies are still running instances of Office 2007 which won’t have sufficient protective measures in place against this type of threat.

Custodian360 effectively protects against this type of threat by using documents and scripts analysis engine to prevent their execution including unknown zero-day campaigns.

However, end users should still be advised to be vigilant and avoid opening unknown attachments and companies should be encouraged to move away from using older versions of office due to the vulnerabilities and increased security risk which these types of threats attempt to exploit.

Data Snapshot: The state of productivity suites in the workplace

Found on Spiceworks: https://community.spiceworks.com/software/articles/2873-data-snapshot-the-state-of-productivity-suites-in-the-workplace?utm_source=copy_paste&utm_campaign=growth

Alex James – Lead Security Analyst – Custodian360

Gartner’s New Buzzword

Gartner have a new buzzword, Endpoint Detection and Response (EDR). We want you to find the solutions that enable you to deliver it and deliver it profitably!

EDR – is the acronym for Endpoint Detection and Response which is one of the hottest topics for 2018 in the industry. 2017 saw the real emergence of EDR but 2018 is shaping up to dwarf last year.

Industry analyst Gartner, spawned the concept in 2013 has concluded that a more proactive approach is now needed, no longer can we simply attempt to block attacks, we must provide early and effective detection to minimise dwell time and damage and quite simply, this is what EDR provides.

EDR allows service providers, resellers and IT companies to climb the value chain by adding this solution to their portfolio and providing a valuable new layer of protection to customers’ security infrastructure.

All of this is great, but it only works of your chosen EDR is rapid to deploy, easy to use and manage and most importantly, profitable.

How do you make EDR profitable?

Complexity jumps straight out as a consideration; most solutions require multiple agents, and this adds a huge overhead into your management of the solution on your customers behalf. If they are managing themselves then it’s likely they won’t have the resource need to manage to solution.

Most EDR solutions, because of the way that they work are very “noisy”, huge amounts of alerts are generated, and these then have to be sifted through by a human. As has always been the case with other ground-breaking solutions, this makes them useless because of the time it takes to get to the right alerts.

It sounds as though all we are offering here is a complex and noisy solution. Unless this becomes a tick box on a compliance form will it ever offer value to you or your customers?

It’s a simple answer, and that answer is yes. Many new players are releasing their versions of EDR but the market leader is still SentinelOne and as their MSSP Partner Custodian360 simplifies the solution even more.

Custodian360: Giving you the tools and resource to provide value

Custodian360 is the only way to obtain SentinelOne as a fully managed service.

What does this mean for you? It means you can deploy the market leading EDR solution to your customers with no need to “skill up” or recruit new staff to manage a deluge of alerts every day or setup your own SOC to manage operations. Once the single agent is deployed, your job is done and Custodian360 take over operations entirely.

There are a number of features that Custodian360 provide and some of these are critical elements in any EDR solution:

  1. Rapid Deployment – Cloud Based Console up and running in minutes.
  2. Simple – There is only one agent, not many.
  3. Ease of use – A single console shows you everything you need to know.
  4. Automated Mitigation and Remediation – No need for you to manually intervene. Our analysts do that for you and remediate threats whenever necessary ensuring downtime is kept to an absolute minimum.
  5. Compatibility – Works with all Operating Systems and can co-exist with existing AV solutions.
  6. Artificial Intelligence and Machine Learning – Enables the agent to learn to identify false positives to reduce alerts and focus is given to real and dangerous threats.
  7. Automated Reporting and Alerting – Configure once and receive your reports monthly or weekly along with notifications of all alerts if required.

But do customers even want EDR?

I don’t think we’d be exaggerating if we said that customers’ demand for EDR is about to go stratospheric.

An EDR article in eSecurity Planet describes the growth in EDR as “explosive” and they report that Gartner’s forecast “is for almost 50% annual growth for EDR at least through 2020, putting it way out in front of most areas of IT”.

From this it’s a small step to work out the market value, again, according to Gartner’s EDR Estimates of some $1.5 billion – very likely when you consider that out of some 711 million devices that can make use of EDR, only 40 million currently do!

“Alert Fatigue” is already a well used term but a recent global EDR survey found that 72% of respondents report that their teams already suffer “alert fatigue” so if you can take away that fatigue for them and provide an effective and market leading solution, you can see why they will want to buy.

The message from the market is clear: for service providers, resellers and other IT partners, EDR is a revenue boost waiting to happen.

Just make sure you choose to sell solutions that are actually usable!

What is the Difference Between Traditional and Next-Generation Anti-Virus?

What is the Difference Between Traditional and Next-Generation Anti-Virus?


APRIL 12th, 2018 BY Andy James


One of the lessons learned by many businesses over the past three years of the ransomware age is that traditional signature-based anti-virus solutions are lacking the power to combat today’s flood of evasive malware.

This is why Custodian360 is excited to offer our Managed Security Services, a client security solution that leverages not only the SentinelOne Endpoint Protection engine but also Lookouts Mobile Threat Protection, powered by static and behavioural artificial intelligence, to deliver next-generation anti-virus (NGAV) capabilities.

So, what exactly is a NGAV solution, and why does it matter?

No signatures

Traditionally, anti-virus solutions (AV’s) have required frequent (daily or weekly) updates of their signature databases to protect against the latest threats. Custodian360 uses a static artificial intelligence (AI) engine to determine if new files are threats before they can execute. In addition, it has a behavioural AI engine to protect against file-less threats (e.g., PowerShell scripts, macros within documents, lateral movement, etc.).

No weekly updates

These AI engines do not require daily/weekly updates, as they “degrade” very gracefully over time. This is because the behavioural analysis engines do the work instead of matching files to an ever-aging database of file ID’s and signatures.

Even if customers upgrade their agents only once a year, they will have much greater protection than what traditional AV is able to provide. With the power of SentinelOne’s AI models, today’s zero-day attacks are instantly convicted by models developed in the past. This is the benefit of a mathematical approach to malware prevention, detection and response versus legacy, signature-based approaches.

No recurring scans

Apart from the management overhead of updating signatures, traditional AV’s also recommend recurring disk scans to make sure threats did not get in. These recurring scans are a big source of frustration for the end users, as their productivity is impacted during the scans. With Custodian360, these recurring scans are not required at all. End-users get much better performance and, in many cases, do not even know that the solution is installed.

No performance overhead

Another reason for the poor performance of traditional AV’s is that they became bloated by implementing many features, such as endpoint firewall, full-disk encryption, etc. Many of these features are now available on modern operating systems. Custodian360 was designed to orchestrate OS functionality instead of replicating it. This also translates into a much better end-user experience.

No cloud dependence

Another limitation of traditional AV’s is their reliance on cloud connectivity for best protection. Signature databases have grown so large that it is no longer possible to push the entire database down to the device. So, they keep the vast majority of signatures in the cloud, and only push the most prevalent signatures down to the agent.

Furthermore, end users frequently work in cafés, airports, hotels and other commercial facilities. In most of these cases, the Wi-Fi provider is supported by ad revenues, and encourage users to download the host’s tools (i.e., adware) to get free connectivity. These tools or the Wi-Fi access point can easily block access to the AV cloud, which poses a huge security risk. Custodian360 is fully autonomous and protects the user in these situations. The efficacy of the agent isn’t impacted by its connection to the internet.

NGAV for endpoints

I invite you to learn more about Custodian360, which not only provides NGAV capabilities, but also cloud-based reporting and real-time forensics.

To learn more, download the “Custodian360 powered by SentinelOne” data sheet.

Does Security as a Service Make Sense?

We hear a lot these days about everything as a Service and certainly, some of it makes sense. With services such Amazon Web Services and Microsoft’s Azure platform available it’s so cheap and easy to create a server that provides Public Applications, why would you bother hosting them in-house yourself?

But what about Security, surely this is something you need or want to have control of and there’s no real model for buying this as a Service is there?

That all depends on who you are of course, if we look the largest companies that span the globe they deliver many different types of services to their users, but they tend to provide it as a Service to them. If the business as a whole invests in setting up a Security Operations Centre (SOC), employing staff to run it and purchasing software and tools for them to use, then they don’t just swallow this cost. Different business units are often charged for using these services making them “as a Service”. It’s a good business model to recoup the millions of pounds that you’ve just spent on building the service and the SOC.

The big difference here though is that these business units don’t get a choice about how they buy these services, they are mandated and added automatically to their budgets.

Not really a fair market for them but you start to see how they consume everything as a service.

Once we move down the ladder a little and get to the mid-size businesses it starts to get a little more interesting. There’s not quite so much money available here, go to the MD or CEO and ask for £1,000,000 to build a SOC and there’s a predictable answer. Why would you go to the effort of building all of this when big providers have already done it? Why not use your OpEx budget to buy Security as a Service?

For some there are problems with compliance, data not being able to leave region or territory can make it difficult to find a provider who can accommodate all of your needs; if you’re big enough, you can generally find a provider who will put some effort into winning your business and investing in their infrastructure in order to accommodate you.

So, the big guys have it easy. If they want this, then they can get it but that also means that everything we have seen so far is all about providing Security as a Service for those that can pay a premium for it.

We are now left with those businesses with say, less than 350 employees, this includes everyone from sole traders up to that though. What should they do? Well that clearly varies with size so let’s pick a sweet spot and focus on a business with 150 employees. It’s a good size business, revenue is likely to be in the high millions at this point and you’d hope that net profit is good too as this is the bit we are going to start eating into when we look at new services.

I hear your groans, asking for money that comes out of profit at this size company is never easy and we’ve all been there before. Something has to give before you get increased budget so let’s have a think at what we are going to need.

Top of the list is a product or set of products to tell us when something bad is happening. At 150 licenses nobody is going to do us a good deal so let’s say we need 3 products to deploy to give us the ability to detect threats and breaches. Let’s now pick an average price for a product and settle on £75.00 per seat per year, that quickly becomes £225.00 per seat per year because we have 3 products remember. We also have 150 users so now we’re up to £45,000.00 just for the products and we aren’t being extravagant here.

Next, we need Security Analysts, not only are they not cheap but they are getting harder and harder to find. Again, let’s make some assumptions, a good Analyst is going to command a £50,000.00 salary, don’t forget NI to go with that and we are now at £56,900.00 and it’s fair to say we should add a bit more for all those costs of employing that nobody knows about until they employ staff, so we’ll call it a £60,000.00 salary. How many do we need though? At a very minimum it has to be 2 and this is the absolute minimum and won’t give us coverage or response outside of our normal working hours. If we want 24×7 we need to look at 6 Analysts but we’re trying to do this on cheap aren’t we and this means we stick with 2. So, we are at £120,000.00 for our Analysts, plus the products brings us to £165,000.00 per year and that’s a number that is going to keep rising, we also have to retain staff and with the cyber security recruitment market the way it is currently that’s never going to be easy.

It’s also not going to be that cheap either, there’s so much we haven’t included in our budget, training, monitoring software and associated consultancy etc. etc. We are also now committed to products, if they aren’t as good as we were led to believe then we are stuck with them, no chance of more budget so we now have increased costs associated with responding to threats and alerts. Our staff may now start to get a bit annoyed and look to see if the grass is greener elsewhere.

You start to see the bigger picture here, securing yourself against the ever-changing threat landscape is becoming harder and harder to do, it’s taking more and more tools and the talent pool we can choose from to “drive” our tools is effectively becoming smaller.

Providing effective Cyber Security in-house is fast becoming a unicorn.

The time has come not only for solutions providers to provide Security as a Service at a price that businesses can afford and not only that, it is time for them to become flexible. Rather than getting fat off the growing demand why don’t we all work towards a common goal, build services that are easy to consume and drive good Customer Service by making it easy for people to change provider.

Bad business model I hear you shout. You’d be right too but isn’t it more important to carry out your business with integrity and give customers the choice.

This thinking drove AVR International to partner with SentinelOne to launch Custodian360 last year to deliver a Managed Endpoint Protection platform to the masses. Custodian360 is aimed at the SMB market and businesses using this service no longer need to employ security analysts to manage systems and respond to alerts as our SOC team proactively monitor, analyse and respond to every alert we receive.

To find out more about Custodian360 you can call us on 01189 346635, email us at info@custodian360.com or come and meet us in Portsmouth

Ransomware criminals extort $1 Million From South Korean Company


If ever there was a flagship incident to demonstrate the power of ransomware, this is it. Ransomware, a particularly infamous form of cybercrime where business critical data is restricted until payment is made, has been in the headlines for all the wrong reasons.

This story is a little different. While ransomware can attack businesses both large and small, many criminals utilising the numerous viruses available target low hanging fruit: small business. It’s a simple numbers game, with many small companies having little to no cybersecurity in place. This tendency makes a volume approach attractive to cybercriminals.

A million dollars is, of course, slightly different from this approach. High profile attacks aren’t exactly uncommon, with the recent strike on the UK’s healthcare system with ransomware virus WannaCry drawing international attention.

 The details

Nayana, an established web hosting provider that located within the South Korea, was the victim of the attack. Believed to have occurred on June 10, weaknesses in the overall cybersecurity arrangements of the company made them a prime target for exploitation.

 As is usually the case, the ransomware itself came in the form of a premade virus named Erebus. Able to target over four hundred file types, the sophisticated code easily penetrated the company’s assets. The attack spread through 153 Linux servers owned by the web hosting company, leaving owner Chil-Hong facing an absolute disruption to provision of service.

As is often the case, negotiations occurred. The criminals initially demanded a staggering 550 bitcoin payment; well in excess of the $1 Million dollars that Chil-Hong bargained the criminals down to. With the CEO already having liquidated assets, two instalments of the total are claimed to have been made.

Hoping to conclude the ‘deal’ as quickly as possible to restore his customers data, Chil-Hong quoted on Twitter that the ‘probability of recovering all the data will be higher’ once the last instalments are made.

This notion, while understandable, sets a dangerous precedent. As you might imagine, criminals don’t exactly obey the law, nor will they reliably honour a personal agreement. Many victims of ransomware attacks who have paid up find themselves subject to further demands.  While it is common for modern ransomware to incorporate a payment system, there is no guarantee that any form of response will be even received should a payment be made.

Protecting your assets

 Fortunately, it is not an exhaustive or costly process to protect your business assets from being exploited by cybercriminals. Ransomware works by restricting access to vital information and data that cannot be found elsewhere; this makes safeguarding simple.

Backups of all business-critical assets is a simple first step. This ensures that should you be targeted in an attack, you will be able to restore your documents to working order separate from the attack itself. With the need for payment removed, recovery can subsequently take place.

Employee awareness is also a practical measure. Many data leaks and cybersecurity issues, including susceptibility to ransomware, can be avoided by cascading information on security processes and information on attacks. With many attacks being caused by internal sources, mandating a greater level of awareness of the threats posed by ransomware and other cyberattacks can provide remarkable results.

Investment in professional support and software, however, remains a powerful measure in the fight against ransomware and cybercrime. Although the above measures can ensure an acceptable level of overall security, many businesses cannot afford to be remotely susceptible to an attack.

Just as modern ransomware has evolved and become more sophisticated, so has software that protects against it. A combination of investment in this software, combined with professional consultancy services such as a data and security audit, can ensure a level of protection that removes your business as a viable target in the digital world.

Custodian360 -The UK’s only SentinelOne Managed Service Provider


The UK’s only SentinelOne Managed Service Provider is showcasing at InfoSecurity Europe 2017

6th June 2017 – Twyford, UK – Independent Information Security and Mobility Solutions Provider AVR International will be exhibiting its new Managed Endpoint Security Platform Custodian360 at InfoSecurity Europe 2017, the region’s leading information security event which takes place at Olympia, London from 6th to 8th June 2017.

Launched in January 2017, Custodian360 (custodian360.com) is a Complete Managed Endpoint Protection Service and is proud to still be the UK’s only Managed Service Provider for SentinelOne.

Custodian360 was built with SME business in mind. Cost has traditionally been a barrier; denying many access to the Enterprise Grade Security Products we all need when facing up to the current threat landscape. Custodian360 packages a fully managed service around the SentinelOne product, backed by industry veterans and makes this service available to businesses of all sizes.

The service is led by Andy James (Director), bringing a wealth of Cyber Security knowledge and experience backed by a history of providing global, managed service solutions. With Partner Management and Operations Support provided by Kevin Baker (Partner Manager) and Chris Knight (Support Manager) respectively coupled with forensic analysis and remediation performed by a team of analysts, you can rest assured that your EndPoints are in safe hands.

Andy is “hugely excited to be bringing Custodian360 to InfoSecurity Europe this year” and “is proud to be able to offer this ground breaking service to protect small businesses at a crucial time ensuring that everybody can now be protected from the myriad of threats we face daily”.

With many businesses unable to maintain the resource necessary to constantly monitor and track threat intelligence, Custodian360 takes away this problem and our analysts become part of your team. Our swift response and reporting feeds threat information back into your organisation, allowing you to track incidents and responses without having to employ expensive full time resources.

A service of this type is only made possible because of the near 100% detection rates provided by SentinelOne. With its advanced Deep File Inspection to detect threats before execution, and its behavioural analysis engine detecting all threats whether they are file-based, file-less, browser exploits or good old fashioned exploits Custodian provides a full Endpoint Protection and Remediation Platform that allows businesses to concentrate on running their business while Custodian360 deals with the threats.

With 2016 recording a record number of over 400,000 ransomware attacks, the demands on businesses to protect themselves from cyber-attacks and data breaches have increased exponentially. Custodian360 detects, protects and repairs instantly and with full Ransomware detection, prevention and roll back capability, encrypted files no longer means having to pay a ransom or restore from backup.

Custodian360 will be exhibiting at Stand No. L09 at InfoSec, presenting the Managed Service solution and demonstrating its wide range of features and capabilities live and with real malware.  Stop by and say hello to the team and visitors will be invited to enter a prize draw to win an iPad Pro tablet.


About AVR International Ltd

AVR International Ltd is an independent provider of IT security and enterprise mobility solutions.  Founded in 2002 by Helen Hall to provide an agnostic approach to Anti-Virus products and their sale, the business has gone from strength to strength and applied this founding agnostic approach across all solutions offered. Helen has recently taken a new role within AVR International, having been a hugely successful Managing Director, she is now AVR’s Chairman, perfectly positioned to hold a strategic view and support the Management Team as they go on to develop the business further. With Nick Kellaway taking the reins as Managing Director, it’s an exciting time as we work hard to build and provide solutions and services to our rapidly growing customer base.

AVR’s team of solution and technical specialists and strong vendor partner relationships enable it to provide individually tailored solutions for businesses and organisations. With more and more solutions being added to the portfolio, AVR is well placed to advise businesses of all sizes where they should focus their attentions to achieve effective security and mobility strategies.

AVR offers expert Threat Protection services coupled with a broad range of protection against cyber-attack and data breach in addition to Data Compliance solutions.  In January 2017, AVR introduced Custodian360, a complete managed endpoint security platform specifically targeted to small and medium sized businesses.

Whilst AVR cover some 48 security and mobility areas, the core services that drive the business are: :


    • Threat Protection – Anti Virus, Firewalls, Endpoint solutions
    • Mobility Solutions – Enterprise Mobility Management and New Tech solutions
    • Managed Services – Bespoke fully managed services for major High Street Brands across the UK
    • Professional Services – Tailored Consultancy, Security Posture Audits, Managed Service Contracts, Proof of Concept, Configuration and Deployment, Training, Technical Telephone Support, In-house Mobility Device Helpdesk


www.avr.co.uk| LinkedIn | Twitter

Ransomware Blog Post

What do you know about Ransomware?

Ransomware is blazing its way across the front pages of news sites and the primetime anchor spots on TV, and for good reason; WannaCry has been an attack that has stunned the world with its reach and disruptiveness. Perversely, the WannaCry attack has been welcomed by some professionals in the cybersecurity industry. While the damage is entirely lamentable, it has highlighted the extent of unpreparedness that is common to the digital world. With modern ransomware able to devastate national infrastructure such as the NHS in the United Kingdom, more is clearly required to reach a secure level of operation. With this said, there are details to ransomware that many are entirely unaware of. Being a nuanced and technical subject, we have brought together a list of informative points to bear in mind.

The amount of money made by ransomware is staggering.

Ransomware wouldn’t be as prevalent as it is if there wasn’t a huge amount of money to be made! While there are many forms of viruses and hacks online that exist purely as toys, the most telling indicator of how widespread an attack will be is the potential it has to make profit and ransomware are no exception.

This is partly since a ransomware attack can ‘blanket’ target both large and small industries and companies with ease. While large corporations are just as vulnerable to being caught, it’s also true that small businesses are being hammered every day with demands to pay up to access their suddenly ‘encrypted’ data. Cryptowall 3.0, a salient example of this potential for income, made $325 million in 2015 alone.

Payment doesn’t guarantee the release of your files

To quote author Terry Pratchett, “Criminals don’t obey the law. It’s more or less a requirement for the job.” The same disregard for the very agreement in their ransomware is commonly seen. Many individuals have been the victim of a ransomware attack, suddenly finding that their business-critical files are beyond use and must be paid to be accessed. The problem? They don’t release the files. Many accounts exist across the internet of people who have ponied up the funds as demanded by their local cybercriminals, after which the files remain encrypted. This behaviour of giving in to the criminal’s demands is dangerous; many perpetrators of ransomware attacks make their best money by repeatedly targeting and ‘squeezing’ those who have initially paid in the hopes of restoring access to their files.

Ransomware is easily accessed

The two pillars of ransomware success in recent years are the ease of its access and the simplicity of its use. We’ve explained how ransomware can attack both small and large businesses en masse. With many small businesses woefully underprepared for an attack, often with little to no defence at all, penetration is easy. Second to this is the ease at which an individual can ‘get involved’ in ransomware themselves.

Ransomware can be downloaded easily online in a relatively anonymous manner, particularly if the individual masks their presence with the use of software such as VPN managers. This allows any interested individual access to some of the most damaging and widespread forms of ransomware available. On a more sinister note, however, is the ‘as a service’ approach to distribution. It’s important to remember that cybercriminals are in it for the profit; it isn’t done just for fun!

The SaaS model allows individuals to acquire the most efficient forms of ransomware at no cost, instead directing a portion of their ill-gotten gains back to the producer of the ransomware each time they succeed. This low barrier to entry in terms of both cost and simplicity in using the products themselves is a large factor in the sheer rate of attacks witnessed over recent years, as well as a significant contributing factor in the continued growth of the cyber phenomenon as a whole.

Custodian360 is one of the only truly managed ransomware protection solutions available in the UK, using state of the art real time detection & prevention software backed up by a team of security analysts dedicated to the protection and remediatin of your network.

Get in touch with us today to find out more about us.

WannaCry Interface

WannaCry – See It In Action

This week we are running webinars at 3pm GMT every day where we will talk about the current threat landscape and show Wannacrypt in action before taking a deep dive into the forensics of the attack. To register for one of these, send an email to info@custodian360.com or leave you details at https://custodian360.com/contact-us/

Friday the 12th of May 2017 saw the first Ransomware worm that we have seen in the wild wreak havoc across the globe, striking indiscriminately at those running Windows XP, Windows Server 2003 or unpatched Windows 7 Operating Systems. This worm has exploited the vulnerability MS17-010 allowing it to spread through a network at alarming speed and with no user interaction.

The first that many of us heard about this was when it was announced that a number of NHS Trusts were experiencing some kind of cyber-attack. As it then transpired, Telefonica had already suffered the same fate in Spain and then reports started to come from many different sources alerting us to the fact that this was much more widespread than just the NHS Trusts or a few larger companies.

WannaCry InterfaceOver the next few hours I personally watched the spread of the worm around the globe, more and more infections were reported, social media was alight with comments and pictures for many hours as more and more people fell victim to Wannacrypt which was soon dubbed Wannacry.

Very soon we were looking at numbers as high as 200,000 infections worldwide, had this been a traditional Ransomware campaign this wouldn’t have been too bad for many organisations as they would have been facing a ransom payment of hundreds of dollars.

Many would see this as acceptable to quickly recover files and many would pay the ransom quite quickly. Instead, what we had was organisations facing huge ransom payments totalling many thousands of dollars. For the majority, the only option was to start a massive clean-up operation of rebuilding affected computers and restoring files (where possible) from backup.

This leaves many IT staff facing a long weekend working day and night to try and put their business back to a position where they are operational on a Monday morning. As this has been such a high-profile incident we can clearly see that for many this just hasn’t been possible and many organisations are still in Disaster Recovery situations or are limping along, many reverting to using paper as a means of communication.

It’s clear to see that it doesn’t get much worse than this. As the person responsible for providing IT services within an organisation this is absolutely the worst nightmare situation.

We should sympathise with some of these larger organisations though. Many use bespoke applications that were developed to run on Windows XP or Windows Server 2003 and are not compatible with later, more secure operating systems and the cost of both re-developing applications and migrating to new operating systems is prohibitive.

This, unfortunately makes them sitting ducks. As exploits are discovered they are dependent on their security measures and vendors being good to their claims about protection levels. We have seen Microsoft release an emergency patch to prevent the spread of the worm on these systems but we can’t rely on Microsoft doing that in the future as these systems are well beyond end of support. Even if Microsoft do release patches for found exploits in the future, we have just seen that it takes a couple of days for these to become available, what option do you have then, shut down all of your systems until you can apply patches?

That’s just not an acceptable approach. Security vendors and suppliers must step up and work with these organisations to provide the level of protection that is now needed. Many new vendors are doing this and are thinking of new ways to detect malicious behaviour and stop it in its tracks.

The old approach of detecting threats and attacks by using signatures to identify known behaviours is woefully outdated and leaves many potentially exposed to the huge cost of remediation and consumption of huge engineering hours. Recently, NSS Labs performed a Total Cost of Ownership and Effectiveness test across a number of EndPoint Protection vendors. This showed us that a 500-user company can potentially spend $1,250,000 on cleaning up a cyber-security incident. This is a big enough number for any organisation to “lose” and it is sure to rise after this most recent incident.

At AVR International we have championed a move towards analysing behaviours in real time and preventing threats as they occur rather than before they happen. This may sound like a risky approach but when you look at what is actually happening these days it is absolutely the right approach. Having run versions of Wannacrypt myself and looking at the forensics following execution it is frightening to see how quickly this particular threat works, the Ransomware itself seems to have one failing though, it creates new files and encrypts them but doesn’t delete any files until it has finished encrypting. Every piece of Ransomware I have analysed up until now follows a simple pattern, create, write and delete.

This means that if you can stop the Ransomware while executing then you won’t lose any files, the system doesn’t look pretty but you can still carry on working. Many “next generation” vendors will be able to do that and this allows us to not only avoid paying ransoms but allows us to remediate at a more leisurely pace.

One vendor goes further though, SentinelOne is currently the only “next generation” vendor to offer protection and full remediation in a single lightweight, autonomous agent. Moreover, they are the only vendor I am aware of that can say that none of their customers were affected by Wannacrypt. That is some claim to be able to make but as SentinelOne’s only UK Managed Security Service Provider, Custodian360 can also make that claim.

SentinelOne’s powerful Deep File Inspection identifies Wannacrypt in all of its forms before it has a chance to execute meaning you are never at risk.

With support for Windows XP and Windows Server 2003 it would seem to be the obvious choice for EndPoint protection given the current threat landscape.

So obvious in fact that I am running a series of Webinars to demonstrate how Wannacrypt works and what it does when executed, this is an educational webinar in the most. We will demonstrate how SentinelOne remediates and recovers from the threat after executing and we are running these webinars every day, 3pm GMT is the Managed Service offering and 4pm GMT is SentinelOne as an owned solution, to register, just drop us an email at info@custodian360.com

All are welcome and we will discuss the current threat landscape, how we see it changing and where it could go before looking into the forensics of this specific attack and what we can do to not only detect these threats but stop them in their tracks.

Cyber Security is changing at a rate never before seen, don’t let yourself become the one that got left behind as that sitting duck.