Reports have shown that investment in security technology has failed to deliver effective protection against cyber crime. Organisations are spending millions of dollars to fight cybercrime and ransomware. Now ask yourself: are you 100% confident that you can stop all future known and unknown ransomware from entering your organisation with your current defences?
There are many ways you can attempt to stop ransomware. Most of these have already been deployed by many organisations, yet the news still reports frequently about new companies being victimised. Why? Let’s take a brief look at some of the reasons.
Fileless ransomware – Fileless ransomware is extremely challenging to detect using signature-based methods, sandboxing or even machine-learning-based analysis.
Email Filtering – many ransomware attacks infiltrate via emails targeting employees, so email gateway filters certainly stop a lot of threats. However, you still need to rely on user education; this helps, but it isn’t a valid anti-ransomware strategy by itself. Targeted and highly realistic emails will continue to fool staff. Awareness training is only effective while it is top of mind with the user. It can be likened to a speeding ticket: once you get one, you drive carefully for a few weeks and then slowly revert to old habits.
Patching – eliminating vulnerabilities in your software by applying OS and application updates is probably the most effective way to reduce the attack surface and thereby reduce cyber risk. However, there are literally thousands of vulnerabilities that constantly need to be patched, and keeping up with this across all your applications is difficult.
AV and Next Gen – threat protection tools are of course very critical, but neither traditional AV nor the newer Next Gen solutions fully protect in all situations. Fileless attacks, for instance, are not commonly detected by these tools, as detection requires the attack to be active on an endpoint/server where the agent is installed and running, which in many fileless attacks is not the case. History has also shown that these tools at times struggle to detect unknown and new variants of ransomware families.
AI and User Behaviour – scanning with behavioural tools that look for suspicious activity and abnormal user behaviour can help, but these can be circumvented and will not work every time as malware develops further.
Application control, DLP and Privilege Management – these can reduce risk and minimise the attack surface significantly, but they are often not implemented because of the hassle associated with implementation and the impact on users.
Implementing all of the above technologies requires a big security budget, and not every organisation has that, resulting in many doing “the best they can” with the available funds.
Backup – It is very important to have a complete backup strategy so that it is possible to recover after an attack by restoring the infected files. However, cyber criminals update their methods to maximise the damage an attack does. One of the biggest problems with recovery after a ransomware attack is determining exactly which and how many files have been compromised. This often results in the compromised organisation having to do a full restore of all systems, which leads to longer downtime, higher costs and often loss of data/production, since backup runs on a schedule (typically every night) and not in real time. Further to this, some ransomware is now designed to specifically target backup servers and encrypt your backups too.
What all the technologies above have in common is that they try to detect and stop a threat from entering an organisation and/or prevent it from executing and doing harm. Unfortunately, each of these methods has flaws, can be circumvented and cannot stop all past or future ransomware attacks, even if you have the budget and time to implement them.
Last Line of Defence
When it comes to ransomware, having a Last Line of Defence solution in place to detect and immediately respond to illegitimate encryption of your important files is critical. It is an inexpensive way of detecting when an attack starts and shutting down the attacked device immediately.
At the point where this solution kicks into action, the ransomware has already passed all your other defences and is effectively “whitelisted” to do damage to (encrypt) your files. It is not as if organisations victimised by ransomware had not invested in or were not using security tools; they simply got infected because the ransomware found a way to bypass the existing defences without triggering detection.
By investing in a technology that recognises encryption attempts as they happen, you flip the script and stop attacks before serious damage is done. It is a small, predictable investment that becomes part of your budget, whereas downtime, lost revenue, clean-up fees and GDPR fines are not.
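As an added illustration, not the vendor's product or any code from this page, the Python sketch below shows the detection half of such a last line of defence: it snapshots a folder, then flags a run of files rewritten with ciphertext-like entropy or any change to a decoy file. The decoy name, the thresholds and the sample files are constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed values (assumptions, not from the page): decoy file name, entropy
# (bits/byte) above which bytes look like ciphertext, share of changed files to flag.
CANARY_NAME = "_canary_do_not_touch.txt"
ENTROPY_THRESHOLD = 7.5   # plain text sits near 4-5, ciphertext near 8.0
FLAG_RATIO = 0.5

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or single-valued input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def snapshot(root: Path) -> dict:
    """Map each regular file under root to (sha256 digest, entropy)."""
    files = {p: p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return {str(p.relative_to(root)): (hashlib.sha256(d).hexdigest(), shannon_entropy(d))
            for p, d in files.items()}

def assess(before: dict, after: dict) -> dict:
    """Compare two snapshots; alert on a tripped canary or mass high-entropy rewrites."""
    changed = [f for f in after if before.get(f) != after[f]]
    suspicious = [f for f in changed if after[f][1] >= ENTROPY_THRESHOLD
                  and (f not in before or before[f][1] < ENTROPY_THRESHOLD)]
    canary_tripped = any(Path(f).name == CANARY_NAME for f in changed) or any(
        Path(f).name == CANARY_NAME and f not in after for f in before)
    mass_encryption = bool(changed) and len(suspicious) / len(changed) >= FLAG_RATIO
    # A deployment would call its isolation/shutdown hook whenever "alert" is True.
    return {"changed": len(changed), "suspicious": len(suspicious),
            "canary_tripped": canary_tripped, "alert": canary_tripped or mass_encryption}

def demo() -> tuple:
    """Constructed scenario: one benign edit, then a simulated mass encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(5):
            (root / f"report_{i}.txt").write_text(f"Quarterly figures, line {i}\n" * 200)
        (root / CANARY_NAME).write_text("decoy file: nothing legitimate writes here\n")
        base = snapshot(root)
        (root / "report_0.txt").write_text("Revised quarterly figures\n" * 200)
        benign = assess(base, snapshot(root))
        for p in root.glob("report_*.txt"):  # random bytes stand in for ciphertext
            p.write_bytes(os.urandom(p.stat().st_size))
        (root / CANARY_NAME).unlink()
        return benign, assess(base, snapshot(root))
```

The benign edit changes one file without raising an alert, while the simulated attack trips both the entropy ratio and the decoy check.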
If you have a spare minute, why not calculate the potential cost of downtime your organisation could face from a ransomware attack.