Why is Ransomware Still a Thing?

Ransomware remains top-of-mind for vendors and industry folks, at least if my discussions over the past two weeks and visits to our editorial sites are any indication. I spoke to two separate companies that were putting all of their wood behind a ransomware recovery use case. We’ve had a slew of articles (here, here, here and here) on ransomware, the latter two dealing with ransomware-as-a-service (RaaS) and the implications of ransomware on the IoT environment.

So yeah, ransomware is still a thing. It is not surprising that companies of all sizes still get hit frequently with ransomware, but it is rather surprising that the industry hasn’t moved on to the next shiny object as they usually do. 

To be clear, the risk presented by ransomware is no joke. It puts a hurt on larger companies and can drive smaller companies out of business entirely. Employees remain vulnerable since they continue to click on pretty much everything, regardless of how many phishing simulations you send them. Backups don’t work as often as they should, so even when you think you’re protected, it could easily turn out that you aren’t. 

Compounding the problem, it is cheaper and easier than ever to launch an attack, while the attack surface keeps growing and makes it far too easy to contract a malware infection. That’s what RaaS is about, and it works. Thus the continued carnage.

But here’s the thing—organizations have multiple opportunities to block a ransomware outbreak and prevent the damage. And while some CISOs may be demoralized and feel like there’s nothing more they can do, that’s not actually the case. To be clear, it’s hard work. It takes skills and investment. But it’s possible. It involves the defenses we’ve been talking about for years:

  • Advanced endpoint protection: You need to protect your devices, and old-school AV just isn’t cutting it. These solutions have lots of cool endpoint detection and response (EDR) capabilities for when an attack actually happens, but you also need the prevention functionality. You can’t respond fast enough once you’ve got ransomware proliferating through the environment, so you must prevent it.
  • Network detection and response: Unfortunately, you can’t prevent everything, even with shiny new endpoint protection. So you’ll need to detect it, and the network continues to be the best place to detect ransomware. NDR is the best tool to monitor and identify these attacks. The compromised device will connect to the command and control (C&C) channel to get instructions. It will do additional recon within the network to find other vulnerable devices and look for network storage, so the attackers know what to encrypt when the time comes. 
  • Reliable and protected backups: Notice that I didn’t just say backups. Many ransomware gangs will encrypt their targets’ backups as well—or just delete them altogether. So, you’ll want a recent backup in an isolated environment that can’t be accessed from the corporate network. You also want to test to ensure you can restore from the remote backup, since protected backups don’t help if they can’t be restored.
  • Negotiation/payment plan: You hope your defenses allow you to prevent or recover quickly from an attack, but sometimes the adversary wins and successfully deploys the ransomware. What then? Do you pay them? If that’s the decision you make, do you need an experienced negotiator on your side? Do you have access to payment in whatever currency the attacker requests? I’m not saying that paying the ransom is the right choice, but you should have a plan if that’s the business decision. 
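The network detection bullet above describes two behaviours a compromised device shows before encryption starts: regular check-ins to a command and control channel, and a sweep of internal hosts on file-sharing and admin ports to find what to encrypt. The following is an added example, not code from the article or from any NDR product, showing how those two patterns can be flagged in flow records. The flow format (epoch seconds, source, destination, destination port), the internal address ranges, the port set and the thresholds are all assumptions; the sample flows are constructed, with 203.0.113.7 (a documentation address) standing in for an external server.

```python
"""Flag C&C beaconing and internal recon in constructed flow records.

Added example for the NDR discussion above; not the article's code.
Assumed record shape: (epoch_seconds, src_ip, dst_ip, dst_port).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal ranges (RFC 1918).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Assumed set of ports a foothold probes when looking for shares/hosts
# (SMB, NetBIOS, RPC, RDP); tune to the environment.
RECON_PORTS = {135, 139, 445, 3389}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_sample_flows():
    """Constructed sample flows; not captured from any real network."""
    flows = []
    # Benign workstation: DNS plus one file server every couple of minutes.
    for t in range(0, 600, 120):
        flows.append((t, "10.0.0.20", "10.0.0.1", 53))
        flows.append((t + 5, "10.0.0.20", "10.0.0.50", 445))
    # Foothold host: sweeps 12 internal hosts on 445 in under a minute...
    for i in range(12):
        flows.append((100 + i * 4, "10.0.0.15", f"10.0.0.{60 + i}", 445))
    # ...and checks in with one external address every 60 s (a beacon).
    for k in range(6):
        flows.append((30 + k * 60, "10.0.0.15", "203.0.113.7", 443))
    return sorted(flows)


def detect_internal_recon(flows, min_hosts=10, window=300):
    """Return {src: distinct_hosts} for internal sources that contact at
    least min_hosts distinct internal hosts on RECON_PORTS inside any
    sliding window of `window` seconds."""
    per_src = defaultdict(list)
    for t, src, dst, port in flows:
        if port in RECON_PORTS and is_internal(src) and is_internal(dst):
            per_src[src].append((t, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Slide the window start forward until it fits in `window`.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = {dst for _, dst in events[lo:hi + 1]}
            if len(distinct) >= min_hosts:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


def detect_beaconing(flows, min_connections=5, max_jitter=0.2):
    """Return {(src, dst): mean_interval} for internal->external pairs whose
    connection intervals are nearly constant (pstdev / mean <= max_jitter),
    the signature of a scheduled C&C check-in."""
    per_pair = defaultdict(list)
    for t, src, dst, _port in flows:
        if is_internal(src) and not is_internal(dst):
            per_pair[(src, dst)].append(t)
    hits = {}
    for pair, times in per_pair.items():
        times.sort()
        if len(times) < min_connections:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = avg
    return hits


if __name__ == "__main__":
    sample = build_sample_flows()
    print("internal recon:", detect_internal_recon(sample))
    print("beaconing:", detect_beaconing(sample))
```

On the constructed sample the benign workstation touches a single file server and never trips either check, while 10.0.0.15 is reported once for sweeping 12 internal hosts on port 445 and once for a fixed 60-second cadence to 203.0.113.7. Real traffic needs the thresholds tuned (vulnerability scanners and backup agents also sweep, and some legitimate agents beacon), which is why each detection returns the measured value rather than a bare verdict.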

As much as we’d like to wish it away, ransomware is and will continue to be a scourge on organizations for the foreseeable future. But you can blunt its impact by focusing on the security fundamentals of prevention, detection and response/recovery. And as long as there are organizations that don’t do the necessary blocking and tackling, we’ll have plenty to write about at Security Boulevard.

Mike Rothman

Mike is a 25+-year security veteran, specializing in the sexy aspects of security, such as protecting networks and endpoints, security management, compliance and helping clients navigate a secure evolution to the cloud.
