The Need For New Approaches To Ransomware Prevention

Zack Link
11-16-2024 09:33 PM

Ransomware continues to be a risk to every company. It hasn’t gone away, and, if anything, it’s getting worse. As AV has merged with EDR, our ability to detect, and even block, ransomware has gotten better. But the attackers aren’t sitting on their hands either. Every time we defenders get better, the attackers find a weak link to take advantage of. As good as your detection and prevention tools are, they generally do really well at yesterday’s ransomware, and much less so with today’s ransomware. Attacker techniques change faster than we can build better detections.


Virtually every company’s solution to ransomware is to use AV/EDR to try to prevent ransomware from executing, and then use a backup solution to recover when prevention fails. All the AV/EDR vendors use similar techniques: they analyze executables and processes to identify malicious code and behavior. That’s great, no knock on AV/EDR, but it’s really only half the picture. Ransomware is only successful if it can modify data at rest. So doesn’t it make sense to analyze the data at rest to see if it is being ransomed, regardless of the executables or techniques used by the attackers? From a pragmatic standpoint, why try to figure out every way an attacker can encrypt your data? Instead, keep your eye on the prize and monitor whether your data is being encrypted.


That is exactly what RansomStop does: it analyzes data at rest and looks for what matters, whether your data is being ransomed. RansomStop can detect ransomware activity at the first file encryption and respond automatically, in real time, locking the compromised account and blocking the source IP address.
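As an added illustration of the data-at-rest idea above (this is not RansomStop's code, and the page does not say how RansomStop itself makes the determination), one common defender approach is to flag a write that replaces a file of a recognised type with high-entropy bytes carrying no recognised signature, and to map the hits to the account and source IP that should be locked. The write events, the magic-byte table and the entropy threshold below are all constructed assumptions for the example.

```python
"""Flag file writes that look like in-progress encryption (added example)."""
import math
from collections import Counter

# Constructed, deliberately short magic-byte table.
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/docx", b"\x89PNG": "png"}

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext and compressed data approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detected_type(data: bytes):
    """Return the file type implied by the leading bytes, or None."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None

def looks_encrypted(before: bytes, after: bytes, threshold: float = 7.5) -> bool:
    """Suspicious when a previously recognised type is overwritten by
    high-entropy bytes with no recognised signature (assumed threshold)."""
    if detected_type(before) is None or detected_type(after) is not None:
        return False
    if len(after) < 64:          # too small to judge entropy reliably
        return False
    return shannon_entropy(after) >= threshold

def triage(events):
    """events: dicts with path, account, src_ip, before, after.
    Returns flagged files plus the accounts to lock and source IPs to block."""
    accounts, ips, hits = set(), set(), []
    for ev in events:
        if looks_encrypted(ev["before"], ev["after"]):
            hits.append(ev["path"])
            accounts.add(ev["account"])
            ips.add(ev["src_ip"])
    return {"files": hits, "lock_accounts": sorted(accounts), "block_ips": sorted(ips)}

# Constructed sample write events; bytes(range(256)) stands in for ciphertext
# (every byte value once, entropy exactly 8.0).
SAMPLE_EVENTS = [
    {"path": "\\\\fs1\\finance\\q3.pdf", "account": "CORP\\jdoe", "src_ip": "10.1.2.3",
     "before": b"%PDF-1.7 " + b"x" * 100, "after": bytes(range(256))},
    {"path": "\\\\fs1\\finance\\logo.png", "account": "CORP\\asmith", "src_ip": "10.1.2.9",
     "before": b"\x89PNG" + b"\x00" * 100, "after": b"\x89PNG" + b"\x01" * 120},  # normal edit
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

In a real deployment the before/after bytes come from the file server's write path rather than from an in-memory list, and the threshold should be tuned against the share's normal mix of already-compressed formats.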


In addition, according to the Microsoft Digital Defense Report for 2023 (1), 80-90% of ransomware attacks come from unmanaged devices. These can be BYOD devices with access to your network, or departmental servers that your security team isn’t even aware of; and attackers have figured out many techniques to disable AV/EDR and make a device effectively unmanaged (one example: (2)). In these situations, your only line of defense is gone. There is nothing to stop data exfiltration, and your only response is to try to restore data from backups after the fact.


RansomStop can be deployed in the cloud to protect cloud storage, and deployed on file servers to protect file shares, to detect and immediately respond to in-progress ransomware attacks. RansomStop can reduce the blast radius, and block compromised endpoints and user accounts from further damage.


References:

  1. Microsoft Digital Defense Report 2023
  2. Dark Reading: Microsoft-Signed Malicious Drivers Usher In EDR-Killers, Ransomware

Zack Link