Why Aren't Security Tools Stopping Ransomware
Dennis Underwood
CEO @ Cyber Crucible, Inc. | Information Security and Privacy | Cyber Operations Automation Expert | Inventor
Ransomware... Wait, I thought we bought protection… So why are we still getting hit?
Ransomware has been a difficult problem for a long time, but it has become far more prevalent and damaging in recent years, and the scale and scope of the attacks mean it now gets far more media attention than it used to.
But why is this happening?
The main reason is one that we all can relate to… evolution!
Cyber criminals operate a lot like a business: they continuously hone their skills and evolve their techniques and processes to be... well... better criminals! They want to be as efficient as possible to maximize their ROI. This probably sounds like they are running businesses instead of crime organizations; in many ways, they are doing just that.
Constant ransomware evolution poses significant challenges to businesses. It is hard to protect yourself when the digital battlefield changes almost daily!
We all know that ransomware can lead to:
- Corrupted and stolen company and customer data
- Substantial downtime (you cannot serve customers)
- Significant revenue loss
- Crippling reputational damage
- Expensive fines and lawsuits
- And in many cases, bankruptcy and business closure!
What tools and strategies have you implemented hoping they would prevent a ransomware attack?
Maybe you’re using:
- The “latest and greatest” Endpoint Detection & Response (EDR) solution.
- Backups alone to save you. (You run recovery simulations, right?)
- Network segmentation.
- File Integrity Monitoring (FIM) to detect suspicious file activity.
- Vulnerability management to close the holes before they are used.
- Hope: you can always fall back on ransom negotiation and get your cyber insurance company to pay it.
Let’s dig into each of these tools and strategies in more detail. As you read, consider where your current ransomware risk management strategy might be lacking, and make some notes on how it can be improved!
#1: Endpoint Detection & Response (EDR) Solutions
Today, everyone seems to use the “latest and greatest” in EDR protection. Don’t get us wrong: it is still an effective way to detect many kinds of malware. But if EDR prevented modern ransomware as effectively as advertised, we wouldn’t be hearing about massive attacks in the news every week.
77% of ransomware victims had the latest Endpoint solutions installed.
"Safeatlast.co estimated in 2018 that 77% of businesses subject to a ransomware attack were up to date in their endpoint security technology. This proves that using and properly maintaining average endpoint defense software is not enough to deter the latest ransomware."
So, then why don’t these solutions / tools protect us from ransomware?
It’s simple really: most endpoint products are built to recognise known-bad files and known-suspicious behaviour. Ransomware crews test their payloads against those same products before deploying them, and they frequently arrive with administrative credentials that let them disable or tamper with the agent before the encryption starts. The steady stream of anxiety-inducing news coverage is the result.
Ransomware needs a tool that is specifically designed to fight it. This may sound cliché, but you need to use the right tool for the job. You don’t use a butter knife to perform open-heart surgery!
#2: Backups
Many companies believe they are safe from ransomware attacks because of their loyal and persistent use of backups. While backups are critical for every organization, they keep falling short when up against ransomware.
Did you know that, by some estimates, over 75% of backups fail an organization when they are needed, before we even factor in deliberate attacks on the backups themselves? Modern ransomware routinely deletes volume shadow copies and goes after backup servers and any backup storage reachable from the compromised network before it starts encrypting, so a backup the attacker can reach is part of the blast radius, not a recovery plan. It is also an unfortunate reality that backup plans are rarely comprehensive, nor are they tested regularly.
Recovery gaps and catastrophic failures are typically discovered only at the moment they matter most.
If you do not regularly test your Business Continuity Plan (or do not have one at all), you really don’t have one!
#3: Network Segmentation
Network segmentation is excellent in both theory and practice for many use cases, and its newer, more granular form, “micro-segmentation”, which controls communication down to the individual machine, can genuinely slow or stop a ransomware infection from spreading throughout the organization.
But segmentation is a containment control, not a preventive one: it does nothing for the hosts inside the segment where the attacker already is. So while (micro) segmentation can be great when executed properly, in the real world we often find it falls well short of what is expected of it against modern ransomware.
Proper Network Segmentation is extremely complex to design and configure correctly.
We see this failing businesses for some of the following reasons:
- Lack of knowledge
- Lack of resources to implement
- Misconfiguration of operation and policies
- “Loosening” of policies to reduce administrative overhead, which renders the segmentation ineffective
- Using antiquated segmentation technologies that are “behind the times”
- Relying on segmentation products that only block known signatures and techniques. Once attackers know micro-segmentation is in place, they switch to evasion techniques the policy does not cover.
Note: Segmentation is not limited to on-premises networks; it applies to your cloud environments as well.
TIP: If you do not have proper identity and access control between the network segments… you are really just dressing up a flat network in a tuxedo!
#4: File Integrity Monitoring (FIM)
File Integrity Monitoring tools, which watch for changes to important files, are required by several compliance frameworks. They periodically scan for changes and, if configured properly, raise an alert when a large number of files are observed as “changed”.
Because ransomware typically modifies a large number of files in a short time, FIM can reveal that an attack is underway, and some products ship checks for specific known ransomware families, such as the file extensions and ransom notes they leave behind.
Now, it sounds like this is a perfect solution to our problem, but there are limitations to consider before treating FIM as a ransomware prevention control:
- These tools are built for compliance evidence, not automated security response, so their usefulness to a security team varies.
- In some organizations FIM alerts go to a compliance team rather than the security team, and it may take a phone call to bridge the gap. Even when the security team does receive the alerts, their compliance focus means most are of little importance to responders.
- With that compliance focus, response times and response capabilities are limited.
- Scans are periodic, so a large number of files are usually already encrypted before the tool notices and alerts, and more time passes while the alert is analyzed.
- Many FIM tools only monitor; containment and mitigation are manual. Reacting by hand during an active ransomware event is slow, extremely stressful and prone to mistakes.
- We have seen many cases where attackers “silenced” the FIM tool (stopping the agent or tampering with its configuration), leaving the organization oblivious to the active threat unfolding.
In summary, File Integrity Monitoring tools provide an important compliance function for many organizations. They can and do observe some ransomware activity, but because they discover it “late to the party”, offer little in the way of automated response, and are themselves rarely hardened against tampering, they are not an adequate tool for ransomware prevention.
#5: Vulnerability Management
Vulnerability management can pinpoint weaknesses quickly, but it has some major caveats you must be aware of.
For example:
- Detecting an exposed vulnerability is great, but someone still has to remediate it: the vendor patch (or a workaround) has to be obtained, tested and deployed to every affected system. All the while, the ransomware is spreading.
- False positives can be a huge problem with vulnerability scanners. While you are chasing ghosts, the real infection is wreaking havoc on the network.
- Lastly, the advanced ransomware operations we see today rely less and less on exploiting known vulnerabilities. Stolen or phished credentials, exposed remote-access services and the abuse of legitimate administration tools get them in without a CVE to scan for; they will breach companies and networks by any means possible.
Cyber criminals and their current tools and techniques are frankly too advanced for traditional vulnerability scanners to be effective against them on their own.
#6: Ransom Negotiation
We must be transparent here… we are writing this section with a heavy heart!
At Cyber Crucible we are strongly opposed to negotiating with criminals and paying the ransom.
On top of the ethical and moral challenges we must remember that:
- Ransom negotiation does not prevent attacks or extortion!
- You are choosing to negotiate with criminals, so expect a large ransom payment and a buggy or fake decryptor. The decryptor may even be weaponized, planting additional malware while it decrypts. Criminals don’t like to leave!
- They may still sell the data for use in further attacks on your business and your customers.
- Follow-up attacks on your business and your customers from malware deliberately left hidden in the network.
- Cyber Insurance may not even cover the ransom nor the massive fines and customer lawsuits commonly seen post breach today.
Paying the ransom should always be the absolute last resort.
What do we do about ransomware then?
So, if none of these methods listed above are effective in preventing ransomware attacks and file corruption, then what are organizations supposed to do?
Well, we at Cyber Crucible asked ourselves that very same question! We took it even further and asked ourselves:
- How can we prevent misery, without profiting from it?
- How can we build a tool that is extremely effective for the total prevention of file corruption?
- And finally, how will our tool succeed where other tools are failing or supplement other tools where they are lacking?
What is our answer to Ransomware?
Ransomware Rewind!
As we’ve mentioned above, each of these tools and methods has a time and place, but none of them is designed specifically to prevent ransomware attacks.
Ransomware Rewind is very different!
How is Ransomware Rewind Different?
Ransomware Rewind was specifically designed and engineered to detect advanced ransomware and isolate it within milliseconds NOT seconds. A second is a LONG time during an attack event!
This is made possible by using a crypto-behavioral detection model that is able to detect even the most advanced forms of “zero-day” ransomware quickly and efficiently.
Ransomware Rewind does not rely on backups of any sort! It prevents the corruption of files completely using its automated response technology. In Real-Time!
Ransomware Rewind stops the Ransomware attack dead in its tracks! Not only that, it allows you to keep working with ZERO DOWNTIME.
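To make the gap between the two detection approaches concrete, here is an added example, written for this page and not code from Cyber Crucible, Ransomware Rewind or any FIM product. It simulates one ransomware run over a directory and measures how many files are already destroyed when each detector first fires: a hash-baseline FIM scan, run every ten writes with a ten-file alert threshold (both numbers are assumptions chosen for the demo), versus a per-write check that the new content looks like ciphertext (a sharp jump to near the 8 bits/byte Shannon-entropy maximum). The entropy check is one generic building block of what is loosely called crypto-behavioural detection; it is not a description of any product’s model.

```python
"""Two ways to notice files being encrypted: periodic hash-based FIM versus a
per-write content check. Added illustration only; not Cyber Crucible's or any
FIM vendor's code. Thresholds and sample content are constructed for the demo."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample document (structured text, low entropy).
SAMPLE_TEXT = b"Quarterly report: revenue up 4%, churn down, headcount flat.\n" * 30


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain text sits around 4-5; ciphertext and compressed
    data sit close to the 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hash_tree(root: Path) -> dict:
    """FIM-style baseline: relative path -> sha256 of content."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def fim_scan(baseline: dict, root: Path, threshold: int):
    """One scheduled FIM pass: alert when at least `threshold` files changed."""
    changed = [p for p, h in hash_tree(root).items() if baseline.get(p) != h]
    return len(changed) >= threshold, changed


def looks_encrypted(before: bytes, after: bytes, floor: float = 7.5, jump: float = 2.0) -> bool:
    """Per-write behavioural check: content jumped from structured to ciphertext-like.
    The `jump` test matters because zips and JPEGs are already high-entropy; a
    file that was 7.9 bits/byte before the write is not evidence of anything."""
    e_before, e_after = shannon_entropy(before), shannon_entropy(after)
    return e_after >= floor and (e_after - e_before) >= jump


def simulate_attack(root: Path, baseline: dict, fim_interval: int, fim_threshold: int) -> dict:
    """Overwrite files one by one (os.urandom stands in for AES output), run the
    behavioural check on every write and the FIM scan every `fim_interval` writes.
    Returns how many files were already damaged when each detector first fired."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    first = {"fim": None, "behavioural": None}
    for i, path in enumerate(files, start=1):
        before = path.read_bytes()
        after = os.urandom(len(before))
        path.write_bytes(after)
        if first["behavioural"] is None and looks_encrypted(before, after):
            first["behavioural"] = i
        if first["fim"] is None and i % fim_interval == 0:
            alerted, _ = fim_scan(baseline, root, fim_threshold)
            if alerted:
                first["fim"] = i
    return {"files": len(files), "fim_fired_after": first["fim"],
            "behavioural_fired_after": first["behavioural"]}


def run_demo(n_files: int = 50, fim_interval: int = 10, fim_threshold: int = 10) -> dict:
    """Constructed corpus of identical sample documents."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(n_files):
            (root / f"doc{i:03d}.txt").write_bytes(SAMPLE_TEXT)
        baseline = hash_tree(root)
        return simulate_attack(root, baseline, fim_interval, fim_threshold)


if __name__ == "__main__":
    print(run_demo())
```

With these (assumed) settings the per-write check fires on the first encrypted file, while the FIM scan fires only after ten files are already gone, and in a real deployment the scan interval is minutes or hours, not ten writes. Two caveats a practitioner should keep in mind: real ransomware increasingly encrypts only part of each file (“intermittent encryption”), which shrinks the entropy jump and is exactly why single-file heuristics are combined with rate and extension signals rather than used alone; and checking “every write” means sitting in the write path (a filesystem filter driver or kernel module), which this Python loop only simulates.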
Now, we know we’re biased, but if you are going to invest in additional tools for 2021, make sure you’re choosing Ransomware Rewind.
If you would like to see Ransomware Rewind in action against an actual advanced ransomware attack please contact us for a demo.
Dennis Underwood - excellent job breaking it down fairly simply. Very topical and I plan to share this with my cybersecurity class as we have been covering ransomware for the past several weeks!
Software Engineering Manager | Software Development Manager | Ultra Runner
3 years ago Wondering what some others think about this idea of not the right tools for the job. Are we just trying to repurpose things with a hope and a prayer? Alexandre Dennis Sufyan Chris Gabriel Gary Alex
The Human API | Vendor Relationships | InfoSec
3 years ago Did you see the latest update from the Cybersecurity and Infrastructure Security Agency?
"Personal Brand Evangelist" I help Leaders, Founders, and Business Owners to digitalize their presence by becoming "The voice" in their industry.
3 years ago Thank you Dennis Underwood for your great work in protecting our businesses from Ransomware