Ransomware despite antivirus solutions
Ransomware remains one of the most popular attack methods used by cyber criminals. Files are encrypted in order to extort a ransom. Companies that fall victim to a ransomware campaign can comply with such ransom demands in the hope that the encrypted data will be restored in a reasonable amount of time. It should be noted, however, that the actual decryption of data or the restoration of data from backups is the smaller problem. The downtime of IT systems that provide basic services often requires significantly more time for a successful recovery. Since 2019, attackers have gone one step further. With the so-called double extortion tactic, the data is not only encrypted but also stolen. A victim who refuses to pay the corresponding ransom is then also threatened with the publication of the data. Companies with appropriate backup and recovery processes therefore remain vulnerable to this new tactic, as backups do not prevent the publication of their customer data and the resulting damage to their reputation.
Switzerland is an attractive target: 46% of Swiss companies surveyed by Sophos stated that they had been the victim of a ransomware attack at least once in the last year. That is 9 percent more than the global average. The National Cyber Security Centre (NCSC) also warns SMEs in particular about the dangers of ransomware. This is because 80% of the reported attacks in Switzerland were carried out on SMEs.
Why do so many companies fall victim to a ransomware attack and why do conventional antivirus solutions not offer adequate protection against ransomware?
In the early days of antivirus programs, viruses were detected by their signature. However, attackers can easily circumvent this detection method by slightly modifying the malicious code.
The next step in the evolution was the introduction of Endpoint Protection Platforms (EPP). In addition to signatures, they also use machine learning, behavioural analysis, sandboxing and other means to protect the endpoint. Modern EPP solutions offer the highest level of protection against known and unknown threats, but they represent only the last line of defence.
Ransomware attackers are not satisfied with encrypting individual endpoints or the data accessible from them. They move laterally through the network, gain higher privileges and compromise critical systems. The encryption software is thus distributed to all accessible systems. Command-and-control (C2) servers are used to coordinate and control the attack.
Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) systems can enhance EPP systems. They bring more visibility and can detect attacks or unusual events. However, a large number of alerts without further context makes it difficult for security teams to react effectively and quickly to an attack. The focus of EDR and NDR solutions is mainly on the technological side and not on the operational needs of companies.
What does state-of-the-art protection against ransomware look like?
In the evolution of endpoint protection solutions, another big step was taken in 2018: Extended Detection and Response (XDR). With XDR, separate data silos are broken down and merged to provide holistic protection. In addition to endpoint data, data from the network, cloud resources, IAM and other systems is taken into account. This consolidation of disparate data provides greater visibility and context. Threats can thus be detected more quickly and eliminated before damage occurs. Palo Alto Networks coined the term XDR in 2018 and remains the leading manufacturer of XDR solutions today.
Cortex XDR from Palo Alto Networks offers companies the tools that were previously only available to specialists in Security Operations Centres (SOCs). It provides you with a powerful platform that gives you visibility across all channels and the tools to intervene in the event of an attack. Asecus can help you configure Cortex XDR effectively and support you in its operation and maintenance.
Get in touch with our security experts today!