6 reasons why the need for ransomware protection is not going away

Posted: 10/26/2021 | By: Migo Kedem, VP, Growth, SentinelOne

We all know that ransomware is bigger than ever before, and managed service providers (MSPs) are no more immune to ransomware attacks than any other organization. With deep client lists that can provide criminals with valuable data to leverage for extortion, it’s no surprise that MSPs are valuable targets for ransomware operators.

Despite welcome moves by the U.S. government to increase our ability to tackle ransomware, there are good reasons why ransomware will not be solved by federal action alone; it is up to businesses to take the appropriate steps to ensure they are not the next victims to hit the headlines. Here are six reasons why we all have to ensure our businesses take ransomware protection seriously.

Broken windows can’t be fixed 

Microsoft Windows and its associated enterprise software are everywhere in our technology stacks, and they are full of vulnerabilities. In the previous three months alone, Microsoft has had to patch over 200 bugs, 27 of them rated Critical and the vast majority of the rest rated Important in severity. At least six were under active attack before a patch was released.

In March of this year, four separate zero-days in Microsoft Exchange led to breaches in thousands of organizations. One of these flaws had existed in Exchange since 2013, while the others date back to 2016 and 2019.

The recent PrintNightmare remote code execution vulnerability in the Windows Print Spooler service was rapidly folded into popular hacking tools like Mimikatz and Metasploit. Even after it was initially patched, researchers quickly discovered a full bypass. Similar vulnerabilities such as FaxHell, PrintDemon and Evil Printer were discovered in 2020, and it is likely that attackers will continue to look for and find systems exposed to such vulnerabilities for years to come.

In the hands of threat actors, any of these vulnerabilities could be used to aid a compromise and help spread a ransomware attack.

Sophisticated attacks beat simple security, every time 

Bugs aside, Windows Defender – the built-in security of Windows devices – is simply not good enough to stop today’s sophisticated ransomware attacks. The recent Sunburst/SolarWinds attack was not stopped by Windows Defender, according to NETRESEC.   

Of course, sophisticated attacks are designed to beat simple security controls, but the days when anything less was sufficient for businesses are long behind us. Sophisticated tools are no longer the sole province of nation-state backed threat actors.

Threat actors want your data and your customers’ data – either to sell, to ransom back to you, or both – and they have the muscle to buy, develop and steal the tools required to get it. Ever since the Shadow Brokers leaked the NSA’s own powerful hacking tools, crimeware gangs have had access to both the tools and the knowledge of how such tools can be built. An entire ecosystem now exists on the Dark Web for the less sophisticated to access powerful tools developed and sold by others.

Until organizations improve their defenses to match the tools used by attackers, we will continue to see high-profile ransomware attacks. 

The rewards are greater than the risks 

Buggy software and weak security controls also combine with low risk and high rewards to make ransomware an attractive proposition to criminals. Today, ransomware extortionists collect huge sums through double extortion: encrypting files on the one hand, and exfiltrating data and blackmailing victims with it on the other. REvil ransomware operators recently exploited a bug in Kaseya VSA software and then requested a lump sum of $50 million for a universal decryption key.

The history of crime teaches us that people will take big risks for much lower rewards. A ransomware attack on a U.S. institution – conducted from home in a nation that is not particularly concerned about cracking down on such computer crimes – carries minimal risk to the perpetrator. 

Cryptocurrency makes payment easy 

Cryptocurrency is booming. Prior to the pandemic, Bitcoin was trading at a little over $7,000, but by December 2020, it was trading at $24,000, hit a peak of $64,000 in April 2021 and is currently hovering at around $46,000. The bubble doesn’t look like it’s about to burst, and for cybercriminals extorting businesses, every price rise is just more incentive to keep attacking.  

It’s not just the rising prices, of course, that make cryptocurrency attractive to criminals. Cryptocurrency offers anyone involved in crime an easy way to get paid with far more anonymity than a bank account.

Business inertia means legacy AVs just won’t die 

Too many businesses are still hanging on to legacy Anti-Virus technologies that were defeated long ago. AV security suites continue to hold market share because many businesses were locked in years ago to aging technologies relying on malware file signatures and hashes. 

Despite the prevalence of these legacy AV security controls, there were an estimated 9.9 billion malware attacks in 2019 alone, up from 8.2 billion in 2015. While this can be regarded as a huge success for cybercriminals, it is a damning indictment of the failure of cybersecurity’s incumbent vendors.  

The evidence is clear: Threat actors have adapted to and evaded these old approaches to security. Supply chain attacks, fileless attacks, and exploit kits with known bypasses or evasions for such security controls are common fare among ransomware operators and their affiliates. 

Attacks happen on devices, not in the cloud 

If legacy AV hasn’t really changed that much, our network infrastructure certainly has. The cloud – on-prem, hybrid, IaaS, PaaS, containerized workloads and more – has changed our environments beyond recognition since those old AVs were first thought of.  

In response, both old and new vendors have sought to exploit the cloud for the purposes of defense, but the key to endpoint device security cannot lie on a remote server or with a remote analyst. Ransomware encryption speeds are a source of great pride among crimeware developers, with each new service claiming to encrypt and exfiltrate faster than its competitors.

Until the endpoint itself can respond automatically and with minimal delay, the problem of ransomware will not go away.
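To make the contrast between the signature-based legacy AV described above and an endpoint-local behavioral verdict concrete, here is a small added example. It is illustrative code written for this article, not SentinelOne's product or any vendor's detection logic: the "known-bad" sample bytes, the file-event telemetry, the window of 10 seconds and the threshold of 20 renames are all constructed assumptions. The hash check is defeated by a single appended byte, whereas the behavioral check flags the process that rewrites and renames many files to a new extension within seconds, and does so on the endpoint as the events arrive.

```python
"""Hash-signature matching versus behavioral detection of a ransomware-like
file pattern, side by side. Example code, not any vendor's detection engine."""
import hashlib
from collections import defaultdict, deque

# --- Signature-style detection (what legacy AV relies on) ---

# Constructed stand-in for a "known ransomware binary"; these are not malware bytes.
KNOWN_BAD_SAMPLE = b"CONSTRUCTED-RANSOMWARE-SAMPLE-v1"
# The same sample with one byte appended: same behaviour, different hash.
REPACKED_SAMPLE = KNOWN_BAD_SAMPLE + b"\x00"

# Blocklist of SHA-256 hashes the AV has "seen before".
BLOCKLIST = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}


def hash_detects(payload: bytes) -> bool:
    """Exact-match signature check: true only if the hash is already on the list."""
    return hashlib.sha256(payload).hexdigest() in BLOCKLIST


# --- Behavioral detection over endpoint file events (no cloud round trip) ---

# Extensions we treat as ordinary document types (assumed allowlist for the example).
ORDINARY_EXTENSIONS = {"docx", "xlsx", "pdf", "txt"}


def build_sample_events():
    """Constructed endpoint telemetry: (timestamp_seconds, pid, operation, path)."""
    events = []
    # pid 100: a user editing a handful of documents over a minute (benign).
    for i in range(5):
        events.append((i * 12.0, 100, "write", f"/home/u/doc{i}.docx"))
    # pid 200: ransomware-like behaviour, 30 files rewritten and renamed to a
    # new extension within about five seconds.
    for i in range(30):
        t = 20.0 + i * 0.15
        events.append((t, 200, "write", f"/home/u/share/file{i}.xlsx"))
        events.append((t + 0.05, 200, "rename", f"/home/u/share/file{i}.xlsx.locked"))
    return sorted(events)


def behavioral_detects(events, window_s=10.0, threshold=20):
    """Return {pid: detection_time} for every process that renames at least
    `threshold` files to a non-ordinary extension inside any `window_s`
    second window. Events are processed in arrival order, so the verdict is
    available the moment the threshold is crossed and can gate an automatic
    local response instead of waiting on a remote analyst."""
    recent = defaultdict(deque)  # pid -> timestamps of suspicious renames
    detections = {}
    for ts, pid, op, path in events:
        if op != "rename" or pid in detections:
            continue
        new_ext = path.rsplit(".", 1)[-1]
        if new_ext in ORDINARY_EXTENSIONS:
            continue
        q = recent[pid]
        q.append(ts)
        # Drop renames that fell out of the sliding window.
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            detections[pid] = ts
    return detections


if __name__ == "__main__":
    print("hash detects original sample:", hash_detects(KNOWN_BAD_SAMPLE))
    print("hash detects repacked sample:", hash_detects(REPACKED_SAMPLE))
    print("behavioral detections:", behavioral_detects(build_sample_events()))
```

The threshold and window are the tuning knobs a real endpoint agent would set from baselines; the point of the example is that the repacked sample slips past the hash check entirely, while the behavioral check fires roughly three seconds into the encryption burst, well before the remaining files are touched.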

Don’t despair, the answer is out there 

But there is hope for ransomware protection. More people are figuring out how to win this war and that time – or more accurately, speed – is of the essence. For too long, attackers have had the element of surprise in their favor, easily beating defenses that rely on either having seen an attack before or waiting for a human analyst to return a verdict.  

There is nothing wrong with either of those strategies if they are supplemental to a more robust, behavioral AI that is trained to act autonomously on the battlefield. It might sound like science fiction, but the reality is already here and defending some of the world’s leading and largest enterprises today. 

Migo Kedem is the VP of Growth at SentinelOne. Before joining SentinelOne, Mr. Kedem spent a decade building cybersecurity products for Palo Alto Networks and Check Point.
