Ransomware constantly makes the headlines these days. This week, Sinclair Broadcasting saw its systems taken down, with one Sinclair reporter quoted as saying, “still no phones, file video or graphics” three days after the attack. The company’s stock dropped nearly 3 percent that day. We don’t know how the ransomware wiggled its way into Sinclair at this point, but the lesson is still evident. Everyone is a target. But here’s the real problem: today’s cybersecurity solutions can’t stop ransomware. Here’s why.
Humans Are Human
Today, social engineering schemes like phishing have become so sophisticated that they can fool even security experts. All it takes is an email from an apparently trusted source that leads to a click on a malicious link or the download of an infected PDF to let ransomware in. Even worse, you may not immediately know that an attack has occurred. A report from security firm Sophos says cyber attackers aren’t spotted for an average of 11 days after breaching a system. That gives them plenty of time to map your network, find your weaknesses, and do significant damage to your data and your business. Even when these hackers are discovered, the vast majority of the time it’s because the victim finally receives a ransom note, and by then it’s too late. While you can’t prevent human error, you can minimize it. Regular cybersecurity training—and compliance testing—for employees is the first step. Educate your people on what to look for and what to do if they see something suspicious.
Two-Factor Authentication Isn’t Fully Deployed
Two-factor authentication (2FA)—where users must provide two different authentication factors to verify their identity—is one of the most basic security improvements your organization can implement. The problem is that most organizations either haven’t implemented 2FA or haven’t implemented it everywhere. Maximize prevention with 2FA by enabling it for anything that requires a user name and password—email, applications, logins, and VPNs, for example.
Antivirus Solutions Can’t Keep Up
Antivirus software (AV) has been around since Creeper was created in 1971. While these solutions have gotten better at preventing malicious software in the decades since, many still rely on outdated, signature-based detection, which hackers can bypass with little effort. For AV software to detect malicious code by signature, it must already hold a byte-pattern signature or a file hash of that code, and that only works if the code doesn’t change. Renaming functions inside the code before compiling it, or moving code blocks around, produces a different binary, so the stored signature or hash no longer matches and the AV software’s protection is lost.
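To make the signature problem concrete, here is an added example that is not part of the original post. It uses two constructed, benign Python snippets as a stand-in for a malware binary (an assumption made for readability; real AV engines work on compiled code and use richer heuristics than either check shown here). A SHA-256 file hash, the kind of exact-match signature the text describes, stops matching as soon as identifiers are renamed or blank lines added, while a fingerprint taken over a normalized token stream still matches the cosmetic variant but not a sample whose logic actually changed. The point for defenders is that hash and byte-pattern rules need to be layered with structural or behavioral detection.

```python
import hashlib
import io
import keyword
import tokenize

# Constructed sample sources standing in for a malware binary. They are benign
# (each just builds a string) and exist only to show how signatures behave.
# VARIANT_B is VARIANT_A with identifiers renamed and blank lines inserted;
# VARIANT_C changes the actual logic.
VARIANT_A = '''
def build_note(victim):
    msg = "your files are encrypted, " + victim
    return msg
'''

VARIANT_B = '''

def make_text(target):

    out = "your files are encrypted, " + target
    return out
'''

VARIANT_C = '''
def build_note(victim):
    msg = "your files are encrypted, " + victim
    return msg.upper()
'''


def file_hash(source: str) -> str:
    """Exact-match signature: SHA-256 over the raw bytes, as a hash-based AV rule stores it."""
    return hashlib.sha256(source.encode()).hexdigest()


def normalized_fingerprint(source: str) -> str:
    """Structure-aware signature: hash of the token stream with every non-keyword
    identifier canonicalised to ID and comments/blank lines dropped, so cosmetic
    edits do not change it but logic changes do."""
    parts = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type in (tokenize.NL, tokenize.COMMENT, tokenize.ENDMARKER):
            continue  # blank lines, comments and EOF carry no structure
        if tok.type == tokenize.NAME:
            parts.append(tok.string if keyword.iskeyword(tok.string) else "ID")
        elif tok.type == tokenize.NEWLINE:
            parts.append("NEWLINE")
        elif tok.type == tokenize.INDENT:
            parts.append("INDENT")  # indentation width itself is cosmetic
        elif tok.type == tokenize.DEDENT:
            parts.append("DEDENT")
        else:
            parts.append(tok.string)  # operators, literals, keywords as-is
    return hashlib.sha256(" ".join(parts).encode()).hexdigest()


def scan(sample: str, known_hashes: set, known_fingerprints: set) -> dict:
    """Report which signature type, if any, flags the sample."""
    return {
        "hash_match": file_hash(sample) in known_hashes,
        "fingerprint_match": normalized_fingerprint(sample) in known_fingerprints,
    }


def demo() -> dict:
    # The vendor has analysed VARIANT_A and shipped both kinds of signature for it.
    known_hashes = {file_hash(VARIANT_A)}
    known_fps = {normalized_fingerprint(VARIANT_A)}
    return {
        "original": scan(VARIANT_A, known_hashes, known_fps),
        "renamed": scan(VARIANT_B, known_hashes, known_fps),
        "changed_logic": scan(VARIANT_C, known_hashes, known_fps),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

Run it and the "renamed" row shows the hash rule silently failing while the normalized fingerprint still fires; the "changed_logic" row shows that even the normalized fingerprint is only as good as the structure it captures, which is why detection on observed behaviour (file encryption rates, shadow-copy deletion, mass renames) is the layer the post argues for elsewhere.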
Endpoint Solutions Have Limitations
While today’s detection and response endpoint solutions are more effective than AV software, they have their limits. Because endpoint event logic lives in the cloud, there can be a delay of several seconds to minutes between an event’s occurrence and its appearance on an admin console. That brief gap may be all it takes for ransomware to be activated and shut down your entire network. Even worse, attackers often stage the actual ransomware payload across all of the systems in your network ahead of time, so it is executed simultaneously throughout your organization—before your detection and response solution sends an alert.
Ransomware Tools and Services Are Easy to Find
One quick search on GitHub brings up all kinds of open-source ransomware, such as RansomO. You’ll even find an open-source ransomware-as-a-service (RaaS) option for Linux, macOS, and Windows. Everything from phishing toolsets and obfuscation frameworks to initial-access and credential-abuse tools can be found for free on GitHub. Security professionals often develop and release attack frameworks on the premise that potential victims need to understand these tactics. The reality, though, is that hackers often use these same frameworks, making it harder for you to stay a step ahead. Even worse, while most of these tools come with documentation on how to use them, there is hardly any guidance on detecting and stopping them.
Your Last Line of Defense
While your prevention strategies and tactics may keep your organization safe from ransomware to some degree, it’s clear there is no way to be 100 percent certain your systems and data are secure. That’s why you must establish solid backup and disaster recovery practices. You should take backups frequently. And be sure that any solution you choose takes immutable snapshots of your complete data set. Immutable snapshots can’t be altered or deleted, making them immune to the ravages of ransomware. If you are the victim of an attack, these snapshots also make recovery quick and easy.