
INVITED ESSAY: Defending ransomware boils down to this: making it too expensive for cybercriminals

Written by ga_dahmani

From financial institutions to meat producers, it seems like every industry has been affected by ransomware in the last year, maybe even in the last week. The world’s largest companies and smaller mom-and-pop stores have been ravaged by cybercriminals looking to hold assets hostage for a big payday.


Why the sharp increase? Simply put, ransomware attacks are on the rise due to profit. This return on investment is attracting new players, and the ransomware monster continues to grow…and we are not prepared to fight it. Why? We are not prepared to defend ourselves against persistent threats.

With ransomware as a service (RaaS) as popular as it is, the attribution conversation becomes more difficult. Most ransomware attacks using RaaS are carried out by affiliates hopping from one service to another, often using two to four different services at the same time. Shutting down a service doesn’t stop attacks: Affiliates move to another RaaS provider, RaaS owners just rename, reorganize, and go back online.

While it is good to see law enforcement and governments go after gangs, that will not stop the monster that has grown out of control, which we as an industry continue to feed. While money attribution and tracking can make some gains, we need a multi-pronged strategy to kill the ransomware beast.

Low-cost attacks

Understanding the root cause of these attacks is crucial so that we can adjust defenses to protect against them. Actionable forensic analyses of how these attacks were carried out go a long way toward understanding the attack methodology and inner workings of these criminal affiliates and gangs.

The living-off-the-land/fileless attack methodology has not changed in years, despite the increase in the severity and frequency of attacks. Behaviors change and tools change, but the methodology remains the same. However, at a macro level, we do not stop known malware or known malicious behavior, we do not harden the built-in tools that are being abused, and we do not promptly patch known vulnerabilities that are actively being exploited.

We are failing as an industry to make it harder for attackers to reach their goals. We spend millions to defend, while attackers spend as little as $100 to perform an attack with a potentially huge return on that investment.

Small and medium enterprises make up 99 percent of all companies in the USA, and they are a big target for ransomware. Approximately 60 percent of successful ransomware attacks are against SMBs.

Larger companies offer higher payouts, but ransomware gangs know they are likely to face increased scrutiny after major attacks, especially when the impact of those attacks extends beyond the company (think of the Colonial Pipeline attack).

Because of this, ransomware gangs are starting to target SMBs more. They are easier to attack and provide moderate and consistent payouts with little retribution from law enforcement or governments. Most SMBs don’t have the resources to defend against persistent threats and are more vulnerable than larger companies that have more resources.

Bricks in the wall

There is no silver bullet in an industry that is evolving (both for better and for worse) as fast as cybersecurity. However, starting with a solid foundation of security goes a long way. A security program built on a solid foundation will be solid; a security program built on a shaky foundation will be unstable.

Some things that are involved in most attacks include social engineering, passwords, and vulnerabilities. On a macro level, password hygiene is terrible. Avoiding password reuse and using strong, hard-to-guess passwords is very helpful. The use of multi-factor authentication (MFA) that cannot easily be defeated by social engineering is essential.

Vulnerability management with proper prioritization is also a must. US-CERT (CISA) maintains a constantly updated catalog of vulnerabilities that are known to be actively exploited. If you don't patch anything else, patch the vulnerabilities that affect you and that are or have been actively exploited.
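To make that prioritization concrete, here is an added example (not from the original essay or its author) that cross-references an asset inventory against an actively-exploited-vulnerabilities feed and orders the unpatched matches by urgency: ransomware-linked entries first, then entries already past their remediation due date, then earliest due date. The feed sample and inventory are constructed inline; the field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) follow the public CISA KEV JSON feed as I understand it and should be treated as an assumption to verify against the live feed, and the CVE ids are placeholders.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's Known Exploited Vulnerabilities (KEV) feed.
# Field names are assumed from the public feed; CVE ids are placeholders, not real entries.
KEV_FEED_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "VPN Gateway",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
     "knownRansomwareCampaignUse": "Known", "shortDescription": "placeholder"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "Mail Server",
     "dateAdded": "2021-12-01", "dueDate": "2022-06-01",
     "knownRansomwareCampaignUse": "Unknown", "shortDescription": "placeholder"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "CMS",
     "dateAdded": "2021-10-15", "dueDate": "2021-11-01",
     "knownRansomwareCampaignUse": "Unknown", "shortDescription": "placeholder"}
  ]
}
"""

# Constructed asset inventory: what the organisation actually runs and its patch state.
INVENTORY = [
    {"host": "vpn-01", "vendor": "ExampleVendor", "product": "VPN Gateway", "patched": False},
    {"host": "mail-01", "vendor": "ExampleVendor", "product": "Mail Server", "patched": True},
    {"host": "web-01", "vendor": "OtherVendor", "product": "CMS", "patched": False},
    {"host": "db-01", "vendor": "ThirdVendor", "product": "Database", "patched": False},
]


def load_kev(feed_json):
    """Index feed entries by normalised (vendor, product) so inventory lookups are direct."""
    index = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    return index


def prioritize(inventory, kev_index, today_iso):
    """Return unpatched inventory items that match a KEV entry, most urgent first.

    Ordering: ransomware-linked entries first, then overdue before not-yet-due,
    then earliest due date. Patched assets and products absent from KEV are dropped.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        if asset["patched"]:
            continue
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in kev_index.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "overdue": due < today,
                "due": due.isoformat(),
            })
    # False sorts before True, so ransomware-linked and overdue items come first.
    findings.sort(key=lambda f: (not f["ransomware"], not f["overdue"], f["due"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(INVENTORY, load_kev(KEV_FEED_JSON), "2022-01-15"):
        flag = "RANSOMWARE " if f["ransomware"] else ""
        state = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f"{f['host']:<8} {f['cve']}  {flag}{state}")
```

One caveat a practitioner should keep in mind: the KEV feed names a vendor and product but not the affected version range, so a vendor/product match is a prompt to check the vendor advisory and confirm the installed version, not a confirmed finding by itself.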

Breach and attack simulation (BAS) technology enables you to test and adjust your security controls, exercise your people and processes, and gain previously unavailable visibility into how your security program is performing. Having a security tool like endpoint protection is not enough. You need to understand whether it is set up correctly and whether you are getting what you are paying for.

While there is no one tool that can take down the ransomware beast forever, focusing on the areas that are most exploitable can help prevent the bad guys from reaching their targets. The more expensive it is to attack before turning a profit, the closer we are to eliminating the ransomware monster we have fed. Until profits decline to the point where running a criminal organization is no longer viable, we will be locked in the fight.

About the essayist: Derek Kerin is Director of Security Services at sure Rape, provider of a proprietary platform that enables security teams to perform offensive security maneuvers.

*** This is a syndicated Security Bloggers Network blog from the last watchdog written by bacohido. Read the original post at:
