Successful ransomware attacks have increased at an alarming rate and are the top concern for many IT professionals. Ransomware attacks have evolved from simple scattergun encrypt-and-demand campaigns to very targeted, comprehensive, and sophisticated attacks that are intended to both steal the most critical data assets of an organization and then encrypt documents. Ransomware attacks no longer just encrypt files; they also steal unencrypted data and auction it on the dark web, creating enormous risk of brand damage, fines, and more. They also disrupt production, health care services, research, and more.
As an industry, we are struggling to develop solutions that prevent ransomware attacks, despite over $30B in endpoint security spend alone. Ransomware is being used at scale by nation states, criminal organizations, and activists to fund their cyberwarfare programs to the tune of billions of dollars, and cybercriminals could continue to blackmail organizations for years to come. Ransomware is a huge tax on our economy and has crippled many small companies so badly that they have gone out of business.
IT leaders have attempted to thwart ransomware attacks with a two-pronged approach: detect and block the ransomware at the device level and protect the data itself.
A common approach to defending against ransomware attacks is to implement a comprehensive backup solution that can restore encrypted data to its pre-ransom state. Unfortunately, adversaries know that most organizations have backup systems in place and attempt to access and encrypt the backed-up data. In addition to trying to encrypt the backups, ransomware has evolved to steal unencrypted files that contain sensitive data that can be used as blackmail against the victim. Unfortunately, there are no guarantees that adversaries who steal data actually delete it once victims pay to get their data back.
In an attempt to prevent the exfiltration of sensitive data, IT organizations have implemented encryption solutions that protect data at rest, whether on the local device, a shared storage device, or in the cloud. The limitation of this approach is that sophisticated threat actors know this and focus on stealing files when they are in an unencrypted state. For example, full disk encryption protects data at rest, but once the user logs in, sensitive files are no longer encrypted from the point of view of any process running in that session. Similarly, files may be backed up and encrypted in the cloud, but when they are synced to a local folder, they are no longer protected with encryption.
IT leaders attempt to thwart ransomware and data theft attacks in part by installing multiple detection and response solutions with an average of 8–12 agents installed per endpoint (with larger organizations having as many as 20). This has a significant impact on device performance and user experience and makes it difficult to manage the PCs.
In addition, relying solely on detection and response technologies to thwart ransomware attacks rests on a very dangerous assumption—that you will detect 100% of the ransomware attempts. This is a theoretical impossibility, as attackers always find new and novel ways to bypass organizations' defenses. Mistakes, errors, and unintended misconfigurations can go unnoticed by IT staff and be successfully exploited by threat actors to gain access to your network resources and plan a successful ransomware attack.
Proper ransomware defense requires multiple layers of defenses so that cascading failures and/or bypasses of prevention, detection, and response solutions do not lead to the unrecoverable encryption or the unauthorized exfiltration of sensitive data.
Existing endpoint ransomware defenses are not effective because they are too far removed from the data itself. They focus on the adversary's tools—those used to breach a system, establish command and control, exfiltrate the data, and more—as opposed to simply protecting the data itself from encryption, prior to both data exfiltration and ransomware.
Cigent D3E focuses only on protecting all of your valuable data, whether unencrypted or encrypted, at all times. It does this by ensuring only trusted, authenticated users can access sensitive files while simultaneously blocking ransomware encryption attempts.
Only one or two agents per endpoint are required to prevent ransomware (Cigent D3E and AV/NGAV). AV should still be deployed to meet regulatory requirements, stop spyware and other nuisance malware, and prevent known and zero-day malware and ransomware that can be detected by machine-learning based AV solutions.
D3E adds next to no overhead (less than 1% CPU) and is safe to use for both corporate and personal files. Other endpoint detection solutions can be added, but in fewer numbers and better focused on pan-network/cloud attack tactics, including credential theft, privilege escalation, lateral movement, and more.
Additional layers of protection can be added to D3E to protect against more advanced and well-funded persistent threat actors and nation states by storing data on Cigent Secure SSDs. By locking sensitive files in Secure Drives on Cigent Secure SSDs, data theft and ransomware attempts are prevented using firmware to cryptographically lock sensitive files and prevent them from even being seen by adversaries. Furthermore, Cigent Secure SSDs use a Keep Alive capability built into the firmware that ensures D3E is always running and protecting data. These added layers of defense give the most holistic set of protections against practically every known data theft and ransomware attack by moving data protection as close as physically possible to the data itself, focusing on what matters most: protecting your data from theft and malicious encryption attempts.
While all businesses should take advantage of modern cybersecurity measures, there are some for which data security is of particular importance.
On December 8th, 2020, FireEye, one of the world's largest cybersecurity companies, reported the unauthorized access and exfiltration of their red team tools. How can Cigent help?