Ransomware Defense

Cybercriminals not only encrypt files for ransom, but also steal and sell them to the highest bidder.

Threats are escalating.

Successful ransomware attacks have increased at an alarming rate and are the top concern for many IT professionals. Ransomware attacks have evolved from simple scattergun encrypt-and-demand campaigns to very targeted, comprehensive, and sophisticated attacks that are intended to first steal the most critical data assets of an organization and then encrypt its documents. Because attackers now steal and auction unencrypted data on the dark web in addition to encrypting files, victims face enormous risk to brand reputation, regulatory fines, and more. These attacks also disrupt production, health care services, research, and other critical operations.

Costs are high.

As an industry, we are struggling to develop solutions that prevent ransomware attacks, despite over $30B in endpoint security spend alone. Ransomware is being used at scale by nation states, criminal organizations, and activists to fund their cyberwarfare programs to the tune of billions of dollars, and cybercriminals could continue to blackmail organizations for years to come. Ransomware is a huge tax on our economy and has crippled many small companies so badly that they have gone out of business.

Assessing the Traditional Two-Pronged Approach

IT leaders have attempted to thwart ransomware attacks with a two-pronged approach: detect and block the ransomware at the device level and protect the data itself.

1. Sensitive Data Protection

Data Backup

A common approach to defending against ransomware attacks is to implement a comprehensive backup solution that can restore encrypted data to its pre-ransom state. Unfortunately, adversaries know that most organizations have backup systems in place and attempt to access and encrypt the backed-up data as well. In addition to targeting the backups, ransomware has evolved to steal unencrypted files containing sensitive data that can be used to blackmail the victim. There is also no guarantee that adversaries who steal data actually delete it once victims pay to get their data back.

Encryption of Data at Rest

In an attempt to prevent the exfiltration of sensitive data, IT organizations have implemented encryption solutions that protect data at rest, whether on the local device, on a shared storage device, or in the cloud. The limitation of this approach is that sophisticated threat actors know this and focus on stealing files while they are in an unencrypted state. For example, full disk encryption protects data at rest, but once the user logs in, sensitive files are transparently decrypted and no longer protected. Similarly, files may be backed up and encrypted in the cloud, but when they are synced to a local folder, they are no longer protected by that encryption.

2. Detection and Response

Multiple Solutions

IT leaders attempt to thwart ransomware and data theft attacks in part by installing multiple detection and response solutions, with an average of 8–12 agents installed per endpoint (and as many as 20 in larger organizations). This has a significant impact on device performance and user experience and makes the PCs difficult to manage.

Detection Rate

In addition, relying solely on detection and response technologies to thwart ransomware attacks rests on a very dangerous assumption—that you will detect 100% of ransomware attempts. This is a theoretical impossibility, as attackers always find new and novel ways to bypass an organization's defenses. Mistakes, errors, and unintended misconfigurations can go unnoticed by IT staff and be successfully exploited by threat actors to gain access to your network resources and stage a successful ransomware attack.

Proper ransomware defense requires multiple layers so that cascading failures and/or bypasses of prevention, detection, and response solutions do not lead to unrecoverable encryption or the unauthorized exfiltration of sensitive data.

Traditional defenses are not close enough to the data.

The New Approach to Ransomware Prevention

Existing endpoint ransomware defenses are not effective because they are too far removed from the data itself. They focus on the adversary's tools—those used to breach a system, establish command and control, exfiltrate the data, and more—rather than simply protecting the data itself from both exfiltration and malicious encryption.

See how Cigent D3E protects data from attacks.

Perpetual Data Protection

Cigent D3E focuses only on protecting all of your valuable data, whether unencrypted or encrypted, at all times. It does this by ensuring only trusted, authenticated users can access sensitive files while simultaneously blocking ransomware encryption attempts.

Only one or two agents per endpoint are required to prevent ransomware (Cigent D3E and AV/NGAV). AV should still be deployed to meet regulatory requirements, stop spyware and other nuisance malware, and prevent known and zero-day malware and ransomware that machine-learning-based AV solutions can detect.

Minuscule Overhead

D3E uses next to no overhead (less than 1% CPU) and is safe to use for both corporate and personal files. Other endpoint detection solutions can still be added, but in fewer numbers and better focused on network- and cloud-wide attack tactics, including credential theft, privilege escalation, lateral movement, and more.

Layered Defense-in-Depth Protections

Additional layers of protection can be added to D3E to defend against more advanced, well-funded persistent threat actors and nation states by storing data on Cigent Secure SSDs. By locking sensitive files in Secure Drives on Cigent Secure SSDs, data theft and ransomware attempts are prevented at the firmware level, which cryptographically locks sensitive files and prevents them from even being seen by adversaries. Furthermore, Cigent Secure SSDs have a Keep Alive capability built into the firmware that ensures D3E is always running and protecting data. Together these layers give the most holistic set of protections against practically every known data theft and ransomware attack, by moving data protection as close as physically possible to the data itself and focusing on what matters most: protecting your data from theft and malicious encryption attempts.
