Event Recording

Exploring the role of Endpoint Security in a Ransomware Resilience Plan


Ransomware attacks continue to increase in frequency and severity. Every organization needs a ransomware and malware resilience plan. Three major components of such plans should include deploying Endpoint Security solutions, keeping computing assets up to date on patches, and backing up data. In this session, we'll look at trends in ransomware as well as review the results of the KuppingerCole Leadership Compass on Endpoint Protection Detection & Response (EPDR) solutions.

So, yeah, I'll, I'll start off with talking about the evolution of ransomware and where we are today, and look at the, the financial and legal landscape and what's changed, and then how endpoint security fits in as a, you know, one of the primary means for, you know, deflecting against ransomware. So I think it's always good to take a look at, you know, some of the latest facts and figures in a presentation like this. You know, ransomware has increasingly, as I'm sure everyone is aware, been targeting all kinds of different organizations around the planet. You know, maybe it started off years ago with individuals and then spread to really large organizations, but now it's just about any organization out there, you know, hospitals, clinics, schools, government agencies of all kinds. You know, a recent statistic showed that attacks against hospitals are up 94% over last year.
And I can tell you there's a, a local clinic here that has been shut down for almost a month because of ransomware, where they weren't able to take appointments, you know, see patients. You know, this is a very, very serious situation when ransomware hits, you know, any organization, but especially a medical organization. We've seen a change in the tactics, you know, you know, from stealing data to, you know, wiping out information and then gathering data and threatening to leak it. Ransomware payments are up three times in 2021 over up to 1.2 billion. And that's just what's reported. And if we think back to the Colonial Pipeline attack, which didn't actually hit their operational tech environment, the ransomware has the possibility of disrupting, you know, whole segments of economy for days on end. So it's, it's a very serious situation. You know, when this started out more than 10 years ago, maybe to a degree, it may have looked a bit innocuous. It would lock somebody's screen, then came the demands for ransom, then came the encryption, you know, on a local machine, first of all. But then, you know, they learned to move across the network. They learned to encrypt company information in the cloud and even get rid of online backups. So, you know, the sophistication in the attack methods has gotten, you know, much greater, unfortunately. Then a few years ago, we saw, you know, destructive wipers, which kind of masqueraded as ransomware, but the intent really was just getting on a whole bunch of machines and, and essentially wiping them out.
Now, you know, the last few years we've seen a change in the tactics too, where they're taking an APT-like approach where they get into a network, do some recon, lateral movement, find all the interesting information, exfiltrate it, then encrypt, and, you know, they can then, you know, make the demand to pay up or they'll leak that information. So what are some of the factors that have enabled the growth? I think we're probably all aware of cryptocurrency, how, you know, it's become widely available, become accepted, and was increasing in value throughout the late 2010s. Then of course, there's the willingness of victims to pay the ransom. You know, without a willing payment, then, then the business would not have materialized. We've also seen the rise of cybersecurity insurance and then development of the ransomware as a service business model. And this even includes specialization in that particular cyber criminal labor market.
In fact, let's, let's look at, you know, three major job types in the ransomware as a service business. First of all, you've got the service providers that are cyber criminal organizations. They, they write the ransomware, they maintain the families of ransomware. They go out and look for the operators or the affiliates, the people that are or will go out and run the attacks for them. And then on the back end, they collect the payments, the ransom payments. They provide, you know, a form of tech support. Sometimes they deliver decryption keys, and then they will pay the operators. The operators are the ones that are out there looking for target companies. They run the attack and they get paid. Sometimes they interact with another job classification, the access brokers. These are the, the other malefactors that are out there looking for accounts that can be easily compromised, maybe unsecured RDP or VPN credentials, you know, accounts, maybe persons have left organizations and they haven't removed those accounts. So they find these on the dark web and they sell that access to the ransomware operator.
You know, and this, this survey shows that in 2022, worrying about ransomware is a top concern, you know, for cybersecurity execs, just like data breaches. This, I think, is interesting because I wanted to talk a little bit about the different attack vectors that we see out there, because the, the methods that the ransomware operators have been using have been changing over the last couple years. And you can see it's kind of a rapid change as well. We have typically in the past talked about email as a, you know, a bad guy would craft an email that contained maybe an office document that had macros in it, and then send that off in a phishing email. There's also, like I was mentioning, the RDP compromise where they will look for, you know, an unsecured account and, you know, just directly log into the victim network and collect information and, and load it up with ransomware that way. And we see, you know, starting in around 2020, those started to vary inversely proportionally, where email phishing started to decline as RDP compromise became the primary means of getting it into a network.
And then, you know, mentioning macros, that used to be a, a primary way for getting ransomware in, again, you know, send it in a document. But back in about a year ago, Microsoft disabled macros by default. So the ransomware operators turned to a different tactic. They started using container files as a way to get around perhaps, you know, some security measures. So when Microsoft disabled that, we saw a huge decrease, a 66% drop in the use of macros. Instead, they're using ISO images, raw zip files, because the files inside may not be scanned. So this may be a way to bypass other security tools and get ransomware to actually detonate when they wanted to.
So let's kind of quickly look over the political, legal, financial landscape and how it affects ransomware. You know, there's been a lot of volatility in the cryptocurrency market, even as late as yesterday, a pretty big drop; increased technical requirements on the part of cybersecurity insurers. They want the companies that they are insuring to have, you know, many specific security tools, which I'll talk about in a couple of minutes. But, you know, these are things that have to be in place before you can actually get a cybersecurity insurance policy. It's becoming more difficult to, to get coverage because of the increase in ransomware attacks. And then we also have seen that the insurance premiums for cybersecurity have been increasing, you know, 20 to 50%, some really high risk companies, the ones that have been hit more than once. And that happens too. If you get hit once and you pay the ransom, then these perpetrators know that you're likely to pay again. In those cases, their premiums have gone up, sometimes a thousand percent for those high risk customers. We also see cybersecurity insurance companies now denying claims in the event that maybe the, the insured didn't live up to what they were supposed to do in terms of a cybersecurity architecture deployment. And also heard of insurers that are deciding to not be in the cybersecurity insurance business anymore as well.
So I think on the good side, more organizations are not paying ransoms. They get hit, they're, they're trying to restore from backups. They're, they're taking some of the wind out of this market by not paying the ransom. And, you know, studies have shown that the ransomware operators, service providers are not actually providing working decryption keys in many cases, so you can pay the ransom and not get a working decryption key. So we see this trending downward, and I think that's a really good thing. You know, over the last three years, the number of organizations that are admitting to paying ransoms, there are reporting and transparency requirements. GDPR, NIS2 in, in Europe, if, if an organization suffers a data breach with a loss of personal information, or, you know, organizations that are in critical infrastructure in the US now are subject to a CISA regulation that says that they have to provide notification about a cyber attack and if they pay ransom. And we've learned from a fairly recent high profile case that covering up a data breach is potentially punishable by jail time in the US.
You know, five, 10 years ago when, when this started, there were not that many prosecutions and there's still not nearly enough prosecutions. But I think it's good to say that over the last few years there have been some high profile arrests and things like sanctions have made at least a, a temporary dip in the ransomware market. So what will happen? You know, ransomware attacks reached an all time high last year. There's some evidence that says maybe it hasn't been quite as bad in '22, but we, yeah, we believe this is just a temporary situation, and the frequency and severity of ransomware will increase en masse, you know, in the next few months.
So what are we supposed to do? What, what does endpoint security do for us? I think it's, you know, the number one means, or at least, you know, the top two means for helping prevent ransomware attacks in the first place. So we've had endpoint protection for quite a while. This is a field I call endpoint protection, detection and response. It's the combination of endpoint protection and endpoint detection and response. We think of endpoint protection as like next generation antivirus, plus a lot of other sort of secondary tools that go along there to help prevent infections from happening in the first place. And they do this by looking at the code. I'll get into the, the specifics here in a minute, but they, they try to prevent execution of any kind of malware before it gets a chance to run. Secondary capabilities are things like managing the endpoint firewall, URL filtering, keeping users from going to known malicious URLs, doing application allow-listing or deny-listing, don't let any given application run without proper privileges.
And then system file integrity monitoring. On the EDR side, this is more about looking for signs of attack after they've happened, just looking for the indicators of compromise, integrating with cyber threat intelligence, and then providing means for security teams to do investigations and forensic analysis and then take response actions, whether manually or in some cases, automating part of the response and automating part of the investigation process. How does EPDR stop ransomware? Well, on the, the pre-execution side, the signature method still works. That's sort of been around for 30 years. It's not as sophisticated. It doesn't work all the time. You know, it's actually a fairly low percentage of the time these days, but it, it is still utilized by many of the products in the EPDR space. The more complicated ways of looking for ransomware, things like memory analysis, sandboxing, you know, you get a new file, you send it to a sandbox, let it run, let it see what happens.
There's an, an absolute need for AI slash, you know, machine learning to identify the thousands and thousands of new variants of all kinds of malware every day. It's just not possible for human security analysts to categorize all the malicious codes discovered every day. But looking really at ransomware, what does it, what does EPDR look for? It looks for things like trying to encrypt every, every file in a specific location, like My Documents, for example, or encrypting all types of files by the file type, or changing. Many of them used to change file extensions just prior to doing encryption. Even looking for enumerating the files by type. Any attempt to zero out the data in a file is, is a potential sign ransomware is getting ready to operate. Deleting the volume shadow copy on Windows: there's sort of an automatic backup system that, that the operating system has for keeping data in what they call a volume shadow copy. Many ransomware programs start off by saying, delete that, and then there's also deletion of online backups. So EPDR systems, again, looking at the code, hopefully before it runs or as it's running, to see if any of these kinds of activities are taking place. And then having the ability to shut that down, terminate that process so that, A, hopefully, you know, there isn't mass encryption, or B, try to contain it as much as possible and certainly don't let it spread.
You know, we've been very focused on detection for the last 10 years with the rise of endpoint detection and response, network detection and response, and now XDR, you know, extended detection and response, and that's kind of, you know, thinking, well, it's inevitable that we're all gonna get hit at some point, which is probably true, but, you know, prevention, doing what you can to prevent an attack, will certainly save a lot of effort rather than waiting until you see signs of it and then how to recover. So I think we need to emphasize prevention and we can do that through EPDR. So wrapping up here, you know, the ransomware risk mitigation technical measures, I said I think there are really two that are really top. EPDR I, I think is key, but there's also operating system and application patching, vulnerability management.
Many of the forms of ransomware that have been in use for the last five years have, you know, really depended on known exploits, and the operating system and application vendors have been really good at getting out patches that close these exploits. So if you can keep your machines patched with the latest, you know, versions, that will do a lot to decrease the risk of ransomware. Zero trust architecture. This is to prevent, you know, bad guys coming in through those exploited RDP, VPN accounts. Data security, and I'm running outta time, but privileged access management. This is, you know, many ransomware types need, you know, escalated privilege to not only execute on a machine, but then move around. So if you have privilege management that can help decrease the risk and contain it. Offline backups. And then since some still come in through email, email and security gateways. And with that, I will stop and see if there's time for questions.
Perfect. Thank you very much, John, for this great insight and especially starting with some real good numbers and figures about ransomware and the effect of paying it or not paying it. I also used that in a presentation earlier this morning. So this is really interesting stuff and shows a little bit, if you have, if you are victim of a ransomware attack, it does not necessarily make sense to pay, and it also means that you do not necessarily get access to your data again, so you lose your data and your money at the end. So EPDR is really essential. We have one question from the audience. John, how do you, or how would you integrate EPDR in your security strategy for an organization, for an existing organization? What are the first steps to go into that direction?
How to integrate? Well, I would look for, you know, a, depending on the, the kind of organization, you know, one that has good enterprise support. If you have a, so a security operations center, do you want to integrate that with SOAR? If you have SOAR, look for the ones that are compatible with that. You know, check. We do have reports on EPDR where you can see sort of a rating of vendors. I'd recommend taking a look at the, the research on that. And then, yeah, if you've got any questions, feel free to reach out.
Yeah. Perfect. Thank you very much, John, for this great presentation.
Thanks Christopher.
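The talk lists the behavioural signals an EPDR product watches for when ransomware is about to run: deleting the Windows volume shadow copy, bulk renaming of files to a new extension before encryption, and zeroing out file contents. The following is an added example, not part of the recording or of any KuppingerCole or vendor product, showing how such behavioural rules can be expressed over endpoint telemetry. The event schema (`process`, `rename`, `write` dicts), the thresholds, and the sample events are all constructed for illustration.

```python
"""Toy behavioural detector for the ransomware indicators named in the talk.

The event schema and the thresholds are constructed for this example; real
EPDR products consume vendor-specific telemetry and tune these values.
"""
import os
import re
from collections import defaultdict

# Command lines that delete Windows Volume Shadow Copies. Both tools are real,
# but the patterns are illustrative, not a complete rule set.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]

# One process renaming this many files to the same new extension within the
# window is treated as bulk extension changing (the "change file extensions
# just prior to encryption" behaviour).
RENAME_THRESHOLD = 5
RENAME_WINDOW_SECONDS = 10.0
ZERO_FILL_MIN_BYTES = 16   # ignore tiny writes when looking for zero-fills


def extension(path):
    """Lower-cased extension ('.xlsx') of a Windows or POSIX path, '' if none."""
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def detect(events):
    """Return a list of (indicator, pid, detail) tuples.

    `events` is an iterable of dicts ordered by `ts` (seconds). Event types:
      process: pid, cmdline
      rename:  pid, src, dst
      write:   pid, path, data (the bytes actually written)
    """
    findings = []
    rename_times = defaultdict(list)   # (pid, new_ext) -> recent timestamps
    already_flagged = set()

    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            if any(p.search(ev["cmdline"]) for p in SHADOW_COPY_DELETION):
                findings.append(("shadow_copy_deletion", pid, ev["cmdline"]))

        elif ev["type"] == "rename":
            old_ext, new_ext = extension(ev["src"]), extension(ev["dst"])
            if old_ext == new_ext:
                continue               # ordinary rename, extension unchanged
            key = (pid, new_ext)
            # Sliding window: keep only renames within RENAME_WINDOW_SECONDS.
            recent = [t for t in rename_times[key]
                      if ev["ts"] - t <= RENAME_WINDOW_SECONDS]
            recent.append(ev["ts"])
            rename_times[key] = recent
            if len(recent) >= RENAME_THRESHOLD and key not in already_flagged:
                already_flagged.add(key)
                findings.append(("mass_rename", pid,
                                 f"{len(recent)} files renamed to '{new_ext}' "
                                 f"within {RENAME_WINDOW_SECONDS:g}s"))

        elif ev["type"] == "write":
            data = ev["data"]
            # A write consisting solely of NUL bytes is the zero-out signal.
            if len(data) >= ZERO_FILL_MIN_BYTES and not data.strip(b"\x00"):
                findings.append(("zero_fill_write", pid, ev["path"]))
    return findings


# Constructed sample telemetry: pid 4242 behaves like ransomware, the other
# processes are benign noise that must not trigger an alert.
DOCS = r"C:\Users\alice\Documents"
SAMPLE_EVENTS = [
    {"ts": 0.0, "type": "process", "pid": 4242,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
] + [
    {"ts": 1.0 + i, "type": "rename", "pid": 4242,
     "src": f"{DOCS}\\file{i}.xlsx", "dst": f"{DOCS}\\file{i}.xlsx.locked"}
    for i in range(5)
] + [
    {"ts": 6.0, "type": "write", "pid": 4242,
     "path": f"{DOCS}\\notes.txt", "data": b"\x00" * 64},
    {"ts": 7.0, "type": "rename", "pid": 900,
     "src": f"{DOCS}\\report.docx", "dst": f"{DOCS}\\report_v2.docx"},
    {"ts": 8.0, "type": "process", "pid": 901,
     "cmdline": "vssadmin.exe list shadows"},
    {"ts": 9.0, "type": "write", "pid": 902,
     "path": f"{DOCS}\\todo.txt", "data": b"buy milk\n" * 4},
]

if __name__ == "__main__":
    for indicator, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{indicator}] pid={pid}: {detail}")
```

The three rules correspond one-to-one to the signals named in the talk; a product would additionally feed the flagged process into a response action (terminate, isolate host), which is what the speaker describes as the "shut that down, terminate that process" step.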
