Overview of Ransomware Solutions from Protection to Detection and Response

Ransomware remains a top threat in 2023 and the Verizon Data Breach Investigations Report (DBIR) 2022 states that over 25% of breaches were caused by ransomware.  

 Threat actors are continuously creating ransomware variants; as a result, governments worldwide are finding and disabling the ransomware gangs from operating these criminal businesses. Even as the proliferation of ransomware-as-a-service lowers the entry point, the attack sophistication increases, and they are increasingly targeting MSPs. In fact, cybersecurity authorities in the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA), (NSA), (FBI) are observing an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.

Read more in this helpful alert from CISA  https://www.cisa.gov/news-events/alerts/2022/05/11/protecting-against-cyber-threats-managed-service-providers-and-their  

There is no letup in attacks for businesses of all sizes. Of note, there have been increases in smaller businesses in the services, manufacturing, construction, legal, financial and retail establishments as well as larger organizations in the telecom, technology, utilities and governments. 

The biggest losses continue to be data exposure, time to resource normal operations, loss of revenue, brand reputation, employee reputation, and insurance. 

It is important to have a full cybersecurity program to protect your clients and their environments – that means prevention, detection, and response. There are plenty of vendors with solutions that solve some of the aspects of the ransomware problem. However, we’ve noticed that many of the potential partners we talk to have focused most of their efforts to date on prevention and response, which is a reactionary posture. 

Prevention of ransomware is usually focused on email, endpoint, web, and employee awareness training and a much bigger focus on data and endpoint backup. This generally requires a number of solutions from email security and endpoint security vendors to be deployed and configured consistently on all client endpoints and email accounts. The response program has mostly been limited to data restores, which are increasingly automated now that many backup vendors have tightly integrated ransomware detection capabilities. 

However, as highlighted above, ransomware continues to cause problems for MSPs and MSSPs, and their clients. This has consequences for client trust and confidence in their service providers’ services to protect them from ransomware. 

Ransomware detection solutions generally focus on DLP, intrusion detection, anomaly detection with User and Entity Behavior Analysis (UEBA), and deep, real-time application of threat intelligence. These capabilities are generally the only way to proactively stop ransomware before it detonates. For example, monitoring email systems and networks for ransomware indicators may be the best way to prevent ransomware attacks from being successful. 

We’ve noticed that many MSPs and MSSPs are focusing on these challenges – and implementing network segmentation, better backup software, widening the patch and config management programs for on-premises and cloud systems, DLP, and endpoint and network UEBA. They are looking more closely at their attack surfaces and the ability to detect issues for both North-South and East-West network connections. 

While the biggest roadblocks to making these improvements include the difficulty in implementing new tools, the lack of finding and hiring skilled security team members, client end-user awareness, and overall cost models to accommodate the solutions needed to protect clients.  

Some MSPs and MSSPs are increasing their prices or creating a second tier of service that includes a cybersecurity service schedule that adds additional capabilities for detection, threat intelligence, and response. This higher monthly fee schedule is often offset by a lower cyber insurance premium that the client would experience. 

Seceon aiSIEM and aiXDR powered MSPs and MSSPs are able to better protect their clients with our advanced, AI/ML powered detection and response capabilities including: 

Detection at Host: In the case of an attack based on email phishing, Seceon aiSIEM and/or aiXDR quickly swing into action, correlating logs from the email server with endpoint activities to find traces of unusual or suspicious process spawned on the endpoint. 

Detection at Host Connecting with C&C: When the the ransomware’s components try to establish a connection with the Command and Control Center (C&C) from the affected host, Seceon aiSIE and/or aiXDR platform steps in to detect the auto-generated domain names and correlate that information with other threat indicators to raise an alert. 

Detection of Lateral Movement: The introduction of an infected host in the network could lead to a network scan conducted by the malware for the purposes of identifying a potential target before propagating to other endpoints/servers, like a worm. Seceon aiSIEM and/or aiXDR can detect this activity rapidly and correlate with contextual events to raise a “Potential Malware Infected Host” alert, followed by an automated or press-of-a-button response to quarantine the infected host. 

Learn more about Seceon’s powerful abilities to detect and respond to ransomware attacks. Schedule a demo today to see how leading service providers and IT teams are efficiently running their security operations.