GUEST ESSAY: Defending ransomware boils down to this: make it very costly for cybercriminals

By Derek Krein

From financial institutions to meat producers, it seems every industry has been impacted by ransomware in the past year — maybe even the past week. The world’s largest enterprises to the smallest mom-and-pop shops have been devastated by cybercriminals who are looking to hold assets hostage for a big pay day.


Why the stark increase? Put simply, ransomware attacks are on the rise because of profits. This return on investment is bringing in new players, and the ransomware monster continues to grow, and we’re not ready to fight it off. Why? We’re not prepared to defend against persistent threats.

With ransomware-as-a-service (RaaS) as popular as it is, the attribution conversation becomes more difficult. Most of the ransomware attacks that use RaaS are carried out by affiliates who bounce from service to service, often using two to four different services at the same time. Shutting down a service doesn’t stop the attacks: the affiliates move to another RaaS provider, and the RaaS owners simply rename, retool, and go again.

While it’s nice to see law enforcement and governments go after the gangs, that won’t stop the monster that has grown out of control and that we, as an industry, continue to feed. While attribution and following the money can get a few wins, we need a multi-pronged strategy to slay the ransomware beast.

Low cost attacks

Understanding the root cause of these attacks is crucial so we can adjust defenses to protect against them. Actionable forensics on how these attacks were carried out go a long way toward understanding the attack methodology and the inner workings of these affiliates and criminal gangs.

The living-off-the-land/fileless attack methodology has not changed in years, despite the uptick in attack severity and frequency. Behaviors change and tools change, but the methodology remains the same. Yet, at the macro level, we don’t block known malware or known malicious behaviors, restrict commodity tools that are abused by attackers, or immediately patch vulnerabilities that are known to be actively exploited.

We’re failing as an industry to make it difficult for attackers to reach their goals. We spend millions to defend while attackers spend as little as $100 to conduct an attack with a potentially huge return on that investment.

Small-to-medium-sized businesses make up 99 percent of all businesses in the United States, and are a big ransomware target. Roughly 60 percent of successful ransomware attacks are against SMBs.

Enterprises have higher payouts, but ransomware gangs know they’re likely to face higher scrutiny after major attacks, especially when the impact of those attacks extends past the company (think the Colonial Pipeline attack).

Because of this, ransomware gangs are starting to focus more on SMBs. They’re easier to attack and provide moderate, consistent payouts with little retribution from law enforcement or governments. Most SMBs don’t have the resources to defend against persistent threats and are more vulnerable than large enterprises that have more resources.

Bricks in the wall

There is no silver bullet in an industry that’s evolving (both in good and bad ways) as fast as cybersecurity. However, starting with a strong security foundation goes a long way. A security program built on a strong foundation will be strong; a security program built on a shaky foundation will be shaky.

A few elements show up in most attacks: social engineering, passwords, and vulnerabilities. At the macro level, password hygiene is abysmal. Avoiding password reuse and using strong, hard-to-guess passwords goes a long way. The use of multi-factor authentication (MFA) that is not easily socially engineered is critical.

Vulnerability management with proper prioritization is also a must. US-CERT maintains a database of actively exploited vulnerabilities that is consistently updated. If you patch nothing else, patch the vulnerabilities you’re affected by that are, or have been, actively exploited.
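As an added example (not from the essay or from SafeBreach), here is how that prioritization can be automated: cross-referencing scanner findings against the actively exploited vulnerabilities feed, which I assume to be the CISA Known Exploited Vulnerabilities (KEV) JSON catalog. The feed excerpt and scan results below are constructed with placeholder CVE ids; the field names follow the KEV feed, and `knownRansomwareCampaignUse` is a later addition to that feed treated as optional here.

```python
import json

# Constructed excerpt of a KEV-style feed (placeholder CVE ids, not real entries).
# Field names follow the CISA KEV JSON feed; knownRansomwareCampaignUse was added
# to that feed later and is treated as optional here.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dueDate": "2021-11-17", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dueDate": "2022-05-03"},
    {"cveID": "CVE-0000-0003", "dueDate": "2022-01-10", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner output: host -> CVEs the scanner reports it as affected by.
SCAN_RESULTS = {
    "fileserver01": ["CVE-0000-0002", "CVE-0000-0009"],
    "vpn-gw": ["CVE-0000-0001", "CVE-0000-0003"],
    "kiosk": ["CVE-0000-0042"],
}


def load_kev(feed_json):
    """Index the feed by CVE id so each scanner finding is a single lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(scan_results, kev, today):
    """Split findings into a 'patch first' tier (in KEV) and 'everything else'.

    The KEV tier is ordered with ransomware-linked CVEs first, then by the
    catalog's remediation due date, and flags entries already past due
    relative to `today` (an ISO date string).
    """
    first, rest = [], []
    for host, cves in scan_results.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                rest.append({"host": host, "cve": cve})  # vulnerable, but not known-exploited
                continue
            first.append({
                "host": host,
                "cve": cve,
                "due": entry["dueDate"],
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "overdue": entry["dueDate"] < today,  # ISO dates compare correctly as strings
            })
    first.sort(key=lambda f: (not f["ransomware"], f["due"]))
    return {"patch_first": first, "other": rest}


if __name__ == "__main__":
    for finding in triage(SCAN_RESULTS, load_kev(KEV_FEED), "2022-03-01")["patch_first"]:
        print(finding)
```

The "other" tier is still vulnerable and still needs patching; the point is only that the known-exploited set is where the limited patching budget goes first.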

Breach and attack simulation (BAS) technology allows you to test and tune your security controls, exercise your people and processes, and gain visibility not previously available into how your security program is working. Having a security tool such as endpoint protection isn’t enough. You must understand whether it’s configured correctly and whether you’re getting what you’re paying for.

While there is no one tool that can slay the ransomware beast for good, focusing on areas that are highly exploitable can help prevent the bad guys from reaching their goals. The more expensive it is to attack before a profit, the closer to eliminating the ransomware monster we are. Until the profits diminish to a point that running the criminal organizations is no longer viable, we’ll be stuck in the fight.

About the essayist: Derek Krein is Security Services Director at SafeBreach, supplier of a patented platform that enables security teams to conduct offensive security maneuvers.
