GUEST ESSAY: Here’s why EDR and XDR systems failed to curtail the ransomware wave of 2021

By Eddy Bobritsky

Looking back, 2021 was a breakout year for ransomware around the globe, with ransoms spiking to unprecedented multi-million dollar amounts.


All this while Endpoint Detection and Response (EDR) installations are at an all-time high. EDR systems are supposed to protect endpoints against exactly this kind of malware, ransomware and other malicious code.

Despite investing in some of the best detection and response technology available, companies running EDRs are still suffering ransomware attacks. Surprisingly, over the same period in which EDRs became more popular, not only have malware and ransomware attacks become more frequent; it now takes an average of 287 days to detect and contain a data breach, according to IBM's 2021 Cost of a Data Breach Report.

Infection required

So, why is this happening if so many companies are adopting EDR and XDR solutions, which are supposed to neutralize these threats?

In short, it comes down to the way EDRs and XDRs work. By design, an EDR is not equipped to prevent 100 percent of malware and ransomware attacks.

When an EDR detects malicious behavior, it builds a response to stop the attack from causing further damage. That usually heads off much of the damage that malware and ransomware would otherwise inflict on your organization.


But because EDRs require your system to be infected before they can step in and develop a response to stop the attack, they aren’t able to actually prevent the attack from damaging your systems. They’re reducing the amount of damage, not preventing it entirely.

This is true no matter how sophisticated your EDR or XDR is. Even XDRs that use AI and other cutting-edge techniques to detect malicious code still need an attack to be under way before they can develop a response.

To keep malware from damaging a computer network, you can't wait for detection before you start responding; you must stop the attack from executing in the first place. Think of it this way: would you rather the auto industry invested in better airbags to reduce injury, or in accident-prevention technology like automatic braking?

Fooling malware

A better approach is to prevent the attack from happening at all, by turning the malware's own strengths and tendencies against it so that it never executes.

For example, malware that wants to avoid being analyzed in a sandbox will often query the operating system to find out whether it is running in a virtual machine (VM), or check the screen resolution (sandboxes commonly report 800×600 because no physical display is attached to them).

So, to fool the malware into believing it is in an environment where it would rather not run, you can simply answer its queries the way a sandbox would: "yes, you're in a VM" or "the current resolution is 800×600", even though neither is true.

As another example, some threat actors avoid infecting systems in their own country for fear of repercussions from local law enforcement. A Russia-based actor who wants to keep their malware off Russian networks, for instance, can have it query the system for the installed keyboard layouts.

If we simulate an answer telling the malware that a Russian keyboard is installed, even though it isn't, the malware decides not to execute and simply moves on to a more attractive victim.

In other words, the very evasion tactics malware uses to avoid detection can be used to stop it from executing in the first place. The caveat is that this only affects samples that actually ask those questions; a sample that never checks its environment runs regardless, so simulated answers complement detection rather than replace it.
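The two checks above (the VM/resolution probe and the keyboard-layout probe), as an added example that is not part of the essay and not Minerva Labs' code: a small Python model of the malware-side decision logic and of a deception layer that answers those probes the way a Russian-localized sandbox would. The CIS keyboard LANGIDs and the CPUID hypervisor vendor strings are real Windows/CPUID values; HostFacts, deceive() and malware_would_execute() are assumed names, and the deception is modeled by rewriting the answers rather than by hooking the APIs inside the process, which is how it would have to be done against a real sample. The flags on malware_would_execute() also show the limit of the technique: a sample that never asks the question runs regardless.

```python
"""Model of the evasion checks described in the essay and a deception layer
that answers them the way the malware hopes it won't.

Added example, not code from the essay or from Minerva Labs. The hypervisor
vendor strings and CIS keyboard-layout LANGIDs are real Windows/CPUID values;
HostFacts, deceive() and malware_would_execute() are illustrative assumptions.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass, replace

# A Windows HKL handle carries the LANGID in its low 16 bits. Illustrative
# subset of CIS layouts that region-locked ransomware refuses to run alongside.
CIS_LANGIDS = {0x0419: "ru-RU", 0x0422: "uk-UA", 0x0423: "be-BY", 0x043F: "kk-KZ"}

# Vendor strings returned in CPUID leaf 0x40000000 by common hypervisors.
HYPERVISOR_VENDORS = {"VMwareVMware", "Microsoft Hv", "KVMKVMKVM",
                      "VBoxVBoxVBox", "XenVMMXenVMM"}

SANDBOX_RESOLUTION = (800, 600)  # headless analysis VMs commonly report this


@dataclass(frozen=True)
class HostFacts:
    """What the OS tells a process that asks the questions from the essay."""
    hypervisor_vendor: str             # CPUID 0x40000000 vendor string, "" on bare metal
    screen: tuple[int, int]            # GetSystemMetrics(SM_CXSCREEN / SM_CYSCREEN)
    keyboard_layouts: tuple[int, ...]  # HKL values from GetKeyboardLayoutList


def looks_like_sandbox(facts: HostFacts) -> bool:
    """Malware-side check: a known hypervisor or a headless 800x600 display."""
    vendor = facts.hypervisor_vendor.rstrip("\0")
    return vendor in HYPERVISOR_VENDORS or facts.screen == SANDBOX_RESOLUTION


def looks_like_cis_host(facts: HostFacts) -> bool:
    """Malware-side check: any installed layout whose LANGID is a CIS language."""
    return any((hkl & 0xFFFF) in CIS_LANGIDS for hkl in facts.keyboard_layouts)


def malware_would_execute(facts: HostFacts, sandbox_check: bool = True,
                          region_check: bool = True) -> bool:
    """Decision logic of an evasive, region-locked sample. The flags model
    samples that skip one or both checks: deception only works on samples that ask."""
    if sandbox_check and looks_like_sandbox(facts):
        return False
    if region_check and looks_like_cis_host(facts):
        return False
    return True


def deceive(facts: HostFacts) -> HostFacts:
    """Deception layer (hypothetical): answer every probe the way a Russian-
    localized sandbox would, without changing anything on the real host.
    In a real product this is done by hooking the queried APIs in-process."""
    return replace(facts,
                   hypervisor_vendor="VMwareVMware",
                   screen=SANDBOX_RESOLUTION,
                   keyboard_layouts=facts.keyboard_layouts + (0x04190419,))  # ru-RU HKL


def collect_real_facts() -> HostFacts:
    """On Windows, ask the same APIs the malware would; elsewhere return a
    constructed bare-metal en-US host so the model runs anywhere."""
    if sys.platform != "win32":
        return HostFacts("", (1920, 1080), (0x04090409,))  # constructed sample host
    import ctypes
    user32 = ctypes.windll.user32
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    # CPUID is not reachable from pure Python; the vendor string is left empty here.
    return HostFacts("", (user32.GetSystemMetrics(0), user32.GetSystemMetrics(1)),
                     tuple(int(h or 0) for h in buf))


def report(facts: HostFacts) -> dict[str, bool]:
    """Would a sample run on the host as-is, behind the deception layer, and
    behind the deception layer if it performs no checks at all?"""
    decoy = deceive(facts)
    return {"runs_on_real_host": malware_would_execute(facts),
            "runs_behind_deception": malware_would_execute(decoy),
            "runs_if_it_never_checks": malware_would_execute(decoy, False, False)}


if __name__ == "__main__":
    for key, value in report(collect_real_facts()).items():
        print(f"{key}: {value}")
```

Run on Windows, the script reads the real screen metrics and keyboard layouts through user32, the same calls a sample would make; elsewhere it substitutes a constructed en-US bare-metal host. The third line of the report is the practical limit: a sample that performs neither check is untouched by spoofed answers, which is why this approach sits alongside detection rather than in place of it.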

Because EDRs are mostly reactive rather than proactive, they can't really prevent malware from infiltrating your systems and stealing your data; they simply don't work the way the methods above do. That's why in 2022 users need to start looking at solutions that stop attacks before they occur, rather than once they've started to do damage.

About the essayist: Eddy Bobritsky is the CEO of Minerva Labs, an Israeli supplier of a military-grade active threat prevention and response platform.
