Ransomware is one of the most dangerous types of cyber attacks. Its aim is to block corporate data and extort ransom. What would you do if you had the opportunity to turn back time? ESET’s new Ransomware Remediation technology makes it possible to protect key data even if attackers manage to get past your defenses.
Sometimes it happens that attackers manage to deploy ransomware on a corporate network despite solid security. However, even in this case, sensitive files may not be compromised. The new Ransomware Remediation feature will protect selected data when a company falls victim to an attack.
An unpleasant feature of ransomware is its ability to encrypt company computers and lock out their users, disrupting important work processes. The result? According to IBM’s 2024 Cost of Data Leakage report, the average cost of a ransomware attack is $4.91 million, and the figure rises depending on whether law enforcement was involved.
In addition to causing financial hardship, recovery from an attack can take days, months or even years, depending on factors such as the persistence of the threat on the compromised systems or the readiness of the security team.
Thus, the restoration of operations and the related expenditure are a problem. Sometimes it even gets to the point that the business pays the ransom and relies on the goodwill of the attacker to provide the decryption key. Companies can thus easily find themselves in the ruins of their security failures. But what if there was a way to escape the clutches of such costly encryption schemes?
Ransomware is a bogeyman for businesses of all sizes
Given the evolving nature of ransomware and the existence of foreign government-sponsored attackers, the threat landscape for small and medium-sized organisations, large businesses and government infrastructure looks decidedly unfavourable as the rate of ransomware continues to rise (according to Verizon, ransomware now accounts for 23% of all security breaches).
The situation regarding small and medium-sized companies is particularly difficult due to the lower budget allocated to cybersecurity. These businesses are consistently in the crosshairs of ransomware attackers (ESET found that in the Asia-Pacific region, one in four attacks on SMEs were caused by ransomware).
Threats such as ransomware are based on forcing victims to pay high ransoms to restore systems. In addition, attackers may attempt to delete backups of data so that recovery is impossible without their help. However, relying on the goodwill of cyber criminals to restore a system is about as reasonable as a sheep trusting a wolf not to eat it when it is hungry.
The best way to stop ransomware is to prevent it in the first place. ESET understands that preventing cyber threats is the key to security. This was confirmed at ESET Technology Conference 2024, where success stories related to our ESET Managed Detection and Response (MDR) service were presented. In one case, ESET security teams stopped the Mallox ransomware in its early stages before it could do any damage. Similarly, the ESET Ransomware Shield module, which was developed as part of our Host-Based Intrusion Prevention System (HIPS), is capable of detecting and neutralising ransomware in real time.
Even organizations for which prevention is not the primary and ultimate goal of their defense strategy should, under all circumstances, avoid recovering systems with the attackers’ help, which means not paying the ransom, and should instead focus on improving their remediation plans.
Ransomware: a fight with no chance of winning?
There are three ways to respond to ransomware encrypting your systems:
- Restore systems from backup.
- Wait for the release of a decryption key, which is often provided by cybersecurity researchers.
- Pay the ransom and hope to receive the decryption key.
The problem is that none of these approaches is ideal. After prevention, backup is the second-best alternative – it’s a good choice when you need to restore your system to its original state after a malware attack, a faulty update, or even when you’re upgrading to a new device. However, backing up comes with its own problems: even the right configuration does not guarantee that all data is preserved.
Another category is freely available keys. While it is good that security researchers, such as those involved in the No More Ransom initiative (including ESET), are using reverse engineering to combat ransomware, this approach requires a lot of time and effort. Because recovery by this route is so slow, a company could spend years with unusable systems, which is quite an unfavorable scenario from an earnings perspective.
Security personnel therefore advise not to pay the ransom at all. However, if a company is desperate enough to send the money, it should do so in the presence of law enforcement and a cyber risk insurance provider to ensure proper record keeping and liability management.
If ransomware could turn back time
Let’s take a closer look at backup. Although useful, it can also be targeted by attackers. Deleting or modifying corporate backups results in the business being unable to return to normal operations, increasing the likelihood of paying a ransom to restore systems.
ESET experts from the MDR team recently discovered an attacker who wanted to exploit a vulnerability in backup and recovery software in order to delete the backups in question. A similar tactic is for attackers to try to corrupt or encrypt backups, which happens 94% of the time. Businesses with unprotected backups face much higher recovery costs, almost double.
Each threat requires a specific approach, especially if it is constantly evolving. As ransomware increasingly focuses on backups, ESET is not lagging behind and is extending the Ransomware Shield module with additional technology in the form of Ransomware Remediation to secure your future through the past.
What is ESET Ransomware Remediation?
Minimising the consequences of a potential ransomware attack on your business is key. Ransomware Remediation combines prevention and remediation into one, providing a comprehensive, multi-tiered approach to combating encryption.
The whole process starts with the ESET Ransomware Shield module, which is triggered by suspicious actions. Like other behavioural detection systems, such as HIPS, it works in synergy with ESET LiveSense technologies, breaking down and analysing malware down to its core. If Ransomware Shield determines that a process is likely to be ransomware, it flags it and starts the remediation process.
Ransomware Remediation then begins creating file backups for every file operation performed by the flagged process, taking each backup before the flagged process makes its change. Backups continue to be made until Ransomware Shield concludes that the process is benign, at which point the backups are deleted. If Ransomware Shield judges the process to be malicious, it terminates the process and the files are reverted from the backups.
Such a backup process is much more robust because, unlike shadow copy-based solutions, it is not a local service that attackers could exploit. Ransomware Remediation has its own protected section of storage on disk where the backed-up files cannot be modified or corrupted, and the attacker cannot delete the backups either, thus actively blocking one of the most common weaknesses of a regular backup after a ransomware attack.
Future meets past
The administrator’s role in this process is to understand the capabilities of this feature and add file types to the filter that Ransomware Remediation then applies when creating backups. The only limitation on backups is the size of the disk (and the maximum size of 30 MB per file).
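The flag-then-journal-then-decide flow described above, together with the per-file size cap mentioned for the administrator, can be made concrete with a small simulation. The following Python is an added example written for this page; it is not ESET code and makes no claim about how Ransomware Shield or Ransomware Remediation is implemented internally. It assumes a hypothetical `RemediationJournal` that is told about each file operation of a flagged process before the operation happens, keeps only the first pre-image of every file in a store directory (a plain directory here, standing in for the product's protected storage), and either discards the store on a benign verdict or restores every file on a malicious one. The treatment of files larger than the cap (logged and skipped) and the sample documents are constructed assumptions.

```python
"""Hypothetical simulation of pre-image journaling with rollback.

Added example, not ESET code. It mirrors the behaviour the article describes:
flag a process, back up each file before the flagged process changes it, then
either discard the backups (benign) or revert the files (malicious).
"""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Per-file cap taken from the article (30 MB). How the real product treats
# oversized files is an assumption: here they are recorded and skipped.
MAX_BACKUP_BYTES = 30 * 1024 * 1024


class RemediationJournal:
    def __init__(self, protected_store: Path) -> None:
        # In the product this is a protected area the flagged process cannot
        # touch; in this simulation it is an ordinary directory.
        self.store = protected_store
        self.store.mkdir(parents=True, exist_ok=True)
        # target path -> its pre-image in the store, or None when the target
        # did not exist yet (rollback must then delete it)
        self.pre_images: Dict[Path, Optional[Path]] = {}
        self.skipped: List[Path] = []

    def before_change(self, target: Path) -> None:
        """Called before the flagged process creates, writes or deletes target."""
        target = target.resolve()
        if target in self.pre_images or target in self.skipped:
            return  # only the first pre-image matters; later writes keep it
        if not target.exists():
            self.pre_images[target] = None  # e.g. a ransom note being dropped
            return
        if target.stat().st_size > MAX_BACKUP_BYTES:
            self.skipped.append(target)  # assumption: over the cap, not journaled
            return
        copy = self.store / f"{len(self.pre_images)}_{target.name}"
        shutil.copy2(target, copy)  # snapshot taken before the write lands
        self.pre_images[target] = copy

    def release(self) -> int:
        """Benign verdict: drop the journal. Returns the number of entries dropped."""
        dropped = len(self.pre_images)
        self.pre_images.clear()
        shutil.rmtree(self.store, ignore_errors=True)
        return dropped

    def rollback(self) -> List[Path]:
        """Malicious verdict: restore every journaled file. Returns restored paths."""
        restored: List[Path] = []
        for target, copy in self.pre_images.items():
            if copy is None:
                target.unlink(missing_ok=True)  # undo a file the process created
            else:
                shutil.copy2(copy, target)      # put the original bytes back
            restored.append(target)
        self.pre_images.clear()
        shutil.rmtree(self.store, ignore_errors=True)
        return restored


def simulate(verdict: str) -> Dict[str, str]:
    """Constructed scenario: three documents, a flagged process that overwrites
    them twice and drops a note, then the given verdict. Returns the directory
    contents (name -> text) after the verdict has been applied."""
    root = Path(tempfile.mkdtemp(prefix="rr_demo_"))
    docs = root / "docs"
    docs.mkdir()
    originals = {f"report{i}.txt": f"quarterly figures {i}\n" for i in range(3)}
    for name, text in originals.items():
        (docs / name).write_text(text)

    journal = RemediationJournal(root / "protected_store")

    # Stand-in for the flagged process: each operation passes through
    # before_change() first, as the journaling step described in the article.
    for name in originals:
        path = docs / name
        journal.before_change(path)
        path.write_bytes(b"\x00" * 16)   # simulated encryption pass
        journal.before_change(path)      # second write: pre-image already kept
        path.write_bytes(b"\xff" * 16)
    note = docs / "README_RESTORE.txt"
    journal.before_change(note)
    note.write_text("your files are encrypted\n")

    if verdict == "malicious":
        journal.rollback()
    else:
        journal.release()

    after = {p.name: p.read_text(errors="replace") for p in sorted(docs.iterdir())}
    shutil.rmtree(root, ignore_errors=True)
    return after


if __name__ == "__main__":
    print(simulate("malicious"))  # originals back, note gone
    print(simulate("benign"))     # changes kept, journal discarded
```

The point the simulation makes visible is that only the first pre-image of each file is kept, so a process that rewrites a file several times still rolls back to the untouched original, and that files the flagged process created are removed on rollback rather than left behind.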
For more information on how Ransomware Remediation works, visit ESET’s website.
This article is taken from ESET’s blog. The full version can be found at bezpecnevofirme.eset.com.