How to turn back time on ransomware


The defining "feature" of ransomware is that it encrypts files and locks users out of business computers, halting the processes those computers support.

The result? According to IBM's Cost of a Data Breach Report 2024, the average cost of a ransomware attack is USD 4.91 million, and it is higher still when law enforcement is not involved. On top of the financial cost, recovery from an attack can take days, weeks, months or even years, depending on factors such as how persistent the threat actor is in the affected systems and how well prepared the security team is.

Recovery and its associated expenditures are therefore a serious problem, in the extreme case driving a business to pay the ransom and rely on the threat actor's goodwill to hand over a decryption key. Playing those odds can easily leave a business standing among the ashes of its security failures. But what if there were a way to escape the clutches of this costly encryption scheme?

A critical landscape for businesses of all sizes

Because ransomware keeps evolving and nation-state actors keep entering, or re-entering, the field, the threat landscape looks decidedly unfavorable to small and medium-sized businesses (SMBs), enterprises and state infrastructure alike, and the incidence rate keeps rising: ransomware now accounts for 23% of all breaches according to Verizon.

Ransomware gains its leverage by pressuring leadership into paying a hefty ransom to get their systems back. Attackers may also try to delete data backups to prevent "unassisted" recovery. Yet staking the resuscitation of your systems on the goodwill of criminals is like a sheep trusting a starving wolf not to eat it.

The situation for SMBs is especially fraught because of their smaller cybersecurity budgets. They sit squarely in the crosshairs of ransomware actors: in Asia and the Pacific, ESET found that 1 in 4 attacks against SMBs involved ransomware.

Hence the best way to stop ransomware is, first and foremost, to prevent it. ESET regards prevention as the first step to cybersecurity success, as evidenced by the ESET MDR success stories presented at ETeC 2024, in which ESET security teams stopped Mallox ransomware at its earliest stages, before it could do any damage. Likewise, ESET Ransomware Shield was originally developed as part of the ESET Host-based Intrusion Prevention System (HIPS), a module able to detect and neutralize ransomware in real time.

Even businesses that do not treat prevention as the be-all and end-all of their defense strategy should still forgo criminally assisted recovery, i.e. paying a ransom, and instead invest in improving their remediation tactics.

Typical ransomware recovery: A losing battle?

There are mainly three ways to respond to ransomware encryption:

  1. Restoring systems from backups
  2. Waiting for a publicly released decryptor, typically produced by security researchers who reverse engineer the ransomware
  3. Paying a ransom and hoping for the provision of a decryption key

The problem is that none of these approaches is infallible. Take backups first. They are the second-best bet after prevention, a great card to play whenever systems need to be restored to a previous stable state, whether after a malware attack, a bad update, or a move to a new device; they turn back time on a system, so to speak.

But backups are not infallible either. Even when properly configured, they do not guarantee that all data is preserved: anything changed since the last backup run is lost, and restoring and validating the backup takes time of its own.

Publicly released decryptors have their own problem. It is all well and good that security researchers, including those involved in the No More Ransom initiative (ESET among them), keep reverse engineering ransomware, but that takes a great deal of time and effort, and a decryptor may never appear. For recovery purposes, a firm could spend years with its systems locked down, hardly a revenue-favoring scenario.

Lastly, not paying the ransom is the standing advice from security authorities. If a business is desperate enough to pay anyway, it should do so with law enforcement and its cyber insurer involved, for liability and record-keeping purposes, and with the understanding that payment does not guarantee a working decryption key.

If we could turn back time (on ransomware)

Let's focus on backups a bit more. Useful as they are, they are also a target for threat actors: the less likely a business is to return to normal operation on its own, the more likely it is to pay a ransom to restore its systems.

In a recent example, the ESET MDR team detected a threat actor attempting to exploit a vulnerability in backup and recovery software in order to delete the backups. A related tactic is to corrupt or encrypt the backups themselves, which is reportedly attempted in 94% of ransomware attacks. Firms whose backups were compromised reportedly face recovery costs almost twice as high.

Each threat requires a specific approach, especially as threats evolve. In response to ransomware's growing focus on backups, ESET is augmenting its Ransomware Shield with additional technology in the form of ESET Ransomware Remediation: securing one's future via the past.

What is ESET Ransomware Remediation?

Minimizing business impact in the event of a ransomware attack is paramount. ESET Ransomware Remediation (RR) therefore combines prevention and remediation in one, a multi-staged approach to combating ransomware encryption.

It all starts with ESET Ransomware Shield (RS), which is triggered by suspicious actions. Like other behavioral detection systems such as HIPS, it works in concert with ESET LiveSense technologies, dissecting and analyzing the suspect code. When ransomware behavior is likely, RS flags the process and initiates remediation.

ESET Ransomware Remediation then creates a backup copy of every file the flagged process operates on, before the process can modify it, and keeps doing so until RS delivers its verdict: either the process is killed and the files are restored from those backups, or the process is allowed to run and the backups are discarded.

This backup process is considerably more robust than solutions built on the Windows Volume Shadow Copy Service, a local service whose shadow copies a ransomware process running with administrative rights routinely deletes (via vssadmin, for example) before it starts encrypting. RR keeps its backups in its own protected storage area on the drive, where the attacker can neither modify nor corrupt the files, nor delete the backup. This closes one of the most common failings of regular backups during a ransomware attack.

Days of future past

The admin's role in the RR process is to understand its capabilities and to add file types to the filter that RR applies when deciding which files to back up. The only limits on the backups are available disk space and a maximum single-file size of 30 MB.
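To make the flow concrete, here is an added Python example that is not ESET code and does not reflect how ESET implements RR internally. It models the pre-modification journal described in the previous section (copy each file before the flagged process touches it, then either roll back or discard on the verdict) together with the admin-tuned file-type filter and the 30 MB single-file cap from the paragraph above. The extension allow-list, the XOR "cipher" standing in for the ransomware, and the three sample files are all constructed for the example; the in-memory dict stands in for the protected on-disk store that the flagged process cannot reach.

```python
import tempfile
from pathlib import Path

MAX_SINGLE_FILE = 30 * 1024 * 1024                       # 30 MB cap from the article
DEFAULT_FILTER = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}  # hypothetical admin allow-list


class RemediationJournal:
    """Pre-modification store. In the product this lives in a protected area on
    disk; here it is a dict held by the 'agent', out of reach of the toy encryptor."""

    def __init__(self, extensions=DEFAULT_FILTER, max_size=MAX_SINGLE_FILE):
        self.extensions = {e.lower() for e in extensions}
        self.max_size = max_size
        self._store = {}   # Path -> original bytes, or None if the file did not exist yet
        self.skipped = []  # files the filter or the size cap left unprotected

    def eligible(self, path):
        """Admin filter: extension must be listed, existing file must be under the cap."""
        if path.suffix.lower() not in self.extensions:
            return False
        return not path.exists() or path.stat().st_size <= self.max_size

    def before_modify(self, path):
        """Called before the flagged process writes `path`; the first write wins."""
        path = path.resolve()
        if path in self._store or path in self.skipped:
            return
        if not self.eligible(path):
            self.skipped.append(path)
            return
        self._store[path] = path.read_bytes() if path.exists() else None

    def rollback(self):
        """Verdict 'malicious': restore journaled files, remove files the process created."""
        restored = 0
        for path, original in self._store.items():
            if original is None:
                if path.exists():
                    path.unlink()
            else:
                path.write_bytes(original)
            restored += 1
        self._store.clear()
        return restored

    def commit(self):
        """Verdict 'benign': discard the backups and return how many were dropped."""
        dropped = len(self._store)
        self._store.clear()
        return dropped


def monitored_write(journal, path, data):
    """Every write by the flagged process passes through here: journal first, then write."""
    journal.before_modify(path)
    path.write_bytes(data)


def toy_encrypt(data, key=0x5A):
    """Stand-in for the ransomware's cipher; XOR is not real encryption."""
    return bytes(b ^ key for b in data)


def run_scenario(workdir):
    """Constructed scenario: three user files, a toy encryptor, verdict 'malicious'."""
    workdir = Path(workdir)
    originals = {
        "invoice.docx": b"Q1 invoice - pay within 30 days",
        "photo.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes",
        "backup.iso": b"disk image not covered by the admin's filter",
    }
    for name, content in originals.items():
        (workdir / name).write_bytes(content)

    journal = RemediationJournal()
    for name in originals:                      # the 'ransomware' encrypts in place...
        target = workdir / name
        monitored_write(journal, target, toy_encrypt(target.read_bytes()))
    monitored_write(journal, workdir / "README.txt", b"Your files are encrypted. Pay us.")

    encrypted = {n: (workdir / n).read_bytes() != c for n, c in originals.items()}
    restored = journal.rollback()               # ...then RS says 'kill and restore'

    return {
        "encrypted_before_verdict": encrypted,
        "restored": restored,
        "skipped": [p.name for p in journal.skipped],
        "intact_after_rollback": {n: (workdir / n).read_bytes() == c for n, c in originals.items()},
        "ransom_note_removed": not (workdir / "README.txt").exists(),
    }


def demo():
    """Run the scenario in a scratch directory and return its result dict."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_scenario(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the scenario makes is the admin's one: invoice.docx and photo.jpg come back intact and the dropped ransom note disappears, but backup.iso stays encrypted because its extension was never added to the filter. Whatever the filter and size cap exclude is exactly what the conventional 3-2-1 backups described next still have to cover.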

While ESET Ransomware Remediation is very powerful, having other backups as described by the 3-2-1 rule is still a best practice. Always remember to have at least 3 different copies of data (including the original), 2 different media types (disk, tape), and 1 offsite copy (cloud).

All in all, ransomware can be sophisticated and troublesome, but it can still be combated. And thanks to protected backups, turning back time is not such a sci-fi idea anymore.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET's high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single "in-the-wild" malware without interruption since 2003. For more information visit www.eset.com or follow us on Facebook, YouTube and Twitter.