Adapting tools & tactics to fight modern ransomware

In today's cybersecurity landscape, ransomware continues to be a potent adversary, disrupting business and shaking trust in organizations globally. Many businesses have responded by investing in threat intelligence and protection options, but it’s virtually impossible to lock down a modern enterprise.

Security vendors are continually making progress to integrate their security solutions and better protect against cyber ransomware attacks. But those attackers continually retool their cyber weapons and adapt their strategies to find an opening. As the adage goes, a business needs to be “right” 100 percent of the time, but an attacker only needs to be right once.

Businesses, unfortunately, can’t afford to let down their guard for a second. As CSO recently reported, “A massive spike in ransomware activity in May and June 2023 has been attributed to a relatively unknown ransomware group called 8Base.”

While attackers may occasionally target specific organizations, the Center for Internet Security warns that the “majority of ransomware is propagated through user-initiated actions such as clicking on a malicious link in a spam e-mail or visiting a malicious or compromised website.” In some cases, attacks don’t even require user engagement to be successful.

Organizations typically focus on protecting high-value assets, such as data center servers, but that’s often insufficient. “Ransomware doesn’t typically land in the data center,” says AJ Shipley, a Cisco vice president responsible for threat, detection, and response products. “It lands on the edge and then has to move laterally through a network to get to those high-value assets. When it hits, you really only have two options: either pay the ransom and hope they’ll unlock your data or restore to the most recent backup snapshot and hope your recovery point objective isn't too large.”

Many businesses have invested in sophisticated backup and restore products and services, but nobody can afford to back up data every minute of the day. It’s more typical for those snapshots to be taken every 24 hours, or perhaps as often as every four hours. But that leaves a substantial amount of data at risk in the event of an attack.

That’s where extended detection and response (XDR) comes in. “On the very first indications of ransomware on low-value assets out on the edge, XDR can tell backup vendors and administrators to immediately back up the high-value assets before the ransomware can get to them,” Shipley says. "Then once the ransomware has been remediated XDR can trigger restoration to the last known good restore point minimizing the recovery point objective to near zero."

XDR, according to Shipley, sources telemetry from multiple locations and can initiate preventative or responsive remediation capabilities to minimize the threat and orchestration to help organizations shore up defenses and enable the restoration of data as quickly as possible.

At the RSA conference earlier this year, Cisco announced its new XDR offering that allows SOC teams to quickly remediate their most critical incidents across their Cisco and third-party security stack. It followed that up on August 1 with the announcement of its first backup and recovery third-party integration with Cohesity’s DataProtect and DataHawk solutions.

“When we detect ransomware, we can in real-time tell the Cohesity backup system to back up all those high-value assets, and once the threat has been remediated, we're partnering with Cohesity to restore those backups and get those organizations back up and running very quickly. Now organizations no longer have to choose between paying the ransom or hoping they haven't lost too much data.” Shipley explains.

That integration of XDR and backup and recovery solutions can potentially slam shut the window of opportunity for attackers to extort their victims.