Why ransomware is now beyond a CISO concern

In an unprecedented move, President Biden publicly and privately has been putting pressure on global leaders for harboring known cybercriminals who have launched attacks on U.S.-based organizations. FBI Director Christopher Wray likened today’s cybersecurity threats to the September 11 attacks in New York and Washington, D.C., and other officials, including Secretary of Commerce Gina Raimondo, have hinted that military action would be considered if it would protect the U.S. from cybercriminals backed by nation-states.

The federal government’s focus makes it clear that ransomware is a rapidly growing problem with huge potential consequences. Over the past several months, high-profile attacks have targeted critical infrastructure in the U.S., including a global meatpacking plant and a major oil pipeline. The SolarWinds hack made millions of government and commercial endpoints vulnerable to attack, and many experts note that these events could be dress rehearsals for larger, more disruptive attacks—for example, potentially shutting down the electrical grid of a large city, causing dam failures that flood a populated river valley, or shutting down major e-commerce sites such as Amazon or Walmart.

The threat to critical infrastructure is real, but most ransomware attacks continue to target enterprises and individuals for monetary rewards. Fujifilm recently announced it was the target of a ransomware campaign. Quanta, the manufacturer of Apple’s laptop computers, was also hit this year, as were the University of California, Royal Shell, and the Broward County School District. In fact, the six most active ransomware gangs are linked to attacks on 292 enterprises in 2021. Although not all attacks are successful, many enterprises simply pay whatever ransom the attackers want—perpetuating the problem. According to Atlas VPN research, malicious actors bring in $1.5 trillion per year through ransomware, cryptojacking, and stolen data—a figure more than the combined annual earnings of Tesla, Facebook, Microsoft, Apple, Amazon, and Walmart.

Why threat actors are winning

In addition to its high success rate, ransomware is a popular threat tool because it’s very difficult for enterprises to protect themselves.

  • All it takes is a single click. Cybercriminals are getting really good at spinning up legitimate-looking campaigns using readily available personal information gleaned from social engineering campaigns. It’s fairly easy to get a high-profile user to click on a link in an email that looks like it’s coming from a colleague or a trusted brand. Once that click is made, the attack is set in motion. Ransomware can also be embedded in ads or content modules on trusted sources such as news sites, which means that URL filtering and white/black lists won’t prevent the attack.
  • The threat surface has expanded. Security teams have limited visibility into cloud service providers’ environments, making it extremely difficult to detect threats. In fact, 80 percent of work today is done over the Internet, and most attacks are aimed at browsers because knowledge workers spend more than 70 percent of their time at work using a browser. As users, devices, applications, and data continue to spread out from the data center as part of extensive cloud and digital transformation initiatives, it’s going to get increasingly difficult to detect and stop these types of attacks.
  • Ransomware is growing more sophisticated. A new category of ransomware attacks, called double-extortion attacks, comes with counter–incident response tools baked right into the malicious code. Tactics such as security tool disablement, distributed denial-of-service (DDoS) attacks, security tool bypass, and log destruction are growing more common. As a result, 68 percent of breaches remain undetected for months.

The federal government is strongly advising the private sector to step up ransomware protection. The deputy national security advisor for cyber and emerging technology sent an open letter to the business community to start using commonly advised security practices to defend against ransomware, and the Transportation Security Administration (TSA) issued an order aimed at curbing attacks on critical infrastructure.

It’s not like they’re not trying. Many organizations introduced work-from-home policies in the last 18 months that came with mandates to log in through a VPN. However, the sudden explosion in traffic overwhelmed VPNs and opened up new ways for malicious actors to infect networks. In fact, it’s recently been reported that the SolarWinds hack was perpetrated through stolen VPN credentials.

Enterprises use a variety of tools to detect and stop the initial infection that kicks off a ransomware attack, but traditional security solutions that rely on a detect-and-remediate approach are broken. Given the reasons above, it’s increasingly difficult to detect ransomware, and you can’t stop an event you can’t detect. The alternative of just blocking everything on the Internet or requiring a separate device to connect to the Internet is counterintuitive, only serving to frustrate users and disrupt their productivity. These harsh tactics tend not to work anyway, encouraging users to create workarounds or simply ignore security policies. Remember, all it takes is one click.

How can enterprises respond?

Not all is lost. There are security approaches that can stop ransomware in its tracks, all while preserving the user experience and protecting productivity. An isolation-powered approach to Zero Trust can prevent all malware—yes, including ransomware—from infecting endpoints. Isolation works by creating a protective layer around users as they navigate the web, effectively creating a virtual air gap between the Internet and enterprise networks. By coupling isolation with a Zero Trust approach, both known and unknown potentially malicious activity is blocked, ensuring that attackers never gain a foothold in the network and ransomware has no avenue for reaching endpoints.

Critically, isolation-powered technology never disrupts the user experience, and web pages look identical to how they would normally. The only difference is transparent: There is zero risk of malware exploiting vulnerabilities. All email and web traffic goes through this isolation layer, where the content is visible but never actually downloaded to the endpoint.

Ransomware is quickly emerging as the number one threat to enterprise security. It’s gotten so bad that two nuclear powers are squabbling over the new cyber battlefield—putting enterprises in the middle. An isolation-powered approach to Zero Trust is the only way ransomware can be defeated. Cutting off access to the endpoint eliminates any opportunity for infection, without disrupting the way people work. It’s time to ditch the outdated detect-and-remediate approach of the past and rethink how you protect users, applications, data, and the business from ransomware attacks.

For additional insight, download this Gartner report on best practices for protecting your enterprise from ransomware attacks.
