Stopping Ransomware Cold: Lessons from the Front Lines

At Schneider Downs, we are all too familiar with the costly impact ransomware attacks can have on organizations of all sizes and across all industries. Our cyber team continues to respond to countless incidents, helping our clients identify, contain, eradicate and recover from a wide variety of compromises, the most common of which, and most devastating, being ransomware.

In Q1 of 2020, the reported average ransom demand was $111,605, which is significantly lower than many of the demands our team has experienced firsthand. What the ransom amount does not account for are the immeasurable costs, including reputational damage, business interruption, customer perception, forensics experts and legal fees, to name a few.

As incident responders, it’s our job to help minimize the impact of these attacks. A crucial component is having effective solutions readily available for our clients when they need them most, and when it comes to stopping ransomware in its tracks, our team trusts VMware’s Carbon Black. That’s why one of our first steps in any ransomware attack is to deploy Carbon Black onto every endpoint as quickly as possible. If critical data and systems are already being encrypted by threat actors, the existing antivirus clearly wasn’t cutting it and will likely be of little further help.

What’s the big deal with next-generation antivirus (NGAV)?

Traditional antivirus products rely on unique file signatures, essentially just comparing each executable, attachment and web download against a list of known malware. Attackers have found that they can easily sidestep this type of solution by obfuscating their malicious code or by deploying “fileless” malware via Windows PowerShell or VBScript embedded in Office documents. These approaches either produce a new file signature that the antivirus does not recognize as malicious, or avoid file scanning entirely by running only in the endpoint’s runtime memory (RAM), where there is no file on disk to scan.
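To make the contrast concrete, here is an added illustration (not code from the original post, from Schneider Downs or from Carbon Black): a hash-based signature check, which a single changed byte defeats, next to a behavioral rule over constructed endpoint file-write telemetry that flags the bulk-rename pattern encryption leaves on disk regardless of what the encrypting binary looks like. The process names, paths and the `.locked` suffix are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed "known malware" sample; a real signature database holds hashes of real files.
KNOWN_BAD = b"MZ-constructed-dropper-build-1"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def signature_match(file_bytes: bytes) -> bool:
    """Traditional AV check: flag only if the exact file hash is on the known-bad list."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_DB

DOC_EXTENSIONS = (".docx", ".xlsx", ".pptx", ".pdf")

# Constructed endpoint telemetry: (seconds, process, action, path).
EVENTS = [
    (0.0, "winword.exe", "write", "C:\\Users\\a\\Documents\\report.docx"),
    (2.0, "excel.exe", "write", "C:\\Users\\a\\Documents\\budget.xlsx"),
    (5.0, "updater.exe", "write", "C:\\Users\\a\\Documents\\report.docx.locked"),
    (5.3, "updater.exe", "write", "C:\\Users\\a\\Documents\\budget.xlsx.locked"),
    (5.6, "updater.exe", "write", "C:\\Users\\a\\Documents\\q1.pptx.locked"),
    (6.1, "updater.exe", "write", "C:\\Users\\a\\Documents\\invoice.pdf.locked"),
    (6.4, "updater.exe", "write", "C:\\Users\\a\\Documents\\notes.docx.locked"),
    (8.0, "updater.exe", "write", "C:\\Users\\a\\Documents\\plan.xlsx.locked"),
]

def behavioral_ransomware_alert(events, window_s=10.0, min_files=5):
    """NGAV-style behavioral rule that never looks at the binary's hash.

    Flags each process that, within any window of `window_s` seconds, writes at
    least `min_files` distinct files whose names are a document name with an
    extra extension appended (report.docx -> report.docx.locked), the trace that
    bulk encryption leaves on disk whatever the encryptor's code looks like.
    """
    writes = defaultdict(list)
    for t, proc, action, path in events:
        name = path.rsplit("\\", 1)[-1].lower()
        original = name.rsplit(".", 1)[0]        # strip the appended extension
        if action == "write" and original.endswith(DOC_EXTENSIONS):
            writes[proc].append((t, name))
    alerts = []
    for proc, items in sorted(writes.items()):
        items.sort()
        for i, (t0, _) in enumerate(items):
            in_window = {n for t, n in items[i:] if t - t0 <= window_s}
            if len(in_window) >= min_files:
                alerts.append(proc)
                break
    return alerts
```

The signature check passes the sample once a single byte is appended, while the behavioral rule still fires on the six rapid `.locked` writes; real NGAV products use far richer telemetry, but the principle is the same.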

Carbon Black’s next-generation antivirus combines behavioral analytics with its data-driven prevention technology and is certified to replace traditional antivirus, using predictive modeling to identify and stop more known and unknown threats, including malware, “fileless” attacks and, of course, ransomware behavior. As incident responders, we appreciate the endpoint detection and response (EDR) features, such as remote quarantine and rapid triage, for the quick containment and analysis of pesky malware.

As trusted cybersecurity advisors, we understand how frustrating it can be to ask all the right questions, hire the smartest people, lock everything down, perform countless audits, remediate every finding, invest reasonably at every turn, and still end up a victim of a ransomware attack because of a reliance on traditional antivirus products and their poorly communicated, yet significant, limitations.

The simple truth is that without a next-generation antivirus (NGAV) or endpoint detection and response (EDR) solution, your environment will always be susceptible to a modern ransomware attack. As countless tales have taught us, an ounce of prevention is worth a pound of cure.

How Can Schneider Downs Help?

Our team can help test the effectiveness of your existing products, offer guidance on which Carbon Black features make the most sense for your organization and even provide pricing discounts by taking advantage of our incident response team’s partnership with VMware. As with any product, configuration is key, so be sure to leverage a trusted advisor like us to ensure proper tuning and execute test payloads against it to validate its effectiveness. Just let us know how we can help.

To learn more about our team and capabilities, including our Ransomware Security Service, visit our Cybersecurity Website or contact us at cybersecurity@schneiderdowns.com.

If you are experiencing or suspect an incident, our Incident Response Team is available around the clock at 1-800-993-8937.


© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
