A very interesting article came across the wire recently that had us wondering how the measure of success has seemingly changed, especially as it pertains to preventing malware and, in particular, ransomware. ZDNet posted an article outlining how Blackbaud, one of the world’s largest providers of financial and fundraising technology for non-profits, had been hacked. In this case, Blackbaud’s security team was able to detect the attack and “successfully” prevent both the blocking of system access for users and the encryption of their files. However, ransomware groups now tend to pursue two avenues for extracting ransom: either for decrypting files or, in the case where the victim refuses to pay and intends to rebuild their systems from scratch, for NOT publishing the data that they have accessed and exfiltrated. Unfortunately, the attack on Blackbaud was a prime example of “today’s double-extortion ransomware attacks”. Blackbaud, concerned that a subset of their data had been stolen by the hackers, and not wanting this data to be published, still ended up paying an undisclosed amount in order to receive confirmation from the hackers that the data they copied had been removed or destroyed. So, although the company’s security team had a measure of success in preventing encryption and lock-up of their systems, this “success” is questionable since they still had to pay out a ransom.
And so, this is the reality for organizations when it comes to their network security: a single attack can provide several avenues for hackers to extort their ransom. In some cases, these nefarious groups will actually double-dip, requesting one fee for decrypting files and ANOTHER fee for deleting the files that they were able to steal during the attack. Either way, we feel that having to pay any sort of ransom does not count as successfully thwarting a ransomware attack. Any case where a hacker has been able to successfully gain access to a network is a failure of the Detect and Remediate methodology that so many companies still utilize. We feel that the only real “success” would be the case where an attack has been Detected and Blocked, BEFORE any network incursion has taken place.
At Wedge, we are firm believers that the Detect and Block approach is the only true way that networks can be protected. There are just too many consequences that organizations face once their network has been breached. The Real-time malware prevention approach is the basis behind Wedge’s Absolute Real-time Protection (WedgeARP) orchestrated threat management platform. Using a proactive, rather than reactive, way of dealing with all malware (including APT, zero days, known and never-before-seen), WedgeARP utilizes patented Deep Content Inspection techniques, along with orchestrated threat management with multiple layers of protection, to provide its real-time threat protection. WedgeARP is the first and only platform that applies deep learning / machine learning based threat detection to network content.
If you feel that the only true measure of success in dealing with malware and ransomware attacks is having your network fully protected and NOT having to pay ransom, you may want to look at the Detect and Block approach that Wedge Networks espouses. Find out more by contacting our team at: info@wedgenetworks.com. Having a real-time orchestrated threat management system that can successfully detect and BLOCK attacks before they happen can save your organization time and money by not having to deal with the clean-up efforts that a Detect and Remediate approach requires.