As ransomware attacks get faster and attackers get more efficient in carrying out the attacks, it’s critical to prevent ransomware and limit its impact. How? With early detection and faster responses.

The time to carry out ransomware attacks dropped by 94% over the last few years, according to the IBM Threat Intelligence Index (TII) 2023 report. This means that the average time it took to deploy a ransomware attack went from over two months in 2019 to just under four days in 2021.

Is there anything we can do about this? Yes, but first let’s find out more about ransomware.

What is a ransomware attack?

Ransomware is a form of malware that prevents a user or organization from accessing their own files on their computer and keeps them locked until a ransom is paid to the attacker.

Giuseppe Bonfa, Client Technical Support Engineer at IBM Security explains, “Ransomware is the final act of a full infrastructure-wide breach. Typically, the attacker will move across the network, trying to reach the most sensitive assets and data, and once they find them, they will run the attack. While the initial breach might happen by a simple workstation, it can have disastrous effects on the whole network.”

Evolving ransomware attack scenarios

Talking about the current ransomware threat landscape, Bonfa adds, “Nowadays, ransomware does not come alone—it’s followed by data exfiltration and information leakage on the dark web.”

While early ransomware attackers typically demanded a ransom only to unlock the data, today, when attackers see a weakness, they exploit it. According to the TII report, whether it’s ransomware, business email compromise (BEC) or distributed denial of service (DDoS), 27% of attack vectors were extortion-related. As extortion gets more personal, ransomware attacks are just the tip of the iceberg as cybercriminals incorporate severe psychological pressure into their attack methods.

The payment for the earliest ransomware variants used to be sent by snail mail, whereas today, cybercriminals demand payment to be sent via cryptocurrency or a credit card. Some ransomware attackers sell the service to other cybercriminals, known as Ransomware-as-a-Service or RaaS.

Types of ransomware

There are two general types of ransomware:

  • Encrypting ransomware (or crypto ransomware): This type holds a victim’s sensitive data hostage by encrypting it.
  • Locker ransomware: This locks a user’s entire device.

Ransomware can be further classified into subcategories like leakware/doxware, mobile ransomware, Ransomware-as-a-Service, wiper ransomware and scareware. Whichever ransomware type a threat actor uses, the primary objective is to gain access to a user’s files and data and encrypt them so the user can’t access them.

Ransomware prevention: How to prevent ransomware attacks

Interestingly, a demand for payment is the last stage of a ransomware attack. Hackers, first and foremost, will spend months or even years gaining access to the network before finally sending a ransom note. While a ransomware attack is difficult to identify before ransomware is deployed on the system, the way to stop ransomware begins with early detection.

It is vital to understand that traditional signature-based antivirus software is not enough to protect businesses against sophisticated ransomware or malware attacks. Attackers avoid malware with known signatures that an antivirus or a firewall could block.

Leveraging a powerful endpoint detection and response (EDR) solution like IBM Security QRadar EDR can help detect and remediate advanced ransomware threats in seconds. Unlike antivirus software, EDR solutions don’t rely on known signatures and can detect unknown or fileless threats.

Four ways the IBM Security QRadar EDR solution can help prevent ransomware

The IBM Security QRadar EDR endpoint security solution can help protect your organization by detecting a ransomware attack in the early attack stages. Let’s find out how.

1. Behavioral detection helps understand ransomware attacks better

IBM QRadar EDR uses intelligent automation, artificial intelligence (AI) and machine learning to detect new and advanced threats in near real-time. IBM QRadar EDR identifies anomalous activities that indicate ransomware behavior (e.g., an unusual backup deletion or an encryption process that suddenly starts without warning) and automatically terminates the offending process upon detection.

This way, even as new ransomware variants emerge, IBM QRadar EDR uses data mining to empower security teams to automatically hunt for threats that share similarities at the behavioral and functional levels with other incidents and respond accordingly. This delivers the results in just seconds and helps facilitate the discovery of dormant threats that could dwell in an environment but may otherwise go unnoticed for months or even years, waiting to be used by an attacker. Infected devices and threat activity can also be isolated to catch lateral movement.

Moreover, IBM QRadar EDR provides security teams with a behavior-tree visualization that delivers detailed behavioral analytics and full attack visibility. This lets analysts view the breadth of the cyberattack on a single screen, helping them respond faster.

Full attack visibility shows the scope of the ransomware attack so analysts can respond accordingly.
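To make the behavioral idea concrete, here is an added example (not IBM's code and not a description of how QRadar EDR is implemented) that scores processes by what they do in a constructed endpoint event stream: deleting backups, a burst of writes across many directories, high-entropy output and renames to a new extension. The event format, process names, thresholds and the scoring model are all assumptions constructed for illustration; a never-seen-before variant still trips the detector because no signature is involved, and a benign archiver that only produces high-entropy output does not.

```python
"""Behavioral ransomware scoring over a constructed endpoint event stream.

Added example, not IBM's code. Event format, process names, thresholds and
the scoring model are constructed for illustration only.
"""
import math
import os
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, NamedTuple, Optional


class Event(NamedTuple):
    ts: float          # seconds since stream start (constructed)
    pid: int
    proc: str
    kind: str          # "write", "rename" or "backup_delete"
    path: str = ""     # file written, or the new name after a rename
    data: bytes = b""  # sample of bytes written, used for entropy


@dataclass
class ProcState:
    first_ts: Optional[float] = None
    last_ts: float = 0.0
    writes: int = 0
    high_entropy_writes: int = 0
    dirs_touched: set = field(default_factory=set)
    renamed_exts: set = field(default_factory=set)
    backup_deletes: int = 0


class Verdict(NamedTuple):
    proc: str
    score: int
    action: str                   # "terminate" or "allow"
    detected_at: Optional[float]  # ts when the score first crossed the threshold


# Constructed thresholds; a real product tunes these per environment.
WINDOW_S = 30.0          # burst window for "many files in many directories"
MIN_FILES = 5
MIN_DIRS = 3
ENTROPY_THRESHOLD = 7.0  # bits/byte; encrypted or compressed data sits near 8
SCORE_THRESHOLD = 3


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score(st: ProcState) -> int:
    """Combine weak signals; no single one is enough to terminate a process."""
    s = 2 if st.backup_deletes else 0  # destroying recovery options weighs most
    burst = (st.writes >= MIN_FILES and len(st.dirs_touched) >= MIN_DIRS
             and st.first_ts is not None and st.last_ts - st.first_ts <= WINDOW_S)
    s += 1 if burst else 0
    s += 1 if st.high_entropy_writes >= MIN_FILES else 0
    s += 1 if st.renamed_exts else 0
    return s


def analyze(events: List[Event]) -> dict:
    """Replay the stream in time order and return a Verdict per pid."""
    states, names, detected = defaultdict(ProcState), {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        st = states[ev.pid]
        names[ev.pid] = ev.proc
        st.first_ts = ev.ts if st.first_ts is None else st.first_ts
        st.last_ts = ev.ts
        if ev.kind == "write":
            st.writes += 1
            st.dirs_touched.add(os.path.dirname(ev.path))
            if shannon_entropy(ev.data) >= ENTROPY_THRESHOLD:
                st.high_entropy_writes += 1
        elif ev.kind == "rename":
            st.renamed_exts.add(os.path.splitext(ev.path)[1].lower())
        elif ev.kind == "backup_delete":
            st.backup_deletes += 1
        # Streaming check: record the moment the threshold is first crossed.
        if ev.pid not in detected and score(st) >= SCORE_THRESHOLD:
            detected[ev.pid] = ev.ts
    return {pid: Verdict(names[pid], score(st),
                         "terminate" if score(st) >= SCORE_THRESHOLD else "allow",
                         detected.get(pid))
            for pid, st in states.items()}


HIGH = bytes(range(256)) * 4                  # constructed "ciphertext": entropy 8.0
LOW = b"Quarterly report, draft text. " * 10  # constructed document text

SAMPLE_EVENTS = [  # constructed stream: benign editor, ransomware-like process, benign archiver
    Event(0.5, 1001, "word.exe", "write", "/home/alice/docs/notes.docx", LOW),
    Event(10.0, 1001, "word.exe", "write", "/home/alice/docs/notes.docx", LOW),
    Event(0.0, 2002, "updater.exe", "backup_delete"),
    Event(1.0, 2002, "updater.exe", "write", "/home/alice/docs/q1.docx", HIGH),
    Event(1.5, 2002, "updater.exe", "rename", "/home/alice/docs/q1.docx.locked"),
    Event(2.0, 2002, "updater.exe", "write", "/home/alice/docs/q2.xlsx", HIGH),
    Event(2.5, 2002, "updater.exe", "rename", "/home/alice/docs/q2.xlsx.locked"),
    Event(3.0, 2002, "updater.exe", "write", "/home/alice/photos/p1.jpg", HIGH),
    Event(3.5, 2002, "updater.exe", "rename", "/home/alice/photos/p1.jpg.locked"),
    Event(4.0, 2002, "updater.exe", "write", "/home/alice/photos/p2.jpg", HIGH),
    Event(5.0, 2002, "updater.exe", "write", "/srv/share/finance/ledger.csv", HIGH),
    Event(6.0, 2002, "updater.exe", "write", "/srv/share/finance/budget.xlsx", HIGH),
] + [Event(20.0 + i, 3003, "compress.exe", "write", f"/home/alice/archive/part{i}.zip", HIGH)
     for i in range(6)]

if __name__ == "__main__":
    for pid, v in analyze(SAMPLE_EVENTS).items():
        print(pid, v)
```

Note the ordering in the constructed stream: the ransomware-like process is flagged at t=1.5, after one backup deletion and one rename, long before it has touched most of the files, which is the "early detection" the section is about. The archiver writes six high-entropy files but into a single directory with no rename and no backup deletion, so it stays below the threshold.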

2. Threat hunting for ransomware helps gather actionable threat intelligence

IBM QRadar EDR can quickly determine if new threats have entered an environment and help security teams identify the “early warning signs” of an attack and patch weak spots. IBM QRadar EDR helps track in-memory and fileless threats, which are especially hard to follow when attackers use different ransomware variants and move within a large infrastructure. The threat-hunting capabilities of the IBM QRadar EDR endpoint detection solution let teams run a real-time, infrastructure-wide hunt for indicators of compromise (IOCs), binaries and behaviors, and remediate them.

An endpoint security platform like IBM QRadar EDR helps reduce investigation time from minutes to seconds with threat intelligence and analysis scoring. Analysts can identify potential threats with metadata-based analysis to expedite triage.
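The file-on-disk part of such a hunt is a hash sweep: every file on the endpoint is hashed and compared against a list of known-bad indicators, with a second check for artifacts of the variant being hunted. The added example below (not IBM's code, and not how QRadar EDR is implemented) builds a tiny constructed endpoint in a temporary directory and sweeps it. The IOC hash is the SHA-256 of a constructed byte string rather than a real sample, the `.locked` extension is an assumed artifact of the constructed variant, and a real hunt would additionally cover memory and behavior and would run from the agent on every endpoint.

```python
"""Hash-based IOC sweep of a filesystem plus a suspicious-extension check.

Added example, not IBM's code. IOC hashes, file names, contents and the
".locked" extension are all constructed for illustration.
"""
import hashlib
import os
import tempfile
from typing import List, NamedTuple, Set


class Finding(NamedTuple):
    path: str
    reason: str    # "hash_match" or "suspicious_extension"
    sha256: str


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, ioc_hashes: Set[str], suspicious_exts: Set[str]) -> List[Finding]:
    """Walk root; report files whose hash is a known IOC or whose extension is suspect."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            digest = sha256_of(p)
            if digest in ioc_hashes:  # hash match wins even if the file was renamed
                findings.append(Finding(p, "hash_match", digest))
            elif os.path.splitext(name)[1].lower() in suspicious_exts:
                findings.append(Finding(p, "suspicious_extension", digest))
    return sorted(findings)


# Constructed IOC: in practice this set comes from threat intelligence feeds.
CONSTRUCTED_PAYLOAD = b"constructed stand-in for a malicious binary"
CONSTRUCTED_IOC_HASHES = {hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest()}
SUSPICIOUS_EXTS = {".locked"}  # assumed extension written by the constructed variant


def build_constructed_host(root: str) -> None:
    """Lay out a fake endpoint: a benign document, a renamed IOC binary, an encrypted file."""
    layout = {
        "docs/notes.docx": b"Quarterly report, draft text.",
        "tmp/update_helper.exe": CONSTRUCTED_PAYLOAD,  # renamed, but the hash still matches
        "docs/q1.docx.locked": bytes(range(256)),
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def run_demo() -> dict:
    """Build the constructed host in a temp dir, sweep it and return {basename: reason}."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_host(root)
        return {os.path.basename(f.path): f.reason
                for f in sweep(root, CONSTRUCTED_IOC_HASHES, SUSPICIOUS_EXTS)}


if __name__ == "__main__":
    for name, reason in run_demo().items():
        print(f"{reason:22} {name}")
```

The renamed binary is caught by its hash, not its name, which is why hash IOCs are the first thing a hunt checks; the extension check is the cheap complement for files the variant has already touched, and a benign document produces no finding.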

3. Mitigating cyber threats with offline ransomware protection

With the shift in work trends and an increase in the number of endpoints, employees commonly work over the internet or a virtual private network (VPN) connection that provides secure access to the corporate network. Unlike some EDR security tools that require a connection to a back-end server to offer full protection, IBM QRadar EDR helps protect against ransomware even when there is no working internet connection. This capability is critical when a user accidentally opens a ransomware-infected document while traveling. An AI-driven EDR solution like IBM QRadar EDR blocks the ransomware automatically upon detection and prevents encryption.

4. Detecting and responding to processes downloaded from phishing emails

Phishing, a form of delivery for ransomware or malware, is the top infection vector for attackers, with more than half of phishing attacks using spear-phishing attachments to gain access, according to the TII report. The IBM QRadar EDR solution helps protect organizations against malicious emails by providing deep visibility into processes and applications that run on endpoints. With IBM QRadar EDR, security teams can detect any binary or process that is downloaded and launched from malicious links or attachments and block it. It also provides protection against malicious software that is auto-downloaded to your endpoint or runs in the background.

With its fast endpoint detection and malware reporting, IBM QRadar EDR can help reduce the overall impact of any type of malware attack to save both time and expenses for businesses. This blog post demonstrates how IBM QRadar EDR can detect and respond to malware the minute a suspicious email is clicked.

While endpoint security should not be the sole protection in your threat detection cybersecurity strategy, it should still be the initial mechanism (along with an extended detection and response security solution) to identify suspicious malware behavior.

Best practices for ransomware prevention

  1. Enhance your security posture by conducting a security assessment, minimizing your attack surface and mapping against known and potential vulnerabilities.
  2. Establish security awareness among employees about the risk of macros in email attachments and ensure email security is maintained by blocking macros from running in Microsoft Office apps.
  3. Adopt a zero-trust framework to make it harder for attackers to move laterally throughout compromised assets.
  4. Maintain an aggressive and current security patch management policy, particularly for commonly used browser plug-ins like Adobe Flash and Java, whose vulnerabilities are frequently exploited.
  5. Use multifactor authentication (MFA) whenever possible to ensure stolen passwords or default login credentials aren’t readily usable to attackers.
  6. Develop and rehearse an incident response plan so your business can act quickly and effectively if a stressful situation relating to threats or disruptions arises.
  7. Maintain offline data backups to prevent data loss and recover quickly in case of emergencies.
  8. Implement an email security solution that conducts attachment sandboxing and URL filtering before malicious links containing ransomware can be delivered.
