Ransomware and the Need for NDR to Provide Robust Protection

Ransomware Detection for Businesses - Exeon Blog

Ransomware is one of the most worrying cybersecurity threats for organisations worldwide. In February 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Cybersecurity Advisory cautioning organisations against the "increased ransomware threat" in 2022. Without proper security controls in place, any organisation is vulnerable to the catastrophic impact of ransomware attacks.

Here's one example that made headlines in 2021: In May 2021, the European insurance company AXA fell victim to a major ransomware attack by the Avaddon group. The attack came shortly after the multinational insurer had announced that it would stop reimbursing ransom payments for many of its clients. In this somewhat ironic heist on a provider of cyber insurance, the group reportedly obtained 3 TB of sensitive data, including passport copies and medical reports of customers.

What is Ransomware?

Ransomware is malware that encrypts a victim's files and demands payment for the means to decrypt them. It most commonly arrives when a user clicks a link or opens an attachment in a malicious email, which is one reason phishing is such a prevalent delivery vector for ransomware operators. Modern ransomware typically uses hybrid encryption: each file is encrypted with a fast symmetric key, and those keys are in turn encrypted with the attacker's public key, so that only the matching private key, which never leaves the attacker, can recover them. The victim is locked out of its data, and the attacker demands a hefty ransom in return for that private key (or a decryptor that embeds it).

These attacks often succeed because they play on the victim's fear of losing sensitive and business-critical data, the loss of which can significantly impact business continuity and reputation. Consequently, many victims pay the ransom demanded.

Why Should Organisations Worry About Ransomware?

There are many reasons why organisations should implement ransomware detection.

Anybody can be a victim

One key reason is that companies of any size or type could be targets and victims of cyber attacks. Ransomware is also an industry-agnostic type of cyberattack, affecting companies in healthcare, financial services, industrial manufacturing, IT, energy, utilities, and even education.

Ransomware affects many types of devices

Another worrying aspect is that ransomware can infect any type of device – desktops, laptops, mobile devices, enterprise network routers, and even IoT devices. Modern IT environments tend to include all these devices, leaving firms at the mercy of clever and opportunistic cyber attackers.

Multiple attack vectors

Cybercriminals have many attack vectors at their disposal. Apart from malicious links or attachments in phishing emails, they can also log in with stolen remote-access credentials (for VPN or RDP, for example) or take advantage of an organisation's adoption of cloud services to launch an attack.

In the post-COVID era, many organisations have adopted remote work models, cloud-based services and tools to maintain business continuity and service delivery – making them increasingly vulnerable to ransomware attacks.

Many attack types

Another increasing problem is that attackers have many options for launching a ransomware attack. For instance, they can author crypto-malware which encrypts hard drives, folders and files. They can then demand a ransom in cryptocurrency, which is more difficult to trace.

The adversary may also infect device operating systems with lockers, completely locking the victim out of the device until they pay the ransom. Other common ransomware types include:

  • Scareware: Fake software that pressures a victim into paying to resolve a so-called security issue that does not exist
  • Leakware (double extortion): The attacker steals the victim's sensitive information and threatens to publish it unless paid, with or without encrypting anything

Well-known ransomware families include:

  • WannaCry: A self-propagating worm from 2017 that spread across networks through the SMB vulnerability patched by MS17-010, needing no user interaction, and hit more than 200,000 systems in 150+ countries
  • Locky: A variant that spreads through email messages disguised to look like genuine invoices

The Adoption of RaaS

The rise of Ransomware-as-a-Service (RaaS) is another key driver of ransomware attacks in 2022. In the past, attackers needed technical or coding skills to write ransomware and carry out cyber attacks. Now, RaaS offerings are readily available on the dark web, typically as subscriptions or affiliate schemes in which the operator takes a share of each ransom, enabling affiliates with little expertise to launch large-scale, highly damaging ransomware attacks against organisations.

This is tempting for cybercriminals because such attacks are cheap to set up and launch and can yield a massive pay-out. The threat actor only needs a Tor browser and access to underground markets on the dark web to buy ransomware "toolkits" (pre-packaged bundles of malicious code, often bundled with a management panel and payment handling). With these, attackers can deploy ransomware against any number of organisations, regardless of industry, without writing any code themselves.

The Consequences of a Ransomware Attack

Following a ransomware attack, victims lose access to their systems and data. Many companies pay the ransom to restore access, even though government agencies like the FBI discourage the practice.

But even after paying the ransom, there's no guarantee that the attackers will release all encrypted systems or data, and paying does nothing to remove the attacker's access. In 2019, 45% of attacked organisations paid the ransom and only half of them got their data back, with ransom payments estimated at 10.1 billion EUR.

In 2021, a ransomware attack cost organisations $1.85 million on average. This amount includes the ransom paid and the cost of remediating the attack and containing the damage. However, ransom pay-outs are not the only effect on breached organisations. Due to business downtime and lost opportunities, the affected firms also lose reliability in the eyes of their customers and forfeit potential revenue. According to the EU Agency for Cybersecurity (ENISA), the average downtime of affected organisations increased from 15 days in 2020 to 23 days in 2021. In addition, a survey conducted across 30 countries found that the overall cost of remediating a ransomware attack more than doubled, from $761,106 in 2020 to $1.85 million in 2021.

Another problem is that the visible ransomware incident is usually the final stage of a longer intrusion. Once attackers have a foothold in the enterprise, they move laterally through the network to reach business-critical systems and sensitive data, which they typically exfiltrate before encrypting it, so that the victim is pressured both by lost availability and by the threat of publication. This pre-encryption phase, which can last days or weeks, is also the window in which the intrusion is detectable on the network.

Protection Against Ransomware with NDR

One reason it's so difficult to defend your organisation against ransomware is that the initial payload is small and arrives hidden in harmless-looking links or email attachments that any user might open. Clever attackers also lean on RaaS to run their operations at scale and encrypt enterprise files across many victims at once.

To stay ahead of such threat actors, organisations need proactive ransomware detection that spots the intrusion quickly and reliably, before the attackers reach the encryption stage. This is where Network Detection and Response (NDR) comes in.

An NDR solution continually observes network behaviour and learns what constitutes "normal" for each host and service: which systems talk to which, over which ports, and how much data they exchange. Communications that deviate from this baseline, such as a workstation suddenly connecting to dozens of internal hosts over SMB or pushing an unusual volume of data to an external address, are flagged automatically, providing an early warning of lateral movement and exfiltration before files are encrypted. Because the baseline is statistical, such alerts need tuning: a host with a perfectly regular history makes any small change look extreme, so deviations should be judged against an absolute floor as well as against the historical spread.
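What the baseline-and-deviation logic in the previous paragraph looks like in practice, applied to the lateral-movement and exfiltration pattern described under "The Consequences of a Ransomware Attack": the script below builds a per-host baseline from a few days of NetFlow-style records, then flags a host whose number of distinct internal SMB peers or whose outbound volume to external addresses jumps well beyond that baseline. This is an added example written for this article, not ExeonTrace code; the record layout, the 10.0.0.0/8 internal range, the thresholds and the flow records are all constructed.

```python
"""Baseline-and-deviation detection over NetFlow-style records (added example).

All data and thresholds below are constructed for illustration; the record
layout is a simplified stand-in for NetFlow/IPFIX, not any vendor's format.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")  # assumed corporate address range


@dataclass(frozen=True)
class Flow:
    day: int          # 0..n-1 = baseline days, n = day under inspection
    src: str
    dst: str
    dport: int
    bytes_out: int    # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def daily_features(flows):
    """Per (day, src): set of distinct internal SMB peers, bytes sent to external hosts."""
    smb_peers = defaultdict(set)
    ext_bytes = defaultdict(int)
    for f in flows:
        key = (f.day, f.src)
        if f.dport == 445 and is_internal(f.dst):
            smb_peers[key].add(f.dst)
        if not is_internal(f.dst):
            ext_bytes[key] += f.bytes_out
    return smb_peers, ext_bytes


def anomalous(value, history, z, floor):
    """True if value exceeds mean + z*stdev AND exceeds the mean by an absolute floor.

    The floor is the caveat from the text: a host whose history is perfectly
    regular has stdev 0, so without it any change of +1 would be an 'infinite'
    deviation and a false positive."""
    if not history:
        return False  # assumption: no baseline, no verdict
    mu, sigma = mean(history), pstdev(history)
    return value > mu + z * sigma and value - mu >= floor


def detect(flows, inspect_day, z=3.0, floor_peers=5, floor_bytes=50_000_000):
    """Return (host, reason, value) alerts for inspect_day relative to earlier days."""
    smb_peers, ext_bytes = daily_features(flows)
    baseline_days = sorted({f.day for f in flows if f.day < inspect_day})
    alerts = []
    for host in sorted({f.src for f in flows}):
        peer_hist = [len(smb_peers.get((d, host), ())) for d in baseline_days]
        byte_hist = [ext_bytes.get((d, host), 0) for d in baseline_days]
        today_peers = len(smb_peers.get((inspect_day, host), ()))
        today_bytes = ext_bytes.get((inspect_day, host), 0)
        if anomalous(today_peers, peer_hist, z, floor_peers):
            alerts.append((host, "smb_fanout", today_peers))      # lateral movement
        if anomalous(today_bytes, byte_hist, z, floor_bytes):
            alerts.append((host, "external_volume", today_bytes))  # exfiltration
    return alerts


def sample_flows():
    """Constructed records: five quiet baseline days, then one day of intrusion."""
    flows = []
    for day in range(5):
        # ordinary workstation: one file server over SMB, ~20 MB of web traffic a day
        flows.append(Flow(day, "10.0.1.10", "10.0.2.5", 445, 5_000_000))
        flows.append(Flow(day, "10.0.1.10", "203.0.113.9", 443, 20_000_000 + day * 500_000))
        # admin jump host: three or four servers over SMB every day, a little web traffic
        for i in range(3 + day % 2):
            flows.append(Flow(day, "10.0.1.11", f"10.0.2.{10 + i}", 445, 1_000_000))
        flows.append(Flow(day, "10.0.1.11", "203.0.113.9", 443, 3_000_000))
    day = 5
    # workstation fans out to 40 internal hosts over SMB ...
    for i in range(40):
        flows.append(Flow(day, "10.0.1.10", f"10.0.3.{i + 1}", 445, 200_000))
    # ... and pushes 2 GB to an external host it has never spoken to before
    flows.append(Flow(day, "10.0.1.10", "198.51.100.7", 443, 2_000_000_000))
    # admin host behaves as usual (four servers is within its normal range)
    for i in range(4):
        flows.append(Flow(day, "10.0.1.11", f"10.0.2.{10 + i}", 445, 1_000_000))
    flows.append(Flow(day, "10.0.1.11", "203.0.113.9", 443, 3_000_000))
    return flows


if __name__ == "__main__":
    for host, reason, value in detect(sample_flows(), inspect_day=5):
        print(f"ALERT {host}: {reason} = {value}")
```

Run as-is it reports two alerts for 10.0.1.10 (SMB fan-out to 40 peers, 2 GB outbound) and none for the admin host, whose fourth SMB server on the inspection day sits inside its own historical spread. Real deployments baseline over weeks rather than days, segment by host role, and feed DNS and proxy logs alongside flow records, but the shape of the decision, a learned per-host normal plus a guarded deviation test, is the same.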

With NDR, security teams spend less time hunting for blind spots in the network and more time strengthening the organisation's security posture. It lets organisations detect and contain a ransomware intrusion while it is still in progress, rather than reacting only after encryption has begun and suffering through business downtime and costly ransomware pay-outs.

Exeon’s NDR Solution for Ransomware Detection

With Exeon, companies have a proactive and future-proof means to detect ransomware attacks early. Exeon's advanced NDR software uses AI-driven analytics to monitor all network operations, immediately detect cyber threats, and respond faster and more efficiently to local and cloud-native incidents.

Unlike traditional NDR providers, Exeon relies on log data analysis (NetFlow/IPFIX, firewall, DNS, proxy and application logs) rather than packet capture: it requires no traffic mirroring, is completely hardware-free, works on connection metadata and is therefore unaffected by traffic encryption, and is compatible with multiple network device vendors. Exeon provides detailed visibility and superior analytics for holistic ransomware threat detection across the entire IT/OT network.

[Image: ExeonTrace platform: parsers and network visibility]


Today's organisations can't afford to take a laid-back approach to the growing threat of ransomware. As preventive security measures alone no longer suffice, companies require a capable security solution to detect ransomware activity within the network before it causes any damage. With Exeon's NDR solution, security teams are equipped with a powerful tool to monitor all network activities and respond immediately to malicious network behaviour that indicates a potential ransomware attack.

Loris Friedli

Content Specialist