How to detect and stop ransomware attacks using endpoint protection software

Table of contents
Understanding ransomware attacks on endpoints 
Stage 1: Delivery 
Stage 2: Command and control 
Stage 3: Credential Access 
Stage 4: Surveying and canvassing 
Stage 5: Extortion 
Introduction to endpoint protection software 
Inventory and classification 
AI-based endpoint detection and response (EDR) 
Continuous real-time monitoring 
Isolation, quarantining, kill processes, and remediation 
Attack-specific rollbacks 
Integrated backup and recovery 
Endpoint protection software best practices for MSPs 
Antivirus, anti-malware and anti-ransomware 
Vulnerability assessment and patch management 
Multi-factor authentication 
Incident response plan (IRP) 
Signs of ransomware attacks  
Final thoughts 

Looking at how ransomware criminals operate today, we see attackers develop new ways to seize and extort sensitive data, leveraging the latest technology, innovations and available resources. Over the past year, ransomware attacks have evolved with the adoption of artificial intelligence, and threat actors are building upon traditional adversarial techniques. From AI-assisted campaigns to groups such as Royal, attackers no longer fit the stereotype of a lone, hoodie-wearing perpetrator, and victims include high-profile organizations as well as the clients of managed service providers (MSPs).  

According to the Acronis Cyberthreats Report for August 2023, ransomware detections at the endpoint level decreased by 6% from June to July. At the same time, however, Acronis Advanced Security + EDR detected over 150,000 cyber incidents, and ransomware groups including Cl0p, Play and BlackCat were notably active, which shows that the ransomware threat still runs rampant.  

Ultimately, implementing effective technologies, methods and strategies to combat the growing volume of attacks is key to the success of MSPs. This article explains the importance of endpoint protection, examines how attacks work and explores the cybersecurity measures that are most effective against ransomware for MSPs and their clients. 

Understanding ransomware attacks on endpoints 

All ransomware shares a single commonality: data is the prime target. Threat actors attempting to exfiltrate, tamper with or destroy data are motivated by monetary gain. Keeping your clients' data at the forefront of protection strategies will result in effective and impactful protection against ransomware. As your MSP develops endpoint security measures and comprehensive cybersecurity for clients, it can be challenging to find solutions that address intrusions at every turn.  

Although adversaries may shift their tactics, techniques and procedures (TTPs), ransomware will remain laser-focused on your clients' data. To help your business gain a deep understanding of the most prolific intrusions, we share the five fundamental stages of a ransomware infection. 

Stage 1: Delivery 

The adversary compromises the network or a machine through common methods such as a phishing email, an exploit or business email compromise (BEC). Human factors are often involved in the initial steps of an infection, and a large share of incidents are introduced by email. As noted in the Acronis Mid-year Cyberthreats Report 2023, email attacks surged 464% since 2022. 

Stage 2: Command and control 

At this stage, the attacker establishes a command-and-control (C2) channel to the infected machine or network. The adversary uses this channel to gain control of the infected device and instruct it to carry out the next objectives.  

Stage 3: Credential Access 

In the third stage of a ransomware attack, the adversary strives to obtain user credentials. Examples of the ways attackers achieve credential access include brute-force attacks, forced authentication and credential stuffing. 

Stage 4: Surveying and canvassing 

Once the actor has credentials and control of the device, they move laterally through the network and use other techniques to stay undetected while surveying the environment. The infection seeks out files to encrypt across the network and attempts to lock out the file owners. 

Stage 5: Extortion 

The actor completes encryption or exfiltration of hostage files and demands payment from the victim in exchange. 

Introduction to endpoint protection software 

Beyond the five essential stages of an attack, the added threat of AI and ML gives ransomware groups the ability to automate and scale up malware campaigns. Cybersecurity tools clearly need to advance in the same direction. AI- and ML-powered cybercrime is trending in parallel with technological enhancements in endpoint protection, and today's AI- and ML-based endpoint security offers advanced capabilities to fight ransomware, sharpen threat detection and response, and better defend your clients. 

Endpoint security has developed over time to address today's challenges. Although traditional endpoint protection solutions prevent, protect against and eradicate ransomware with antivirus, firewall and intrusion detection capabilities, these layers alone are no longer enough.  

When comparing modern endpoint security solutions, these are the key features most beneficial to your MSP business: 

Inventory and classification 

In order to fully protect your clients, security technicians should know which client machines, systems, servers and assets are in need of protection. This includes Active Directory (AD) and building an inventory of endpoints to better understand attack surfaces, the crucial areas to protect and where highly valuable sensitive data resides. 

AI-based endpoint detection and response (EDR) 

AI-based endpoint detection and response (EDR) provides automated threat correlation and guided attack interpretations, saving technicians time in investigation so they can move more quickly to response activities.  

Continuous real-time monitoring 

EDR solutions with continuous real-time monitoring use behavior-based detection, which gives a decisive advantage against modern ransomware, especially in conjunction with signature-based detection: a new variant with no known signature still has to rename, overwrite or encrypt files at scale, and that behavior is observable. 
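To show concretely what behavior-based detection of the Stage 4 encryption activity described above looks like, here is an added example written for this article (it is not Acronis product logic). It runs a small detector over constructed endpoint telemetry: file writes with their content, renames, and process executions. The event schema, the thresholds, the indicator list for shadow-copy deletion and the sample events are all assumptions for illustration; a real sensor would also sample only a prefix of each write rather than the whole content.

```python
"""Behavior-based ransomware detection over constructed endpoint telemetry.

Example code written for this article (not Acronis product logic). The event
schema, thresholds and sample events below are assumptions for illustration.
"""
import math
import os
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds are assumptions; tune them per environment to control false positives.
BURST_WINDOW_SEC = 10.0     # sliding window per process
RENAME_BURST = 5            # renames to one new extension inside the window
HIGH_ENTROPY_BURST = 5      # near-random writes inside the window
ENTROPY_THRESHOLD = 7.5     # bits per byte; ciphertext approaches 8.0
# Token sets that, together on one command line, destroy local recovery points
# (assumed indicator list; real products carry far more).
SHADOW_COPY_INDICATORS = (("vssadmin", "delete", "shadows"),
                          ("wmic", "shadowcopy", "delete"))


@dataclass
class Event:
    ts: float               # seconds; events need not arrive sorted
    pid: int
    kind: str               # "write", "rename" or "exec"
    path: str = ""
    new_path: str = ""      # rename target
    content: bytes = b""    # bytes written
    cmdline: str = ""       # exec command line


@dataclass
class _ProcState:
    renames: list = field(default_factory=list)     # [(ts, new_ext), ...]
    hot_writes: list = field(default_factory=list)  # [ts, ...]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect(events):
    """Return [(pid, reason), ...], one alert per process per reason."""
    state = defaultdict(_ProcState)
    alerts, seen = [], set()

    def raise_alert(pid, reason):
        if (pid, reason) not in seen:
            seen.add((pid, reason))
            alerts.append((pid, reason))

    for ev in sorted(events, key=lambda e: e.ts):
        st = state[ev.pid]
        if ev.kind == "exec":
            cmd = ev.cmdline.lower()
            if any(all(tok in cmd for tok in ind) for ind in SHADOW_COPY_INDICATORS):
                raise_alert(ev.pid, "shadow_copy_deletion")
        elif ev.kind == "rename":
            old_ext = os.path.splitext(ev.path)[1].lower()
            new_ext = os.path.splitext(ev.new_path)[1].lower()
            if new_ext and new_ext != old_ext:
                st.renames = [(t, e) for t, e in st.renames
                              if ev.ts - t <= BURST_WINDOW_SEC] + [(ev.ts, new_ext)]
                # Many files pushed to a single new extension is the classic encryption pattern.
                if (len(st.renames) >= RENAME_BURST
                        and len({e for _, e in st.renames}) == 1):
                    raise_alert(ev.pid, f"mass_rename_to_{new_ext}")
        elif ev.kind == "write":
            if shannon_entropy(ev.content) >= ENTROPY_THRESHOLD:
                st.hot_writes = [t for t in st.hot_writes
                                 if ev.ts - t <= BURST_WINDOW_SEC] + [ev.ts]
                if len(st.hot_writes) >= HIGH_ENTROPY_BURST:
                    raise_alert(ev.pid, "high_entropy_write_burst")
    return alerts


def build_sample_events():
    """Constructed telemetry: a benign editor (pid 1001) and an encryptor (pid 4242)."""
    plaintext = b"Quarterly report: revenue up 4%, costs flat.\n" * 40
    ciphertext = bytes(range(256)) * 4  # uniform byte histogram stands in for encrypted output
    events = [
        Event(100.0, 1001, "write", path="C:/Users/ann/draft.tmp", content=plaintext),
        Event(101.0, 1001, "rename", path="C:/Users/ann/draft.tmp", new_path="C:/Users/ann/draft.docx"),
        Event(105.0, 4242, "exec", cmdline="vssadmin.exe Delete Shadows /All /Quiet"),
    ]
    for i in range(6):
        doc = f"C:/Shares/Finance/report{i}.docx"
        events.append(Event(106.0 + i, 4242, "write", path=doc, content=ciphertext))
        events.append(Event(106.5 + i, 4242, "rename", path=doc, new_path=doc + ".locked"))
    return events


if __name__ == "__main__":
    for pid, reason in detect(build_sample_events()):
        print(f"ALERT pid={pid} reason={reason}")
```

Run stand-alone, the detector raises three alerts for pid 4242 (shadow-copy deletion, a burst of high-entropy writes, and a mass rename to `.locked`) and none for the benign editor, even though the editor also changed a file extension. The entropy and rename heuristics are the behavioral counterpart to a signature: they fire on what the process does to files rather than on what its binary looks like, which is why they still catch a variant no signature database has seen. In production these signals would feed the isolation and process-kill actions described in the next section rather than a print statement.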

Isolation, quarantining, kill processes, and remediation 

Isolating affected workloads is a critical component of comprehensive EDR and a pivotal measure against ransomware incidents. The ability to contain and quarantine active threats prevents infection from spreading across healthy workloads and networks. Isolation can effectively disrupt the lateral movement of ransomware and minimize the impact of destruction on your clients’ business.  

Additionally, process-kill capabilities allow your technicians to remediate and eradicate ransomware efficiently by terminating suspicious or unauthorized activity, such as stopping a malicious program from running on an endpoint device. Killing the offending process swiftly interrupts the execution of malware and paves the way for remediation and response. 

Attack-specific rollbacks 

Attack-specific rollbacks play an integral role in bolstering your clients' business continuity. Following an attack, your clients can recover endpoints to a known-good, uninfected state with attack-specific rollbacks. Ransomware rollbacks help expedite recovery processes and fast-track your clients' return to normal operations.   

Integrated backup and recovery 

With your clients' data being the principal target, EDR alone won't provide sufficient protection. Data protection is paramount to holistic cyber protection. Together, integrated cybersecurity, backup and recovery work symbiotically to fortify your clients' cyber resilience. Integrated cybersecurity and data protection not only benefits your clients but also streamlines your MSP business' daily operations, management and monitoring activities. Integration allows your team to provision endpoint security services with increased efficiency, reduced complexity and improved performance. 


Endpoint protection software best practices for MSPs 

Bringing cyber resilience to your clients is a collaborative process with many shifting aspects. At Acronis, we suggest keeping a continuous pulse on the following endpoint protection areas: 

Antivirus, anti-malware and anti-ransomware 

Ensure your clients' antivirus, anti-malware and anti-ransomware software are regularly updated. New malware families and variants are discovered every day, so this is especially important for signature-based detection tools. Most antivirus products update automatically without manual intervention, but confirm that updates are actually arriving on every endpoint rather than assuming they are.  

Vulnerability assessment and patch management 

In addition to updating antivirus software, running regular vulnerability assessments will identify open vulnerabilities in operating systems and applications. Finding vulnerabilities and applying patches is essential to mitigating cyber risk and closing the entry points that attackers exploit. 

Multi-factor authentication 

Implementing multi-factor authentication (MFA) is another key practice your clients should adopt. MFA is an additional layer of security that limits the misuse of stolen or guessed credentials (the goal of Stage 3 above) and makes it harder for threat actors to masquerade as legitimate users. 

Incident response plan (IRP) 

Developing a robust incident response plan is critical to meeting your recovery time objectives (RTOs) and recovery point objectives (RPOs). An IRP defines, organizes and orchestrates how your technicians will handle response activities in the crucial first moments of a cyberattack. The components of an IRP can include incident definitions, response processes, escalation and communication paths, and reporting methodologies. A well-developed IRP reduces your clients' downtime and their reputational and financial harm. 

Signs of ransomware attacks  

Whether it is a phishing email, a suspicious link or unusual network activity, it's important that your clients and their employees recognize ransomware indicators and proactively avoid infection. Security awareness training programs help organizations adhere to best practices, keep users vigilant and mitigate the risk of ransomware. Security awareness training improves your clients' phishing awareness, helps them identify suspicious behavior and fosters a cybersecurity-first culture. 

Final thoughts 

Against ransomware, modern endpoint security is a key pillar of your MSP's cybersecurity stack. Integration, AI and ML are game-changing for EDR solutions and are transforming anti-ransomware defense. With the ability to better recognize abnormal patterns of suspicious behavior, these tools counter sophisticated attacks in real time and enable your MSP technicians to catch malicious activity that would otherwise go undetected. Importantly, the integration of cybersecurity, backup and recovery creates a dynamic cyber protection ecosystem that better protects your clients' endpoints, safeguards sensitive data and diminishes ransomware risk. Integrated cyber protection simplifies the delivery of your service and ensures comprehensive protection and business continuity for clients. 

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.