Cyber threats are nothing new. I remember back in the late 80s my brother and I managed to infect our parents’ x86 computer with a ping pong virus, which simply placed an annoying ping pong ball on the screen that tenaciously bounced around and annoyed the crap out of whoever was trying to work on the computer.

Fast forward 25 years or so, and cyber threats have not only advanced technologically and become more complex, but they have also become much more sinister in nature. Rather than merely annoying and upsetting the victim, they actually perform malicious actions, and these have slowly turned into financially incentivized, coordinated attacks with devastating results.

Threat actors are no longer just amateur pranksters trying to create little islands of mayhem, but have evolved into complex criminal organizations that behave like regular tech organizations, with almost start-up-like structures and behavior.

These are today’s ransomware groups. Most of the larger and well-known groups today have clear business models and strategies which entail extorting millions of dollars from organizations which they manage to penetrate.


How does all this make ransomware behavior different?

Unlike other attack types, the commercial aspect of ransomware dictates different behavior, so when a ransomware threat actor attacks an organization, they don’t just go in and encrypt one single computer and ask for a ransom. They need to go through a few stages (a variation of the cyber kill chain). The short version is that after they manage to gain initial access to the network, they want to spread out and infect as much of the network as possible through something known as lateral movement.

Think of it this way: let’s say you have an organization with a thousand computers. A threat actor manages to penetrate one of these computers and immediately encrypts it and asks for a ransom.

While this might mean you’ll have one employee having a bad day, the organization is not very likely to dish out a large sum of money to get that data back (or even to prevent the attacker from exposing that data to the world).

If, however, the ransomware actor gains initial access and then slowly trickles through to additional computers in the network, reaching, let’s say, 800 of the 1000 computers, and then one day, BAM! encrypts all 800 computers at once, this is now a very different story, and pretty much everyone is having a bad day. In this case, shelling out a few million dollars to get your files back doesn’t look like such a far-fetched outcome anymore, does it?

This is what makes ransomware different and so much more dangerous than other cyber attacks.


Ransomware is a business

In order to get the best “income” from a victim, ransomware threat actors need to make their ransomware as stealthy as possible so that it bypasses security measures and they can infect as much of the network as possible without being detected.

So instead of just focusing on infecting a single computer, ransomware actors work on getting in and staying in as long as possible. To do this, they develop the ransomware with the security measures in mind and implement many different techniques purpose-built to bypass traditional security products and detection and response solutions. If the security products can’t detect the ransomware, they can’t stop it.

Encryption is the final step

The actual “ransom” part of the process, which includes exfiltrating and encrypting the victim’s files and demanding the ransom, is the final stage of a long journey for the ransomware. While this stage might appear to most people as “day 1”, and they’d say things along the lines of “we’ve just suffered a massive ransomware attack”, the reality is that they most likely began to “suffer” that ransomware attack months beforehand, but are only now seeing it because the detonation stage is the most visible… and devastating… stage.

[Figure: The Ransomware Attack Chain]


Once the ransomware has detonated, it’ll most likely then be discovered by the security solution. Its hash and behavior signature will then be added to the security solution’s database, making it easier to stop the next time. This means we’re mainly talking here about unknown, or “zero day”, ransomware attacks that are yet to be discovered and are therefore the most dangerous.
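To make the point above concrete, here is an added example (not Minerva’s code, and not from the original post) that contrasts the two kinds of signature mentioned. A hash lookup only matches a binary that has already been catalogued, so a trivially rebuilt variant slips past it; a behavioral check that looks for one process rewriting many files with ciphertext-like (high-entropy) content in a short window still fires on the detonation stage. The sample binary bytes, process names and file-write events are all constructed for the example; the entropy threshold, window and file-count parameters are illustrative assumptions, not tuned production values.

```python
"""Added example: hash-based vs. behavior-based ransomware detection.
All samples and events below are constructed; nothing here is real telemetry."""
import hashlib
import math
import random
from collections import defaultdict

# --- 1. Hash-based detection: only catches a binary already in the database ---
# Constructed stand-ins for a ransomware build and a slightly rebuilt variant.
KNOWN_SAMPLE = b"constructed ransomware build 1: encrypt, drop note, spread"
VARIANT_SAMPLE = KNOWN_SAMPLE + b" (rebuilt)"   # any byte change gives a new hash

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The "security solution database" after the first detonation was analysed.
KNOWN_BAD_HASHES = {sha256_hex(KNOWN_SAMPLE)}

def hash_match(sample: bytes) -> bool:
    """True only if this exact binary has been seen and catalogued before."""
    return sha256_hex(sample) in KNOWN_BAD_HASHES

# --- 2. Behavior-based detection: flag a process that rewrites many files with
#        high-entropy (ciphertext-like) content inside a short time window ---
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext/random data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def burst_encryption_detector(events, window_s=10.0, min_files=20, min_entropy=7.0):
    """events: iterable of (timestamp_seconds, process_name, path, written_bytes).
    Returns the set of process names that wrote at least min_files high-entropy
    files within any window_s-second span (thresholds are illustrative)."""
    high_entropy_times = defaultdict(list)
    for ts, proc, _path, data in events:
        if shannon_entropy(data) >= min_entropy:
            high_entropy_times[proc].append(ts)
    flagged = set()
    for proc, times in high_entropy_times.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:   # slide the window forward
                start += 1
            if end - start + 1 >= min_files:
                flagged.add(proc)
                break
    return flagged

# --- 3. Constructed file-write event log ---
def build_sample_events():
    rng = random.Random(42)   # deterministic stand-in for ciphertext
    events = []
    # A normal user application saving a few plain-text-like documents.
    for i in range(3):
        events.append((1.0 + i * 30, "winword.exe", f"C:/docs/report{i}.docx",
                       b"Quarterly report: revenue up 3 percent.\n" * 20))
    # Constructed ransomware: 25 files rewritten with random bytes in 5 seconds.
    for i in range(25):
        blob = bytes(rng.getrandbits(8) for _ in range(1024))
        events.append((100.0 + i * 0.2, "cryptor.exe", f"C:/docs/file{i}.locked", blob))
    return events

if __name__ == "__main__":
    print("known build matched by hash:   ", hash_match(KNOWN_SAMPLE))    # True
    print("rebuilt variant matched by hash:", hash_match(VARIANT_SAMPLE))  # False
    print("flagged by behavior:            ", burst_encryption_detector(build_sample_events()))
```

The rebuilt variant never matches the hash database, which is exactly the “zero day” gap the paragraph describes, while the behavioral rule keys on what every ransomware detonation must do regardless of how the binary was built. In practice the behavioral side is what an attacker spends effort evading (throttling writes, spreading them across processes, tampering with the agent that collects the events), which is why the post argues the agent itself needs protecting.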

New methods require a new approach

With ransomware running rampant all over the world, it is clear that current solutions are not enough. While EDR/XDR/EPPs are all great at detecting and stopping traditional (known) threats that try to cause immediate harm without any real end-game, they are simply not able to keep up with a threat that has security solution evasion embedded so deeply within the core of its business model. A completely different approach is needed on top of existing solutions to combat this historically malicious attack vector and keep organizations safe: one that is purpose-built to manipulate the very core of what makes ransomware so effective and turn its evasive properties against itself. Such an approach must not only stop the ransomware before it can spread inside the network and do any damage, but also protect the EDR/XDR/EPP agent from manipulation and disablement by the ransomware, closing the critical gap in the organization’s security stack. That gap can be the difference between business as usual and, in the best case, business being shut down for a few weeks, or at worst complete closure, as we saw in the case of Lincoln College recently.

Minerva Anti-Ransomware bridges the gap

Minerva’s ransomware prevention solution ticks all the above boxes and more. It works alongside current EDR/XDR/EPP solutions, not only bridging the critical ransomware gap, but also protecting and keeping the agent secure from tampering.