
The 3 Es of Ransomware Attacks



We are still talking about Ransomware in 2025 for a reason

Ransomware continues to be one of the biggest cybersecurity risks for most organizations. The attacks are relatively easy to pull off. With Ransomware-as-a-Service, attackers don't even have to know how to write ransomware: they lease it from an operator in exchange for a share of the ransom. Ransomware attacks are quick and can be devastating to a company, forcing organizations to either pay up or face a long road to recovery, often with a severe impact on revenue.



Endpoint Protection Isn’t Foolproof

The main defense companies rely on is some type of endpoint security product. Endpoint security can catch commodity attacks, but the more sophisticated attacks are designed specifically to bypass it. You may be fine against the "B team" attackers, but you won't see the "A team" coming until it's too late. Skilled attackers will often compromise your backups first so you can't recover, and then hold you hostage. In short, you can't stop what you can't see. Don't let the skill level of the attacker be the thing that decides whether they get in.


So, what are the main ways that ransomware attacks are still succeeding despite endpoint security products? I call these the 3 Es of Ransomware Exploitation: Evasion, Exposure, and Exceptions.


Evasion

The top ransomware groups, which account for most attacks, are skilled. They build supporting tools to ensure they can get into an environment undetected, steal data, and execute their attack without you knowing. They succeed by making sure your detection tools do not see their activity until it is too late.

  • Living-off-the-Land attacks use PowerShell and other native tools, so the activity is hard to distinguish from normal day-to-day administration.

  • Fileless ransomware doesn't require a malicious file to be written to disk and works solely in memory, leaving nothing for file-based scanning to inspect.

  • Remote encryption works over network shares: the encrypting process runs on one machine (often an unmanaged one) and writes the ciphertext to files on other machines over SMB. The endpoint agent on the file server sees only ordinary file writes from a remote session, which is very hard for endpoint security products to detect or stop.

  • EDR Killers. These are tools that shut down or "blind" your EDR (Endpoint Detection & Response) agent, often by loading a vulnerable signed driver, so it no longer receives activity to analyze.


I could go on, but these types of evasion techniques have been around for a decade or more, and endpoint companies are no closer to closing the gap, BECAUSE attackers evolve too! Remember, there would be no such thing as Threat Hunting if endpoint security products caught it all.


How RansomStop is different is that instead of focusing on what an executable might do, RansomStop focuses on your data and how it changes, i.e. the outcome. If a file's contents change in a way that matches encryption rather than a normal edit, we know it's ransomware, regardless of which process or which host did the writing.
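To make the outcome-based idea concrete, here is an added example in Python (not RansomStop's code, and not a description of its internals): it snapshots a share, and for every file that changed it judges the rewrite from the bytes alone, combining a magic-byte header check with a Shannon-entropy test. The signature table, the 7.5 bits/byte threshold, the sample files and the scenario are all constructed for illustration, and an XOR keystream stands in for the attacker's cipher.

```python
import math
import os
import random
import tempfile
from collections import Counter
from typing import Dict

# Leading bytes each extension should carry. Constructed, illustrative subset;
# real tooling would use a full signature table such as libmagic's.
MAGIC: Dict[str, bytes] = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",  # OOXML documents are zip containers
}
# Assumed cut-off in bits/byte: ciphertext and compressed data sit near 8.0,
# plain text and most office documents far lower. Tune per environment.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_ok(data: bytes, ext: str) -> bool:
    """True if the file still starts with the bytes its extension promises."""
    return data.startswith(MAGIC.get(ext, b""))


def classify_change(before: bytes, after: bytes, ext: str) -> str:
    """Verdict on one rewrite, judged from the data alone, never the writer.

    'encrypted': type header destroyed and content turned high-entropy;
    'suspicious': only one signal fired (e.g. truncation); 'benign': a normal
    edit. The header check keeps already-high-entropy formats (PNG, DOCX/zip)
    from tripping the entropy test on every legitimate save.
    """
    h_before, h_after = shannon_entropy(before), shannon_entropy(after)
    became_random = h_after >= ENTROPY_THRESHOLD
    entropy_jump = became_random and h_before < ENTROPY_THRESHOLD
    if not MAGIC.get(ext):  # no signature to check: entropy is the only signal
        return "encrypted" if entropy_jump else "benign"
    header_broken = header_ok(before, ext) and not header_ok(after, ext)
    if header_broken and became_random:
        return "encrypted"
    if header_broken or entropy_jump:
        return "suspicious"
    return "benign"


def snapshot(root: str) -> Dict[str, bytes]:
    """Read every file under root (the watched share), keyed by relative path."""
    out: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = fh.read()
    return out


def diff_snapshots(before: Dict[str, bytes], after: Dict[str, bytes]) -> Dict[str, str]:
    """Verdict for every file that changed or vanished between two snapshots."""
    verdicts: Dict[str, str] = {}
    for rel, old in before.items():
        new = after.get(rel)
        if new is None:
            verdicts[rel] = "deleted"
        elif new != old:
            verdicts[rel] = classify_change(old, new, os.path.splitext(rel)[1].lower())
    return verdicts


def _write(share: str, name: str, data: bytes) -> None:
    with open(os.path.join(share, name), "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, str]:
    """Constructed scenario on a temporary share: two legitimate saves plus
    three files rewritten by an encryptor running on another host."""
    rng = random.Random(2025)  # fixed seed so the run is reproducible

    def blob(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    files = {  # constructed sample contents, not real documents
        "report.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 200,
        "notes.txt": b"Q3 numbers, action items, follow-ups.\n" * 200,
        "memo.txt": b"Draft memo to the board.\n" * 200,
        "logo.png": MAGIC[".png"] + blob(8192),   # random body stands in for image data
        "deck.docx": MAGIC[".docx"] + blob(8192),  # random body stands in for zip data
    }
    with tempfile.TemporaryDirectory() as share:
        for name, data in files.items():
            _write(share, name, data)
        before = snapshot(share)
        # Legitimate activity: a user appends to a memo, an editor re-saves a PNG.
        _write(share, "memo.txt", files["memo.txt"] + b"Added after review.\n")
        _write(share, "logo.png", MAGIC[".png"] + blob(8192))
        # Remote encryption: a process elsewhere XORs each file with a random
        # keystream (stand-in for the attacker's cipher) via the share.
        for name in ("report.pdf", "notes.txt", "deck.docx"):
            data = files[name]
            _write(share, name, bytes(a ^ b for a, b in zip(data, blob(len(data)))))
        return diff_snapshots(before, snapshot(share))


if __name__ == "__main__":
    print(demo())
```

Run it and the three rewritten files come back as "encrypted" while the appended memo and the re-saved PNG stay "benign"; the PNG case is the one a naive entropy-only detector gets wrong, because compressed formats are high-entropy before anything happens to them. Production tooling would subscribe to file-system or SMB write events rather than polling full snapshots, and would also track renames, since many encryptors append their own extension to each file they touch.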



Exposure

Exposure comes down to coverage gaps, both the known and the unknown. Not all of your devices and data will be covered by an endpoint security tool. Technologies like hypervisors, Kubernetes and containerized apps, and cloud data stores typically can't have endpoint products installed at all.


Then there are the unknowns that your team may not even realize are connected: shadow IT, lab environments, and BYOD, all of which provide an attack surface where you may have no protection installed at all.


A couple of good examples of this: the DaVita attack from early 2025, one of the largest this year. Aside from phishing and domain takeover to harvest credentials, some analysts think a Cisco IP phone that was exposed to the Internet and had an unpatched vulnerability may have been used for initial access.


There was also a famous incident you may remember, where a US casino was breached through an internet-connected fish tank thermometer and 10 GB of high-roller data was exfiltrated. That was not a ransomware incident, but it does highlight the exposure created by IoT and other systems that have zero security tooling installed.


Exceptions

What I mean by exceptions is exceptions to your desired security policy. Some of these are accidental, i.e. misconfiguration, which is often cited as the root cause of major breaches. Others are intentional. Everybody has servers or apps that, for business reasons, can't or don't run the full security stack, or need certain security features disabled. Do any of these apply to your organization?

  • Server types like database or Linux servers that don't run endpoint security, or run it with major functionality disabled?

  • Developers who run as admin on their desktops and have admin access to servers and environments?

  • PowerShell, PsExec, or Office macros left enabled because some business activity requires them?


Configuration issues, both intentional and unintentional, create gaps in your posture that are often overlooked or ignored, with their alerts suppressed. Attackers are experts at finding these gaps and exploiting them. It's no surprise that Security Misconfiguration rose from #5 in the 2021 OWASP Top 10 to #2 in the 2025 list.

 

Summary

The reason I focus on the 3 Es is that they are not really defects in your endpoint security tools. The security vendors can't magically fix them with a new feature or patch, because they are architectural and environmental risks.

  

RansomStop is focused on detecting and stopping these types of attacks by detecting changes to your critical data.


For every dollar you spend on your endpoint security product, you can spend a nickel more to harden your mission-critical data, lower your operational risk, and prevent business disruption. As an added bonus, it is simple to install and responds automatically in the event of an attack.




