WatchGuard Blog

Less ransomware, same risk. How can it be prevented?

Just because ransomware attacks have decreased doesn’t mean that the risk has disappeared. Indeed, it remains one of the most disruptive threats to any organisation. 

Headlines can convey a false sense of relief: Ransomware attacks are down 15%, according to Verizon's latest DBIR report. But those of us who work in cybersecurity know that this doesn't tell the whole story, especially when the real issue isn't how often an attack occurs, but what happens when it does.

What happens, in most cases, has a direct and critical impact on business continuity: massive encryption of information in seconds, prolonged service interruptions, and significant financial and reputational losses. Today, an innocent click on a malicious link or a single misconfiguration is all it takes for ransomware to run and spread laterally across the network, overcoming traditional defences before they can mount an effective response. Consequently, the key no longer lies in simply detecting the attack, but in preventing it from running at all.

Reactive approaches are obsolete. In a corporate environment that is increasingly distributed and dependent on cloud applications, proactive protection measures are essential. The critical question is: How can organisations secure their infrastructure in such a dynamic and exposed context?

Evaluate every application, every time it is run, and protect at every step

In cybersecurity, trust is often synonymous with risk, especially when it comes to ransomware. So each application should be evaluated as if it were a threat, and only what has been explicitly validated as safe should be allowed to run. With this in mind, to strengthen endpoint security and reduce the risk of a ransomware attack, three key components need to be taken into account:

  1. Constant monitoring from the cloud:

    Applying a default deny policy on endpoints automatically blocks any process that hasn’t been explicitly validated as safe. This goes beyond simply allowing what “doesn’t look malicious”: only applications that have been actively classified as safe at the moment of execution are allowed to run. This approach is essential against threats such as supply chain attacks, where a legitimate application may change its behaviour after an update. So having cloud technology that can monitor, classify, and update the status of each application in real time is key to blocking threats before they act.

  2. Automatic classification with artificial intelligence (zero trust without overloading the team):

    Manually classifying every application or process running on an endpoint is not only unfeasible in real-world environments, but leads to fatigue, errors, and security breaches. That's why the Zero-Trust Application Service included in WatchGuard EPDR and Advanced EPDR automates this process: each executable is validated in real time from the cloud by an automatic classification service based on artificial intelligence, which combines multiple machine-learning models to analyse it from different perspectives: static, dynamic, and contextual. This classification system is further strengthened by expert human review to ensure optimal accuracy and reliability.

    Unclassified and suspicious processes are automatically blocked before they even run, without requiring manual intervention or mass alerts. This reduces the risk of infection, avoids lateral movement, and frees up the security team so they can focus on truly critical incidents. WatchGuard's zero trust approach isn’t based on trusting what doesn’t appear to be dangerous: it is based on allowing only what has been proven to be safe.
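The difference between "allow what doesn't look malicious" and "allow only what is classified safe" is easiest to see in code. The following is an added simulation, not WatchGuard's code: the classification "cloud" is a constructed in-memory table keyed by the executable's SHA-256, and the supply-chain scenario (a trusted app shipping a tampered update) is constructed to show why the verdict must be checked at every run, not once.

```python
"""Default-deny application control, simulated (added example, not WatchGuard code)."""
import hashlib
from enum import Enum


class Verdict(Enum):
    SAFE = "safe"            # actively classified as goodware
    MALICIOUS = "malicious"  # classified as a threat
    UNKNOWN = "unknown"      # never seen, or analysis not finished


# Constructed stand-in for the cloud classification service, keyed by SHA-256.
CLOUD_CLASSIFICATIONS: dict[str, Verdict] = {}


def fingerprint(binary: bytes) -> str:
    return hashlib.sha256(binary).hexdigest()


def classify(binary: bytes) -> Verdict:
    """Look up the executable's current verdict; anything unseen is UNKNOWN."""
    return CLOUD_CLASSIFICATIONS.get(fingerprint(binary), Verdict.UNKNOWN)


def default_deny_allows(binary: bytes) -> bool:
    """Zero-trust rule: run only what is explicitly classified SAFE right now."""
    return classify(binary) is Verdict.SAFE


def denylist_allows(binary: bytes) -> bool:
    """Traditional rule: run anything not known to be malicious."""
    return classify(binary) is not Verdict.MALICIOUS


def supply_chain_scenario() -> dict[str, tuple[bool, bool]]:
    """Constructed walk-through; returns {stage: (denylist_allows, default_deny_allows)}."""
    CLOUD_CLASSIFICATIONS.clear()
    app_v1 = b"updater-v1: signed, reviewed build"
    CLOUD_CLASSIFICATIONS[fingerprint(app_v1)] = Verdict.SAFE
    # The update changes the bytes, so the fingerprint no longer matches the SAFE
    # entry, and the cloud has not yet classified the new build.
    app_v2 = b"updater-v2: same name, altered payload"
    result = {
        "v1_before_update": (denylist_allows(app_v1), default_deny_allows(app_v1)),
        "v2_unclassified": (denylist_allows(app_v2), default_deny_allows(app_v2)),
    }
    # Later the cloud finishes analysis and flags v2; only now does a denylist catch it.
    CLOUD_CLASSIFICATIONS[fingerprint(app_v2)] = Verdict.MALICIOUS
    result["v2_classified"] = (denylist_allows(app_v2), default_deny_allows(app_v2))
    return result
```

The window between the update landing and the cloud verdict arriving is exactly where the denylist model lets the tampered build run and the default-deny model does not.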

Rapid recovery, minimal impact

When it comes to applications, a zero trust model that automatically monitors, classifies, prevents, and blocks untrusted processes on the endpoint stops threats such as ransomware from running before they have an impact, even if they are new or not yet catalogued. Being 100% managed and automated with AI, WatchGuard's Zero-Trust Application Service helps organisations protect themselves proactively without overloading their IT and security teams: it reduces their operational burden, ensures continuous protection, and accelerates detection and response.

In addition, other ransomware recovery mechanisms are also key to having a robust endpoint security strategy. With Shadow Copies, for example, companies can generate automatic copies of their files to restore them to their previous state in the event of an attack. 

In summary, if your goal is to maximise protection against ransomware ‒ one of the most persistent and damaging cybersecurity threats ‒ WatchGuard EPDR and Advanced EPDR offer a superior combination of prevention, detection, and response.

Thanks to their zero trust approach and artificial intelligence-based automation, these solutions can block attacks before they are run, reduce the risk of infection and downtime, and significantly accelerate incident identification, containment, and mitigation.

In an environment in which every second counts, proactive and automated protection makes all the difference.