If you can't prevent ransomware, the next best thing is detecting it quickly. Up to 85 percent of victim organizations had up-to-date antivirus programs (and other traditional defenses) and still got successfully exploited by ransomware. In this chapter, the best ways to detect ransomware are discussed in an attempt to stop it immediately or to mitigate its spread and damage.

Why Is Ransomware So Hard to Detect?

Many people are surprised to learn that ransomware is so successful in organizations with all the traditional defenses enabled. Most organizations hit by ransomware had up-to-date antivirus, firewalls, content filtering, and all the normal defense controls we are all told we need in order to successfully defend against hackers and malware. There are more than a handful of reasons why ransomware can be so successful in environments you would expect to be well protected. Later in this chapter, we discuss some of the reasons why even well-defended organizations are breached.

First, antivirus and endpoint detection and response (EDR) software has never been 100 percent accurate, no matter what the ads say. Nothing in the computer defense world is both easy and 100 percent accurate (more on this later). These days it is incredibly hard for any antivirus vendor to keep up with the many millions of new malware programs created each year. It's not that there are truly millions of completely new, unique malware programs being created each year; ...