Hacker News
by Veserv 1866 days ago
You are both correct and incorrect. By following simple procedures you can likely stop the majority of ransomware attacks that have occurred recently, but that is because most of the ransomware attacks were likely done with a budget on the order of $1k-$10k since that is all you need to get a $1M payout from these organizations. No point in running a Mission Impossible-style attack when walking in the front door works just as well.

The problem is that they are getting $1M payouts on a $10k budget. That is a staggering ROI of 100! If you could magically improve the security of every system on the market by 1000% you would wipe out the current forms of attack, but it would still be insanely profitable to run $100k attacks to get $1M payouts. To actually stop attacks from continuing to escalate exponentially at their recent pace of >100% per year that any VC darling would be proud to achieve, you need to make it cost more on average to attack than they can get.

We are literally orders of magnitude away from that in the average case at current returns. And even worse, returns per attack keep escalating. Just 4 years ago during WannaCry the ask was $300 per computer, which can be a painful chunk of change for an individual, which is who most ransomware attacks were targeting before, but nothing for any company. They were attacking companies for ~$10k payout and still making enough money to expand their operations doing it.

As the focus has moved to industry, the payouts have increased exponentially since there are many companies whose operations are so valuable that they are willing to pay millions or tens of millions or even hundreds of millions per day. At those payouts there are 0 commercial IT systems that can make attacks unprofitable. So, when those attacks become the ones with the best risk-adjusted ROI you better believe they will occur. And when the attackers have a $10M budget, simple defenses and techniques that worked on $10k attacks will not work because the attackers will have literally 100,000% more resources at their disposal, in much the same way that defenses that work against a rock thrown at 10 m/s do not work against an ICBM traveling 1000x faster at Mach 30.

So yes, simple mitigations would stop the simple successful attacks now, but do not solve the actual problem that it would still be profitable to attack even if they were all implemented everywhere since payouts are so much higher than cost.