Ransomware is a common threat most companies face today. While the relevant departments should take steps to combat and even prevent ransomware, decision-makers should understand the threat at a high level. Here, Ray Steen, CSO, MainSpring, answers a few questions about ransomware.
Ransomware has become one of the most widespread and damaging threats facing businesses today. According to Verizon’s 2022 Data Breach Investigations Report (DBIR), ransomware incidents rose 13% year over year, an increase as large as the previous five years combined.
According to a survey of 1,100 cybersecurity professionals, 80% of organizations were impacted by ransomware in 2021 — in 2022, there will be more.
As threat actors grow more sophisticated, adopting double-extortion models (encrypting the victim's data and also threatening to leak a stolen copy) and techniques for evading protective controls, ransomware can shut down small businesses, infiltrate government organizations, take down critical infrastructure and threaten national security.
In light of these facts, it goes without saying that today’s cyber defenders must be prepared to protect their organizations from ransomware. Meanwhile, executives and decision-makers need to understand the threat at a high level and what their organization needs to survive. In this article, we answer key questions surrounding ransomware and ransomware defense.
The best response to ransomware is to prevent it from ever entering your network. The next best response is to stop the attack in its tracks. However, on average, cyber defenders have less than an hour to neutralize a ransomware attack in progress before files become inaccessible.
When every minute counts, having a response playbook on hand can mean the difference between rapid recovery and a costly disaster situation. Today, organizations need to pivot from reaction to prevention. By the time ransomware hits, it is too late to do anything unless you have planned for the event.
Whether ransomware is present on more than one endpoint matters because operations cannot safely resume until it has been eliminated from every system on the network. If it is removed from every system except one, or the foothold that let the operator in (stolen credentials, a remote-access tool) is left in place, it will likely spread from there back to the others.
As soon as an attack is detected, the first step is to isolate affected endpoints from the network (pull the cable, disable Wi-Fi, or quarantine them through the EDR console) to stop the spread and buy defenders time. Power a system off only if it cannot be isolated: shutting it down destroys volatile memory, which may hold encryption keys and evidence investigators need. From there, investigation can proceed in several directions depending on what the organization has invested in. Endpoint detection and response (EDR) tools record activity that can be analyzed centrally; a security information and event management (SIEM) system will flag suspicious events that may signal ransomware moving between endpoints.
In general, signs of ransomware activity include unexpected outbound file transfers and an unusual volume of file renames, typically many files acquiring the same new extension; ransom notes written into many directories, deletion of volume shadow copies and disabled security tooling are further indicators. If an endpoint shows any of these signs at the time of a ransomware incident, organizations should proceed on the assumption that it has been compromised. If network data is unclear or unavailable, they should scan potentially affected devices before bringing them back online.
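As an added illustration that is not part of the original article or MainSpring's own tooling, the following Python script applies the two indicators described above to a small constructed event log: a burst of renames that all land on one new extension, and an unusually large outbound transfer from the same host. The pipe-separated log format, host names, addresses, thresholds and the `.lk7` extension are assumptions standing in for whatever an EDR or SIEM exports.

```python
"""Flag hosts whose file and network events look like ransomware in progress.

Added example, not code from the article. Scores two indicators over a
constructed event log. Log format, hosts, addresses and thresholds are
assumptions; map them to your own EDR/SIEM export.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)      # sliding window evaluated per host
RENAME_BURST = 20                   # extension-changing renames per window
EXT_DOMINANCE = 0.8                 # share that must land on one new extension
NET_OUT_BYTES = 100 * 2**20         # 100 MiB outbound per window
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """'<ts>|<host>|rename|<old>|<new>' or '<ts>|<host>|net_out|<dest>|<bytes>'."""
    ts, host, event, *detail = line.split("|")
    return datetime.strptime(ts, TS_FMT), host, event, detail


def new_extension(old_path, new_path):
    """Extension a rename introduced, or None if the extension did not change."""
    old_ext = os.path.splitext(old_path)[1].lower()
    new_ext = os.path.splitext(new_path)[1].lower()
    return new_ext if new_ext != old_ext else None


def detect(log_text):
    """Return {host: [alert, ...]} for every host that trips an indicator."""
    per_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        per_host[ev[1]].append(ev)

    alerts = defaultdict(list)
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        fired = set()                   # one alert per indicator per host
        j = 0
        for i in range(len(events)):
            while j < len(events) and events[j][0] - events[i][0] <= WINDOW:
                j += 1
            window = events[i:j]

            exts = Counter(new_extension(*e[3]) for e in window if e[2] == "rename")
            exts.pop(None, None)        # renames that kept their extension
            renames = sum(exts.values())
            if renames >= RENAME_BURST and "rename" not in fired:
                ext, n = exts.most_common(1)[0]
                if n / renames >= EXT_DOMINANCE:
                    alerts[host].append(f"rename burst: {renames} files renamed in "
                                        f"{WINDOW.seconds}s, {n} of them to '{ext}'")
                    fired.add("rename")

            out_bytes = sum(int(e[3][1]) for e in window if e[2] == "net_out")
            if out_bytes >= NET_OUT_BYTES and "net_out" not in fired:
                alerts[host].append(f"outbound transfer: {out_bytes // 2**20} MiB "
                                    f"in {WINDOW.seconds}s")
                fired.add("net_out")
    return dict(alerts)


def build_sample_log():
    """Constructed telemetry for two hosts; not real data."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # ws-17: 150 MiB pushed to an unfamiliar address (double-extortion staging),
    # then 30 spreadsheets rewritten with one new extension within 30 seconds.
    stage = base - timedelta(minutes=5)
    lines.append(f"{stage:{TS_FMT}}|ws-17|net_out|203.0.113.5|{150 * 2**20}")
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f"{t:{TS_FMT}}|ws-17|rename|/srv/share/finance/report_{i:02}.xlsx"
                     f"|/srv/share/finance/report_{i:02}.xlsx.lk7")
    # ws-04: a user tidying files (extension unchanged) and a small upload.
    for i, name in enumerate(["draft.docx", "notes.txt", "photo.jpg"]):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:{TS_FMT}}|ws-04|rename|/home/u/{name}|/home/u/old_{name}")
    lines.append(f"{base:{TS_FMT}}|ws-04|net_out|198.51.100.20|{2 * 2**20}")
    return "\n".join(lines)


if __name__ == "__main__":
    for host, found in detect(build_sample_log()).items():
        for alert in found:
            print(f"{host}: {alert}")
```

Run as written, the script flags ws-17 twice (the staging transfer, then the rename burst) and says nothing about ws-04. Batch jobs such as archive rotation or build servers also rename many files at once, which is why the check insists that most renames land on a single new extension; in practice you would also allowlist hosts that legitimately behave this way and tune the thresholds against a week of baseline telemetry.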
To build resilience against ransomware and other forms of cyberattack, organizations should have a data backup system in place that is air-gapped or otherwise isolated from the main network. Cloud storage is a good option, but a cloud share or sync folder that a compromised workstation can write to will be encrypted along with everything else; cloud backups protect against ransomware only when the copies are immutable or versioned and are reachable only through separate credentials that the production environment does not hold. More traditional forms of on-site or off-site storage (tape and disk) also work well.
Backups should also be performed frequently. How frequently depends on the organization's Recovery Point Objective (RPO), the amount of recent data it can afford to lose, but every 12 to 24 hours is common. Finally, organizations should perform a test restoration at least once a year, and after any change to the backup platform, to confirm that the backup system works and that files can be restored within a reasonable time frame.
Schofield’s Second Law of Computing states, “data isn’t real unless it exists in two places.” Given the business risk of data loss, every business should already have a regular backup system in place, and those backups should be quickly accessible and restorable.
Ideally, restoring the most critical files for business operations will take minutes to hours, and restoring all files will not take more than a few days. Unfortunately, the speed of networks and long-term storage media impose a hard limit on how fast full restorations can actually be performed.
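To make the test-restoration advice above concrete, here is an added Python example (not code from the article or from MainSpring) that archives a constructed data set together with a SHA-256 manifest, lets a stand-in for ransomware wreck the live copy, and then performs the restore test: extract into a scratch directory, compare every file against the manifest, and time the restore against a recovery time objective. The paths, file contents and five-minute RTO are assumptions for illustration.

```python
"""Back up, then prove the backup restores.

Added example, not code from the article. Paths, sample files and the RTO
are assumptions.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

RTO_SECONDS = 5 * 60        # assumed recovery time objective for this data set


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source, backup_dir):
    """Archive source/ and write a manifest of '<sha256>  <relative path>' lines."""
    archive = backup_dir / "backup.tar.gz"
    manifest = backup_dir / "backup.sha256"
    with tarfile.open(str(archive), "w:gz") as tar:
        for child in sorted(source.iterdir()):
            tar.add(str(child), arcname=child.name)
    entries = [f"{sha256_file(p)}  {p.relative_to(source).as_posix()}"
               for p in sorted(source.rglob("*")) if p.is_file()]
    manifest.write_text("\n".join(entries) + "\n")
    return archive, manifest


def read_manifest(manifest):
    expected = {}
    for line in manifest.read_text().splitlines():
        digest, rel = line.split("  ", 1)
        expected[rel] = digest
    return expected


def verify_tree(root, expected):
    """Compare files under root with {relative path: sha256}; return (mismatched, extra)."""
    actual = {p.relative_to(root).as_posix(): sha256_file(p)
              for p in root.rglob("*") if p.is_file()}
    mismatched = sorted(rel for rel, digest in expected.items() if actual.get(rel) != digest)
    extra = sorted(set(actual) - set(expected))
    return mismatched, extra


def restore_check(archive, manifest, rto_seconds):
    """Restore into a scratch directory and check completeness, integrity and time."""
    expected = read_manifest(manifest)
    # Reject archive members that would escape the destination where the
    # tarfile filter feature exists (3.12+, or older releases with the backport).
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp)
        start = time.monotonic()
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(str(scratch), **opts)
        elapsed = time.monotonic() - start
        mismatched, extra = verify_tree(scratch, expected)
    return {"files": len(expected), "mismatched": mismatched, "extra": extra,
            "seconds": round(elapsed, 3),
            "passed": not mismatched and not extra and elapsed <= rto_seconds}


def run_demo():
    """Constructed walk-through: back up, lose the live copy, test-restore from the vault."""
    with tempfile.TemporaryDirectory() as tmp:
        live, vault = Path(tmp) / "live", Path(tmp) / "vault"   # vault = isolated storage
        vault.mkdir()
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "Q1.xlsx").write_bytes(os.urandom(4096))
        (live / "finance" / "ledger.csv").write_text("date,amount\n2024-01-02,100\n")
        (live / "README.txt").write_text("constructed sample data set\n")
        archive, manifest = make_backup(live, vault)

        # Stand-in for ransomware: overwrite every live file and rename it.
        for p in list(live.rglob("*")):
            if p.is_file():
                p.write_bytes(os.urandom(p.stat().st_size))
                p.rename(p.parent / (p.name + ".locked"))

        live_mismatched, _ = verify_tree(live, read_manifest(manifest))
        result = restore_check(archive, manifest, RTO_SECONDS)
        result["live_files_lost"] = len(live_mismatched)
        return result


if __name__ == "__main__":
    print(run_demo())
```

In production the archive and manifest would sit on storage that production credentials cannot modify, and the restore would be timed over the real network link and from the real media, since that is where the hard limit on full restoration speed comes from. The manifest also gives you a way to confirm that the copy you are about to restore is the clean one and not a backup taken after encryption had already started.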
A business continuity plan is something every organization should have long before a ransomware attack hits. Without one, mobilizing quickly enough to restore business functionality without a long-term impact on revenue and operations is nearly impossible.
Business continuity plans, together with the incident response plan, establish how defenders will respond in the immediate aftermath of a ransomware incident; they also record the business impact analysis, the maximum tolerable downtime and the recovery time objective for each system. Making these decisions ahead of time saves precious hours in a disaster scenario and gives the business a fighting chance to recover and resume operations quickly.
Paying the ransom should be a last resort. In the first place, ransom fees can be exorbitant, approaching $1 million in 2022, according to Palo Alto Networks. Furthermore, today’s ransomware actors are charging extra to avoid leaking any data stolen from businesses.
Second, paying ransomware actors encourages them to continue their activities. It also paints a target on your back, with 68% of successfully extorted ransomware victims being targeted a second time the same month as their first attack, according to Cybereason.
Finally, businesses rarely get all of their files back after paying a ransom — a study from Tripwire shows that only 4% of all organizations who paid a ransom in 2020 got all of their data restored, with some only getting 61% of their data back.
“Never pay the ransom” is a good principle. But in the real world, when highly valuable data is at stake, paying may be the only option an organization has to recover its data. That decision should involve legal counsel, the cyber insurer and law enforcement, because a payment to a sanctioned group can itself break the law (the US Treasury's OFAC has issued advisories to this effect). If the organization does pay, it should acquire cryptocurrency through a reputable and insured exchange like Coinbase.
Ideally, businesses will transfer a certain amount of cryptocurrency to a password-protected wallet for emergency use ahead of time. But when time is of the essence, they can make payments directly through their exchange.
Many businesses are currently adopting zero-trust architectures (ZTAs). A ZTA grants no implicit trust based on network location: every user, device and application must authenticate and be authorized for each resource it reaches, typically with multi-factor authentication, device health checks and least-privilege access, and the network is segmented so that one compromised host cannot reach everything else. Although it may be seen as a radical upgrade, zero trust is a significant barrier to lateral movement and therefore to many forms of malicious activity, ransomware included.
On the horizon, AI and machine learning show promise for threat detection that can learn in real time from changing tactics, techniques and procedures (TTPs) in the developing cyber landscape. Organizations should be willing to share threat intelligence with upstream vendors and cybersecurity providers to help them develop better ML-driven security tools.