Defending Against Ransomware Means Preventing It

With the increasing rate of ransomware attacks, it isn't a matter of if you will experience an attack, but when. As reported by Threatpost, the global volume of ransomware rose to 304.7 million in the first six months of 2021. That’s 0.1 million more than the total number of attack attempts recorded by security researchers in all of 2020. Organizations need to be on the offense when it comes to defending against ransomware attacks. But what does “ransomware defense” mean exactly and what does it look like in practice? Let’s break it down.

Understanding the Costs of a Ransomware Attack 

In Ransomware: The True Cost to Business, Cybereason observed that a ransomware attack inflicts multiple points of damage against a victim. These costs make defending against ransomware difficult once an attack has begun. 

Consider the following findings from Cybereason’s study: 

  • Two-thirds of respondents indicated that their organization had lost significant revenue following a ransomware attack. 
  • More than half (53%) of survey participants reported that a successful ransomware attack had damaged both their brand and their reputation. 
  • Close to a third (32%) of organizations revealed that they had lost C-Level executives as the direct result of a successful ransomware attack. 
  • A slightly lower proportion (29%) of survey respondents found themselves in a position where they needed to lay off employees due to the financial pressures that they had incurred following a ransomware infection. 
  • About a quarter (26%) of organizations wrote that a ransomware attack had forced them to temporarily suspend operations at their business. 

Paying the ransom didn’t alleviate the costs for victims. Sometimes, victims couldn’t recover their information even after paying the requested ransom. Nearly half (46%) of respondents in Cybereason’s survey said that they had regained access to their data after fulfilling a ransom demand but that the attack had left some or all of their data corrupted. Only 51% of victims regained access to all their data without any data loss after paying the ransom, while three percent didn’t restore any of their data following payment. 

Other times, complying with a ransomware attacker’s demands just made things worse by inviting follow-up attacks. Of those organizations that told Cybereason they had paid the ransom, for example, four-fifths said they had incurred another ransomware attack. Nearly half (46%) of those respondents believed that the attack originated from the same attackers. Meanwhile, 34% articulated their belief that the attack had originated from a different ransomware group.  

Follow-up attacks aren’t uncommon with ransomware actors. As I noted in my article on double extortion, digital attackers don’t always honor instances in which victims pay the ransom for the deletion of their stolen data. Security researchers observed some gangs re-extorting victims for the same data just weeks after receiving a ransom payment—all to collect even more money. Other ransomware gangs went ahead and posted a victim’s stolen information on their data leaks website despite having already collected payment. 

Understanding Ransomware Defense

So, what do Cybereason’s findings mean when it comes to defending against ransomware? They highlight how organizations can best defend against ransomware by trying to prevent an infection from occurring in the first place. One way to do this is to reduce the risks associated with phishing emails by investing in a security solution that scans their incoming email messages for IP addresses, campaign patterns, and other threat behaviors. If the solution conducts its analysis in real time, it will also ensure that organizations can remain protected without suffering extended business disruption. 

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) agrees with the need to implement an email filtering solution to prevent phishing, but they have also issued a list of other promising recommendations to prevent ransomware attacks: 

  1. Apply best practices when using RDP / remote desktop services to prevent attackers from using this as a common entry point. 
  2. Regularly scan and audit for network vulnerabilities – CISA offers various no-cost scanning services. With email being one of the most common threat vectors for ransomware (if not the most common), you can also conduct an email security audit to help source and remediate potential vulnerabilities quickly. 
  3. Keep all software up to date, including operating systems, servers, applications, anti-virus and anti-malware software, and any other software that can be abused to gain access to your network. 
  4. Secure all devices (laptops, mobile phones, etc.) that have access to your network and ensure they follow company security policies. 
  5. Employ multi-factor authentication (MFA) rather than allowing users to log in with a password alone. 
  6. Implement a cyber security awareness training program so that employees know the risks of working in a digital world. 
  7. Manage access properly, for example by limiting privileged accounts and developing an allow list for applications. 
  8. Have a robust data backup strategy in place that backs up your data regularly – this won’t necessarily prevent ransomware threats, but it will surely help you recover data from any point in time if the need arises. 

You can read CISA’s full recommendation on ransomware-caused data breaches here or continue reading about other ransomware topics by navigating to the Secure Modern Workplace blog series.