Ransomware: Fail to Prepare, Then Prepare to Fail

As ransomware threats become more frequent, targeted and ruthless, Gavin Knapp, Cyber ​​Defense Technical Lead at Bridewell, explains why business leaders can’t afford to rely solely on cyber insurance as a silver bullet.

Ransomware is now an inescapable business problem. What started out as a relatively opportunistic method of extorting money from individuals and organizations has morphed into a complex and sophisticated attack mechanism, from skilled human actors who will do whatever it takes to achieve their goals.

As a result, the dynamics are changing within companies. Where security teams used to compete for the attention of the board, it is now the board that actively engages security teams. The evolution of ransomware has highlighted the importance of cyber resilience – and companies are stepping up and increasing their security budgets in response.

However, as always, more can be done. A new study from Bridewell reveals that only a minority of critical national infrastructure organizations in the UK implement critical measures to protect, detect and respond to ransomware. This suggests that some companies may rely on reactive measures to help offset the damage caused by an attack. But as ransomware becomes more frequent, targeted and ruthless, business leaders must look beyond the silver bullet of cyber insurance. It pays to have a plan – and there are clear steps organizations can take now to ensure they are better protected against this persistent threat.

How did ransomware evolve?

Ransomware is a threat that has been in the works for decades. Traditionally, attackers have capitalized on human error to breach an organization’s defenses, but the rise of human-operated (HoR) ransomware now sees criminal groups quietly infiltrating organizations for long periods of time before attacking. exfiltrate data and launch debilitating attacks on data and systems. Several initial attack vectors are now used to gain access to victim organizations, including exploiting vulnerabilities in external systems, compromising the supply chain, using initial access brokers, stealing information from identification and phishing.

Once inside, attackers typically escalate privileges, install persistence, steal credentials, and repeat the process as they move laterally through the environment. Finally, they will execute their goals, which are to steal and encrypt data, before extorting the victim. Unlucky victims can sometimes find themselves in a double extortion scenario where they end up paying twice; once to decrypt the files and a subsequent payment to prevent confidential data from becoming public.

Ransomcloud is also on the rise. These attacks exploit weaknesses or legitimate features of cloud resources to deploy malware, encrypt data, and extort money from organizations. As more businesses embrace the cloud to improve efficiency and operational agility, security risks inevitably increase. Organizations that rush headlong into the cloud without designing secure cloud services are particularly vulnerable to attack.

Any ransomware attack can lead to significant data loss and operational downtime for businesses. To stay ahead of a growing threat landscape, security strategies need to be built on a stronger foundation than cyber insurance alone.

Strengthening defenses against ransomware

Many organizations are realizing the need to prioritize and plan to mitigate the threat of ransomware. However, opportunities for improvement remain. The Bridewell study revealed that only 36% of them have a security information and event management (SIEM) platform, a crucial tool for detecting and alerting against intruders. Additionally, only 43% have technical controls in place to prevent unauthorized access and prevent deletion, overwriting or encryption of key directories and files. And while no one likes to think about those tough times immediately after a cyberattack, more than half (62%) don’t even have a plan to make a decision on whether to pay the ransom.

But the picture is not all bleak. Organizations have the opportunity to strengthen their cybersecurity posture in the face of these growing threats. The first step is to educate end users about the evolving risks of ransomware, how they work, how they can be mitigated, and how any incidents should be reported.

With education in place, organizations must implement the technology necessary to identify opportunities within the kill chain to detect adversary activity and then expel it from the environment. This includes robust endpoint, email and cloud application detection and response capabilities, backed by a central SIEM platform and a managed detection and response (MDR) service that monitors alerts around the clock and 7 days a week and implements an automated response if necessary. This proactive and multifaceted approach will go far beyond the reactive limits of cyber insurance and should be augmented by threat intelligence services to provide early warning of an attack.

The correct answer is essential

A solid cyber strategy should not rely solely on detection. How a business reacts to a breach is also critical in defining the success of its security posture. When defenses fail and operations are threatened by a ransomware attack, organizations that already have a clear and effective incident response plan in place have the best chance of mitigating the damage. The incident response plan should be tested and ideally executed on the table to ensure everyone is aware of the plan and their individual responsibilities. It is also essential that a robust IT disaster recovery plan is in place and regularly tested. Backup controls should be protected using approaches such as backup segmentation, strong authentication requiring multi-factor authentication, backup pins, or dual authorization mechanisms to prevent backups from being disabled or overwritten .

Having a robust data protection strategy is equally essential. Strong data governance practices ensure that key data remains in known, risk-assessed locations, with measures in place to provide quick access to data. In some cases this may prevent the attacker from gaining access, but if the worst case happens and he does get in, it may slow the attacker down until the incident response capability can identify and contain the threatens.

To pay or not to pay?

Finally, the question of whether to pay the ransom should be considered. This decision should not be taken lightly. The legal and ethical implications of payment must be addressed and assessed long before the actual criminal act takes place. Data can help organizations make the right decision on this contentious issue: weighing the lost operational cost per day against the cost of paying the attacker can provide much-needed clarity, while the level of confidence in being able to bring systems back be a factor in the decision-making of many organizations.

As the risk of ransomware mounts, preparation must take center stage. Basic cybersecurity hygiene practices, such as asset inventory, configuration management, application control, endpoint protection, regular testing and patching of all Internet-connected systems, and network segmentation, still have an important role to play. However, organizations need to plan for all eventualities. The security and success of every organization will depend on its ability to predict, prevent, detect and respond to ever-evolving ransomware threats.

Click below to share this article

Mary I. Bruner