#HowTo: Protect Your Organization From the Increasing Threat of Ransomware

We all know ransomware attacks pose a serious – sometimes even fatal – threat to businesses. Big-name attacks have dominated headlines, but the scale and depth of the problem are perhaps less clear to some. In a major survey of 2200 IT decision-makers, CrowdStrike discovered that more businesses than ever – 32% of all those surveyed – were attacked multiple times in 2021 alone, with a further 25% having been attacked just once in the same period. Only 23% said they have not yet experienced a ransomware attack. This untouched proportion is down a massive 10% since the same questions were asked in 2020.

Industry pundits often blame COVID-19 – emergency changes to protocols, ungoverned devices and remote working – for the ransomware crime wave. That made sense twelve months ago, comparing 2020 with 2019, and indeed bore some responsibility for the cybercrime wave in that period. But the difference in working conditions between 2020 and 2021 was relatively small. One would expect businesses to have achieved some maturity in dealing with remote connections and offsite security.

In fact, the pandemic did provide an opportunity for cyber-criminals to grow in experience and sophistication. That growth led to continued confidence and development in criminals’ tradecraft moving forward. Thus, acceleration in cybercrime has become decoupled from the pandemic, having achieved its initial boost. Meanwhile, organizations have frequently failed to catch up, and the range of threats has expanded.

This increased confidence is reflected in the size of the ransoms asked, which has increased by 63% in a single year to an average of $1.79m, according to the survey. Similarly, the likelihood of multiple attacks against the same targets has increased, either through separate breaches or further extortion attempts beyond the initial ransom. Paying up the ransom might sometimes seem the only available option, but it is almost always the wrong choice: 96% of organizations that pay an initial ransom are extorted for further sums equating to $792,493 each, on average. New forms of attack – particularly those conducted through third-party software and its components, such as supply chain attacks – have become more prevalent, thanks to the efficacy with which they have often managed to side-step conventional defenses.
So how should businesses respond in this ever bleaker threat landscape? The first part of the response should be a reassessment of the company’s technology armory. Old-school, signature-based antivirus applications are no longer a viable countermeasure: they are entirely ineffective against the targeted, malware-free types of attacks that have become most prevalent in recent years. Next-generation tools do detect these types of attacks, because the focus has moved on to detecting characteristics and behaviors and to mining vast amounts of data in the cloud for anomalies and spreading events.

Alongside endpoint detection and response tools, organizations need to deploy a suite of connected tools that complement these and fill the gaps in their capabilities. We know, for example, that many attacks begin with legitimate but stolen credentials and are undetectable as hostile using conventional means. Thus, authentication based on usernames and passwords alone is inherently suspect. Companies should therefore be investing in MFA and taking this further with zero trust architectures and solutions, so that every user and agent on the network remains under scrutiny even after initial authentication. A bad actor with stolen passwords might lie low for months after gaining access, but systems need to be ready to react immediately when they break cover.

Similarly, endpoint detection and response needs to be extended to cover everything that isn’t a conventional endpoint – cloud servers, connected printers and screens, mobile devices, etc. This calls for both cloud-specific security solutions and an extended detection and response (XDR) implementation. Yet these added technologies need to work together. A plethora of notifications and reports from different solutions won’t improve an organization’s security posture but rather compromise it, because it becomes too hard to see the one vital alert that needs urgent action from a human administrator.

Finally, speaking of humans, we should never disregard their importance in maintaining cybersecurity and creating resilience in organizations. The current state of advanced cybersecurity technology is largely very good, and considerable automation is available. Yet, even as a technology supplier, we’re honor-bound to say that over-reliance on technology is always a mistake. The survey shows organizations are becoming slower to respond to threats than has historically been the case. It seems likely that this over-reliance on technology, creating an expectation that nothing bad will happen, is to blame here, and it is turning serious security issues and events, which should be manageable, into full-blown crises.

Trained and experienced people still underpin everything. On the vendor side, human experts continually feed and refine AI models, conduct threat intelligence analysis, respond in person to events and test systems for their vulnerabilities. In organizations, people-driven policies and processes are still vital to avoiding and surviving attacks: passwords need to be safe and secured; devices need to be physically secured; disaster response and recovery need to be tested rigorously, emulating the conditions likely after an attack. While cybercrime has evolved and become stronger, so has our range of defenses: organizations need to rigorously and proactively implement the full range of security and resiliency practices to be effective.