How to Build a Ransomware Security Strategy


In News by Adam Porroni

Cyber attackers are becoming more aggressive about their ransomware activities. We’ve recently seen these bad actors not just locking data — be it corporate IP or customers’ private information — but also threatening to copy it and leak it on the internet. In fact, it seems to have already happened: the criminals behind Maze ransomware released a link to a purported 700MB of linked files from security staffing firm Allied Universal, according to BleepingComputer. With that in mind, here is how to build a ransomware security strategy.

The SophosLabs 2020 Cyber Threat report warns that attackers will make ransomware even more dangerous with automated active attacks. In these cases, the criminals use system management tools trusted by the business to evade security monitoring measures and ban backups with the greatest impact in the shortest time.

Even more reason to feel unease: Ransomware-as-a-service is making it easier and cheaper for cybercriminals to launch attacks on targets. Consider the capabilities of cloud-based aggregation tools and analytics tools: They can process large amounts of data and offer insights based on that data — and at a relatively low cost. Now, imagine how similarly advanced tools could enable criminals to spread ransomware and launch other low-cost attacks.

And there’s always the risk that attackers won’t unlock your files even if you’ve paid the ransom — which many companies do. One report noted that 45 percent of U.S. companies that experienced a ransomware attack paid off the hackers, but only 26 percent had their files unlocked. So whether you’re part of the 55 percent that don’t pay, or you’re part of the majority of companies that don’t get their files unlocked, there’s a significant chance your company will not fully recover from the attack.

In addition, businesses must account for recovery time. Whether your company has a backup or is successful in getting the files unlocked, you’ll have to spend valuable time restoring those files — ultimately adding to your downtime.

The price of ransomware is getting higher, too. Average ransomware payments in the last three months of the year more than doubled from the previous quarter, from $41,198 to $84,116, according to a recent study. On average, a ransomware attack cost victim organizations 16.2 days in downtime, and overall, ransomware cost businesses more than $75 billion last year. And there’s nothing keeping these costs from continuing to rise.

Small businesses, which tend to spend less on security, are big targets; more than 40 percent of cyber-attacks are aimed at them. The 300 or so employees of telemarketing firm The Heritage Company found themselves without jobs right before Christmas because the company had to suspend operations due to the effects of a ransomware attack. It cost the company hundreds of thousands of dollars.

It’s clear that ransomware poses a serious risk to companies, so here’s what you can do to protect your business from these threats.

Build a Comprehensive Resiliency Strategy

Conventional wisdom says that performing backups will help your business survive a ransomware attack. That’s true, but there’s room for error. For example, your backups may not be scheduled to take place daily, so any new data wouldn’t be accounted for. Or, a backup could fail to restore, or the restoration time may exceed the maximum downtime the organization can sustain. And to add to the challenge, ransomware authors are increasingly targeting backups — for encryption, prevention, or destruction — as part of the attack, as they understand that backups are often a company’s primary ransomware defense and response. So, ultimately, a backup isn’t enough.
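The three backup failure modes named above (a backup that is too old, a backup that fails to restore, and a restore that takes longer than the business can tolerate) can all be checked by a scheduled restore drill. The sketch below is an added example, not part of the original article; the function names, the hash-manifest format, and the RPO/RTO thresholds passed in are assumptions chosen for illustration.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large restores do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def restore_drill(archive, manifest, backup_time, now, rpo_seconds, rto_seconds):
    """Return a list of findings; an empty list means the drill passed."""
    findings = []
    if now - backup_time > rpo_seconds:            # backup too old: newer data is lost
        findings.append("rpo_exceeded")
    # Reject unsafe archive members where the interpreter supports extraction filters.
    safe = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as dest:    # scratch area, never production
        try:
            with tarfile.open(str(archive)) as tar:
                tar.extractall(dest, **safe)
        except (tarfile.TarError, OSError):
            return findings + ["restore_failed"]
        for name, expected in sorted(manifest.items()):
            restored = Path(dest) / name
            if not restored.is_file():
                findings.append("missing:" + name)
            elif sha256_file(restored) != expected:
                findings.append("modified:" + name)
    if time.monotonic() - started > rto_seconds:   # slower than tolerable downtime
        findings.append("rto_exceeded")
    return findings

def make_sample_backup(workdir):
    """Constructed sample data: two small files in a gzip tar, plus their hashes."""
    src = Path(workdir) / "src"
    src.mkdir()
    files = {"ledger.csv": b"id,amount\n1,100\n", "crm.db": b"constructed sample"}
    archive = Path(workdir) / "backup.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        for name, data in files.items():
            (src / name).write_bytes(data)
            tar.add(str(src / name), arcname=name)
    return archive, {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
```

For the hash comparison to mean anything, the manifest should be stored separately from the backup it describes, since the article notes that attackers target backups directly.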

Most businesses also employ early detection solutions, which can help — but it’s important to recognize that like any other system, these may fail to catch signs of an attack.

In the case of an attack, you don’t want to be so consumed by fear that you make a payment faster than you can verify how far the attack has gone in your systems or what impact it has had on your data. That’s why these components are just part of a comprehensive resiliency strategy to keep ransomware at bay and prevent it from taking a financial toll on your business.

A Checklist of What to Do

An intelligent and comprehensive approach to dealing with ransomware attacks will prepare your company for such an event, enabling you to be focused and calm during the attack. Employing the right methods and technology can even help you catch the signs of an attack before the criminals catch you, so you can minimize damage and recover quickly.

Put these steps at the top of your resiliency checklist:
  • Find your weaknesses. ISACA, the independent non-profit organization that provides research, education, and certifications for information governance, control, security, and audit professionals, recommends that all stakeholders — not just IT — be part of the risk assessment process. It is essential to create a cross-executive or cross-department strategy. Management must identify the data that is most valuable to the organization, and the storage mechanisms of that data and their associated vulnerabilities. In addition, IT should understand the relative significance of different sets of systems, applications, data, storage, and communication mechanisms.
  • Create a security program strategy based on that assessment. The assessment “should be able to produce a quantitative statement about the impact of the risk and the effect of the security issues, together with some qualitative statements describing the significance and the appropriate security measures for minimizing these risks,” according to ISACA.
  • Follow the strategy to build out a security program that covers threat intelligence, evaluation, optimization, and policies. Rather than deploying individual tech security components in pieces, your security program should take a holistic approach, from technology coordination to employee guidelines. In its list of the top 20 security controls, the Center for Internet Security recommends implementing a full security stack that includes continuous vulnerability management, malware defenses, backup processes that include restoration testing processes, penetration testing, monitoring and analysis of audit logs, and need-to-know controlled access. In addition, companies should establish employee guidelines that keep doors closed to common ransomware infiltration methods. Employees should be educated about how to identify phishing emails, for instance, to avoid clicking on links or opening attachments in unsolicited communications.
  • Have an incident response plan. A good start for a strong plan is to ensure that it will cover all critical applications and data. You then must consider factors such as how you will identify the origin and scope of the incident and whether it is still ongoing; how you will contain its impact; how you will eradicate the vulnerabilities that have permitted its ingress; how you will restore data; and how you will respond to any necessary regulatory or contractual obligations. It should specify how or if you will negotiate with hackers. And, it should include a plan to review your response — both strengths and weaknesses — after an incident.

It can help to regularly review the No More Ransom project, which has created a repository of keys and applications that can decrypt data locked by different types of ransomware, and it adds new keys and applications as soon as they are available.

  • Buy ransomware insurance. This can cover the financial losses that occur as a result of the incident, as well as negotiators to handle hackers and the ransom fee itself. Policies can also cover other costs to your business, such as hardware replacement, reputation management, and investigation costs. You can also extend these policies to cover threats beyond ransomware. Bundling a general cyber policy with a ransomware policy can often result in savings and provide more comprehensive protection. It’s still critical to have your own ransomware prevention and recovery plan in order, but some companies do feel more secure adding this to their list of protections.

Not every business has the cybersecurity resources in-house to manage ransomware threats in the most comprehensive and intelligent manner. If you are interested in a deeper conversation about how to prepare for or recover from a ransomware attack, contact us.
