New and evolving ransomware attack tactics mean that a backup/restore strategy is no longer enough to keep data safe. Successful ransomware defense now requires intelligence and agility—in the backup process, in intrusion and malware detection, and in rapidly learning (and applying) lessons from successful intrusions.
The threat landscape is evolving rapidly
Ransomware is evolving, but not in any way that will allow cybersecurity professionals to sleep more soundly in 2021. What once was a straightforward encryption-based data attack has evolved into a complex chain of events often involving data theft, data encryption, and corporate extortion.
This more complex and more damaging ransomware is also becoming a larger percentage of total cyberattacks, according to industry data. Security researchers estimate that ransomware attacks more than doubled during 2020, and the early months of 2021 show no signs of a reduction in ransomware attack numbers.
Today’s most common ransomware attack strategy, known informally as “pay up or be exposed,” involves the exfiltration of critical data before encrypting data storage. If the victim declines to pay the ransom, the attacker threatens to release that critical data to the world, compromising confidentiality and threatening regulatory action.
These multi-phase variants and opportunities for new entries in the market underscore the reality that most organizations are not prepared to survive a ransomware attack without significant business disruption. In a recent Omdia poll hosted on Dark Reading (please refer to the link in the “Further reading” section of the Appendix for more details), fewer than a quarter of all respondents indicated confidence in their company’s ransomware response. More than one-third of the responses indicated either that there were major holes in the organization’s response plan (21%) or that there was no plan in place at all (13%).
A threefold plan offers superior protection
Gaining confidence in an organization’s ability to withstand a ransomware attack without catastrophic business disruption rests on three legs of a response strategy—cyber protection for critical data, rapid response, and organizational learning.
Cyber protection involves going beyond the basics of a solid backup and restore plan. In addition to that foundation, cyber protection brings data security and intelligent threat response into the mix. The result is comprehensive data backup that recognizes when a file has been compromised and automatically restores any file that the ransomware has tampered with, without manual intervention by the administrator.
Next, organizations should take steps to reduce the period during which ransomware is able to conduct surveillance, mapping, and asset inventories. Ransomware is, by its nature, a “noisy” attack: there is nothing stealthy about the demand for ransom or the presence of encrypted files. A successful response, then, means catching and stopping the attack as early as possible, ideally before any data is exfiltrated or encrypted. While every effort should be made to prevent an attack (e.g., through proper patching), organizations must have an “assume breach” mentality. Bad actors will get in eventually, and then they need to be caught as quickly as possible.
Finally, organizations must learn from their mistakes. In a recent case, a UK company paid millions in ransom for a decryption key, received it and decrypted their data—and did nothing to remediate the vulnerability that allowed the attack to succeed. Two weeks later, the same criminal organization hit them with the same attack a second time. The company had no recourse but to pay another ransom. Understanding how an attack occurred, why it was successful, and how it can be prevented in the future should be a top priority in any ransomware attack—and the lessons learned should be immediately applied. Furthermore, the use of artificial intelligence and machine learning that trains on data from millions of endpoints, security researchers, and threat hunters can greatly help to automate the learning process.
Ransomware is now part of the business cyberthreat landscape. Learning how it can be prevented with a cyber protection strategy, and the best responses when it cannot, is critical for every organization in 2021 and beyond.
Further reading
Data extortion: Ransomware with an evil new twist (February 2020)
Data Security Strategies Are at the Heart of Cybersecurity (October 2020)
Ransomware Response (December 2020)
Pay-or-Get-Breached Ransomware Schemes Take Off (January 2021)
Curtis Franklin, Jr., Senior Analyst, Enterprise Security Management