The Future of Ransomware Defense: A Primer for Business Leaders
Ransomware is a common threat – 92% of organizations believe it’s a top threat, according to the 2024 Verizon Data Breach Investigation report. While IT and security teams work internally to combat and even prevent ransomware, decision-makers also need to understand the threat at a high level.
As cyber actors grow more sophisticated, embracing double-extortion ransomware models and techniques that evade protection mechanisms, ransomware can shut down small businesses, infiltrate government organizations, take down critical infrastructure, and threaten national security.
According to Verizon’s Data Breach Investigation Report (DBIR), ransomware was a top threat across 92% of industries in 2024. Clearly, ransomware is one of the most ubiquitous and deadly threats facing businesses today.
The SANS Institute found that ransomware cases increased by 73% in 2023, for a grand total of 4,611 reported cases. LockBit 3.0 was responsible for nearly a quarter (1,083) of those cases.
In light of these facts, it goes without saying that today’s cyber defenders must be prepared to protect their organizations from ransomware. Meanwhile, executives and decision-makers need to understand the threat at a high level and what their organization needs to survive. In this article, we answer key questions surrounding ransomware and ransomware defense.
How Can I Prevent Ransomware?
The best response to ransomware is to prevent it from ever entering your network. The next best response is to stop the attack in its tracks. However, on average, cyber defenders have less than an hour to neutralize a ransomware attack in progress before files become inaccessible.
When every minute counts, having a response playbook on hand can mean the difference between rapid recovery and a costly disaster situation. Today, organizations need to pivot from reaction to prevention. By the time ransomware hits, it is too late to do anything unless you have planned for the event.
How Can I Know if Ransomware Has Spread To Other Devices?
It matters whether ransomware is present across multiple endpoints because operations cannot resume until ransomware is fully eliminated from an organization’s network. If it is removed from every system except one, it will likely spread from that system back to the others.
As soon as a ransomware attack hits, the first step is to take all endpoints offline and power down — this will buy cyber defenders some time. Detection can proceed in several directions depending on what solutions an organization has invested in. Endpoint detection and response (EDR) systems will record data that can be analyzed from a central location; security information and event management (SIEM) systems will flag suspicious events that could signal ransomware jumping between endpoints.
Signs of Ransomware Activity
In general, signs of ransomware activity include unexpected file transfers and an unusual volume of file renames. If an endpoint shows any of these signs at the time of a ransomware incident, organizations should proceed on the assumption that they have been compromised. If network data is unclear or unavailable, they should scan potentially affected devices before bringing them back online.
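The two signs named above, a burst of file renames and an unexpected outbound transfer, can be checked per endpoint with a simple rule over file-activity telemetry. The following is an added example, not from the original article: the event format, hostnames, thresholds and the EDR-style log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-activity events (not from a real incident). RENAME rows carry the
# new path; NETOUT rows carry bytes sent off-host. ws-07 shows the ransomware pattern,
# ws-12 shows an ordinary user renaming one document.
EVENTS = """\
2024-05-01T10:00:00 host=ws-07 op=WRITE path=D:/Finance/q1.xlsx
2024-05-01T10:00:03 host=ws-07 op=RENAME path=D:/Finance/q1.xlsx new=D:/Finance/q1.xlsx.lkd
2024-05-01T10:00:04 host=ws-07 op=RENAME path=D:/Finance/q2.xlsx new=D:/Finance/q2.xlsx.lkd
2024-05-01T10:00:05 host=ws-07 op=RENAME path=D:/Finance/q3.docx new=D:/Finance/q3.docx.lkd
2024-05-01T10:00:06 host=ws-07 op=RENAME path=D:/Finance/q4.docx new=D:/Finance/q4.docx.lkd
2024-05-01T10:00:07 host=ws-07 op=NETOUT path=- bytes=734003200
2024-05-01T10:00:09 host=ws-12 op=RENAME path=C:/Users/a/draft.docx new=C:/Users/a/final.docx
2024-05-01T10:30:00 host=ws-12 op=WRITE path=C:/Users/a/final.docx
"""

LINE_RE = re.compile(r"(\S+) host=(\S+) op=(\S+) path=(\S+)(?: new=(\S+))?(?: bytes=(\d+))?")

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, op, path, new, nbytes = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host, "op": op,
                           "path": path, "new": new, "bytes": int(nbytes or 0)})
    return events

def ext(path):
    return path.rsplit(".", 1)[-1].lower() if "." in path.rsplit("/", 1)[-1] else ""

def flag_hosts(events, window=timedelta(seconds=60), rename_limit=3, egress_limit=500 * 2**20):
    """Return {host: [reasons]} for hosts showing a rename burst (counting how many renames
    also changed the file extension) or an outbound transfer above egress_limit bytes."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    flagged = defaultdict(list)
    for host, evs in by_host.items():
        renames = [e for e in evs if e["op"] == "RENAME"]
        for i, first in enumerate(renames):            # sliding window over rename times
            burst = [r for r in renames[i:] if r["ts"] - first["ts"] <= window]
            if len(burst) >= rename_limit:
                changed = sum(1 for r in burst if ext(r["new"]) != ext(r["path"]))
                flagged[host].append(f"{len(burst)} renames in {window.seconds}s, {changed} changed extension")
                break
        egress = sum(e["bytes"] for e in evs if e["op"] == "NETOUT")
        if egress > egress_limit:
            flagged[host].append(f"{egress / 2**20:.0f} MiB sent off-host")
    return dict(flagged)
```

Hosts flagged this way are the ones the article says to treat as compromised and to scan before reconnecting.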
How Can I Protect My Data?
To build resilience against ransomware and other forms of cyberattacks, organizations should have a data backup system in place, air-gapped or otherwise isolated from an organization’s main networks. For backups, the cloud is a great option, but it will not automatically protect against ransomware attacks unless it is used for offline data storage. More traditional forms of on-site or off-site storage (tape and disk) also work well.
Backups should also be performed frequently — how frequently depends on an organization’s Recovery Point Objective (RPO), but every 13-24 hours is common. Finally, organizations should do a test restoration at least once a year to ensure their backup system works and that files can be restored within a reasonable time frame.
The Importance of Backups
Schofield’s Second Law of Computing states, “data isn’t real unless it exists in two places.” Given the business risk of data loss, all businesses should already have a regular backup system in place, and those backups should be easily accessible and restorable within a rapid time frame.
Ideally, restoring the most critical files for business operations will take minutes to hours, and restoring all files will not take more than a few days. Unfortunately, the speed of networks and long-term storage media impose a hard limit on how fast full restorations can actually be performed.
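The RPO check from the earlier backup section and the test restoration this section calls for can both be automated. The following is an added example, not code from the original article: it records a SHA-256 manifest at backup time, compares a test restore against it, and flags a backup older than the RPO; the file names, contents and timestamps are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root, taken at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a test restore against the manifest; return (missing, corrupted) paths."""
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        p = os.path.join(restored_root, rel)
        if not os.path.exists(p):
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupted.append(rel)
    return sorted(missing), sorted(corrupted)

def rpo_breached(last_backup, now, rpo_hours):
    """True when the newest backup is older than the Recovery Point Objective."""
    return now - last_backup > timedelta(hours=rpo_hours)

def demo():
    # Constructed scenario: three files are backed up, then the test restore comes back
    # with ledger.csv altered and plan.md missing; the last backup is 48 h old vs a 24 h RPO.
    src_files = {"ledger.csv": b"acct,amt\n1,100\n", "notes.txt": b"ok\n", "plan.md": b"# plan\n"}
    restored_files = {"ledger.csv": b"acct,amt\n1,999\n", "notes.txt": b"ok\n"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as restored:
        for name, data in src_files.items():
            open(os.path.join(src, name), "wb").write(data)
        for name, data in restored_files.items():
            open(os.path.join(restored, name), "wb").write(data)
        missing, corrupted = verify_restore(build_manifest(src), restored)
    last = datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc)
    stale = rpo_breached(last, last + timedelta(hours=48), rpo_hours=24)
    return missing, corrupted, stale
```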
How Can I Ensure Business Continuity During a Ransomware Attack?
A business continuity plan is something every organization should have long before a ransomware attack hits. Without one, mobilizing quickly enough to restore business functionality without a long-term impact on revenue and operations is nearly impossible.
Business continuity plans establish how cyber defenders will respond in the immediate aftermath of a ransomware incident; they also provide business impact analysis, maximum tolerable downtime, and recovery time objectives. Making these decisions ahead of time will save precious time in a disaster scenario. This also gives your business a fighting chance to recover and resume operations quickly.
Should I Ever Pay the Ransom?
Paying the ransom should be a last resort. First, ransom fees can be exorbitant. According to Sophos, the average ransom payment among those who paid is $2 million. Furthermore, 30% of the demands are over $5 million.
Second, paying ransomware actors encourages them to continue their activities. It also paints a target on your back, with 83% of successful ransomware attacks featuring double or even triple extortion. In these cases, the attacker threatens to release the stolen data on the dark web. Sometimes, the attacker will go further and single out individuals whose data was taken, extorting money from each of them.
Finally, businesses rarely get all of their files back after paying a ransom — Veeam Software’s 2024 Ransomware Trends Report found that companies only get about 60% of their data back, and that 27% of organizations that paid the ransom still couldn’t recover.
Dealing With Crypto
“Never pay the ransom” is a good principle. But in the real world, when highly valuable data is at stake, paying a ransom may be your only option. In that case, the organization should acquire cryptocurrency through a reputable and insured exchange such as Coinbase.
Ideally, businesses will transfer a certain amount of cryptocurrency to a password-protected wallet for emergency use ahead of time. But when time is of the essence, they can make payments directly through their exchange.
What Is the Future of Ransomware Defense?
At this very moment, many businesses are in the process of adopting zero-trust network architectures (ZTNAs). A ZTNA treats every user, device, and application like a potential threat, requiring multi-factor authentication to access devices and switch between applications. ZTNAs are significant barriers to many forms of malicious activity, including but not limited to ransomware attacks.
AI and machine learning show great promise for effective threat detection, since models can learn in real time from changing tactics, techniques and procedures (TTPs) in the developing cyber landscape. Organizations should be willing to share threat intelligence with upstream vendors and cybersecurity providers to help them develop better ML-driven cybersecurity tools.