A Midsize Company’s Guide to Ransomware Protection

January 19, 2022

As ransomware attacks continue to affect enterprises everywhere, many overlook how midsize companies are being hurt. With fewer resources and personnel on staff to handle emerging threats, this cybersecurity guide outlines advice for struggling businesses everywhere. 

Ransomware attacks have escalated to the point that no business is immune to the threat. Such attacks have caused massive operational disruption to mid-market organizations in industries that include manufacturing, education, financial services, healthcare, critical infrastructure, and more. According to recent research by Barracuda, attacks on infrastructure, travel entities, financial services institutions, and other businesses made up 57% of all ransomware attacks between August 2020 and July 2021, up from just 18% in its 2020 study. No midsize industry, organization, or government entity is immune to ransomware, but that doesn’t mean organizations are prepared to meet the challenges associated with an attack should they get breached.

This article offers a response blueprint for midsize enterprises that shows them how to communicate with customers and other stakeholders during a ransomware attack, and ways to avoid paying the ransom. We’ll include a crisis response plan that outlines who should be contacted when, in what manner, and how often, to optimize information sharing and alleviate customer concerns.

How much would I pay? How much can I pay? 

Such questions keep CISOs and other executives up at night as risk from ransomware rises steadily across the midmarket. The cost of ransom payments is also increasing rapidly, with the average demand per incident now at more than $10 million. 

What if I can’t pay? What if I don’t pay? 

Ransomware attacks have escalated to the point that no midsize industry, organization, or government entity is immune to them, but that doesn’t mean organizations are prepared to meet the challenges associated with an attack should they get breached. 

Modern ransomware and its variants (including ransomware as a service, or RaaS) have been targeting organizations worldwide since the advent of CryptoLocker in 2013. CryptoWall, SamSam, Petya, Ryuk, WannaCry, and other well-known hacks followed, but only in the last couple of years has there been a veritable explosion in these types of attacks.

Post-Kaseya, estimates suggest that 800 to 1500 small to medium-sized companies may have experienced a ransomware compromise through their managed services providers, which allowed attackers to circumvent authentication controls to execute the malicious code.[1]


Everything Old is New Again

In other words, ransomware is not a new threat. Still, it has evolved into a more destructive creature in large part because threat actors know that most organizations are ill-equipped to defend against it, and most barriers of entry have disappeared. Organizations had many data breaches that led to the loss of credentials and PII used in the social engineering phase of attacks. DIY ransomware kits are available online for a small fee; less technologically savvy criminals or those who prefer not to do the heavy lifting themselves can outsource the deed using RaaS. The increased value of cryptocurrency and the popularity of cyber insurance have also made ransomware attacks more profitable for cybercriminals, attracting highly organized gangs to operationalize threats like legitimate businesses.

Meanwhile, ransomware has caused massive operational disruption to midmarket organizations in industries that include manufacturing, education, financial services, healthcare, critical infrastructure, and more. Cybercriminals have expanded their skill sets and refined their tactics to create a multipronged extortion scheme to ensure their mid-market targets remain hostage:  First, they base ransom demands on research performed ahead of the attack that informs them how much a target is likely to pay; next, they steal, hide, or freeze sensitive data and information critical to the victim’s business; then they demand payment in exchange for a promise to release the data back to the victim.

Unfortunately, any data stolen in a ransomware attack is compromised forever. Criminals by their very nature cannot be trusted, and even a successful ransom payment does not necessarily prevent threat actors from publishing or selling the victim’s data to other criminals for additional profit, nor does it prevent them from returning to the victim and asking for additional payments to continue to “safeguard” the data they stole. Perhaps worst of all, there has never been any guarantee that paying the ransom would result in the recovery of all the stolen or encrypted data in the first place, just a promise from an untrustworthy thief.

Three-Tiered Defense

Whether the attack starts with a spear-phishing email (designed to steal login or admin credentials which are then used to access the victim’s network and evaluate various assets such as servers, databases, email, AP, and more) or business email compromise (BEC), once inside, threat actors can hide for days, weeks, months, and yes even years, waiting for the optimal time to strike. But that’s no reason to pay the criminals for their crimes. 

Like any cyber threat, mid-market firms should have a plan in place to defend against it. Protecting against ransomware is all about protecting data, which can be accomplished in three fundamental steps: protecting credentials, securing web applications, and backing up critical data. 

Ransomware often relies on breaching email or otherwise obtaining user credentials, so organizations should begin by investing in detection and response tools and in training users. The tens of thousands of usernames and passwords readily available online mean email protection technology should focus on detecting malicious payloads delivered through links or attachments and on recognizing when attacks use social engineering tactics designed to bypass filtering technology and trick users into action. Because phishing is the primary attack vector for ransomware, maintaining a culture of awareness of, and reporting on, credential security is paramount. After all, if attackers cannot obtain credentials, it becomes much more challenging to escalate from phishing to ransomware.

Successful training will use phishing simulation for emails, voicemail, and SMS to train users to identify cyberattacks, test the effectiveness of training protocols, and uncover the users most vulnerable to attacks. It is essential to gain staff trust to be comfortable flagging issues, even when it’s a mistake caused by accident. Many attacks go unreported because employees fear being blamed. Public praise of those who come forward can serve as an early-warning system, which is invaluable during an incident. 


Are Your Web Apps Vulnerable?

Web applications are the biggest attack vector in use, accounting for more than 80 percent of all data breaches.[2] The shift to remote work has pushed even more applications out to the workforce, and sometimes the rush to keep businesses functioning compromised security measures. Web applications can be attacked through the user interface or an API, often via credential stuffing, brute-force attacks, or OWASP vulnerabilities. Once the application has been compromised, the attacker can introduce ransomware and other malware into networks and systems. 
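As an added example (not code from the article or from Barracuda), the following Python script shows what detecting the credential-stuffing and brute-force patterns just mentioned can look like on the defender's side: it scans web-application login logs for one source address failing against many distinct usernames (stuffing) or many times against a single account (brute force), and separately flags any account that a source already flagged for stuffing then logged into successfully, since that account is the one to reset first. The log line format, the sample lines and the thresholds (five usernames or five failures within five minutes) are constructed assumptions; the same sliding-window logic applies to any log that records a timestamp, result, username and source address.

```python
"""Spot credential stuffing and brute force in web-app login logs.

Added example, not code from the article or from Barracuda. The log line
format and the sample lines are constructed for the example, and the
thresholds (5 usernames or 5 failures within 5 minutes) are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO-8601 UTC> login result=<success|failure> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.5 sprays six usernames and gets one in,
# 198.51.100.7 hammers the "admin" account, 192.0.2.9 is a user mistyping once.
SAMPLE_LOG = """\
2022-01-19T10:00:01Z login result=failure user=alice src=203.0.113.5
2022-01-19T10:00:02Z login result=failure user=bob src=203.0.113.5
2022-01-19T10:00:03Z login result=failure user=carol src=203.0.113.5
2022-01-19T10:00:04Z login result=failure user=dave src=203.0.113.5
2022-01-19T10:00:05Z login result=failure user=erin src=203.0.113.5
2022-01-19T10:00:06Z login result=success user=frank src=203.0.113.5
2022-01-19T10:00:10Z login result=failure user=admin src=198.51.100.7
2022-01-19T10:00:11Z login result=failure user=admin src=198.51.100.7
2022-01-19T10:00:12Z login result=failure user=admin src=198.51.100.7
2022-01-19T10:00:13Z login result=failure user=admin src=198.51.100.7
2022-01-19T10:00:14Z login result=failure user=admin src=198.51.100.7
2022-01-19T10:00:15Z login result=failure user=admin src=198.51.100.7
2022-01-19T10:05:00Z login result=failure user=grace src=192.0.2.9
2022-01-19T10:05:30Z login result=success user=grace src=192.0.2.9
2022-01-19T10:20:00Z login result=failure user=heidi src=203.0.113.5
"""


def parse(log_text):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines in an unexpected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def detect(log_text, window=timedelta(minutes=5), stuffing_users=5, bruteforce_fails=5):
    """Return findings as (kind, src, detail) tuples in the order they are raised.

    credential_stuffing: one src fails against >= stuffing_users distinct users in `window`
    brute_force:         one src fails >= bruteforce_fails times against one user in `window`
    stuffing_success:    a src already flagged for stuffing then logs in successfully;
                         that account should be reset and its sessions revoked first
    """
    events = sorted(parse(log_text))
    recent = defaultdict(list)     # src -> [(ts, result, user)] still inside the window
    flagged_stuffing = set()       # src values already reported
    flagged_bruteforce = set()     # (src, user) pairs already reported
    findings = []
    for ts, result, user, src in events:
        hist = recent[src]
        hist.append((ts, result, user))
        while hist and ts - hist[0][0] > window:  # slide the window forward
            hist.pop(0)
        if result == "success" and src in flagged_stuffing:
            findings.append(("stuffing_success", src, user))
            continue
        failures = [(t, u) for t, r, u in hist if r == "failure"]
        distinct_users = {u for _, u in failures}
        if len(distinct_users) >= stuffing_users and src not in flagged_stuffing:
            flagged_stuffing.add(src)
            findings.append(("credential_stuffing", src, f"{len(distinct_users)} usernames"))
        per_user = defaultdict(int)
        for _, u in failures:
            per_user[u] += 1
        for u, n in per_user.items():
            if n >= bruteforce_fails and (src, u) not in flagged_bruteforce:
                flagged_bruteforce.add((src, u))
                findings.append(("brute_force", src, f"{u}: {n} failures"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG):
        print(f"{kind:20} {src:15} {detail}")
```

Running the script on the constructed sample reports the spraying source once it reaches five usernames, the account it then got into, and the single-account hammering on `admin`; the one-off failure from 192.0.2.9 is left alone. In practice the thresholds and window are tuned per application, and the output feeds rate limiting or an MFA step-up rather than a blanket block, since stuffing traffic is often spread across many source addresses.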

Prevent ransomware from spreading using network segmentation and intrusion prevention. Look for a next-generation firewall solution and secure application access with a Zero Trust Network Access (ZTNA) solution that provides secure access to applications and workloads from any device and any location.

As you transform your business to operate primarily on SaaS applications, it’s essential to consider micro-segmentation strategies. Start by reducing the attack surface: eliminate direct access to infrastructure and give users access only to the SaaS applications they need.

Back It Up

Any serious ransomware protection strategy must include backup and disaster recovery because threat actors seek to own all backup solutions in addition to primary data. After all, if they can control all critical data, all principal backup servers, and all secondary/tertiary disaster recovery copies, what choice will they leave you with other than to pay up? 

To properly defend and isolate backup data, organizations must ensure that restoring systems from backup versions is possible in a reasonable timeframe and with sufficiently up-to-date information. It’s not enough to just check logs to see whether data is being replicated often or accurately enough. Simulations and drills that demonstrate backup systems work are a critical step, and they can be run application by application or department by department; company operations don’t need to grind to a halt for the organization to prove it can bring systems back online in a timely way. Even if everything else fails, genuinely up-to-date and secure backups mean cybercriminals can’t force a ransom payment.
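The restore drill described above, as an added example in Python (not code from the article or from Barracuda): it restores a backup into scratch space and checks the three things the paragraph calls for, that the copy is recent enough, that the restore completes within a time budget, and that every restored file matches the hash recorded when the backup was taken. The backup layout (a tar.gz archive plus a JSON manifest of SHA-256 hashes written by the backup job) and the sample data set are assumptions constructed for the example; the `demo()` function runs the drill against a good backup, a stale one, and one taken after a file was overwritten with random bytes to stand in for ransomware encryption.

```python
"""Restore drill: prove a backup is fresh, restorable within budget and intact.

Added example, not code from the article or from Barracuda. The backup layout
(a tar.gz archive plus a JSON manifest of SHA-256 hashes written by the backup
job) is an assumption chosen for the example.
"""
import hashlib, json, os, tarfile, tempfile, time
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _files(src_dir):
    # Yield (absolute path, slash-separated relative path) for every file.
    for root, _, names in os.walk(src_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            yield full, os.path.relpath(full, src_dir).replace(os.sep, "/")


def write_archive(src_dir, archive):
    with tarfile.open(archive, "w:gz") as tar:
        for full, rel in _files(src_dir):
            tar.add(full, arcname=rel)


def make_backup(src_dir, dest_dir):
    """What the backup job does: archive the tree and record a hash per file."""
    archive = os.path.join(dest_dir, "backup.tar.gz")
    manifest_path = os.path.join(dest_dir, "manifest.json")
    write_archive(src_dir, archive)
    manifest = {"created": datetime.now(timezone.utc).isoformat(),
                "files": {rel: sha256_file(full) for full, rel in _files(src_dir)}}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return archive, manifest_path


def restore_drill(archive, manifest_path, max_age=timedelta(hours=24),
                  max_restore_seconds=60.0, now=None):
    """Restore into scratch space; report["ok"] is True only if every check passed."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    now = now or datetime.now(timezone.utc)
    created = datetime.fromisoformat(manifest["created"])
    report = {"fresh": now - created <= max_age, "restored": False,
              "within_time": False, "missing": [], "mismatched": []}
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuses path traversal
                except TypeError:  # Python without the filter argument
                    tar.extractall(scratch)
            report["restored"] = True
        except (tarfile.TarError, OSError) as exc:
            report["error"] = str(exc)
        report["restore_seconds"] = round(time.monotonic() - start, 3)
        report["within_time"] = bool(report["restored"]
                                     and report["restore_seconds"] <= max_restore_seconds)
        for rel, expected in manifest["files"].items():  # integrity, file by file
            path = os.path.join(scratch, *rel.split("/"))
            if not os.path.isfile(path):
                report["missing"].append(rel)
            elif sha256_file(path) != expected:
                report["mismatched"].append(rel)
    report["ok"] = bool(report["fresh"] and report["within_time"]
                        and not report["missing"] and not report["mismatched"])
    return report


def demo():
    """Back up a constructed data set and run three drills: good, stale, tampered."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "customers.csv"), "w") as f:
            f.write("id,name\n1,Acme\n")
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")
        backups = os.path.join(work, "backups")
        os.makedirs(backups)
        archive, manifest_path = make_backup(src, backups)
        good = restore_drill(archive, manifest_path)
        # Same archive judged 48 hours later: restores fine but fails the freshness check.
        with open(manifest_path) as f:
            created = datetime.fromisoformat(json.load(f)["created"])
        stale = restore_drill(archive, manifest_path, now=created + timedelta(hours=48))
        # Simulated ransomware overwrites a source file before the next backup run,
        # so the new archive holds ciphertext and the hash check catches it.
        with open(os.path.join(src, "db", "customers.csv"), "wb") as f:
            f.write(os.urandom(32))
        tampered_archive = os.path.join(backups, "tampered.tar.gz")
        write_archive(src, tampered_archive)
        tampered = restore_drill(tampered_archive, manifest_path)
        return good, stale, tampered
```

The point of the drill is that it exercises the restore path rather than reading replication logs: a backup that is recent and copies cleanly but restores to encrypted content fails, as does one that is intact but older than the allowed age. In production the manifest would be stored separately from the archive (ideally on immutable or offline media) so that an attacker who owns the backup server cannot rewrite both together, and the drill would be scheduled per application with the time budget set from the recovery time objective.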

Plan of Action

If a ransomware attack is successful, midmarket organizations must have an established plan in place that allows them to optimize information sharing and ease customer concerns as they work to remediate the threat. As with other parts of the organization, a robust governance model should dictate what to do in an incident. Design and define a set of principles before a threat executes. Outline decision-makers and the criteria that determine under what conditions ransom will be paid or not paid–with a bias not to pay wherever possible.

The company must know who’s in charge during a crisis ahead of time: Is it the CEO? General counsel? CIO? Who’s the first call if there’s an incident after hours or on holiday? Who communicates to the press? Who talks to the board? Who are the customers?

The answers likely depend on the severity of the incident. A frank and factual assessment of the situation will determine the seriousness of the breach and the type of response warranted. A ransomware incident could act as a warning shot in the form of an attack that shuts down one or two systems to prove they can be breached. Suppose the episode is merely a show of force or affects essential but not critical assets. In that case, the governance model may outline a more internally focused communication plan rather than a full-scale, crisis-level response.

But in the event of a critical attack, one that cripples the organization’s ability to conduct business, attempts to blackmail members of the senior executive team, or puts customers at risk, midmarket organizations need to ensure their governance models are strong enough to protect them from liability resulting from improper or insufficient controls. If the general counsel function is outsourced, for example, and that person is the decision-maker during a crisis-level event, a lack of timely and comprehensive action could introduce more risk with much more severe financial consequences to the organization. 

To avoid making a critical event worse, set up a war room (even if virtual) to operate around the clock during the event. It should be staffed by all relevant teams: Executive, Legal, Corporate Communication, Customer Success, Account Management, IT, HR, and InfoSec. And remember, timing matters. Communicate the facts about the incident early, succinctly, and at regular intervals to minimize rumors and maintain confidence in the organization by:

  1. Assigning a spokesperson: There should be a single voice internally and externally to disseminate information and triage inbound inquiries, typically the executive in charge of media affairs or corporate communication.
  2. Notifying customers: Understand any contractual requirements that dictate when and how to communicate incidents to customers. Use the appropriate templates / key messages (developed as part of the governance model) to ensure the right contacts are on point and available to speak to customers throughout the event.
  3. Notifying employees: Employees are brand ambassadors, so keeping them informed is essential in the communication strategy. Messages from the CEO–over email, Slack, Zoom, and other channels–should be shared every day throughout the event.
  4. Posting information on the company website and social media channels: Keep external stakeholders apprised of what’s happening and show them where to go if they require more information.
  5. Meeting the press: Consider convening a news conference to keep the news media informed throughout the crisis–silence may promote suspicion. 
  6. Feeding the narrative: Update the story each day so that critical messages are heard. Stick to the facts, stay on message, and never allow assumptions.
  7. Developing written materials: Posting media advisories, news releases, blog posts, and other forms of communication ensures accuracy and consistency throughout the event. 
  8. Knowing when to include law enforcement: Have a protocol ready in case law enforcement needs to be notified. 

Midsize companies must have controls in place to manage risks from ransomware threats, including proper governance and codified procedures; creating and executing actionable cybersecurity blueprints that determine ways to communicate to customers and other stakeholders and strategies to help avoid paying the ransom ahead of time will help them handle an event should one occur. 

At the end of the day, there is no one-size-fits-all solution, no silver bullet. Better to remain vigilant and prepared than be held hostage down the road. 


1. De Vynck, Gerrit, et al. “Ransomware attack struck between 800 and 1,500 businesses, says company at center of hack.” Washington Post, July 6, 2021.
2. Verizon 2021 Data Breach Investigations Report (DBIR).

 

Fleming Shi

Chief Technology Officer, Barracuda Networks

As Chief Technology Officer at Barracuda Networks, Fleming leads the company’s threat research and innovation engineering teams in building future technology platforms to support Barracuda's broad portfolio of products. Additionally, Fleming has more than 20 patents granted or pending in network and content security, and he has been with Barracuda for over 18 years.