Tech Journal

Mounting a Ransomware Defense for the Big Picture

By Insight Editor / 26 Oct 2021 / Topics: Backup & recovery


When it comes to ransomware defense, protective controls have always been critical — but more security pros are saying goodbye to a siloed approach.

As we’ve stressed in this issue of the Tech Journal, a siloed approach to defending your business from cybercrime just won’t cut it anymore. A ransomware use case is no exception. These days, organisations need a more robust approach to mounting a defense against the incredibly real — and costly — threat of ransomware.

In August of 2020, just five months after the onset of COVID-19, hackers were waging 4,000 successful ransomware attacks per day on unsuspecting businesses. It was a 400% increase from pre-COVID-19 numbers, according to the FBI. Today, the attacks persist and tend to surge even more around the holidays. In fact, CBS News reported that up to 1,500 businesses in the U.S. and other parts of the world were impacted by a ransomware attack over the 2021 Fourth of July weekend.

The lure of ransomware

Why has ransomware become such a mainstay for hackers? Why have organised crime rings and even nation states joined with bad actors, magnifying the threat — and reach — of these types of attacks? It’s because the financial payoff for ransomware in particular has become significant, so more hackers are investing in those tactics. Anytime the juice is worth the squeeze, you're going to have more people doing it.

The four basic ransomware types:

  1. Application-level lockers prevent users from accessing applications or operating systems until a ransom has been paid.
  2. System-level lockers overwrite a system’s Master Boot Record (MBR) with their own microkernel, preventing any type of use until a ransom has been paid.
  3. File encryptors encrypt user files and data, demanding a ransom for the release of the decryption key.
  4. Fake ransomware is malware that claims to have encrypted a user’s data but actually hasn’t; ransomware language is used to collect a panic-induced payment from the victim.

So how is your organisation supposed to mount any kind of effective defense against these types of attacks? As with any cybersecurity use case, creating a multilayered defense will best protect your environment and assets from ransomware.

A multilayered defense includes:

  1. Prevention of malware
  2. Detection of bad actors
  3. Recovery and continuity

It’s time to go beyond protective controls.

A layered approach to preventing ransomware isn't all that different from the approach we take with malware in general. Yes, it means keeping the bad guys out by deploying effective endpoint security and teaching users not to click on malicious links or unknown documents. It also means improving threat intelligence, particularly around command and control. The protective, or preventive, side of ransomware defense is straightforward: limit the vectors a ransomware actor can use to get into an environment.

But when it comes to ransomware, it’s not enough to just keep bad actors out. We must also focus on the recovery and continuity aspects of security. To do this, organisations need to ask themselves key questions like:

  • What is my storage environment doing to help me recover?
  • How can my data protection help me recover?
  • How quickly can I restore entire environments in the event of an attack?
  • How do I effectively secure these environments?
  • How do we get back up and running in a way that avoids putting our last resort data back into a compromised environment?

Options like immutable storage and backup are becoming popular, despite being last-resort solutions. According to Sophos’ State of Ransomware 2021 survey, the number of organisations that paid a ransom increased from 26% in 2020 to 32% in 2021, but fewer than one in 10 (8%) managed to get back all of their data. As lose-lose situations like these become more commonplace, having the nuclear option has become increasingly helpful to security teams.

As we move from the traditional data centre model to centres of data and see more edge computing involving artificial intelligence, it’s critical to remember: These areas, along with remote workstations, need to be protected with the same type of multilayered approach.

Three mantras to live by

As you pursue excellence across your ransomware defense strategy, remember:

  1. There’s no silver bullet. We all wish it were true, but there’s no one holy grail product that will stop ransomware in its tracks. A tool may be a very important piece of a strategy and response plan, but there’s no point solution that covers it all.
  2. End-user training will always be vital. You can have all the sophisticated tools in the world, but the end user will always be the weakest link. Make training a priority. Make it fun. Do whatever you need to do to keep end users invested in your security policies.
  3. There’s no start and stop. The most successful teams look at ransomware defense through a business continuity lens. Test your methodology, and test it often — whether it’s annually, bi-annually or however often your business deems it appropriate. Every 10-11 seconds, an organisation will fall victim to a ransomware attack, according to research compiled by PurpleSec. That’s simply too often for a “set it and forget it” strategy.

About the author:


Chris Kapusta

Senior Manager for Cloud + Data Center Transformation, Insight

With more than 20 years of data center architecture experience, Chris leads an integrated team responsible for growth across Insight’s data infrastructure practice, working with top infrastructure partners and alliances to help clients innovate across their data protection and data storage strategies.