Ransomware

Guide to Preventing, Detecting and Responding to Ransomware Attacks

By Dr. Christine Izuakor

Despite a small decline in the total volume of ransomware attacks, assailants are increasingly leveraging the attack method as a targeted way to extort enterprises. This shift toward more selective targets is a typical trend within the Cyber Security industry. For example, at one point, mass phishing emails were all the rage. Attackers would send generic messages to hundreds or thousands of users, hoping that one naïve person would click on a link and help the attacker further their agenda. Today, cyber criminals prefer using spear phishing and whaling. These are more customized and targeted attacks that can help attackers achieve higher success rates.

A similar shift is happening with Ransomware. Attackers are transitioning from widespread attacks to more targeted efforts that offer the biggest bang for their buck. Companies who take these trends as a sign that they can relax about Ransomware and move on to the next threat are sadly mistaken. The threat of ransomware is still very much alive, and a good Cyber Security strategy should include the right people, processes, and technology to prevent, detect, and respond to ransomware attacks.

Combating Ransomware through PEOPLE

  • Prevention: Most Ransomware attacks require human action to execute. Whether through malicious email messages or infected pop-up windows, there are immediate implications as soon as the user clicks.
    • Like most prevention strategies, the best way to reduce human error is to make users aware of what they should and shouldn’t be doing. It’s essential to educate employees on what Ransomware is and how it works. Help them understand how they might be targeted and what they can do to help protect themselves and the company.
  • Detection: Human interaction can be an efficient way to learn about attacks in your environment. Though technology should be the first line of defense, having a method for employees to report these types of attacks can help where technology is lacking.
  • Response: Depending on the type of attack, employees may feel embarrassed, ashamed, or afraid to share the event with their employer (especially in the case of blackmail). They may choose to take matters into their own hands. Having a clear direction on what employees should do in response to a ransomware attack is important. There should be a way for them to report incidents to a technical or Cyber Security resource without being ridiculed or punished for common human error.

Combating Ransomware through TECHNOLOGY

  • Prevention: From a technology standpoint, Ransomware attacks can be prevented by having a robust security technology stack that includes adequate email, network, and device security controls. For example, since email is a primary delivery vector for Ransomware, blocking these emails before they make it into the user’s inbox can help prevent successful attacks. Keeping devices and software up to date also helps ensure that known vulnerabilities cannot be exploited.
  • Detection: Through advances in technology and Artificial Intelligence integration, detection and response to Ransomware attacks can be automated. Ransomware detection solutions can screen files for known Ransomware variants and set up honeypot files that can uncover unknown attacks.
  • Response: Backups are a critical part of Ransomware response strategies, and technology exists to help with this process. Veriato RansomSafe, for example, can intercept the Ransomware command to lock your files, make a clean copy, and safely store it in a different location. This kind of technology can also block accounts attempting to encrypt the data and alert the targeted organization immediately. It’s important to note that in blackmail-based cases, backups may not be as helpful. Other actions may be considered, such as risking disclosure of information, paying the ransom, or choosing to get ahead of the issue by self-publishing.

Responding to Ransomware through PROCESS

The process for responding to a Ransomware attack will differ based on each scenario. Several variables must be considered, such as criticality of assets impacted, the scope of the attack, ransom amount, and more. On top of this, the type of attack (encryption, denial of service, blackmail) matters.

No matter which scenario is present, a reliable incident response process is critical to surviving all of them. Whether the incident involves ransomware or other attack methods, proactively establishing an incident response function can save a company tons of money and time, and can drastically reduce damages. Furthermore, the incident response plan should be tested periodically with realistic scenarios such as Ransomware to ensure it can carry the organization through a real-world attack.

When it comes to response, whether the requested ransom should be paid or not remains a constant debate. In a recent example, a ransomware attack against Baltimore’s government resulted in the disruption of important communication technology such as email and voicemail, as well as numerous citations, technology, and payment systems. The Mayor noted that the option to pay the ransom would be considered if absolutely necessary. A 2018 study reported that 45% of companies that suffer a Ransomware attack end up paying the attackers to regain access to their data. Unfortunately, only a quarter of those companies actually got what they paid for. The reality is that a majority of cyber criminals don’t follow through after receiving payment.

If you’re concerned about a potential Ransomware attack, check out Veriato RansomSafe™. RansomSafe acts as a vital layer in your ransomware defense, combining just-in-time data protection with multiple mechanisms to detect and shut down attacks before they hold your business hostage.

Interested in learning from real victims of recent ransomware attacks? Check out our recap of notable ransomware attacks from 2019 and lessons learned.

About the author

Dr. Christine Izuakor
Dr. Izuakor is the Senior Manager of Global Security Strategy and Awareness at United Airlines where she plays a critical part in embedding cyber security in United’s culture. She is an adjunct professor of cyber security at Robert Morris University, and independently helps corporations solve a diverse range of strategic cybersecurity challenges.
