Guide to Preventing, Detecting and Responding to Ransomware Attacks

By Dr. Christine Izuakor

Despite a small decline in the total volume of ransomware attacks, assailants are increasingly leveraging the attack method as a targeted way to extort enterprises. This shift toward more selective targets is a typical trend within the Cyber Security industry. For example, at one point, mass phishing emails were all the rage. Attackers would send generic messages to hundreds or thousands of users, hoping that one naïve person would click on a link and help the attacker further their agenda. Today, cyber criminals prefer using spear phishing and whaling. These are more customized and targeted attacks that can help attackers achieve higher success rates.

A similar shift is happening with Ransomware. Attackers are transitioning from widespread attacks to more targeted efforts that offer the biggest bang for their buck. Companies who take these trends as a sign that they can relax about Ransomware and move on to the next threat are sadly mistaken. The threat of ransomware is still very much alive, and a good Cyber Security strategy should include the right people, processes, and technology to prevent, detect, and respond to ransomware attacks.

Combating Ransomware through PEOPLE

  • Prevention: Most Ransomware attacks require human action to execute. Whether through malicious email messages or infected pop-up windows, there are immediate implications as soon as the user clicks.
    • Like most prevention strategies, the best way to reduce human error is to make users aware of what they should and shouldn’t be doing. It’s essential to educate employees on what Ransomware is and how it works. Help them understand how they might be targeted and what they can do to help protect themselves and the company.
  • Detection: Human interaction can be an efficient way to learn about attacks in your environment. Though technology should be the first line of defense, having a method for employees to report these types of attacks can help where technology is lacking.
  • Response: Depending on the type of attack, employees may feel embarrassed, ashamed, or afraid to share the event with their employer (especially in the case of blackmail). They may choose to take matters into their own hands. Having a clear direction on what employees should do in response to a ransomware attack is important. There should be a way for them to report incidents to a technical or Cyber Security resource without being ridiculed or punished for common human error.

Combating Ransomware through TECHNOLOGY

  • Prevention: From a technology standpoint, Ransomware attacks can be prevented by having a robust security technology stack that includes adequate email, network, and device security controls. For example, since email is a primary delivery vector for Ransomware, blocking these emails before they make it into the user’s inbox can help prevent successful attacks. Having up to date devices and software can also ensure that exploitation of known vulnerabilities is avoided.
  • Detection: Through advances in technology and Artificial Intelligence integration, detection and response to Ransomware attacks can be automated. Ransomware detection solutions can screen files for known Ransomware variants and set up honeypot files that can uncover unknown attacks.
  • Response: Backups are a critical part of Ransomware response strategies, and technology exists to help with this process. Veriato RansomSafe, for example, can intercept the Ransomware command to lock your files, make a clean copy, and safely store it in a different location. This kind of technology can also block accounts attempting to encrypt the data and alert the targeted organization immediately. It’s important to note that in blackmail-based cases, backups may not be as helpful. Other actions may be considered, such as risking disclosure of information, paying the ransom, or choosing to get ahead of the issue by self-publishing.

Responding to Ransomware through PROCESS

The process for responding to a Ransomware attack will differ based on each scenario. Several variables must be considered, such as criticality of assets impacted, the scope of the attack, ransom amount, and more. On top of this, the type of attack (encryption, denial of service, blackmail) matters.

No matter which scenario is present, a reliable incident response process is critical to surviving all of them. Whether the incident involves ransomware or other attack methods, proactively establishing an incident response function can save a company tons of money and time, and can drastically reduce damages. Furthermore, the incident response plan should be tested periodically with realistic scenarios such as Ransomware to ensure it can carry the organization through a real-world attack.

When it comes to response, whether the requested ransom should be paid or not remains a constant debate. In a recent example, a ransomware attack against Baltimore’s government resulted in the disruption of important communication technology such as email and voicemail, as well as numerous citations, technology, and payment systems.  The Mayor noted that the option to pay the ransom would be considered if absolutely necessary. A 2018 study reported that 45% of companies who suffer a Ransomware attack end up paying the attackers to regain access to their data. Unfortunately, only a quarter of those companies actually got what they paid for. The reality is that a majority of cyber criminals don’t follow through after receiving payment.

If you’re concerned about a potential Ransomware attack, check out Veriato RansomSafe™. RansomSafe acts as a vital layer in your ransomware defense, combining just-in-time data protection with multiple mechanisms to detect, and shut down attacks before they hold your business hostage.

If you’re Interested in learning from real victims of recent ransomware attacks? Check out our recap of notable ransomware attacks from 2019 and lessons learned here.

Insider Risk – How Prepared Are You?

Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.

About the author

Dr. Christine Izuakor
Dr. Izuakor is the Senior Manager of Global Security Strategy and Awareness at United Airlines where she plays a critical part in embedding cyber security in United’s culture. She is an adjunct professor of cyber security at Robert Morris University, and independently helps corporations solve a diverse range of strategic cybersecurity challenges.

Productivity & Insider Risk Resources

Work From Home, Quiet Quitting, and How Insider Risk Has Changed

Work From Home, Quiet Quitting, and How Insider Risk Has Changed

March 2023 marks approximately three years since the world shut down at the beginning of the Covid-19 pandemic. Since then, organizations have seen their workforce change considerably. What was originally a short term plan to work from home has become ingrained in our...

Focusing On Productivity Helps Reduce Insider Risk

Focusing On Productivity Helps Reduce Insider Risk

Many companies are concerned by the uptick in insider risk that’s come with the work-from-home boom. By one estimate,  58% of office workers work from home at least one day a week. This trend creates blind spots for companies. Managers see their employees less often,...

Elizabeth Harz RSAC 2023 Interview

Elizabeth Harz RSAC 2023 Interview

Elizabeth Harz, CEO of Veriato, gave an interview to ISMG at this year's RSA Conference in San Francisco. In it, Elizabeth covers the challenges of maintaining data security in the remote or hybrid workforce environment and the rising cost of data breaches. She also...