itSMF Bulletin March 2023 | Page 5

Ransomware Attacks: Strategies for Prevention and Recovery

• Paying the ransom is expedient, but often ineffectual. Many organizations pay the ransom demand to gain the decryption key, stop the publication of exfiltrated data, or prevent a DDoS attack—despite low success rates. Cyber insurance cover is a leading source of funding for paying ransoms. However, decryption keys don’t always work to restore encrypted data and cyber criminals still leak data. Paying the ransom to recover from an attack has four significant weaknesses.

First, it doesn’t address the systemic shortcomings that allowed the attack to succeed. Second, it funds additional cybercrime. Third, future cybersecurity insurance premiums will be higher, assuming coverage even remains available to the organization given its changed risk calculus. Finally, it often leads to additional attacks or subsequent ransom demands for exfiltrated data because threat actors know the organization has a proclivity to pay up.

• Just one unaddressed entry point is enough for an attack to gain a foothold.

Ransomware attacks start with one successful phishing email, access to a single password to a legacy VPN that isn’t using multi-factor authentication (MFA), or abuse of a newly identified or unpatched software vulnerability. The problem has been exacerbated by visibility challenges stemming from the transition to a more hybrid workforce over the past couple of years. Hoping that threat actors will not trick employees, find infrequently used systems, or attack irregularly patched applications has repeatedly proven short-sighted.

KEY TAKEAWAYS

• Ransomware remains a threat—and a growing one at that. Threat actors are evolving their toolkits and playbooks to make ransomware more devastating to victims. Ransomware-as-a-Service (RaaS) and partner-in-crime models, along with greater supply chain specialization, increase the peril.

• Metrics for ransomware attacks are both up and down. Some reports on ransomware show a threat with increasing frequency. Others show a downward trend. Sanctions imposed on Russia following its invasion of Ukraine appear to have neutralized the efficacy of Russian-based gangs.

• Strengthen defences against ransomware attacks. If 2022 is a “strategic pause” for ransomware attacks, organizations should improve their security posture and decrease their threat susceptibility for when ransomware gangs return to crime-as-usual.

• Prepare to recover after a ransomware incident. While it is almost certain that every organization will face opportunistic attackers—and perhaps determined ones too—it is not certain that every organization will become a victim of a ransomware incident.

But if that does happen, having a response protocol or recovery plan approved by the Board and ready to enact is invaluable. Lay a strong foundation now for recovery, if needed.

Published by: https://ostermanresearch.com

Osterman Research is a leading market research and consulting firm delivering insight on cybersecurity, data protection and information governance.

Published with the kind permission of Michael Sampson.