How to be Ransomware Ready in Four Steps

2021 was a breakout year for ransomware, growing 105% and exceeding 623.3 million attacks, according to SonicWall’s 2022 Cyber Threat Report. Additional research from Sophos showed that ransom payments increased to an average of $812,360 in 2021, while the average cost to remediate an attack was $1.4 million. For nearly all (90%) organizations affected by a ransomware attack, the attack impacted their ability to operate, causing a loss of business or revenue for 86% of ransomware victims.

With attacks originating from both sophisticated adversaries and script kiddies hitting random targets, preparedness and response are increasingly important—and complicated—as ransomware tactics continue to evolve rapidly. While in the past ransomware primarily encrypted data, double extortion ransomware attacks both encrypt the data and steal it, exfiltrating a copy before encryption. Cybercriminals use this copy as a second way to extort money from victims or to increase their leverage in getting the ransom paid.

Unfortunately, even organizations that have paid the ransom may still see their data leaked publicly. Triple extortion ransomware attacks also occur; in this scenario, attackers demand payment not only from the original victim but also from anyone who might be affected by the leak—such as partners, patients, and customers.

To be ready for these types of ransomware attacks, we need to be ready for each aspect of them. Here are four key steps organizations can implement before a ransomware attack occurs:

1. Collect and Store Relevant Forensic Data

Forensic data is essential for investigating a cyberattack, which is why that data is essential for responding to both aspects of a double extortion ransomware attack:

● Data recovery — Forensic data allows you to understand how the threat actor gained access and what malicious activities they conducted. This is crucial so that you can secure the system before recovering your data.
● Data theft/leakage — Forensic data helps you better understand what data was leaked (or wasn’t). Sometimes, attackers claim to have data they do not, and an investigation can prove that. Even if the attackers do have sensitive data, knowing exactly what they have and how they got it allows your organization to better manage the crisis, including aspects such as ransom negotiation, legal notifications, and identifying and implementing other compensating controls.

To investigate and respond to ransomware incidents, you need to collect and store relevant forensic data. Start with an analysis that identifies the digital assets that, if compromised, would have a significant negative impact on your business. Next, find the pathways and intermediate digital assets that a cyberattacker is likely to compromise in their efforts to reach those critical assets. Then simulate a critical incident along those pathways and verify that you are collecting the right data, and retaining it long enough, to reconstruct each step.
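The verification in the last sentence can be scripted. The following Python example is added here and is not part of the original article or of Mitiga's tooling; the log source names, the attack pathway, the retention values and the dwell time are constructed assumptions. It takes the systems an attacker would likely traverse to reach a critical asset, the telemetry needed to reconstruct each step, and the current collection configuration, and reports every step whose evidence would be missing or already rotated out for an incident discovered a given number of days after the intrusion began.

```python
"""Forensic-readiness check (illustrative, constructed data).

Given an attack pathway toward a critical asset and the log sources currently
collected, report every step whose evidence would be unavailable for an
incident detected `dwell_days` after the intrusion began, either because the
source is not collected at all or because its retention is shorter than the
dwell time. Source names, pathway and retention values are assumptions."""

from dataclasses import dataclass


@dataclass
class LogSource:
    name: str
    collected: bool
    retention_days: int


@dataclass
class PathwayStep:
    asset: str       # system the attacker passes through on the way to the target
    evidence: str    # log source needed to reconstruct activity on that system


@dataclass
class ReadinessGap:
    asset: str
    evidence: str
    reason: str


# Constructed collection configuration (hypothetical source names).
COLLECTION = {
    "vpn_auth": LogSource("vpn_auth", collected=True, retention_days=365),
    "endpoint_edr": LogSource("endpoint_edr", collected=True, retention_days=30),
    "ad_security": LogSource("ad_security", collected=True, retention_days=90),
    "file_server_audit": LogSource("file_server_audit", collected=False, retention_days=0),
    "backup_console": LogSource("backup_console", collected=True, retention_days=14),
}

# Constructed pathway: the systems an intruder would most likely traverse to
# reach the backup server that protects the critical asset.
PATHWAY = [
    PathwayStep("vpn_gateway", "vpn_auth"),
    PathwayStep("user_workstation", "endpoint_edr"),
    PathwayStep("domain_controller", "ad_security"),
    PathwayStep("file_server", "file_server_audit"),
    PathwayStep("backup_server", "backup_console"),
]


def find_gaps(pathway, collection, dwell_days):
    """Return the pathway steps whose evidence would not be available for an
    incident whose earliest activity was dwell_days before detection."""
    gaps = []
    for step in pathway:
        source = collection.get(step.evidence)
        if source is None or not source.collected:
            gaps.append(ReadinessGap(step.asset, step.evidence, "not collected"))
        elif source.retention_days < dwell_days:
            gaps.append(ReadinessGap(
                step.asset, step.evidence,
                f"retention {source.retention_days}d is shorter than "
                f"the {dwell_days}d dwell time"))
    return gaps


def is_ready(pathway, collection, dwell_days):
    """True when every step of the pathway can be reconstructed."""
    return not find_gaps(pathway, collection, dwell_days)


if __name__ == "__main__":
    # Simulate an incident discovered 45 days after initial access.
    for gap in find_gaps(PATHWAY, COLLECTION, dwell_days=45):
        print(f"{gap.asset:18} {gap.evidence:18} {gap.reason}")
```

Running the check with a longer dwell time than the one used in the simulated incident is the interesting case: a source that is collected but kept only for two weeks still leaves a gap if the intruder was inside for six, which is why retention belongs in the readiness analysis alongside collection.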

2. Test and Maintain Data Recovery and Incident Response Plans

Having tested backups with a tested and efficient recovery plan completely negates the first aspect of the ransomware (data encryption), making it easy to recover lost data and allowing you to focus your energy on the second aspect of ransomware (potential data leakage). Sometimes this focus allows you to completely avoid a ransomware payment or substantially reduce it.

An incident response plan (IRP) creates a set of tools for you to use and processes to follow if a ransomware attack occurs. Many organizations do not regularly review their response plan to ensure that it aligns with their business, compliance, and regulatory requirements. Testing and maintaining an IRP helps you prepare for some of the most stressful aspects of ransomware, such as:

● How will you negotiate with an attacker? Do you need an experienced ransomware negotiator?
● How will you pay a ransom? Do you have the funds available? Do you know how to complete the payment (often required in bitcoin)?
● Which external stakeholders need to be involved in making decisions? Common ransomware attack stakeholders include ransomware negotiators, internal and external legal and communications teams, regulatory compliance entities, and cyber insurance providers.

3. Carry out Readiness Drills and Functional Exercises

It is essential to make sure that your readiness activities actually work. You need to do drills and exercises to test the overall response, the investigation phase, the recovery process and so on. To do this, make sure your technical and executive stakeholders carry out readiness drills and functional exercises. If these teams are well trained and have practiced running through attack scenarios, it will reduce the stress involved in a ransomware attack and enable you to make decisions more calmly and deliberately. This, in turn, will help you get back to business as usual more quickly.

Just remember, attack groups, technologies, teams and requirements are all constantly changing. Regular drills will help you ensure that your organization is ready for ransomware and other cyberattacks regardless of these changes.

4. Conduct Proactive Threat Hunts

The preceding steps all help you increase your ransomware readiness, but hunts may help you avoid a ransomware attack altogether by identifying it before it is triggered. Proactive threat hunts identify initial access or dormant threats before the actual ransomware attack takes place. On top of that, proactive threat hunts also exercise your detection and investigation capabilities, as the previous step recommends, and thereby supply another level of readiness. Run hunts regularly based on new ransomware attack tactics and technologies, then update your hypotheses. This helps you adapt to changing threats and to changes in your own environment as well.
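A hunt hypothesis is only useful once it is expressed as a query over the telemetry you actually collect. The following Python example is added here and is not from the article or from Mitiga; the hosts, paths, dates, byte counts and thresholds are constructed sample data. It runs two defensive hunt hypotheses drawn from the behaviours the article describes: a host rewriting many files across several directories in a short window (the encryption phase), and a host whose outbound volume far exceeds its own baseline (a copy of the data leaving before a double extortion demand). The thresholds are assumptions to tune against your own environment's baseline.

```python
"""Two proactive hunt hypotheses over constructed sample telemetry.

Hypothesis 1: a host rewrites an unusually large number of distinct files
across several directories within a short window (consistent with the
encryption phase). Hypothesis 2: a host's daily outbound volume far exceeds
its own baseline (consistent with a copy of the data being taken before a
double-extortion demand). Hosts, paths, dates, byte counts and thresholds are
constructed assumptions, not real data."""

from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed file-audit events: (timestamp, host, action, path).
FILE_EVENTS = [
    ("2022-03-01T09:00:00", "ws-07", "write", "/share/finance/q1.xlsx"),
    ("2022-03-01T09:00:02", "ws-07", "write", "/share/finance/q2.xlsx"),
    ("2022-03-01T09:00:03", "ws-07", "write", "/share/hr/headcount.docx"),
    ("2022-03-01T09:00:04", "ws-07", "write", "/share/hr/contracts.docx"),
    ("2022-03-01T09:00:05", "ws-07", "write", "/share/legal/nda.pdf"),
    ("2022-03-01T09:00:06", "ws-07", "write", "/share/legal/msa.pdf"),
    ("2022-03-01T10:15:00", "ws-12", "write", "/share/finance/q1.xlsx"),
    ("2022-03-01T10:15:30", "ws-12", "read", "/share/legal/nda.pdf"),
    ("2022-03-01T14:40:00", "ws-12", "write", "/share/finance/q1.xlsx"),
]

# Constructed daily outbound byte counts per host: (date, host, bytes_out).
NET_DAILY = [
    ("2022-02-24", "srv-files", 1_000_000_000),
    ("2022-02-25", "srv-files", 1_000_000_000),
    ("2022-02-26", "srv-files", 1_000_000_000),
    ("2022-02-27", "srv-files", 1_000_000_000),
    ("2022-02-28", "srv-files", 1_000_000_000),
    ("2022-03-01", "srv-files", 30_000_000_000),
    ("2022-02-24", "ws-12", 50_000_000),
    ("2022-02-25", "ws-12", 60_000_000),
    ("2022-02-26", "ws-12", 55_000_000),
    ("2022-02-27", "ws-12", 70_000_000),
    ("2022-02-28", "ws-12", 40_000_000),
    ("2022-03-01", "ws-12", 65_000_000),
]


def hunt_mass_rewrite(events, window_seconds=60, min_files=5, min_dirs=3):
    """Hypothesis 1. Return {host: (files, dirs)} for hosts that wrote at
    least min_files distinct files spanning at least min_dirs directories
    inside any window_seconds-long window (sliding two-pointer window)."""
    writes = defaultdict(list)
    for ts, host, action, path in events:
        if action == "write":
            writes[host].append((datetime.fromisoformat(ts), path))
    hits = {}
    window = timedelta(seconds=window_seconds)
    for host, rows in writes.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            paths = {p for _, p in rows[start:end + 1]}
            dirs = {p.rsplit("/", 1)[0] for p in paths}
            if len(paths) >= min_files and len(dirs) >= min_dirs:
                hits[host] = (len(paths), len(dirs))
                break  # one confirmed window is enough to raise the host
    return hits


def hunt_outbound_spike(daily, factor=5.0, min_bytes=100_000_000):
    """Hypothesis 2. Return {host: (date, ratio)} for hosts whose outbound
    volume on some day was at least min_bytes and more than factor times the
    host's own median daily volume (the median keeps a single spike from
    dragging the baseline up with it)."""
    by_host = defaultdict(list)
    for date, host, bytes_out in daily:
        by_host[host].append((date, bytes_out))
    hits = {}
    for host, rows in by_host.items():
        baseline = median(b for _, b in rows)
        for date, bytes_out in rows:
            if bytes_out >= min_bytes and bytes_out > factor * baseline:
                hits[host] = (date, bytes_out / baseline)
    return hits


def run_hunts(events=FILE_EVENTS, daily=NET_DAILY):
    """Run both hypotheses and return the hosts each one raised."""
    return {
        "mass_rewrite": hunt_mass_rewrite(events),
        "outbound_spike": hunt_outbound_spike(daily),
    }


if __name__ == "__main__":
    for hypothesis, hosts in run_hunts().items():
        print(hypothesis, hosts or "no hits")
```

Each hypothesis is a small, self-contained function so that it can be re-run on a schedule and its thresholds revised as your own baseline shifts, which is the "update your hypotheses" loop the step describes. A hit is a lead for the investigation process from step 1, not a verdict: the same file-audit and network telemetry the hunt reads is what lets you confirm or dismiss it.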

Build Ransomware Readiness

Ransomware attacks are likely to continue because they are easy, the risk to attackers is low and the reward is high. It is an ongoing challenge to secure increasingly complex on-premises, hybrid and cloud environments, and attackers need just one way in. Keeping them all out is a virtual impossibility, even for the best security team with the best technology.

Taking a proactive approach by building ransomware readiness through these steps can help your organization manage risk and return to business as usual quickly, even after a critical ransomware incident.

Ofer Maor

Ofer Maor is a leading technology expert and entrepreneur with over twenty years of experience in information technology and security. In the past two decades, Ofer has helped successful security companies build and deliver technology innovation and products. His responsibilities ranged from hands-on technology research, development, networking, IT and (ethical) hacking, through product building, strategy, marketing and sales, and all the way to M&A of multiple companies. In his current position at Mitiga, Ofer is reshaping how organisations prepare for and deal with breaches, focusing on the new era of attacks across cloud, multi-cloud and hybrid-cloud environments. In the last few years, Ofer was part of an exciting journey with Synopsys (SNPS), to become the leader in Software Security & Quality through the acquisition and integration of various leading technologies and solutions in this space. This journey offered him a unique point of view into how technologies are built, sold, and achieve market domination. Prior to Synopsys, Ofer founded several security technology companies. As Founder and CTO of Seeker, now acquired by Synopsys, Ofer pioneered IAST, the next generation of application security testing technology, currently used by some of the largest organizations in the world to continuously improve their software security. Prior to Seeker, Ofer was the Founder and CTO of Hacktics, a world-leading security services group, later acquired by Ernst & Young. Ofer was previously the leader of Imperva's Application Defense Center research group and has also served as the Chairman of OWASP Israel and in the OWASP Global Membership Committee.
