Ransomware – How Can Organizations Arm Themselves?

We’ve heard it on the news this week, Ransomware attacks are impacting the services of cities in Belgium. Unfortunately, we see this happening more often due to the high success rate of these attacks. According to Gartner, at least 3 out of 4 organizations will have to deal with at least one or more ransomware attacks before 2025, which means that it can not only happen to Stad Antwerpen, Diest, Zwijndrecht, but to all of us.

Many organizations still think that they are not interesting enough for cybercriminals. This underestimation is grist to the mill for hackers. Whether you are a distributor, food producer, researcher, bank or hospital, every organization has critical processes that depend on IT and information. And that is exactly what criminals are after.

Nowadays, artificial Intelligence technology makes attacks even more sophisticated and it is becoming increasingly difficult to distinguish fiction from non-fiction. There is an increase in the number of ransomware attacks initiated by humans rather than software. This increases the quality and therefore effectiveness of attacks. After all, people are still better able to add human ‘finesses’ that increase the credibility of messages.

We can say that the problem is major, so making sure that you are prepared for such an attack is an indispensable part of a good information security strategy. To set up and run an effective ransomware prevention strategy, a phased approach is absolutely crucial. By taking it step by step, you can make sure your priorities are met, best practices are implemented and the balance of measures is right. At Devoteam we propose a leveled approach, in which we optimize and streamline the strategy in different phases:

Protect what can be protected

Although some technology solutions pretend to have the silver bullet against ransomware, there is NOT one panacea. Preventing a ransomware attack is perhaps the most challenging thing there is, but it can be reached by building a trusted environment where people, processes and technology work in close collaboration with each other.

But what is a trusted environment with an acceptable level of cyber resilience? When drawing up a security strategy, always assume that you have already been hacked, this is also known as the Zero Trust principle. The basics in order is the minimum, think of reliable asset management and a well-functioning (risk-based) vulnerability management process. Moreover, a tight organization and administration of access rights and authentication mechanisms needs to be in place, together with network segmentation.

Adopt secure behavior

People should adopt responsible behavior to recognize risky situations both online and offline and know the tools and processes to report. Training employees to react correctly and timely follow processes can make all the difference in a ransomware outbreak. The faster you can react, the smaller the impact.

In fact, people are the key to the effectiveness of the preventative measures taken. In every aspect of the organization where people and technology work together, training is crucial to ensure that technology is used optimally and thus maintains its mitigating effect.

Detect in time

In a ransomware attack, reaction time matters. Automatically alerting is key to isolating the attack and limiting the impact as much as possible. If early detection of unusual activity automatically warns you of a possible attack, you can protect your data by taking action right away.

Since 100% protection is nearly impossible, the only alternative is to detect ransomware behavior in time, as early as possible. Implementing the right detection mechanisms for this a complex matter. Detection and Response solutions such as EDR, NDR, XDR are able to identify indicators of compromise based on the MITRE ATT&CK framework, a knowledge base of all techniques and tactics of cybercriminals. The combination with solutions that support ‘Security Orchestration, Automation and Response’ (SOAR) is certainly useful to react in a limited timeframe.

Be prepared

Besides a good level of protection, it is of the utmost importance to have a balanced plan to keep your business running in case of such an attack. Good preparation helps to order to produce a more successful outcome.

But just having a plan is not useful if it doesn’t work in real time. Support and training for all stakeholders will help them to be prepared for future crisis situations. An exercise as a training and testing ground is needed, as it successfully identifies gaps and development points across the board in order to improve the cybersecurity posture of all participating stakeholders.

A meaningful exercise should simulate large-scale cybersecurity incident scenarios. The objective is to test the readiness and capacity to tackle challenging and realistic cyber crises. This will allow you to analyse and test on the capabilities to deal with complex situations such as technical and operational cooperation, quality of information-sharing, articulation between the technical and operational levels and the correct handling of public communication.

The exercise will also confirm the need for future and frequent testing in order to continuously improve and strengthen resilience with regard to cybersecurity threats.

To pay or not to pay

The most difficult question: are you accepting to pay the ransom or not? The general advice is NOT to pay in order to stop encouraging criminals to target more victims. Paying the ransom leaves you with no guarantee of recovering your files. In fact, you may end up paying additional extortion fees and you even have the risk that criminals may share your information on the dark web, making you vulnerable to other attacks.

Removing the traces of a ransomware attack is difficult. In many cases, cybercriminals have built in backdoors that allow them to execute a second attack, or they find new ways to infiltrate.

We can say that the problem is major and therefore an indispensable part of a good information security strategy. It is important to do everything you can to prevent it and to minimize the chance of a future attack to an acceptable level. Are you ready to take your cyber resilience to the next level?