How have we all come to extortion as part of annual business planning? The threat of a ransomware attack, while not always addressed, is now an acknowledged common risk factor for virtually every industry. While we can blame the challenges of threat actor attribution, the use of pseudonymous cryptocurrency, or even lax approaches to backups, the real challenge lies in our tepid acceptance of ransomware as a common business risk.
We accept it because, for the time being, it can’t be stopped. While ransomware has technically existed for years, it is only within the last three, with the rise of double and triple extortion techniques (the exfiltration of data and the emergence of leak sites), that acceptance of ransomware as a business risk has become commonplace. The line between an intrusion and a data breach was forever crossed when threat actors began stealing data, including backups, for sale on the dark web.
Unfortunately for defenders, the tools for conducting this kind of digital extortion evolved dramatically, creating an ecosystem of participants that includes network access brokers, ransom negotiators, wary cyber insurers, and ransomware-as-a-service providers with criminal profit-sharing and surprising marketing acumen. In 2021, the names and proof of compromise for 2,566 victims were publicly posted on over 30 different ransomware leak sites, marking an 85% increase compared to 2020.(1) Unfortunately for everyone else, ransomware is their business, and business is good.
Because most ransomware begins with an unsuspecting victim clicking a link, many security teams naturally focus their efforts on email security and training. Unfortunately, those measures alone are often not enough to stop attacks. Threat actors are patient, often dwelling in networks for days, even months, before executing the final stage of an attack. To truly stop ransomware, security teams must continuously improve their detection and response capabilities.
First, 24/7/365 threat monitoring is a must. The right tech stack is needed for real-time detection of genuine threats, including hard-to-detect cases, without the alert fatigue that false alarms create.
You ultimately need the capability to respond at machine speed with appropriate actions to contain a threat, such as isolating affected endpoints and rolling back unauthorized changes. If these are not part of your SecOps maturity roadmap, your organization is at higher risk of an intrusion advancing to extortion.
Best practices for response include an Incident Response program developed through advance attack planning and tabletop exercises, and the establishment of internal playbooks for dealing with a breach. The better those playbooks, kept current with the latest threat intelligence, the better your chances of fast identification and remediation.
Mature SecOps teams must master detection tooling to monitor potential access points for indicators such as unusual changes in data traffic, privilege escalation, or new account creation. With detection processes in place, SecOps teams can respond to alerts as they appear, determine alert severity for prioritization, and make adjustments or notify developers and admins.
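The three indicators named above (new account creation, privilege escalation, and an unexpected change in outbound data traffic) as simple detection rules run over a handful of log lines, plus the severity ranking used for prioritization. This is an added example, not Deepwatch code or tooling; the log lines, hosts, account names, and baseline byte counts are constructed, the line format and thresholds are assumptions, and the event IDs are loosely modelled on the Windows Security log (4720 user created, 4732 member added to a local group, 4672 special privileges assigned at logon).

```python
import re
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample log lines (not real telemetry). Assumed format:
# "<timestamp> <source> key=value ...", with quoted values allowed.
SAMPLE_LOGS = """\
2022-06-01T01:05:00Z winsec event_id=4732 host=WS22 subject=hr_admin member=newhire group=Sales
2022-06-01T02:14:03Z winsec event_id=4720 host=FS01 subject=jdoe target=svc_backup2
2022-06-01T02:14:09Z winsec event_id=4732 host=FS01 subject=jdoe member=svc_backup2 group=Administrators
2022-06-01T02:15:30Z winsec event_id=4672 host=FS01 subject=svc_backup2
2022-06-01T02:20:00Z netflow host=FS01 dst=203.0.113.7 bytes_out=120000000
2022-06-01T02:20:00Z netflow host=WS22 dst=203.0.113.7 bytes_out=20000
"""

# Hypothetical per-host history of daily outbound bytes, standing in for a
# baseline a SIEM would compute from prior weeks of traffic.
BASELINE_BYTES_OUT = {
    "FS01": [1_200_000, 900_000, 1_500_000, 1_100_000, 1_300_000],
    "WS22": [15_000, 22_000, 18_000, 25_000, 20_000],
}

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Alert:
    rule: str
    severity: str
    host: str
    detail: str


def parse_line(line):
    """Split one log line into a dict of fields; returns None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m["ts"], "source": m["source"]}
    for key, value in KV_RE.findall(m["rest"]):
        fields[key] = value.strip('"')
    return fields


def traffic_threshold(history):
    """Outbound bytes are anomalous only if they are both far outside the
    historical spread (mean + 3 sigma) and a large multiple of the mean, so a
    host with a very flat history does not alert on tiny fluctuations."""
    return max(mean(history) + 3 * pstdev(history), 10 * mean(history))


def detect(log_text):
    """Apply the three rules in order and return the alerts raised."""
    alerts = []
    new_accounts = set()  # accounts created earlier in this batch of logs
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        host = ev.get("host", "?")
        eid = ev.get("event_id")
        if eid == "4720":
            new_accounts.add(ev["target"])
            alerts.append(Alert("new_account_created", "medium", host,
                                f"{ev['subject']} created {ev['target']}"))
        elif eid == "4732" and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append(Alert("privileged_group_membership", "high", host,
                                f"{ev['member']} added to {ev['group']} by {ev['subject']}"))
        elif eid == "4672" and ev.get("subject") in new_accounts:
            # A freshly created account already holding admin-level privileges
            # is a classic precursor to ransomware staging.
            alerts.append(Alert("new_account_special_privileges", "high", host,
                                f"{ev['subject']} logged on with special privileges shortly after creation"))
        elif ev["source"] == "netflow":
            history = BASELINE_BYTES_OUT.get(host)
            bytes_out = int(ev["bytes_out"])
            if history and bytes_out > traffic_threshold(history):
                alerts.append(Alert("outbound_traffic_anomaly", "high", host,
                                    f"{bytes_out} bytes to {ev['dst']} vs baseline mean {int(mean(history))}"))
    return alerts


def prioritize(alerts):
    """Order alerts for the analyst queue: highest severity first, stable otherwise."""
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity])


if __name__ == "__main__":
    for a in prioritize(detect(SAMPLE_LOGS)):
        print(f"[{a.severity}] {a.rule} on {a.host}: {a.detail}")
```

On the constructed input, the benign group change on WS22 and WS22's normal traffic raise nothing, while FS01 produces the account-creation, group-membership, privileged-logon, and outbound-volume alerts in sequence. In a real deployment the baseline would come from the SIEM rather than a hard-coded dict, and the first three alerts would be correlated into one incident on the same host rather than handled as separate tickets.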
As ubiquitous as ransomware has become, no organization should be without this baseline capability or risk the full impact of a ransomware attack. If you don’t have those systems or people in place or are struggling with detection and response, you should consider managed detection and response services.
MDR often provides better protection from ransomware by simply adding security resources whose job is to look for it continuously and who have experience responding to intrusions. In a recent study, an astounding 81% of incident responders felt the rise of ransomware has exacerbated the stress and psychological demands of a cybersecurity incident response.(2) Deepwatch MDR services reduce that stress by providing dedicated security professionals who know the environment and the desired security outcomes of the organization.
While we may have come to accept extortion as a business reality, we don’t have to succumb to it. Good backups aren’t enough, particularly when threat actors target them, too. You want to detect and contain the threat and prevent data exfiltration in the first place. When we become competent at early detection and coordinated response throughout the attack lifecycle, we reduce risk to revenue, brand reputation, and business continuity. Last year, according to researchers at Sophos, 46% of victims claimed to have paid the ransom, while only 4% claimed to have recovered all of their data.(3) While attempted ransomware attacks may be inevitable, succumbing to them doesn’t have to be.
1) Ransomware Threat Report 2022, Palo Alto Unit 42
2) Security Incident Responder Study, IBM 2022
3) State of Ransomware 2022, Sophos