
How to reduce the impact of ransomware attacks

There is usually not much good to be found in cybersecurity news, but here is something encouraging: the Sophos State of Ransomware 2024 report, based on a survey of 5,000 IT and cybersecurity executives across 14 countries in January and February 2024, shows that ransomware attacks have generally decreased or remained at the same level compared to the 2023 report.

While respondents with revenues of $500 million to $1 billion experienced the same number of ransomware attacks at 67%, companies with revenues over $5 billion saw their number of incidents drop year-over-year from 72% to 67%. As you can see in the graph below, small businesses (those with revenues of less than $10 million per year) saw a significant drop from 58% to 47%.

As we recently reported, nearly all organizations affected by ransomware in the Sophos survey were able to identify the root cause of their incident. Software vulnerabilities emerged as the most successful initial attack vector for the second survey in a row. In addition, email was identified as the initial attack vector by 34% of respondents, with about twice as many incidents starting with a malicious email (i.e., a message with a malicious link or attachment that downloads malware to the target endpoint) as with phishing. Sophos points out that phishing is typically used to steal credentials and can therefore be considered the first step of an attack based on compromised credentials.

While a decline or even stagnation in ransomware attacks is welcome news, ransomware remains a significant threat to organizations of all sizes worldwide. And while the overall attack rate has dropped over the past two years, the impact of an attack on its victims has increased. Defenders must keep up, because attackers are constantly evolving their techniques. And let’s face it: more than 60% of organizations being hit by a significant ransomware attack is no reason to relax.

Now that we’ve examined what went wrong with ransomware defense, let’s look at how organizations can better protect themselves.

Better vulnerability management and MFA

If we want to see fewer successful ransomware attacks next year, organizations need to quickly take some meaningful steps toward better defense. Since software vulnerabilities are the most successful attack vector, it makes sense to invest more effort in patch management and attack surface management. Second, rolling out multi-factor authentication (MFA) will go a long way toward protecting against attacks that rely on compromised credentials.

Rely on Zero Trust and strengthen security awareness

Many organizations would benefit from moving to a zero-trust architecture, which makes it harder for attackers to gain access in the first place. And should they manage to penetrate an environment, it will be much harder for them to move laterally within it. Finally, Sophos suggests prioritizing ongoing training to raise user security awareness and improve the ability to recognize phishing emails.

Agile Security

Motivated attackers will always look for other ways to succeed, which is why a comprehensive and flexible security program is essential so that organizations can respond effectively as attackers change their methods. Such a security program adequately protects endpoints, email, applications, cloud systems, and networks. Consider features such as TLS inspection. With respect to email, multi-layered filtering and sandboxing of attachments should also be considered.


It is also not enough to simply deploy antimalware and various firewall technologies and then let them run unchecked. Security measures must be continuously monitored and kept optimally tuned and configured. Regular updates of software, operating systems and firmware help close the known vulnerabilities exploited by ransomware. Consider using a managed detection and response service for 24/7 threat monitoring, threat hunting and incident response. Of course, even the best defenses fail from time to time. If an organization is to be resilient to ransomware, it must be able to detect and respond to ransomware attacks adequately. Detection technologies range from traditional signature-based detection to behavior-aware network traffic analysis. More esoteric detection techniques include honeypot files placed on endpoints as bait for ransomware: unauthorized changes to those files may indicate ransomware or other types of attack.
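As an added illustration of the honeypot-file technique mentioned above (example code written for this page, not part of the original article or of any Sophos product), the following Python sketch plants a canary file in each watched directory, records a baseline, and reports when a canary is modified, deleted or renamed. The file name, contents and tampering scenario are constructed assumptions.

```python
import hashlib
import os
from pathlib import Path

# Assumed canary name; a leading "0000-" is meant to sort early in directory listings.
CANARY_NAME = "0000-canary-do-not-open.docx"
CANARY_BYTES = b"Canary document. Any change to this file is an incident signal.\n" * 16

def plant_canaries(dirs):
    """Write one canary file into each watched directory and return their paths."""
    paths = []
    for d in dirs:
        p = Path(d) / CANARY_NAME
        p.write_bytes(CANARY_BYTES)
        paths.append(p)
    return paths

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(paths):
    """Record size and content hash per canary; in practice keep this copy off the host."""
    return {str(p): {"sha256": sha256_of(p), "size": os.path.getsize(p)} for p in paths}

def check_canaries(baseline):
    """Compare current state with the baseline; return (path, event) alerts."""
    alerts = []
    for path, rec in baseline.items():
        p = Path(path)
        if not p.exists():
            # Encryptors commonly rename victims with a new extension; look for that sibling.
            suspects = [s.name for s in p.parent.glob(p.name + ".*")] if p.parent.exists() else []
            note = f" (possible rename: {suspects})" if suspects else ""
            alerts.append((path, "missing" + note))
        elif os.path.getsize(p) != rec["size"] or sha256_of(p) != rec["sha256"]:
            alerts.append((path, "content changed"))
    return alerts

def demo():
    """Constructed scenario in a temp dir: clean check, then overwrite, then rename."""
    import tempfile
    paths = plant_canaries([tempfile.mkdtemp()])
    base = take_baseline(paths)
    clean = check_canaries(base)
    paths[0].write_bytes(b"not the original content")          # simulated overwrite
    changed = check_canaries(base)
    paths[0].rename(paths[0].with_name(paths[0].name + ".locked"))  # simulated rename
    return clean, changed, check_canaries(base)

if __name__ == "__main__":
    print(demo())
```

A real deployment would run `check_canaries` on a short schedule or from a file-system watcher and forward alerts to the SIEM or EDR console rather than printing them.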

Protected backups

Organizations need to perform regular offline backups and ensure that these backups are well protected from attack, because ransomware attackers often target backups. In addition, such backups should be tested and validated regularly to ensure that they are intact and that restoring systems from them works properly.

The will to adapt

Ultimately, ransomware attackers are constantly optimizing their tactics, and the environment of almost every organization is constantly changing. Security strategies must therefore be regularly reviewed and adapted to current conditions. While there is no guaranteed way to completely avoid falling victim to a ransomware attack, focusing on prevention, appropriate response and recovery, and adjusting your security program when necessary can go a long way toward resilience.