Think You Are Prepared for Ransomware? You’re Probably Not.

Ransomware has increased nearly 1100% over the last year according to FortiGuard Labs research, impacting organizations of all sizes and across all market sectors. And according to Fortinet’s State of Ransomware survey, 96% of organizations indicate that they are concerned about the threat of a ransomware attack, with 85% reporting that they are more worried about a ransomware attack than any other cyber threat. As a result, preparing for a ransomware attack has become a boardroom issue and a top priority for CISOs worldwide.

And the concern is genuine. Over two-thirds of respondents admitted to having been the target of a ransomware attack, with one in six claiming to have been attacked three or more times. Fortunately, knowing that a specific type of attack may be headed one’s way provides an opportunity to prepare.

Ninety-six percent of respondents feel they are at least moderately prepared. Their top preparedness measures include employee cyber training, ongoing risk assessment, offline data backups, and cybersecurity/ransomware insurance. But less than half includes such things as network segmentation, business continuity measures, a remediation plan, the testing of ransomware recovery methods, or red team/blue team exercises designed to identify weaknesses in security systems—all things most security experts see as crucial elements of any successful ransomware mitigation strategy.

Similarly, many critical technologies are low on the list of tools seen as essential for combating ransomware. While a secure web gateway, VPN, and network access control are at the top of the list, those tools primarily focus on the attack vectors created by remote workers. Essential tools designed to address other attack vectors, such as a secure email gateway, segmentation, UEBA, and sandboxing, are at the bottom of the list, prioritized by less than a third of respondents. And even protections for remote workers are limited, with ZTNA and SD-WAN also near the bottom of the list.

One of the most controversial topics related to ransomware is whether to pay a ransom. The FBI advises organizations not to pay, citing several reasons, including that a majority either do not recover their data after paying or find that recovered data has been corrupted and that paying simply encourages cybercriminals. The Fortinet survey showed nearly three-quarters of respondents have a ransom policy in place, and for 74%, that policy is to pay, with 24% adding a caveat that it depends on how expensive the ransom is.

Some of this may be due to most organizations in the survey claiming to have ransomware insurance in place. Some argue that having cyber insurance in place encourages ransomware victims to simply pay because ransoms are be covered by their insurers. According to one extensive report from the Royal United Services Institute for Defence and Security Studies (RUSI) in the UK, efforts are underway to either ban insurers from paying ransoms to discourage the business model driving the growth of ransomware or having insurers “withdraw coverage for ransom payments while retaining coverage for the costs of recovering from an attack, as AXA France did in May 2021.”

Take the Proper Steps to Prepare

What is clear is that there is little agreement across organizations as to what it means to be prepared for a ransomware attack. To start, organizations should follow the following five steps to help them better prepare.

1. Know what you are defending against. Organizations need to understand how ransomware organizations operate, their primary attack vectors, how their malware is inserted into their network, and what it does while there. Ransomware criminal organizations are complex coalitions of specialized actors ranging from malware developers to target acquisition specialists, financial experts who set ransoms, and money launderers who process payment. Some gangs attack organizations directly, and others sell their services online to affiliates who leverage technologies and lists of pre-compromised organizations in exchange for a cut of any profits.
2. Take preventive measures. The first step is to design vulnerabilities out of the network. This begins with implementing a stringent cyber hygiene protocol to patch and update every network device or engage in “hot patching,” whereby devices that cannot be updated are either isolated or directly protected by advanced security technologies. Network access should ensure that any device seeking admission to the network is patched and is running appropriate security software. Zero trust networking and intent-based network segmentation ensure that users and devices can only access predetermined resources, so malware cannot move laterally across the network. As ransomers are increasingly holding data hostage, threatening to release customer information or research data to the public if a ransom is not paid, it is critical that as much data as possible, especially data at rest, be encrypted. Data backups need to be kept off-network, along with any hardware required to restart the network.
3. Add essential security technologies. Technology sprawl is a problem for many organizations, fracturing visibility, complicating the process of correlating threat intelligence to detect an attack, and limiting the ability to launch a coordinated response. Not only do organizations need to select a portfolio of tools designed to protect all attack vectors, but those solutions also need to operate as part of a unified security fabric. Secure web gateways and secure email gateways are essential to detect and stop ransomware before it enters the network or lands on an end-user’s device. Advanced security tools like NGFW, EDR, XDR, UEBA, ZTNA, and Secure SD-WAN must be part of any organization’s security portfolio. And ensure that security is consistently applied everywhere, from the campus and data center to private and multi-clouds, branch offices, and every remote worker and IoT device.
4. Plan a response and then work the plan. Rapid response to ransomware can have a significant impact on how quickly an organization can recover. Detection technologies are useless if it takes IT teams too long to figure out what to do next. Response protocols need to be in place. Chains of command need to be established. Responders need to be armed with the authority required to act. Critical data and systems need to be prioritized. Walls need to automatically drop to separate infected systems from the rest of the network. Processes need to be in place to wipe infected systems and restore them with clean backups from off-network. And this all needs to be practiced regularly, ideally with an outside team of professionals.
5. Make everyone part of the security team. From the chairman of the board to the receptionist, every worker needs to undergo regular training to detect and avoid things like social engineering and phishing. Consider dividing security budgets across teams and requiring them to work together to create a cohesive security strategy. And make sure that you are actively engaged in threat sharing with others in your region and market.

These steps will go a long way towards ensuring that any organization is prepared to successfully defend itself against ransomware. We are facing what may well be an existential threat to our global digital economy, and the only way to respond is for everyone to take the time and effort to close the opportunity for ransomware actors to thrive.

Learn more about Fortinet’s NSE Training Institute free Information Security Awareness and Training Service.