How to Protect Against Ransomware Attacks

Ransomware is a word that might strike terror in IT professionals and CEOs alike and for good reason: It can encrypt files, freeze employees out of systems and networks, and permanently lock organizations out of their data unless an exorbitant ransom is paid. While the cyberthreat has seen a steady increase over the last decade, ransomware has become particularly aggressive in recent years, with ever-increasing frequency and sophistication of attacks, as well as related costs for businesses.

According to the 2022 Verizon Data Breach Investigations Report (DBIR), ransomware accounted for 25% of breaches in 2021, a 13% year-over-year increase—greater than the previous five years combined. Ransom demands have also skyrocketed to an average of $812,360, which the 2022 Sophos State of Ransomware report said is 4.8 times more than the prior year. Shockingly, this amount is dwarfed by the average total cost of a ransomware attack, which IBM Security reports is $4.54 million due to expenses such as remediation, forensics, and legal fees, not including the ransom paid.

Recently, cybercriminals have coupled costly attacks with sophisticated double-extortion threats, warning businesses if they fail to pay the ransom, their sensitive personal, customer, and proprietary information will be published online. Security specialist Venafi found that 83% of successful ransomware attacks today feature double or triple extortion schemes, demonstrating how ransomware adversaries have become considerably more capable at pressuring companies from multiple angles.

Yet the majority of ransomware attacks can be avoided by following the basic tenets of cybersecurity: training employees in social engineering detection, protecting credentials, and shoring up vulnerabilities. Keeping cybercriminals out of your networks altogether is the best defense against ransomware and other cyberthreats. Once your company has been breached—and especially once the ransom has been paid—threat actors will return to the scene of the crime repeatedly until they can no longer access it.

Preventive Measures

The 2022 Verizon DBIR found 82% of all data breaches involve the human element and 35% of ransomware attacks originate from email. That’s why it’s critical for employees to receive security training that helps them recognize social engineering attempts, including:

• Training on red flags for scams and other social engineering tricks, such as how to spot a fraudulent phishing email—which tries to trick a recipient into clicking on a link—or malicious website. Employees also should be briefed about language that could be suspicious, such as "urgent action," too-good-to-be-true deals, or poor grammar or spelling.
• Periodic, regular phishing tests measured for their effectiveness. Dropping employees who fail phishing tests into additional training sessions does little to improve bad behavior if the same players continue to make the same mistakes. Keep track of test scores over the year, with the goal of continuously improving results. If a net improvement is not seen, a change in training programs may be warranted.
• Monthly or quarterly bulletins on cybersecurity news dispersed to all employees, partners, and contractors. Awareness of the latest phishing trends, attack vectors, and major breaches will help employees recognize the importance of continued security vigilance.

Secure Credentials Across the Business

Cybercriminals are opportunistic and will look for the most efficient method to compromise digital networks. Using stolen employee credentials, they can simply enter unobstructed. In fact, compromised credentials are the most common initial cause of breach, according to IBM’s 2022 Cost of a Data Breach report. Update password policies to block ransomware and other threat actors from abusing credentials by:

• Setting up a single sign-on service (SSO) for managing access to all software and web applications.
• Requiring a strong, complex master password for access to all work-issued devices and the SSO that consists of at least 10 characters, including upper- and lowercase letters, numbers, and symbols. Consider recommending that employees use a long passphrase with no personally identifiable information included.
• Requiring multifactor authentication—which involves a code sent separately by email or text—for all employees, contractors, and vendors to access the SSO and any virtual private networks used by remote workers.
• Remind staff not to reuse passwords across work and personal accounts.

Plug Vulnerabilities in Digital Infrastructure

While social engineering and unauthorized credentialed access are closely associated with ransomware attacks, one method of compromise is even more tightly connected: exploited vulnerabilities, especially those in desktop-sharing software known as remote desktop protocol (RDP). An estimated 40% of ransomware incidents now involve RDP, which many businesses use to manage remote IT needs. Cybercriminals also access networks via weaknesses in operating systems, web applications, and other software. To lock down any vulnerabilities or open RDP ports, follow these steps:

• Install updates/patches to operating systems, software, and firmware (including RDP) as soon as they are released.
• Change RDP passwords—especially any default admin credentials—to be strong, complex, and unique.
• Disable unused remote access/RDP ports and monitor for any unusual activity.

The Impacts of Ransomware

If ransomware adversaries are able to circumvent your security perimeter, they can launch any number of destructive attacks likely to throw the business into chaos. They might continue conducting espionage, drop additional malware, and penetrate as many files, endpoints, and servers as possible before deploying ransomware. They can also alter backup systems so they appear to run each night but are no longer saving data.

Once on business networks, ransomware encrypts data (including backups not stored in segmented servers) and freezes employees out of systems, software, and files, causing productivity loss and severing operational continuity. This underlines the importance of a comprehensive data protection program that shields data in use, at rest, and in transit.

Businesses should implement regular, automatic backups of all data to be stored as air-gapped (disconnected from the internet), password-protected copies offline that are not accessible for modification or deletion. They should also administer network segmentation and audit any user accounts with access to sensitive data according to the principle of least privilege.

There is also the issue of the ransom itself. While experts disagree on whether businesses should pay the ransom, the FBI warns against it: "Paying a ransom … encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity."

In fact, ransomware criminals no longer reliably return data to companies: the Sophos report said only 4% of businesses that pay ransom get all their data back. Rather, those that do end up paying are further victimized—60% of organizations that opted to negotiate with their attackers ended up having to pay ransom more than once.

Add the cost of ransom, lost data, remediation expenses, decreased employee output, and increased negative media attention and you get an avalanche of compounding stress for business executives and staff. All of this operational, financial, and reputational pressure on companies can take a toll, taxing employee, customer, and investor confidence, which ties into the overall health of the business. While this can result in lost profits for some organizations, other industries have higher stakes.

A 2022 Ponemon Institute study determined ransomware attacks on the healthcare industry threaten patient care and safety. An alarming 64% of healthcare organizations impacted by ransomware reported delays in procedures and tests, while 24% said there was an increase in mortality rates. Massive financial and operational burdens have even led to some businesses shutting down completely. In May 2022, Lincoln College in Illinois permanently closed its doors after 157 years due to a major ransomware incident.

What to Do If Attacked

If your business does experience a ransomware attack, there are several important steps to take to prevent further damage. Some involve the IT team isolating infected devices and networks from unaffected ones, assessing the security of data backups (and restoring clean backups to endpoints once ransomware has been completely removed), and coordinating with forensics experts, legal teams, and cyber insurance companies on whether to pay the ransom. Also, you should alert employees, partners, vendors, and customers about the attack soon after it happens.

Victims of ransomware should file a complaint with law enforcement and report incidents by contacting their local FBI field office, filing a complaint with the International Crime Complaint Center, and reporting other security incidents, such as phishing, malware, or exploited vulnerabilities with the Cybersecurity and Infrastructure Security Agency. In addition, organizations should develop a strong incident response plan to manage any potential future attacks. The report should include detailed instruction on role assignments, communication protocols and platforms, prepared statements for the press, and prioritized mitigation steps.

With awareness of cybersecurity best practices and diligence in protecting against the most common threat vectors, businesses can secure their data, devices, finances, and future from ransomware attacks.