The benefits of implementing a multi-layered ransomware defense strategy
Ransomware is becoming a risk that UK organizations cannot afford to take, with rising financial and operational costs. A staggering 75 percent of UK organizations were targeted by ransomware in 2021, and where these attacks were successful, most (82 percent) paid the ransom. This makes the UK the most likely country in the world to make ransom payments. As cybercriminal strategies evolve to bypass traditional network-based defenses, a multi-layered ransomware defense strategy is vital for organizations to protect their mission-critical data.
First, it’s important for us to understand the typical defense strategies that attackers have adapted to, in order to appreciate the rationale for the boost in cyber protection. And, we need to understand the rising costs of these incidents, to prove the business value of initiatives that are aimed at prioritizing prevention and detection of cyber-attacks before they occur. It’s not just a quick fix -- failure to implement these solutions can affect your profitability, reputation and even put your company out of business.
An exponential rise in ransomware incidents
High-profile ransomware attacks are becoming increasingly prevalent, such as the attack on KP Snacks and the Foreign Office attack, which cost nearly £500,000 to resolve. These attacks show the threat is real, and that no industry is safe.
In addition to the rise in attack frequency, costs are escalating rapidly, with Sophos’ State of Ransomware Report 2021 showing the average ransomware recovery cost is now $1.85 million. Even more concerning, in the interest of business continuity and the necessity of restoring their mission-critical operations, more organizations are accepting attackers’ demands.
Know your enemy
Understanding how ransomware works is key to putting strategies in place to thwart potential attacks. By finding vulnerabilities in corporate IT infrastructure and capitalizing on gaps in user awareness, ransomware is a form of malware that can spread throughout the tech ecosystem. Actively targeting weaknesses and uninformed end users is its typical route -- opportunities to do this have surged as a result of 'working from anywhere' workstyles that impact network security with rapidly-evolving device configurations and end-points, utilization of personal networks, and workers’ more cavalier approach to cyber-security in their home environments. Alarmingly, most ransomware transmission still occurs via classic phishing emails and visits to infected websites.
Users are typically notified upon infection via a pop-up notification that their files have been encrypted, and receive a request for immediate payment. The encrypted file from an infected user’s account syncs to the cloud and his or her productivity ceases immediately. Without a multi-layered ransomware defense strategy in place, many businesses concede defeat to quickly resume access to their files and pay the ransom.
However, the impact of an attack on an organization doesn’t just stop there -- a ripple effect runs through the business, with organizations needing to conduct event impact debriefs, laboriously analyze their backup files, and even perform manual backups to restore data. On average, this can take three weeks or more to see through. During that recovery period, attackers remain in active pursuit of additional infrastructure vulnerabilities, which means the nightmare usually isn’t over. And, we also need to be mindful that the company is negotiating with a cyber-criminal, who may or may not be negotiating in good faith.
Evolving complexity of ransomware
Even with robust security procedures in place, attacks are often impossible to avoid. Attackers can alter encryption methods, for instance, by adjusting the speed of the encryption process to render their malware less predictable. This means that infection volume is below the threshold of traditional detection software. A typical cybersecurity tactic, such as randomizing the file overwriting process and making ransomware 'dormant' for a defined time period, can make ransomware harder to detect.
Now that organizations’ workers are more security-savvy about email links, hackers have evolved their tactics to attach files to emails instead. The malware presents as a common file type (.doc, .pdf, .xls or ZIP file), but initiates a ransomware script when it’s opened.
Therefore, a multi-layered ransomware defense strategy that uses a combination of methods, including multi-factor authentication, security awareness training and specialized ransomware detection technology, is the best way to protect businesses' most important assets.
Maximizing ransomware protection
These practical recommendations can supplement an organization's defense-in-depth strategy and help to prevent ransomware infections:
- Always utilize multi-factor authentication (MFA)
- Adopt a robust security awareness training program, for induction and at regular intervals
- Employ a zero-trust policy -- restrict users’ file access to content based on their 'need to know'
- Implement software patches immediately and work with trusted third-party vendors
- Investigate dedicated ransomware detection solutions
Early detection is the best protection
Early detection is key to avoiding ransomware threats. An effective, multi-layered ransomware defense strategy will utilize machine learning algorithms to monitor, detect and alert for suspicious activity. This means monitoring for anomalies, such as inconsistent file types. They can also spot evidence of an infection like file extensions that may have changed or include known ransomware signatures, or 'ransom notes.'
If irregularities are found, the administrator would immediately be alerted, so that they can block all affected user accounts, helping to contain ransomware before it propagates. Identifying every encrypted file and tracing the infection back to its source helps to prevent the spread. Whilst containing the damage, that approach also helps to minimize data loss.
Making a quick recovery
It’s best to choose a cybersecurity solution that has disaster recovery built into its content architecture and doesn’t rely on external backup services. With frequent file snapshots made as changes occur, tech teams can easily restore to the latest clean version of files, without compromising sensitive data. If ransomware can be thwarted on a granular level, no valuable data is lost, and business operations will continue with minimal downtime.
Your best defense might be table stakes to a cyber-attacker
Attackers have wised up to the deficiencies of commonplace security offerings, such as antivirus software, firewalls, secure email and web gateways, and intrusion prevention systems (IPS). Deployed as point solutions that aren’t aligned with comprehensive security strategies, they no longer provide organizations with a robust defense, as they did before. You can have the most solid backup plan, as well as first-class employee training and up-to-date security software, but ransomware can mutate, making it impossible to detect through traditional signature-based tactics. If multiple layers of defense aren’t built into your data protection -- including anomaly detection, account blocking and version control measures -- threat actors will find their way in, and your company’s productivity and financial stability could be jeopardized.
Neil Jones, CISSP, is Director of Cybersecurity Evangelism at Egnyte. Neil has extensive sales, client relationship development and management experience -- combining strong technical knowledge with digital marketing and social media techniques that drive engagement, responses and sales pipeline. Before joining Egnyte, Neil held roles at HCL Software, IBM and Aditi Technologies.