- Sophisticated ransomware attacks are on the rise and evolving quickly.
- Executives want reassurance but are not ready to write a blank check. We need to provide targeted and justified improvements.
- Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in hours, which makes recovery a grueling challenge.
Our Advice
Critical Insight
- Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
- Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
- Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.
Impact and Result
- Conduct a thorough assessment of your current state; identify potential gaps and assess the possible outcomes of an attack.
- Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protections and detection to reduce your attack surface.
- Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
- Overall Impact: 9.4/10
- Average $ Saved: $71,915
- Average Days Saved: 29

Client | Experience | Impact | $ Saved | Days Saved | Comment |
---|---|---|---|---|---|
Alfred H. Knight Holding | Workshop | 10/10 | $17,100 | 20 | |
Central University of Technology | Workshop | 10/10 | $822K | 110 | The kill chain was very much eye opening. The controls that are in place, their effectiveness, and the gaps we need to close. |
CPA Alberta | Guided Implementation | 8/10 | $2,000 | 2 | Got a few good ideas from Frank which we will incorporate into the next tabletop exercise. I have talked to Frank a few times over the years and he... |
Children's Hospital Colorado | Guided Implementation | 9/10 | $32,195 | 5 | |
Columbia Mutual Insurance Company | Guided Implementation | 10/10 | $2,466 | 2 | |
Toronto Community Housing Corporation | Guided Implementation | 9/10 | $23,500 | 9 | |
AC Ocean Walk, LLC dba Ocean Casino Resort | Workshop | 9/10 | N/A | N/A | The only negative that comes to mind is I feel like going over the MITRE items could've been a bit more streamlined, but it's a small complaint, it... |
JSJ Corporation | Guided Implementation | 10/10 | $34,250 | 120 | The best part is the expert guidance and support that goes along with the tools Infotech supplies. It has saved JSJ IT staff countless hours and h... |
The Goodyear Tire & Rubber Company | Guided Implementation | 8/10 | $137K | 9 | Good knowledge. |
Arizona Department of Revenue | Workshop | 10/10 | $8,220 | 47 | The best parts of our experience were the time spent with team members and Andy gathering the tasks and items we need to do/prioritize/implement fo... |
Wonderbrands Inc | Guided Implementation | 10/10 | $10,000 | 20 | |
Lee County Clerk of Courts | Workshop | 9/10 | N/A | 105 | Michel was a fantastic facilitator. He was able to keep everyone calm, while discussing sensitive issues. He was also able to lend his expertise an... |
Goodville Mutual | Guided Implementation | 7/10 | $11,699 | 10 | |
Children's Hospital Colorado | Guided Implementation | 10/10 | $64,999 | 20 | |
Halifax Port Authority | Guided Implementation | 10/10 | $47,500 | 50 | Michel is a valued cybersecurity advisor for Board/Executive level and IT strategic and tactical operations. We very much appreciate Michel making ... |
Goodwill Industries of South Florida | Guided Implementation | 10/10 | $2,209 | 2 | |
Celeros Flow Technology, LLC | Guided Implementation | 9/10 | $12,999 | 20 | The templates and advice were easy to follow and complete. Good feedback on its use. |
Utah Transit Authority | Workshop | 10/10 | $64,999 | 29 | The Cyber Resiliency Workshop allowed us to measure our controls' maturity at this point and confirmed that the systems and processes we have been ... |
American University in Cairo | Guided Implementation | 9/10 | $123K | 5 | Michel has excellent knowledge of the requested topic and provided me with great and valuable information to fill the gaps AUC have. |
ISCO | Workshop | 10/10 | N/A | 35 | Our advisor was well-versed and very polished in sharing his experience with us. While the blueprint alone was a good tool to give us direction, hi... |
Goodwill Industries of South Florida | Guided Implementation | 10/10 | $2,519 | 2 | |
Continental Automotive Systems | Guided Implementation | 10/10 | $25,829 | 23 | My estimates are a guess today. |
AgHeritage Farm Credit Services d/b/a Insight Technology Unit (ITU) | Workshop | 9/10 | $10,000 | 10 | Extremely beneficial |
County of Placer | Guided Implementation | 10/10 | $55,249 | 20 | The analyst, Michel Hebert, has tremendous experience in the subject area (ransomware readiness/ransomware response playbook.) Working with him cat... |
Government of Nunavut | Guided Implementation | 10/10 | $1M | 50 | Luck of planning |
Northern Ontario School of Medicine | Guided Implementation | 10/10 | $2,000 | 5 | |
Eswatini Railway | Guided Implementation | 9/10 | $8,752 | 20 | The SME is knowledgeable on the subject and was able to guide us on the maturity assessment and putting plans to close the gaps. We also reviewed... |
Guide Dogs for the Blind Inc. | Workshop | 10/10 | $20,159 | 10 | Effective way to cover the topic in a concise amount of time, with clear and actionable follow up plans. It is hard to schedule for four consecutiv... |
Public Utilities Commission of Ohio | Guided Implementation | 9/10 | $34,649 | 10 | The tools that InfoTech provided for creating a ransomware incident response plan were awesome. Getting John Annand to assist us with the tools an... |
Jamaica Civil Aviation Authority | Guided Implementation | 10/10 | $31,499 | 20 | This process has managed to bring our small team closer together and helped to reduce the Voodoo fog associated with a structured Team response to... |
Workshop: Build Resilience Against Ransomware Attacks
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Assess ransomware resilience
The Purpose
- Set workshop goals, review ransomware trends and risk scenarios, and assess the organization’s resilience to ransomware attacks.
Key Benefits Achieved
- Develop a solid understanding of the likelihood and impact of a ransomware attack on your organization.
- Complete a current state assessment of key security controls in a ransomware context.
Activities
- Review incidents, challenges, and project drivers.
- Diagram critical systems and dependencies and build risk scenario.
- Build ransomware risk scenario.
Outputs
- Ransomware Resilience Assessment
- Ransomware Risk Scenario
Module 2: Protect and detect
The Purpose
- Improve your capacity to protect your organization from ransomware and detect attacks along common vectors.
Key Benefits Achieved
- Identify targeted countermeasures that improve protection and detection capabilities.
Activities
- Assess ransomware threat preparedness.
- Determine the impact of ransomware techniques on your environment.
- Identify countermeasures to improve protection and detection capabilities.
Outputs
- Targeted ransomware countermeasures to improve protection and detection capabilities.
Module 3: Respond and recover
The Purpose
- Improve your organization’s capacity to respond to ransomware attacks and recover effectively.
Key Benefits Achieved
- Build response and recovery capabilities that reduce the potential business disruption of successful ransomware attacks.
Activities
- Review the workflow and runbook templates.
- Update/define your threat escalation protocol.
- Define scenarios for a range of incidents.
- Run a tabletop planning exercise (IT).
- Update your ransomware response workflow.
- Update your ransomware response runbook.
Outputs
- Security incident response plan assessment
- Tabletop test (IT)
- Ransomware workflow and runbook
Module 4: Improve ransomware resilience
The Purpose
- Identify prioritized initiatives to improve ransomware resilience.
Key Benefits Achieved
- Identify the role of leadership in ransomware response and recovery.
- Communicate workshop outcomes and recommend initiatives to improve ransomware resilience.
Activities
- Run a tabletop planning exercise (Leadership).
- Identify initiatives to close gaps and improve resilience.
- Review broader strategies to improve your overall security program.
- Prioritize initiatives based on factors such as effort, cost, and risk.
- Review the dashboard to fine-tune your roadmap.
- Summarize status and next steps in an executive presentation.
Outputs
- Ransomware resilience roadmap and metrics
- Tabletop test (leadership)
- Completed ransomware resilience roadmap
- Ransomware resilience assessment
- Ransomware resilience summary presentation
Build Ransomware Resilience
Prevent ransomware incursions and defend against ransomware attacks
EXECUTIVE BRIEF
Executive Summary
Your Challenge
Ransomware is a high-profile threat that demands immediate attention:
- Sophisticated ransomware attacks are on the rise and evolving quickly.
- Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.
- Executives want reassurance but aren't ready to write a blank check. Improvements must be targeted and justified.
Common Obstacles
Ransomware is more complex than other security threats:
- Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
- Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
- Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.
Info-Tech's Approach
To prevent a ransomware attack:
- Conduct a thorough assessment of your current state, identify potential gaps, and assess the possible outcomes of an attack.
- Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protection and detection to reduce your attack surface.
- Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.
Info-Tech Insight
Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recover quickly.
Analyst Perspective
Ransomware is an opportunity and a challenge.
As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls as you do now.
The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy an attack, and attacks have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.
Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.
Michel Hébert
Research Director, Security and Privacy
Info-Tech Research Group
Ransomware attacks are on the rise and evolving quickly.
Three factors contribute to the threat:
- The rise of ransomware-as-a-service, which facilitates attacks.
- The rise of crypto-currency, which facilitates anonymous payment.
- State sponsorship of cybercrime.
Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.
A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout from attacks during this period.
Total ransom money collected (2015 – 2021): USD 2,592,889,121
The frequency and impact of ransomware attacks are increasing
Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.
Sophos commissioned a vendor agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.
The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.
- 66%: Hit by ransomware in 2021 (up from 37% in 2020)
- 90%: Ransomware attack affected their ability to operate
- $812,360 USD: Average ransom payment
- $4.54M: Average remediation cost (not including ransom)
- One month: Average recovery time
Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.
Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as reasons why they didn't anticipate an attack.
While these elements can help recover from an attack, they don't prevent it in the first place.
Sources: Sophos, State of Ransomware (2022); IBM, Cost of a Data Breach (2022).
The 3-step ransomware attack playbook
- Get in
- Spread
- Profit
At each point of the playbook, malicious agents need to achieve something before they can move to the next step.
Resilient organizations look for opportunities to:
- Learn from incursions
- Disrupt the playbook
- Measure effectiveness
Initial Access / Execution | Privilege Escalation / Credential Access | Lateral Movement / Collection | Data Exfiltration | Data Encryption |
---|---|---|---|---|
Deliver phishing email designed to avoid spam filter. Launch malware undetected. | Identify user accounts. Target an admin account. Use brute force tactics to crack it. | Move through the network and collect data. Infect as many critical systems and backups as possible to limit recovery options. | Exfiltrate data to gain leverage. | Encrypt data, which triggers alert. Deliver ransom note. |
Ransomware is more complex than other security threats
Ransomware groups thrive through extortion tactics.
- Traditionally, ransomware attacks focused on encrypting files as an incentive for organizations to pay up.
- As organizations improved backup and recovery strategies, gangs began targeting, encrypting, and destroying backups.
- Since 2019, gangs have focused on a double-extortion strategy: exfiltrate sensitive or protected data before encrypting systems, then threaten to publish it.
Organizations misunderstand ransomware risk scenarios, which obscures the potential impact of an attack.
Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:
- Detection and Response – Activities that enable detection, containment, eradication and recovery.
- Notification – Activities that enable reporting to data subjects, regulators, law enforcement, and third parties.
- Lost Business – Activities that attempt to minimize the loss of customers, business disruption, and revenue.
- Post Breach Response – Redress activities to victims and regulators, and the implementation of additional controls.
Source: IBM, Cost of a Data Breach (2022)
Disrupt the attack at each stage of the attack workflow.
An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.
Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.
Shortening dwell time requires better protection and detection
Ransomware dwell times are shrinking and average encryption rates are rising dramatically.
Hackers spend less time in your network before they attack, and their attacks are much more effective.
- Avg dwell time: 3-5 days
- Avg encryption rate: 70 GB/h
- Avg detection time: 11 days
What is dwell time and why does it matter?
Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.
Encryption rate is a measure of how quickly a ransomware strain can encrypt data. Encryption rates vary by ransomware family. LockBit has the fastest encryption rate, clocking in at 628 GB/h.
Dwell times are dropping, and encryption rates are increasing.
It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.
References: BleepingComputer (2022), VentureBeat, Dark Reading, ZDNet.
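Two stages of the attack playbook above leave signals a defender can alert on well before the final "encrypt data, which triggers alert" step: repeated failed logons against an admin account (credential access) and a single host rewriting files far faster than any normal workload (encryption). The Python below is an added example written for this page, not Info-Tech's tooling or part of the blueprint; the log format (src=, user=, result=, host=, op=, path= fields), the thresholds, and every log line are constructed assumptions that a real deployment would replace with its own log schema and baseline. It illustrates the dwell-time point in practice: cutting detection time means alerting on the earlier stage, not the last one.

```python
"""Stage-based ransomware detection over constructed log lines (added example).

Detector 1 (credential access): N failed logons against a privileged account
followed by a success from the same source inside a short window.
Detector 2 (data encryption): one host touching far more files per minute than
any normal workload, which is what an encryptor looks like from a file server.
All log lines, field names and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_kv(line):
    """Parse '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, TS_FMT)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


# Constructed authentication log: a brute force against 'admin' from one source,
# an ordinary user typo, and an admin with a single failure (must not be flagged).
AUTH_LOG = [
    "2024-03-04T02:10:01Z src=10.0.5.23 user=admin result=FAIL",
    "2024-03-04T02:10:04Z src=10.0.5.23 user=admin result=FAIL",
    "2024-03-04T02:10:07Z src=10.0.5.23 user=admin result=FAIL",
    "2024-03-04T02:10:09Z src=10.0.5.23 user=admin result=FAIL",
    "2024-03-04T02:10:12Z src=10.0.5.23 user=admin result=FAIL",
    "2024-03-04T02:10:15Z src=10.0.5.23 user=admin result=FAIL",
    "2024-03-04T02:10:18Z src=10.0.5.23 user=admin result=OK",
    "2024-03-04T02:11:00Z src=10.0.7.8 user=jsmith result=FAIL",
    "2024-03-04T02:11:05Z src=10.0.7.8 user=jsmith result=OK",
    "2024-03-04T02:12:00Z src=10.0.9.1 user=admin result=FAIL",
    "2024-03-04T02:12:30Z src=10.0.9.1 user=admin result=OK",
]


def detect_bruteforce(lines, privileged, window=timedelta(minutes=10), threshold=5):
    """Flag (src, user) pairs where >= threshold failures within `window`
    precede a successful logon to a privileged account."""
    events = sorted((parse_kv(l) for l in lines), key=lambda r: r["ts"])
    failures = defaultdict(list)  # (src, user) -> timestamps of failed logons
    findings = []
    for rec in events:
        if rec["user"] not in privileged:
            continue
        key = (rec["src"], rec["user"])
        if rec["result"] == "FAIL":
            failures[key].append(rec["ts"])
        elif rec["result"] == "OK":
            recent = [t for t in failures[key] if rec["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"src": rec["src"], "user": rec["user"],
                                 "failures": len(recent), "at": rec["ts"]})
            failures[key].clear()  # a success resets the counter for that pair
    return findings


def _constructed_file_log():
    """Build a file-server audit log: light normal activity from a workstation,
    then one host renaming 80 files in 40 seconds (constructed, not real data)."""
    base = datetime(2024, 3, 4, 2, 31, 0)
    lines = []
    for i in range(4):
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t:{TS_FMT}} host=ws02 op=WRITE path=/share/hr/notes{i}.docx")
    for i in range(80):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t:{TS_FMT}} host=fs01 op=RENAME path=/share/finance/doc{i}.xlsx.locked")
    return lines


FILE_LOG = _constructed_file_log()


def detect_encryption_burst(lines, window=timedelta(minutes=1), threshold=50):
    """Return {host: peak events} for hosts whose WRITE/RENAME count inside any
    sliding `window` reaches `threshold` (sort plus two pointers, O(n log n))."""
    per_host = defaultdict(list)
    for rec in (parse_kv(l) for l in lines):
        if rec.get("op") in ("WRITE", "RENAME"):
            per_host[rec["host"]].append(rec["ts"])
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


if __name__ == "__main__":
    for f in detect_bruteforce(AUTH_LOG, {"admin"}):
        print(f"credential-access signal: {f['failures']} failures then success "
              f"for {f['user']} from {f['src']} at {f['at']:%H:%M:%S}")
    for host, n in detect_encryption_burst(FILE_LOG).items():
        print(f"encryption signal: {host} touched {n} files inside one minute")
```

The brute-force detector only counts failures that precede a success, so a noisy scanner that never gets in produces no alert from this rule (a separate lockout or rate rule would cover that), while the file-burst detector keys on rate alone so it fires whether the encryptor renames, overwrites, or both. Both thresholds are deliberately conservative placeholders; tune them against a week of your own logs before relying on them.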
Resilience depends in part on response and recovery capabilities
This blueprint will focus on improving your ransomware resilience to:
- Protect against ransomware.
- Detect incursions.
- Respond and recover effectively.
| Response | Recovery |
|---|---|
| | For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery. |
Info-Tech's ransomware resilience framework
Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.
Prioritize protection
Put controls in place to harden your environment, train savvy end users, and prevent incursions.
Support recovery
Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.
Framework phases: Protect | Detect | Respond | Recover

Capability area | Focus |
---|---|
Threat preparedness | Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration. |
Awareness and training | Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties. |
Perimeter security | Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention. |
Respond and recover | Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies. |
Access management | Review the user access management program, policies and procedures to ensure they are ransomware-ready. |
Vulnerability management | Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics. |