Build Ransomware Resilience

Prevent ransomware incursions and defend against ransomware attacks

EXECUTIVE BRIEF

Executive Summary

Your Challenge

Ransomware is a high-profile threat that demands immediate attention:

• Sophisticated ransomware attacks are on the rise and evolving quickly.
• Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.
• Executives want reassurance but aren't ready to write a blank check. Improvements must be targeted and justified.

Common Obstacles

Ransomware is more complex than other security threats:

• Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
• Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
• Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

Info-Tech's Approach

To prevent a ransomware attack:

• Conduct a through assessment of your current state, identify potential gaps, and assess the possible outcomes of an attack.
• Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protection and detection to reduce your attack surface.
• Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

Info-Tech Insight

Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recovery quickly.

Analyst Perspective

Ransomware is an opportunity and a challenge.

As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls as you do now.

The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy an attack, which have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.

Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.

Michel Hébert
Research Director, Security and Privacy
Info-Tech Research Group

Ransomware attacks are on the rise and evolving quickly.

Three factors contribute to the threat:

• The rise of ransomware-as-a-service, which facilitates attacks.
• The rise of crypto-currency, which facilitates anonymous payment.
• State sponsorship of cybercrime.

Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.

A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout over attacks during this period.

Total ransom money collected (2015 – 2021): USD 2,592,889,121

The frequency and impact of ransomware attacks are increasing

Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.

Sophos commissioned a vendor agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.

The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.

66%
Hit by ransomware in 2021
(up from 37% in 2020)

90%
Ransomware attack affected their ability to operate

$812,360 USD
Average ransom payment

$4.54M
Average remediation cost (not including ransom)

ONE MONTH
Average recovery time

Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.

Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as reasons why they anticipated an attack.

While these elements can help recover from an attack, they don't prevent it in the first place.

Source: Sophos, State of Ransomware (2022)
IBM, Cost of A Data Breach (2022)

The 3-step ransomware attack playbook

• Get in
• Spread
• Profit

At each point of the playbook, malicious agents need to achieve something before they can move to the next step.

Resilient organizations look for opportunities to:

• Learn from incursions
• Disrupt the playbook
• Measure effectiveness

Ransomware is more complex than other security threats

Ransomware groups thrive through extortion tactics.

• Traditionally, ransomware attacks focused on encrypting files as an incentive for organizations to pay up.
• As organizations improved backup and recovery strategies, gangs began targeting, encrypting, and destroying back ups.
• Since 2019, gangs have focused on a double-extortion strategy: exfiltrate sensitive or protected data before encrypting systems and threaten to publish them.

Organizations misunderstand ransomware risk scenarios, which obscures the potential impact of an attack.

Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:

• Detection and Response – Activities that enable detection, containment, eradication and recovery.
• Notification – Activities that enable reporting to data subjects, regulators, law enforcement, and third parties.
• Lost Business – Activities that attempt to minimize the loss of customers, business disruption, and revenue.
• Post Breach Response – Redress activities to victims and regulators, and the implementation of additional controls.

Source: IBM, Cost of a Data Breach (2022)

Disrupt the attack each stage of the attack workflow.

An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.

Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.

Shortening dwell time requires better protection and detection

Ransomware dwell times and average encryption rates are improving dramatically.

Hackers spend less time in your network before they attack, and their attacks are much more effective.

Avg dwell time
3-5 Days

Avg encryption rate
70 GB/h

Avg detection time
11 Days

What is dwell time and why does it matter?

Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.

Effective time is a measure of the effectiveness of the encryption algorithm. Encryption rates vary by ransomware family. Lockbit has the fastest encryption rate, clocking in at 628 GB/h.

Dwell times are dropping, and encryption rates are increasing.

It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.

References: Bleeping Computers (2022), VentureBeat, Dark Reading, ZDNet.

Resilience depends in part on response and recovery capabilities

This blueprint will focus on improving your ransomware resilience to:

• Protect against ransomware.
• Detect incursions.
• Respond and recovery effectively.

Response	Recovery
For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery.

Info-Tech's ransomware resilience framework

Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

Prioritize protection

Put controls in place to harden your environment, train savvy end users, and prevent incursions.

Support recovery

Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

Threat preparedness

Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

Awareness and training

Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

Perimeter security

Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

Respond and recover

Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

Access management

Review the user access management program, policies and procedures to ensure they are ransomware-ready.

Vulnerability management

Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.