The R-word dreaded by cybersecurity experts, and a new approach to stop it
Right now, organizations are struggling in the ongoing battle against ransomware, investing $150 billion in cybersecurity in 2021 alone. Yet ransomware attacks continue to succeed and the threat landscape continues to grow.
Consider these recent statistics:
• According to Verizon’s 2022 Data Breach Incident Report, ransomware is used in 25% of breaches
• In 2021, recovering from ransomware cost an average of $1.85 million per incident
• In 2021’s largest attacks, organizations paid between $4.4 and $40 million in ransom
If you want to stay one step ahead of ransomware threats and attacks, you need a new approach. This three-part article series has been crafted to help you do just that.
In this first article, we’ll take a look at the current approach to stopping ransomware and explain why it isn’t delivering the results that it promises.
The current approach in four pieces of advice
There is no single approach that every organization should employ to fight ransomware. Much has been written on the subject by many different sources, but most of the advice boils down to four key recommendations:
1. Follow CISA or NIST’s advice for preventing ransomware
There are multiple frameworks for building a robust ransomware defense, but CISA’s Ransomware Guide and NIST’s Cybersecurity Framework Profile for Ransomware Risk Management are most often recommended. Both provide a comprehensive set of guidelines for fighting this threat. However, the key question is whether or not you are able to implement the practices and approaches recommended by these frameworks.
2. Invest in the right cybersecurity solution to stop ransomware
Fighting ransomware is a booming business, and many technology providers have built solutions to stop this threat. Common technology solutions include Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Managed Detection and Response (MDR) and zero trust segmentation. It is up to you to examine, analyze and identify the solution best suited to your business and your ransomware protection needs.
3. Build your defenses against the most common ransomware variants
There are dozens (if not hundreds) of active ransomware variants acting in your threat landscape at any given moment. Yet only a few of the most widely used variants cause most of the breaches. Building your defenses against these common variants should be able to stop most incidents. But can you really anticipate which variant you will be facing?
4. Focus on stopping a particular phase of a ransomware attack
Some experts claim you should focus on building your perimeter to prevent intrusions into your network. Others recommend focusing on stopping the spread of incidents after the breach. Still others tell you to focus on detecting and responding to incidents as quickly as possible. What are we really supposed to do now?
Why this approach is failing in the real world
Theoretically, most of this advice is solid. Yes, organizations need to follow good frameworks, deploy the right tools, defend themselves against common variants, stop the most dangerous phases of an attack, and make ransomware defense a top priority.
However, each of these pieces of advice falls apart in the real world. Here’s why:
1. The CISA and NIST frameworks are hard to operationalize
Both frameworks, and many others like them, give you a great picture of the defenses you must build and deploy to stop ransomware. Yet these frameworks can be hard to develop and operationalize in a real-world organization. They are rigid, overly prescriptive, and overwhelming to bring to life.
2. There is no silver bullet solution to ransomware
Every technology vendor claims that their solution is the key to stopping ransomware, but there’s no single solution for stopping ransomware. Each ransomware solution may be strong at containing some aspects of the attack, but also leave other vulnerabilities open to exploitation.
3. Ransomware variants and TTPs are constantly evolving
Certain ransomware variants and tactics, techniques, and procedures (TTPs) are more common and damaging than others, but new variants emerge every year and attackers constantly change their TTPs. Organizations that expect to stay secure cannot defend themselves against only today’s common patterns.
4. Ransomware attack patterns are complex
Most ransomware attacks follow a complex, multi-stage attack pattern that can cause significant damage at any point during an incident. It isn’t enough to stop just one stage of this pattern. Every stage must be mitigated in a unified and focused approach that deals with the attack as a single, unfolding event.
To stop ransomware, you must consider deploying many different tools and processes before, during, and after an attack.
Many of these tools and processes require expert operators with rare (and often, expensive) skillsets.
Most organizations do not have enough resources to build a complete ransomware defense on their own, which is why they need to look to solution providers for an answer.
Outlining a new approach to stop ransomware
Ransomware is still evolving, and the most common defense against it isn’t working effectively. However, this isn’t to say that stopping ransomware is a lost cause.
To stop ransomware, you must deploy many different tools and processes before, during and after an attack.
In the next article of this series, we will build on the principles discussed in this piece and outline a new approach that can stop ransomware in the real world.
You can get a head start on this conversation by downloading our new ransomware defense e-book: Atos insights on emerging trends, combat strategies and solutions to enable an effective ransomware defense.
By Marc Llanes Badia, Cybersecurity Global Business Development, Atos Senior Expert and member of the Scientific Community
Posted on: July 5th, 2022