3 Ransomware Defense Strategies And Mistakes To Avoid

These days not a week goes by without news of fresh ransomware attacks. Everywhere we look, companies are falling victim to ransomware and extortion. Even companies with enormous investments in a wide variety of security technologies do not seem to be immune to these attacks.

This blog shares the three approaches that we have seen CISOs implement successfully for enterprise ransomware defense, as well as the common ransomware defense strategy mistakes that CISOs are resolving not to repeat in 2023.

But before we cover which ransomware defense strategies are worth implementing, let us talk about ransomware defense as a whole…

3 Ransomware Defense Strategies

What Is Ransomware?

Ransomware is a type of cyber attack where attackers infiltrate an organization and perform a set of actions that give them leverage over the victim and then use that leverage to force the victim to pay a large ransom.

Looking to find out more about different types of ransomware attack groups? Read our blog on Daixin Team Ransomware Group or learn more about BlackCat Ransomware attacks as a whole in our blog.

Why Is Ransomware So Deadly?

Attacker leverage typically comes from two distinct types of activities:

  1. Stealing valuable data
  2. Encrypting important resources

Attackers typically steal data before encrypting resources so that by the time victims realize they have been attacked, their data is long gone. It is important to note that each of these actions provides a separate source of leverage. Victims end up paying the ransom because they cannot afford the disruption caused by the encryption and also separately because they do not want their valuable data leaked.

Find out more about the true cost of ransomware attacks in our blog ‘Ransomware Attacks Affect More Than Just Your Wallet.’

Another notable aspect of ransomware is that it is extremely profitable for attackers due to the numerous revenue streams that emanate from a single attack.

What Does a Ransomware Attack Involve?

A quick glance at the list below will help you better understand what ransomware attacks typically involve and make it amply clear why ransomware is not going away anytime soon:

  1. Extorting the victim for ransom in exchange for the decryption key so that they can get their systems back up
  2. Extorting the victim for ransom in exchange for not leaking their data
  3. Extorting customers, partners, and employees of the victim in exchange for not leaking their data (in the event that stolen data included their identities, intellectual property, or other data valuable to these parties)
  4. Selling PII, PHI, trade secrets and intellectual property to interested parties
  5. Selling access to back doors planted on enterprise networks during the initial attack
  6. Selling identities to other cybercriminals to facilitate future breaches
  7. Selling the full ransomware attack tool kit to other attackers for their use (RaaS, etc.)

For interesting and up-to-date stats on ransomware and double extortion (where attackers extort twice – once for decryption keys and another time for data exposure), have a look at a popular double extortion tracker here. For a recent survey of ransomware-related data exfiltration and extortion, have a look at this State of Data Exfiltration and Extortion Report.

Three Ransomware Defense Strategies that work

In speaking with a large number of CISOs from a variety of organizations, we have found that they have deployed three types of approaches:

  1. Stick to strong basics but do nothing specific for ransomware defense
  2. Double down on the BCDR plan so that recovery from ransomware is smooth
  3. Focus on data security to minimize attacker leverage and reduce blast radius

Strategy 1: Stick to strong basics but do nothing specific for ransomware defense

There are a number of CISOs who believe that a majority of attacks can be avoided by ensuring that basic security policies are properly implemented. While they are not wrong about this, the key word in that statement is “majority.” If a majority of attacks can be prevented by proper execution of the basics, it still leaves a minority of attacks that do get through, and with the “right” mix of ingredients, these attacks can be deadly.

So, why do well-informed CISOs still opt for this strategy? From what we have seen, this approach works reasonably well for companies that have the following attributes:

  • The enterprise does not store or process sensitive customer data directly.
  • Internal sensitive data, such as employee data, is stored and processed through SaaS providers.
  • Other valuable data, such as code repositories, file shares, etc., are secured via well-executed identity and access management.
  • The enterprise does not offer external services that could suffer interruptions from a ransomware attack.
  • Backups are included in SaaS and other provider contracts.

Strategy 2: Double down on the BCDR plan so that recovery from ransomware is smooth

Another common ransomware defense strategy is where CISOs double down on their business continuity and disaster recovery plans as their primary ransomware defense posture. This is an interesting take on the ransomware problem. While in some cases, it is appropriately tied to ransomware risk, it can also be the case that the organization has overlooked the data theft portion of the attack.

It must be noted that backup vendors have spent two years telling the market that immutable backups make organizations immune to ransomware. This is not accurate. Backups ensure that companies can recover their systems without paying for decryption keys. Still, they can do nothing about the other types of extortion activities, such as those focused on stolen data. For these reasons, such solutions offer only a partial answer to the ransomware challenge.

That said, there is a set of organizations where doubling down on BCDR could be a suitable ransomware defense plan. These organizations would have the following attributes:

  • The enterprise does not store or process sensitive customer data directly.
  • Internal sensitive data, such as employee data, is stored and processed through SaaS providers.
  • Other valuable data, such as code repositories, file shares, etc., are secured via well-executed identity and access management.
  • The enterprise does offer external services that could suffer interruptions from a ransomware attack.

Organizations that focus on BCDR as their primary ransomware defense plan do a detailed job of setting up the backup and recovery service. This includes thorough exercises to confirm that systems can be reconstituted in a timely fashion, that backups themselves cannot be corrupted or encrypted by ransomware actors, and that backups include all the necessary parts and pieces that the organization would need to be functional again.

Strategy 3: Focus on data security to minimize attacker leverage and reduce blast radius

A data security-focused approach to ransomware acknowledges the reality that a big portion of attacker leverage comes from stolen data. So this strategy includes strong and always-on data security.

Advanced data security controls such as data-in-use encryption (encryption-in-use) and searchable encryption, along with long-standing traditional controls such as data tokenization, data masking, hashing, anonymization, and traditional and format-preserving encryption, all play a part in ensuring that even if bad guys get in, they cannot leave with usable data. These controls can be applied to both structured and unstructured data. The main attribute that governs the effectiveness of these measures is whether they can withstand compromised credentials. When they do, these controls can truly eliminate attacker leverage where data theft is concerned.

So, when a data security platform is deployed to secure valuable data via encryption-in-use, attackers cannot steal unencrypted data even if they manage to get admin privileges to a server, database, or application. (Disclosure: This is a popular offering from Portal26). When combined with backup and recovery, this comes very close to the promise of “ransomware immunity.”
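The "withstand compromised credentials" test above, as an added illustration that is not Portal26's code or product: PII is kept in the application database only as random tokens plus an HMAC blind index, so equality searches still work while a dump taken with database admin credentials contains no plaintext. The token vault, the index key name and the sample records are all constructed for this example.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Token -> plaintext map. Assumed to live in a separate system with
    its own credentials, outside the reach of a compromised DB admin."""

    def __init__(self):
        self._map = {}

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)   # random; unrelated to value
        self._map[token] = value
        return token

    def detokenize(self, token):
        return self._map[token]


class ProtectedRecords:
    """Application-side rows: PII stored as tokens plus an HMAC blind index,
    so lookups by value work without plaintext ever reaching the database."""

    def __init__(self, index_key, vault):
        self._key = index_key   # held by the app; never stored in the DB
        self._vault = vault
        self.rows = []

    def blind_index(self, value):
        # Deterministic so equality search works; keyed so it cannot be
        # brute-forced from the dump alone. Still reveals equal values.
        normalised = value.strip().lower().encode()
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()[:16]

    def insert(self, customer_id, email, ssn):
        self.rows.append({
            "id": customer_id,
            "email_tok": self._vault.tokenize(email),
            "email_idx": self.blind_index(email),  # searchable, not reversible
            "ssn_tok": self._vault.tokenize(ssn),   # never searched: no index
        })

    def find_by_email(self, email):
        idx = self.blind_index(email)
        return [row for row in self.rows if row["email_idx"] == idx]

    def dump(self):
        """Everything an attacker holding DB admin credentials can read."""
        return [dict(row) for row in self.rows]


def plaintext_in_dump(dump, values):
    """True if any given plaintext value appears anywhere in the dump."""
    blob = str(dump).lower()
    return any(v.lower() in blob for v in values)
```

The blind index is the weak spot to watch: it lets an attacker see which rows share a value, so keep it only on fields that genuinely need lookup and keep the index key out of the database.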

CISOs of organizations with any of the following attributes are adopting a data security-based approach to ransomware defense:

  • The organization is responsible for storing or processing (any type of) customer data. With many of the newer regulations broadening the definitions of PII, it has become more important than ever before to properly secure customer data against external attackers as well as insider threats.
  • The organization holds and processes internal employee data.
  • The organization holds other types of valuable data, such as intellectual property, user-generated documents, source code, designs, partner and supplier data, etc.
  • The organization holds data belonging to other organizations.
  • The organization holds audio, video, chat, or image files pertaining to customers, employees, or other related parties.
  • The organization holds data belonging to key figures such as board members or other important internal or external individuals where the loss of their data presents a privacy risk.
  • The organization holds location information for individuals or devices.

The above is not an exhaustive list. The main idea is to catalog the data present in the organization and put it to a simple test: If the bad guys got their hands on it, would this present a problem? If the answer is yes, then a data-focused approach is right for the organization in question.

You can read more about effective strategies CISOs have implemented with success in our blog, which covers 4 top data security strategies for 2023 and beyond.

3 Ransomware Defense Mistakes To Avoid

2022 was definitely a year of learning for ransomware defense. Here are some of the common mistakes that CISOs have learned from, and these are things we expect to see less of in 2023.

Mistake 1: Assuming that backup is all that is needed to avoid being extorted

A common mistake made by organizations in 2022 with respect to ransomware was that they assumed that they could reject the ransom demand on the basis of their ability to recover from backup.

Many enterprises found out the hard way that attackers managed to gather sufficient leverage in the form of stolen data – so that even when the company was able to get their services back online without paying for the decryption key, they still ended up paying the ransom. The percentage of organizations with solid backup and recovery solutions in place that still got extorted is very high. Please take a read of our State of Data Exfiltration and Extortion Report for further details.

At the end of the day, if you have data that you’d be willing to pay ransom for, you should proactively protect it against ransomware attacks.

Mistake 2: Insufficient testing of the backup and recovery process

Another mistake made by organizations in 2022 was assuming that simply having a backup and recovery process was sufficient, so they did not fully test it. As a result, when they were attacked, they found out the hard way that recovery took too long and was not 100% complete. When every passing hour without service can be measured in lost revenue, organizations end up succumbing to ransom demands.

Mistake 3: Assuming that paying the ransom would ensure the safety of stolen data

Finally, organizations mistakenly assumed that if ransom payments were made, attackers would not release their data. Some organizations found out the hard way that even after they paid the ransom, they were extorted again. Their customers and partners were also extorted for the same data. After some time, this data was sold to a number of other cybercriminals who utilized it to breach other systems.

The best defense against ransomware is preparation

From talking to many organizations and understanding the perspectives of numerous CISOs with different approaches, we are convinced that, regardless of which strategy you adopt (doing nothing special, doubling down on backup, or strongly focusing on keeping your data from being used as leverage), your best defense lies in properly anticipating an attack and being prepared for it. In this day and age, with a new attack taking place every second or two, it is not advisable to operate under the assumption that you will not be attacked.

Many CISOs strongly believe that it is always about the data, so their recommendation would be to go with strategy 3, where you take care of the basics to the best of your team’s ability, be sure to invest in backup and recovery, and after that definitely invest in strong data security.

Today we have practical and performant solutions that can use encryption-in-use to make certain classes of attacks irrelevant and can ensure data remains secure in the most challenging of circumstances. Portal26 offers this platform.

Portal26 offers the industry’s richest data security and anti-ransomware platform, with a full suite of data security controls, including encrypted search and all nine traditional controls. In 2022, Portal26 was recognized by the industry, analysts, and CISOs over 16 times.

When Portal26 is in place, valuable data retains its encryption and cannot be exfiltrated in clear text from the datastore, memory, queries, or even via admin credentials. In this way, Portal26 dramatically reduces attacker leverage.

“Portal26 provides substantial reduction in risk from ransomware and other data-related attacks.” (Gartner, 2022)

Ensure your organization is not making any of the above mistakes when it comes to ransomware defense this year and schedule a demo of Portal26 today.
