Why Ransomware Response Matters More Than Protection

As high-profile attacks on the Albuquerque Public School District, Kronos, CS Energy, Kaseya, JBS USA, and Colonial Pipeline have illustrated, ransomware is one of the most significant threats to businesses worldwide. The damage to a company goes well beyond the financial cost of paying a ransom: downtime, lost opportunities, and ransomware removal and recovery expenses quickly add up. According to the 2021 Threat Landscape report by the European Union Agency for Cybersecurity, the average cost of remediating a ransomware attack in 2021 was $1.85 million, almost twice what it was the previous year. And things won’t get better any time soon. This raises the question, “What can organizations do to minimize the impact of falling victim to a ransomware attack?”

A ransomware attack can cripple an organization in a matter of minutes, leaving it incapable of accessing critical data and unable to do business. But that’s not all – more recently threat actors have shifted from just infecting systems with ransomware to multi-faceted extortion where they also publicly name (and shame) victims, steal data, and threaten to release it to the public or sell it. In response, organizations should consider the following steps to mitigate the risk of ransomware attacks:

• Strategic Readiness: Covers everything from cyber risk assessment, tabletop exercises, security awareness training, and secure data backups to penetration testing.

• Prevention: Includes applying security measures such as patch management, application whitelisting, spam filters, least privilege, as well as deploying anti-malware and endpoint security software.

• Incident Response: Organizations should invest in services and forensic tools to address:

  – investigation of the ransomware attack, allowing them to determine how the incident occurred and to secure evidence for litigation preparedness;

  – remediation by hardening the environment so that attackers no longer have access and the ransomware cannot spread further;

  – eradication efforts, aimed at removing the attacker from the environment, for example by disabling accounts, resetting passwords, (re)establishing multi-factor authentication, and ultimately getting rid of the ransomware;

  – recovery efforts, focusing on the restoration of the business, where the main objective is to achieve this in a secure fashion without risking reinfection of the infrastructure.

In a recent webinar, Eric Hanselman, Principal Research Analyst at 451 Research, emphasized that “the reality is that, while organizations are very concerned about the time to recover from ransomware attacks, they often solely focus on prevention tools, without planning for the worst-case scenario: falling victim to an attack.” The numbers speak for themselves: in 2021, 54 percent of all ransomware attacks were successful despite preventive measures in place.

The Need to Focus on Preparedness and Response

Accordingly, it is important to increase an organization’s ransomware preparedness and ensure that the tools needed for remediation, eradication, and recovery are not just in place but also functioning as expected. This is especially true for the recovery of endpoints, which are the essential tool remote workers use to carry out their business tasks in today’s work-from-anywhere environment. While endpoint recovery is still considered a secondary priority compared to restoring critical infrastructure (e.g., Active Directory, database servers, application servers, message servers) and business applications, the shift to remote work puts increased demands on already hard-pressed IT and security teams when it comes to recovering employees’ devices.

Furthermore, ransomware attacks often leave endpoints in a state where they are either vulnerable to reinfection or almost impossible to re-image or recover because the necessary tools are no longer functioning. Ultimately, this adds to the burden on IT and security teams, which by the time they are tasked with recovering employees’ endpoints have often already exhausted their resources.

Increasing Resilience in Ransomware Response

In this context, more and more organizations turn to ransomware response offerings that enable them to assess their ransomware preparedness for endpoints, monitor their endpoint cyber hygiene across the device fleet, and expedite endpoint recovery leveraging always-on connectivity, automated restoration capabilities for key security and management tools, and automated script commands.

These offerings deliver the following capabilities:

• Check strategic ransomware readiness across endpoints by identifying key controls (e.g., anti-virus/anti-malware, endpoint protection, or endpoint detection and response solutions) and device management tools that are required to minimize ransomware exposure and assure expedited recovery efforts.

• Enable ransomware cyber hygiene across endpoints by establishing application resilience policies to ensure that identified mission-critical security applications and device management tools are installed and functioning as intended.

• Assess device security posture by continuously detecting and reporting on anti-malware and detection and response software deployed across the endpoint fleet.

• Discover sensitive endpoint data by scanning endpoints for financial information, social security numbers, personally identifiable information (PII), protected health information (PHI), and intellectual property to identify at-risk devices and ensure proper back-up via existing tools.

• Self-heal endpoint security and device management software by leveraging application resilience to keep essential tools installed, healthy, and effective, ensuring their availability for recovery purposes.

• Inform users in a timely and coordinated fashion by displaying messages on user devices, preventing unnecessary help desk support calls and fragmented communications.

• Expedite recovery tasks by gathering precise insights, executing custom workflows, and automating commands for device recovery, leveraging a library of custom scripts to assist with tasks such as identifying machines that have been infected and encrypted, quarantining endpoints (e.g., disabling networking or locking specific device ports), or supporting the re-imaging of devices.
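The readiness check, hygiene policy and self-healing items above all reduce to the same question: does every endpoint have its required security and management controls installed and actually working? As an added illustration (not code from the article or from any vendor), this Python example evaluates a constructed fleet inventory against a hypothetical control policy; the control names, the heartbeat threshold and the sample devices are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical policy: controls each endpoint must have installed and healthy
# before it is considered recoverable. Placeholder names, not product names.
REQUIRED_CONTROLS = {"anti_malware", "edr_agent", "device_mgmt"}
MAX_HEARTBEAT_AGE = timedelta(hours=24)  # assumed staleness threshold

@dataclass
class ControlStatus:
    installed: bool
    running: bool
    last_heartbeat: Optional[datetime] = None  # last check-in seen by the console

@dataclass
class Endpoint:
    hostname: str
    controls: dict = field(default_factory=dict)

def assess_endpoint(ep, now):
    """Return (state, findings, heal_actions) for one endpoint.
    state: 'ready', 'degraded' (a restart can self-heal it) or 'exposed' (reinstall needed)."""
    findings, actions, state = [], [], "ready"
    for name in sorted(REQUIRED_CONTROLS):
        st = ep.controls.get(name)
        if st is None or not st.installed:
            findings.append(f"{name}: missing")
            actions.append(("reinstall", name))
            state = "exposed"
            continue
        # A control that is installed but stopped, or silent for too long, is not functioning.
        stale = st.last_heartbeat is None or now - st.last_heartbeat > MAX_HEARTBEAT_AGE
        if not st.running or stale:
            findings.append(f"{name}: {'stopped' if not st.running else 'stale heartbeat'}")
            actions.append(("restart", name))
            if state != "exposed":
                state = "degraded"
    return state, findings, actions

def fleet_report(endpoints, now):
    """Group hostnames by readiness state so at-risk devices surface first."""
    report = {"ready": [], "degraded": [], "exposed": []}
    for ep in endpoints:
        report[assess_endpoint(ep, now)[0]].append(ep.hostname)
    return report

# Constructed sample inventory (not real telemetry).
NOW = datetime(2022, 3, 1, 12, 0)
SAMPLE_FLEET = [
    Endpoint("lt-001", {n: ControlStatus(True, True, NOW - timedelta(hours=1)) for n in REQUIRED_CONTROLS}),
    Endpoint("lt-002", {"anti_malware": ControlStatus(True, False, NOW - timedelta(hours=2)),
                        "edr_agent": ControlStatus(True, True, NOW - timedelta(days=3)),
                        "device_mgmt": ControlStatus(True, True, NOW)}),
    Endpoint("lt-003", {"anti_malware": ControlStatus(True, True, NOW),
                        "edr_agent": ControlStatus(False, False)}),
]
```

Running `fleet_report(SAMPLE_FLEET, NOW)` classifies lt-001 as ready, lt-002 as degraded (stopped anti-malware, EDR agent silent for three days) and lt-003 as exposed (EDR and device management missing), which is the kind of pre-incident picture a response team needs before an attack, not after.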

Ultimately, organizations need to look beyond preventive measures when dealing with today’s ransomware threats and invest in ransomware response, which improves their ability to prepare for attacks and to quickly recover endpoints from them.

Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).