
Why Ransomware Response Matters More Than Protection

As high-profile attacks of the Albuquerque Public School District, Kronos, CS Energy, Kaseya, JBS USA, and Colonial Pipeline have illustrated, ransomware is one of the most significant threats to businesses worldwide. It can cause a lot of damage for a company, beyond the financial cost of paying ransom. Downtime, lost opportunities, as well as ransomware removal and recovery expenses can quickly add up. According to the 2021 Threat Landscape report by the European Union Agency for Cybersecurity, the average cost of remediating a ransomware attack in 2021 was $1.85 million, which is almost twice what it was the previous year. And things won’t get better any time soon. This raises the question, “What can organizations do to minimize the impact of falling victim to a ransomware attack”? 

A ransomware attack can cripple an organization in a matter of minutes, leaving it incapable of accessing critical data and unable to do business. But that’s not all – more recently threat actors have shifted from just infecting systems with ransomware to multi-faceted extortion where they also publicly name (and shame) victims, steal data, and threaten to release it to the public or sell it. In response, organizations should consider the following steps to mitigate the risk of ransomware attacks:

• Strategic Readiness: Covers everything from cyber risk assessment, tabletop exercises, security awareness training, and secure data backups to penetration testing.

• Prevention: Includes applying security measures such as patch management, application whitelisting, spam filters, least privilege, as well as deploying anti-malware and endpoint security software.

• Incident Response: Organizations should invest in services and forensic tools to address:

  - investigation of the ransomware attack, allowing them to determine how the incident occurred, and securing evidence for litigation preparedness;
  - remediation by hardening the environment so that attackers no longer have access and to avoid further spread of the ransomware;
  - eradication efforts, aimed at removing the attacker from the environment, for example by disabling accounts, resetting passwords, (re)establishing multi-factor authentication, and ultimately getting rid of the ransomware;
  - recovery efforts, focusing on the restoration of the business, where the main objective is to achieve this securely without risking reinfection of the infrastructure.

In a recent webinar, Eric Hanselman, Principal Research Analyst at 451 Research, emphasized “the reality is that, while organizations are very concerned about the time to recover from ransomware attacks, they often solely focus on prevention tools, without planning for the worst-case scenario: falling victim to an attack.” The numbers speak for themselves – in 2021, 54 percent of all ransomware attacks were successful despite preventive measures in place.  

The Need to Focus on Preparedness and Response

In turn, it is important to increase an organization’s ransomware preparedness and assure that the tools needed for remediation, eradication, and recovery are not just in place but also functioning as expected. This is especially true for the recovery of endpoints, which represent an essential tool for remote workers to conduct their assigned business tasks in today’s work-from-anywhere environment. While recovery efforts for endpoints are still considered secondary priority compared to restoring critical infrastructure (e.g., Active Directory, database servers, application servers, message servers) and business applications, the shift to remote work puts increased demands on already hard-pressed IT and security teams when it comes to recovering employees’ devices.

Furthermore, ransomware attacks often leave endpoints in a state where they are either vulnerable to reinfection or almost impossible to re-image or recover, because the tools needed to do so are no longer functioning. This adds to the burden on IT and security teams, which have usually already exhausted their resources by the time they are tasked with recovering employees’ endpoints.

Increasing Resilience in Ransomware Response

In this context, more and more organizations turn to ransomware response offerings that enable them to assess their ransomware preparedness for endpoints, monitor their endpoint cyber hygiene across the device fleet, and expedite endpoint recovery leveraging always-on connectivity, automated restoration capabilities for key security and management tools, and automated script commands.

These offerings deliver the following capabilities:

• Check strategic ransomware readiness across endpoints by identifying key controls (e.g., anti-virus/anti-malware, endpoint protection, or endpoint detection and response solutions) and device management tools that are required to minimize ransomware exposure and assure expedited recovery efforts.

• Enable ransomware cyber hygiene across endpoints by establishing application resilience policies to ensure that identified mission-critical security applications and device management tools are installed and functioning as intended. 

• Assess device security posture by continuously detecting and reporting on anti-malware, as well as detection and response software deployed throughout fleet endpoint assets.

• Discover sensitive endpoint data by scanning endpoints for financial information, social security numbers, personally identifiable information (PII), protected health information (PHI), and intellectual property to identify at-risk devices and ensure proper back-up via existing tools.

• Self-healing for endpoint security and device management software by leveraging application resistance to keep essential tools installed, healthy, and effective to ensure their availability for recovery purposes. 

• Inform users in a timely and coordinated fashion by displaying messages on user devices, preventing unnecessary help desk support calls and fragmented communications.

• Expedite recovery tasks by gathering precise insights, executing custom workflows, and automating commands for device recovery by leveraging a library of custom scripts to assist with tasks such as identifying machines that have been infected and encrypted, quarantining endpoints (e.g., disable networking or unlock specific device ports), or supporting the re-imaging of devices.  
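The readiness, posture and self-healing checks in the list above boil down to verifying that required security and management services are present and running on each endpoint. The PowerShell script below is an added illustration of that check, not code from the article or from Absolute Software; the list of required controls (Defender, the Defender for Endpoint sensor, Windows Update) is an assumption to adapt to the tools actually deployed in your fleet.

```powershell
# Added example: minimal endpoint readiness check with an optional self-healing step.
# The required-control list is an assumption; replace it with your own agents.
$RequiredControls = @(
    @{ Name = 'Microsoft Defender Antivirus'; Service = 'WinDefend' }
    @{ Name = 'Defender for Endpoint sensor'; Service = 'Sense' }      # assumed EDR agent
    @{ Name = 'Windows Update';               Service = 'wuauserv' }   # patching dependency
)

function Test-EndpointReadiness {
    param([switch]$Heal)   # -Heal tries to start stopped services (self-healing step)
    $results = @(foreach ($control in $RequiredControls) {
        $svc = Get-Service -Name $control.Service -ErrorAction SilentlyContinue
        $state = if (-not $svc) { 'Missing' } else { $svc.Status.ToString() }
        if ($Heal -and $svc -and $svc.Status -ne 'Running') {
            try { Start-Service -Name $control.Service -ErrorAction Stop; $state = 'Restarted' }
            catch { $state = "StartFailed: $($_.Exception.Message)" }
        }
        [pscustomobject]@{
            Control   = $control.Name
            Service   = $control.Service
            State     = $state
            Compliant = $state -in @('Running', 'Restarted')
        }
    })
    # Real-time protection status from the Defender module, when it is available on this host
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $results += [pscustomobject]@{
            Control   = 'Defender real-time protection'
            Service   = 'n/a'
            State     = if ($mp.RealTimeProtectionEnabled) { 'Enabled' } else { 'Disabled' }
            Compliant = [bool]$mp.RealTimeProtectionEnabled
        }
    } catch { }
    return $results
}

$report = Test-EndpointReadiness -Heal
$report | Format-Table -AutoSize
$nonCompliant = @($report | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning "$($nonCompliant.Count) required control(s) not healthy on $env:COMPUTERNAME"
    exit 1   # non-zero exit lets a fleet management tool flag this device as at-risk
}
```

Starting services requires an elevated session; run without -Heal for a read-only posture report that a device management tool can collect across the fleet.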

Ultimately, organizations need to look beyond preventive measures when it comes to dealing with today’s ransomware threats and invest in ransomware response, which improves their ability to prepare and quickly recover endpoints from ransomware attacks. 

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
