Why Ransomware Response Matters More Than Protection

As high-profile attacks on the Albuquerque Public School District, Kronos, CS Energy, Kaseya, JBS USA, and Colonial Pipeline have illustrated, ransomware is one of the most significant threats to businesses worldwide. It can cause a lot of damage to a company, well beyond the financial cost of paying the ransom. Downtime, lost opportunities, as well as ransomware removal and recovery expenses can quickly add up. According to the 2021 Threat Landscape report by the European Union Agency for Cybersecurity, the average cost of remediating a ransomware attack in 2021 was $1.85 million, almost twice what it was the previous year. And things won’t get better any time soon. This raises the question: “What can organizations do to minimize the impact of falling victim to a ransomware attack?”

A ransomware attack can cripple an organization in a matter of minutes, leaving it incapable of accessing critical data and unable to do business. But that’s not all – more recently threat actors have shifted from just infecting systems with ransomware to multi-faceted extortion where they also publicly name (and shame) victims, steal data, and threaten to release it to the public or sell it. In response, organizations should consider the following steps to mitigate the risk of ransomware attacks:

• Strategic Readiness: Covers everything from cyber risk assessment, tabletop exercises, security awareness training, and secure data backups to penetration testing.

• Prevention: Includes applying security measures such as patch management, application whitelisting, spam filters, least privilege, as well as deploying anti-malware and endpoint security software.

• Incident Response: Organizations should invest in services and forensic tools to address:

  • investigation of the ransomware attack, allowing them to determine how the incident occurred, and securing evidence for litigation preparedness;

  • remediation by hardening the environment so that attackers no longer have access and the ransomware cannot spread further;

  • eradication efforts, aimed at removing the attacker from the environment, for example by disabling accounts, resetting passwords, (re)establishing multi-factor authentication, and ultimately getting rid of the ransomware;

  • recovery efforts, focusing on the restoration of the business, where the main objective is to achieve this in a secure fashion without risking reinfection of the infrastructure.

In a recent webinar, Eric Hanselman, Principal Research Analyst at 451 Research, emphasized “the reality is that, while organizations are very concerned about the time to recover from ransomware attacks, they often solely focus on prevention tools, without planning for the worst-case scenario: falling victim to an attack.” The numbers speak for themselves – in 2021, 54 percent of all ransomware attacks were successful despite preventive measures in place.  

The Need to Focus on Preparedness and Response

Therefore, it is important to increase an organization’s ransomware preparedness and ensure that the tools needed for remediation, eradication, and recovery are not just in place but also functioning as expected. This is especially true for the recovery of endpoints, which are the essential tool remote workers use to conduct their assigned business tasks in today’s work-from-anywhere environment. While recovery efforts for endpoints are still considered a secondary priority compared to restoring critical infrastructure (e.g., Active Directory, database servers, application servers, message servers) and business applications, the shift to remote work puts increased demands on already hard-pressed IT and security teams when it comes to recovering employees’ devices.

Furthermore, ransomware attacks often leave endpoints in a state where they are either vulnerable to reinfection or almost impossible to re-image or recover because the necessary tools are no longer functioning. Ultimately, this creates additional challenges for IT and security teams, which have usually already exhausted their resources by the time they are tasked with recovering their employees’ endpoints.

Increasing Resilience in Ransomware Response

In this context, more and more organizations turn to ransomware response offerings that enable them to assess their ransomware preparedness for endpoints, monitor their endpoint cyber hygiene across the device fleet, and expedite endpoint recovery leveraging always-on connectivity, automated restoration capabilities for key security and management tools, and automated script commands.

These offerings deliver the following capabilities:

• Check strategic ransomware readiness across endpoints by identifying key controls (e.g., anti-virus/anti-malware, endpoint protection, or endpoint detection and response solutions) and device management tools that are required to minimize ransomware exposure and assure expedited recovery efforts.

• Enable ransomware cyber hygiene across endpoints by establishing application resilience policies to ensure that identified mission-critical security applications and device management tools are installed and functioning as intended. 

• Assess device security posture by continuously detecting and reporting on anti-malware, as well as detection and response software deployed throughout fleet endpoint assets.

• Discover sensitive endpoint data by scanning endpoints for financial information, social security numbers, personally identifiable information (PII), protected health information (PHI), and intellectual property to identify at-risk devices and ensure proper back-up via existing tools.

• Self-healing for endpoint security and device management software by leveraging application resilience to keep essential tools installed, healthy, and effective, ensuring their availability for recovery purposes.

• Inform users in a timely and coordinated fashion by displaying messages on user devices, preventing unnecessary help desk support calls and fragmented communications.

• Expedite recovery tasks by gathering precise insights, executing custom workflows, and automating commands for device recovery by leveraging a library of custom scripts to assist with tasks such as identifying machines that have been infected and encrypted, quarantining endpoints (e.g., disable networking or unlock specific device ports), or supporting the re-imaging of devices.  
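As an added example (not code from the article or from any product it alludes to), the following PowerShell script implements the readiness check and application resilience policy described above for a single Windows endpoint: it verifies that each mission-critical control is installed and running, restarts any that have been stopped, and reports overall readiness. The service names are assumptions: 'WinDefend' is Microsoft Defender Antivirus, 'Sense' is the Defender for Endpoint sensor, and the management agent is a placeholder to replace with the tool your organization relies on.

```powershell
# Added example: a minimal "application resilience" policy for one Windows endpoint.
# Service names are assumptions; 'PLACEHOLDER-MgmtAgent' stands for your device
# management agent and must be replaced before use.
$Policy = @(
    @{ Service = 'WinDefend';             Role = 'anti-malware' },
    @{ Service = 'Sense';                 Role = 'endpoint detection and response' },
    @{ Service = 'PLACEHOLDER-MgmtAgent'; Role = 'device management' }
)

function Test-EndpointReadiness {
    param([array]$Policy, [switch]$Heal)
    foreach ($control in $Policy) {
        $svc    = Get-Service -Name $control.Service -ErrorAction SilentlyContinue
        $state  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        $action = 'None'
        # Self-heal only what is present but not running; a missing control needs
        # reinstallation by the management tooling, not a service restart.
        if ($Heal -and $svc -and $svc.Status -ne 'Running') {
            try {
                if ($svc.StartType -eq 'Disabled') {
                    Set-Service -Name $svc.Name -StartupType Automatic -ErrorAction Stop
                }
                Start-Service -Name $svc.Name -ErrorAction Stop
                $state  = (Get-Service -Name $svc.Name).Status.ToString()
                $action = 'Restarted'
            } catch {
                $action = "HealFailed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Role = $control.Role; Service = $control.Service; State = $state; Action = $action
        }
    }
}

# Defender detail: real-time protection can be disabled while the service itself runs.
$rtp = $null
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $rtp = (Get-MpComputerStatus).RealTimeProtectionEnabled
}

$report = Test-EndpointReadiness -Policy $Policy -Heal
$report | Format-Table -AutoSize

# Ready only if every control is running and real-time protection is not known to be off.
$ready     = -not ($report | Where-Object State -ne 'Running') -and ($rtp -ne $false)
$readyText = if ($ready) { 'READY' } else { 'NOT READY' }
$rtpText   = if ($null -eq $rtp) { 'n/a' } else { $rtp }
Write-Output "Ransomware readiness: $readyText (Defender real-time protection: $rtpText)"
exit $(if ($ready) { 0 } else { 1 })
```

Run it from an elevated prompt on a schedule or via your management tool so that a non-zero exit code surfaces endpoints whose controls were stopped or removed, which is the hygiene signal the article describes.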

Ultimately, organizations need to look beyond preventive measures when it comes to dealing with today’s ransomware threats and invest in ransomware response, which improves their ability to prepare and quickly recover endpoints from ransomware attacks. 

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
