3 strategies that can help stop ransomware before it becomes a crisis

Over the past decade, the average value of ransoms demanded by hackers has gone from hundreds of dollars to hundreds of thousands -- even into the millions in some cases. With increasingly stringent regulatory requirements and CISOs being sued for not reporting a breach, the stakes of ransomware attacks are getting ever higher. But specialists say enterprises can avoid getting into such situations in the first place by creating incident response plans, improving their cybersecurity posture, and investing in robust backups of both data and infrastructure.

In 2018, Shelley Ma, incident response lead at Coalition, was in a conversation with the executive and technical teams of a company that had just been hit by ransomware. The attack brought the company to a standstill and the ransom was $200,000. “The CEO said, 'I’m losing $1 million a day. $200,000 for me is chicken feed. So pay it -- just pay it,” Ma recalls.

In 2015, when she first started dealing with ransomware, most companies paid and the ransoms were usually just a couple hundred dollars. Over time, they’ve gotten larger and now are exorbitant, she says. “We very rarely would see a ransom south of $300,000. Most are in the six figures and quite frequently in the seven or eight figures, too.”

According to a report released in July by Coverware, the average size of a ransomware payment has risen to more than $740,000, an increase of 126% compared to the first quarter of 2023 as attackers have begun to target larger enterprises in an attempt to extort ever-increasing payments. And, according to the latest data from NCC, ransomware attacks hit record levels in June 2023, with a 221% increase over the same time the year before.

But there is some good news. According to Coverware, the percentage of ransomware attacks where the victim paid up fell to a record low of 34% because companies have been creating incident response plans, improving their cybersecurity posture, and investing in robust backups of both data and infrastructure.

Why companies pay ransoms

There are two main reasons companies pay money to cybercriminals, the first being that they don’t have any way to recover from ransomware on their own or a recovery would take too much time. “One case we had involved a medical device manufacturer that informed us they were days away from having to issue over 2,000 layoff notifications if something didn’t dramatically change,” says Heath Renfrow, co-founder at Fenix24, a cyber disaster recovery firm.

After paying the ransom, they were able to recover enough of the data and systems that the CEO canceled the layoffs, he says. “Most companies we have worked with -- over 200 in the last 15 months -- would have had to close their doors if they didn’t pay the ransom,” he says. “While we are not necessarily advocating for paying ransoms, we understand that it is truly a business decision and, ethics of paying ransoms aside, it's a tough position, with many people's livelihoods, and at times lives and critical infrastructure, at stake.”

The second main reason companies pay up is that criminals threaten to release sensitive data. Steve Stone, head of Zero Labs at Rubrik, has worked with numerous clients who’ve been hit by ransomware attacks and sometimes the data is so sensitive that reducing the risk of it being released, by any amount, is worth the money. “A number of organizations have paid the extortion ransom to try to protect data, even if it means that there’s still a chance that it will be leaked,” he says.

Of course, you can’t trust the bad guys to keep their word. The data can still be sold through back channels even if it’s not dumped on the dark web. And it still counts as a breach, whether or not the attackers publish the stolen data, and victims still have to be notified. If the data is critical enough, a company may feel it has to do everything it can to keep it from getting out. Some companies might also decide that paying the ransom might save them money when all the recovery costs are considered.

But that might not actually be the case. According to an IBM report released in late July 2023, the global average cost of a ransomware attack for companies that didn’t pay the ransom was $5.17 million in 2023. Companies that paid the ransom reduced their total costs only a little, to $5.06 million, a savings of just $110,000, which is usually more than offset by the cost of the ransom itself. Here are three strategies that can help CISOs mitigate the risk and impact of a ransomware strike:

1. Create incident response playbooks

The first step in avoiding ransomware attacks is to create a plan whether you expect you’re a potential target or not -- assume that it’s more of a question of when you’ll be hit by a ransomware attack, not if. According to a recent report conducted by Vanson Bourne on behalf of Barracuda, 73% of companies were hit with at least one successful ransomware attack in 2022.

Without an incident response plan in place, companies typically panic, not knowing who to call, or what to do, which can make paying the ransom seem like the easiest way out. With a plan in place, however, people know what to do and will ideally have practised the plan ahead of time to ensure disaster recovery measures work the way they're supposed to.

An incident response plan should include clear roles and responsibilities, communication protocols, and recovery strategies. According to Palo Alto’s 2023 ransomware and extortion report, ransomware victims should prepare for three kinds of attacks: encryption of data and systems, data theft, and (more recently) harassment.

The percentage of ransomware attacks that involved data theft rose to 70% in late 2022 from 40% in 2021, while incidents of harassment rose to 20% from less than 1%. So, incident response plans should include not only measures to recover from ransomware encryption and protocols for dealing with threats of leaked data, but also what to do in the event that employees or clients are being harassed.

For example, attackers might call and leave voicemails for company executives and employees, send emails, and disclose victims’ identities on a leak site or social media. These tactics are designed to increase pressure on decision-makers. In general, the companies that are able to recover from ransomware attacks the fastest are those that had incident response plans in place and had practiced them ahead of time. Fortunately, the industry overall has been getting better in this regard, Ma says. “There’s been significant growth in incident response in general.”

Testing the plan is critical since processes that work on paper can often fail in practice. For example, Ma has run into situations where companies had backups but they were invalid or inaccessible or were not set up in a way that a company could use them for quick disaster recovery. Companies that find themselves in this situation might panic and decide to pay the ransomware after all.

But decryption tools often fail when it comes to restoring complex systems brought down by ransomware. “Even if you’re able to get your complete data sets decrypted, it’s hard to get the complex configurations back and running like they were pre-incident,” Ma says.

2. Implement multilayered cybersecurity

For most companies, focusing on basic security hygiene is the fastest way to reduce ransomware risks. “[The cybersecurity industry's] goal isn't to make our networks impenetrable,” says Frank Dickson, group VP for security and trust research practice at IDC. “It’s to elevate the defenses to such a point that it's no longer profitable to penetrate them.”

According to an IDC survey conducted in June, companies that had no ransomware breaches typically used some or all of five key security technologies: endpoint detection and response (EDR), cloud security gateways or cloud access security brokers (CASB), security information and event management (SIEM) systems, identity analytics or user and entity behavior analytics (UEBA), and network detection and response (NDR).

Having multiple layers of defense, as well as setting up multifactor authentication and data encryption, are fundamental to cybersecurity, but many companies still get them wrong. Stone recently worked with an educational organization that had invested heavily in cybersecurity. When they were hit by ransomware, they were able to shift operations to an offline backup. Then the attackers escalated their demands -- if the organization didn’t pay the ransom, their data would be leaked online.

“The organization was well prepared for an encryption event, but not prepared for the second ransom,” Stone says.  “There was actual sensitive data that would trigger a number of regulatory compliance actions.”

The company didn’t want to see the data leaked, but neither did they trust the attackers to keep their promises. “What this organization chose to do is not pay the second ransom, either,” Stone says. Instead, while the attackers were waiting for an answer, the organization notified victims about the breach. “By the time the data leaked online, they had already completed the notification actions.”

The attack exposed two major weaknesses in the company’s defense strategy. First of all, their incident response playbook didn’t cover a second extortion event. Second, they hadn’t encrypted their sensitive data. Afterward, they went back to revise their strategy, starting with their response playbook. “How do we get better at this? How do we reduce our risk? How do we do things differently next time?” Stone says, which also led them to encrypt sensitive data.

Security controls work, and over the years, companies have gotten better at protecting themselves. Rubrik conducts security assessments of organizations “and that score was up 16% last year, with improvements in every single region and every single industry,” Stone says. With the proper measures in place, companies can reduce both the number and the severity of successful attacks and get up and running again quickly after they’ve been hit. “It boils down to cost,” says Omdia analyst Adam Strange. “Organizations just have not had the budgets to be able to put themselves into a secure position.”

Data has long been regarded as one of the most important assets in an organization. “But the way we've protected it -- or not, over the past few years -- has been deplorable, really,” he says. “If an organization is going to die because it hasn't got access to its data, then it needs to put a lot more thought into how it protects its data.” It's only with the advent of GDPR and CCPA that data security has been emerging as a separate discipline in its own right, he adds.

3. Invest in robust backups

When ransomware attackers get a foothold into an organization, they have two main objectives: to get to the valuable data and to neutralize the backups. “The best-case scenario is robust backups that are in the cloud, and completely disconnected from the main network,” says Ma. “And tape backups, usually run less frequently, but completely segregated and not accessible via the internet.”

If attackers get access to domain credentials, they shouldn’t be able to access the backups as well. “If the backups require a second set of authentication they’re a lot more protected,” Ma says.

Another backup strategy is immutable backups that cannot be overwritten or erased. “Some of the larger companies do have that implemented. But for smaller and medium-sized companies, the topic of immutable backups doesn’t make it to the boardroom. They’re still relying on backup technology from 2016--and that’s not good enough in today’s day and age,” she says.

Rubrik recently conducted an analysis of several thousand organizations, from both customer and non-customer environments, and 99% of enterprises had data backups in place when they were hit by ransomware. But 93% of companies also had significant challenges using those backups to recover lost data. “There was either not enough data storage, or not enough expertise, or an inadequate portion of their environment was covered,” says Stone. Also, in 73% of the incidents, the attackers had some success in accessing the backups, he adds.

If the backups weren’t secured properly, attackers were able to delete backups or use compromised credentials to access management panels. If the backups failed or were deleted by attackers, paying the ransom might seem like the only way out. But, according to the Rubrik report, only 16% of organizations recovered all data after paying the ransomware demand.

The reason? The ransomware gangs aren’t very good at their decryption tools and aren’t particularly motivated, either. As long as their tools do something, anything, the victims have hope.

According to Stone, today’s ransomware attacks are rarely conducted by a single group. Instead, there’s an attack ecosystem. One actor finds the vulnerability that gets them into an environment. Another plants the ransomware. A third steals data and resells it. Someone else uses stolen credentials to launch more attacks. Other actors may use the same access path to plant crypto-miners, or more ransomware.

“It’s not unusual for multiple threat actors to be involved in an intrusion,” Stone says.

So it's not a surprise that, according to Barracuda, 38% of organizations reported two or more successful ransomware attacks in 2022--up from fewer than 20% in 2019. “You can become an annuity for the criminals because they can keep asking for more money,” says Catherine Castaldo, partner with Reed Smith's tech and data practice. “We’ve seen this happen, especially in sensitive areas like hospitals and law firms.”

Companies that are avoiding investing in multilayered security, strong encryption, multifactor authentication and robust backups because they think they won’t be hit by ransomware -- or, if they are, that it would be cheaper to just pay the ransom and get back to work -- are living in the past. This strategy might have worked in 2013 when ransomware attacks were rare and ransoms were tiny. But it doesn’t work today.