Surviving a ransomware attack begins by acknowledging it’s inevitable

The best defense against a ransomware attack is assuming it will happen before it does. With an 80% chance of re-attack, small and medium businesses in hard-hit industries including healthcare and manufacturing, are primary targets. Ransomware attacks spiked to a new record last month, increasing 153% over September last year.

Well-funded organized crime and Advanced Persistent Threat (APT) groups actively recruit AI and machine learning (ML) specialists on criminal activity hub Telegram and over the dark web to look for new ways to apply new technologies to older common vulnerabilities and exposures (CVEs) and vulnerabilities.

Using AI and ML, organized crime and nation-state attackers are out-innovating the most efficient enterprises. Double extortion ransomware groups increased by 76% between September 2022 and 2023. Healthcare experienced an 86% increase in ransomware attacks month-on-month between August and September. 

“Ransomware defense isn’t something you do when you are under attack,” Merritt Baer, field CISO of Lacework told VentureBeat. Ransomware defense looks a lot like doing security right, throughout your environment, every day — from identity and secrets management, to provisioning infrastructure to managing data protection and backups.”

Weaponized CVEs make ransomware hard to stop 

CEOs and founders of mid-tier manufacturers that have experienced multiple ransomware attacks tell VentureBeat on condition of anonymity that even after hiring cybersecurity consulting firms, ransomware attackers are still launching attacks. The mindset that ransomware is inevitable brings new urgency and focus to improving patch management, data security, backups, identity and secrets management and more secure infrastructure provisioning.  

Ivanti’s 2023 Spotlight Report found that ransomware attackers routinely fly under popular scanners’ radar, including those from well-known groups Nessus, Nexpose and Qualys. The report found that attackers’ tradecraft is getting so precise that weaponizing CVEs and then identifying weak targets based on their profiles is rampant in SMBs. 

Ransomware groups concentrate on evading detection while capitalizing on data gaps and long-standing gaps in legacy CVEs, according to Ivanti’s report.

“Threat actors are increasingly targeting flaws in cyber hygiene, including legacy vulnerability management processes,” Srinivas Mukkamala, chief product officer at Ivanti, told VentureBeat. “Today, many security and IT teams struggle to identify the real-world risks that vulnerabilities pose, and therefore improperly prioritize vulnerabilities for remediation. For example, many only patch new vulnerabilities or those that have been disclosed in the National Vulnerability Database (NVD). Others only use the Common Vulnerability Scoring System (CVSS) to score and prioritize vulnerabilities.“

Get prepared by assuming your company is a ransomware target 

With a business’s continuity and financial health on the line, ransomware is not just a cybersecurity decision. It’s a business decision. VentureBeat has learned of manufacturers paying ransoms to get back up and running — only to be hit again.

Mid-size businesses with under $100 million in revenue often don’t have the budget or staff for security, and attackers know that.

“Ninety percent of all ransomware attacks are hitting companies with less than a billion dollars in revenue,” Furtado advised in a Gartner video interview.

Furtado says ransomware is a highly effective cyberattack strategy because it puts any business under immense time pressure to resolve the breach, get their data back and keep operating.

“One thing you’ve got to understand with ransomware is that, unlike any other sort of security incident, it puts your business on a countdown timer,” Furado advises.

While law enforcement recommends not paying ransoms, nearly a third of victimized organizations end up paying, only to find up to 35% of their data corrupted and unsalvageable. 

A CrowdStrike survey found that 96% of victims who paid the ransom also paid additional extortion fees equal to $792,493 on average, only to find the attackers also shared or sold their information on the dark web via Telegram channels. The Office of Foreign Assets Control has also fined companies who paid certain ransomware attackers.

Preparing for ransomware attacks needs to be a business decision first 

Senior management teams that see ransomware attacks as inevitable are quicker to prioritize actions that seek to reduce the risk of an attack and contain one when it happens. This mindset redirects board-level discussions of cybersecurity as an operating expense to a long-term investment in risk management. 

CISOs need to be part of that discussion and have a seat on the board. With the inevitability of ransomware attacks and risks to the core part of any business, CISOs must guide boards and provide them with insights to minimize risk. A great way for CISOs to gain a seat on boards is to show how their teams drive revenue gains by providing continuous operations and reducing risks.  

“When your board wants to talk about ransomware, remind them that it might take the form of day-to-day improvements — in your patching cadence, how you manage identity, how you defend environments and do infrastructure as code, how you do immutable backups and so forth,” Baer told VentureBeat.

She continued, “ransomware is one ‘cost’ that your enterprise should factor in if they aren’t doing the security and innovation practices they need.”

CISOs must have a seat on boards

That’s a big change in how boards view and fund cybersecurity and why CISOs must have board seats to explain the many business benefits of stronger enterprise security.

“I’m seeing more and more CISOs joining boards,” George Kurtz, cofounder and CEO of CrowdStrike, said during his keynote at his company’s annual event. “I think this is a great opportunity for everyone here [at Fal.Con] to understand what impact they can have on a company. From a career perspective, it’s great to be part of that boardroom and help them on the journey. To keep business resilient and secure.”

He continued: “Adding security should be a business enabler. It should be something that adds to your business resiliency, and it should be something that helps protect the productivity gains of digital transformation.” ‘

Having a ransomware playbook is table-stakes 

CISOs tell VentureBeat that having a playbook helped them recover from ransomware attacks because it helped save time during an attack and helped contain it. 

Playbooks also make it clear to senior management and the board just how devastating an attack can be. The communications plan during a ransomware attack on a public company is a sobering call that gets support moving, CISOs tell VentureBeat. Now, with the Securities and Exchange Commission (SEC) requiring disclosures, there’s even more emphasis on getting playbooks right.  

One CISO of a large publicly-held consumer goods manufacturer told VentureBeat under anonymity that he went so far as to have a written press release explaining the ransomware attack. The board responded by approving funding for a more layered approach to data protection and backup, regular validation of backups, improved patch management and data protection and analysis workflows and clear remediation plans.

Playbooks often have containment, analysis, remediation and recovery sections. It’s important to consider a playbook as a document that needs to be regularly reviewed and updated by SecOps, IT, legal, PR and senior management.

It’s common for CISOs to lead incident simulations and tabletop exercises to test their paybooks and make sure they’re updated and revised regularly. The goal is to always look for gaps in response and close them before a ransomware attack occurs.