Three Keys to a Reliable Ransomware Defense Strategy

May 5, 2021 | 4 minute read

As we noted in a previous blog post, ransomware attacks are becoming more frequent and more costly. Reports reveal that there were 304 million ransomware attacks in 2020 - 62% more than the total number of ransomware attacks for 2019. The estimated cost of those incidents increased from $11.5 billion to $20 billion during that same time period. Average ransom costs also rose from $5,900 to $8,100 between those two years, with associated downtime losses growing from $141,000 to $283,000.

These trends highlight the need for organizations to not just respond to ransomware attacks, but to make sure they are prepared to prevent them from ever being successful. Towards that end, we recommend that organizations use the following three tips to build a successful ransomware prevention strategy.

Tip #1: Create a Robust Data Backup Strategy

There are two main types of ransomware: lockers and crypto-malware. The former employs a screen locking technique to prevent victims from using their computers and/or accessing their data. Meanwhile, the latter leverages encryption to render a user’s data inaccessible unless they have a decryption key.

Notwithstanding their differences, both types of ransomware have the same motivation: preventing a user from accessing their information until they pay up. That’s why organizations need a way to recover their data in the event of a ransomware infection. With data backups specifically, organizations can restore their information on a computer that’s been wiped of ransomware or on a newly purchased replacement device—all without having to pay the ransom.

Organizations and users might consider abiding by the 3-2-1 rule with their data backups. As noted by Network World, this involves maintaining at least three different versions or copies of their data on at least two different media (hard drive and online). It also involves keeping one backup version or copy located off-site so that organizations and users can recover their information if they lose their data in a physically destructive incident such as a fire.

A data backup strategy is not a one-time task, however. It’s an ongoing process. Organizations and users need to confirm that their backups can actually be restored so that they won’t lose their information in a ransomware attack or similar incident. Hence the need to test their backups regularly.
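The two checks described above, the 3-2-1 rule and a regular restore test, can be automated. The following is an added example, not code from the original post or from Cybereason: it models each backup copy with its medium and off-site flag, checks the 3-2-1 rule, and then reads every copy back and compares its SHA-256 digest against the known-good source. The file names, hosts and media labels are constructed for the demonstration, and one copy is deliberately corrupted to show what a failed restore test looks like.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class BackupCopy:
    name: str       # label for the copy (constructed, e.g. "nas")
    medium: str     # storage medium type, e.g. "disk", "cloud", "tape"
    offsite: bool   # True if the copy lives outside the primary site
    path: Path      # where the copy can be read back from


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_321(copies: list[BackupCopy]) -> list[str]:
    """Return the 3-2-1 rule violations for a set of copies (empty list = compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one medium ({', '.join(sorted(media))}), need at least 2")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    return problems


def verify_restore(copies: list[BackupCopy], expected_digest: str) -> dict[str, bool]:
    """Read each copy back and report whether it matches the known-good digest.

    An unreadable copy counts as a failed restore, not as an error: a backup that
    cannot be read when you need it is exactly what this test exists to catch.
    """
    results = {}
    for c in copies:
        try:
            results[c.name] = sha256_of(c.path) == expected_digest
        except OSError:
            results[c.name] = False
    return results


def run_demo() -> tuple[list[str], dict[str, bool]]:
    """Constructed scenario: one source file, three copies, one of them silently corrupted."""
    tmp = Path(tempfile.mkdtemp())
    source = tmp / "ledger.csv"
    source.write_bytes(b"id,amount\n1,100\n2,250\n")
    good_digest = sha256_of(source)

    copies = []
    layout = [("local-disk", "disk", False), ("nas", "disk", False), ("cloud", "cloud", True)]
    for name, medium, offsite in layout:
        copy_path = tmp / f"{name}.bak"
        copy_path.write_bytes(source.read_bytes())
        copies.append(BackupCopy(name, medium, offsite, copy_path))

    # Simulate a copy that changed after it was taken (bit rot, or ransomware that
    # reached the NAS share). The 3-2-1 check alone would never notice this.
    (tmp / "nas.bak").write_bytes(b"id,amount\n1,100\n2,999\n")

    return check_321(copies), verify_restore(copies, good_digest)


if __name__ == "__main__":
    rule_problems, restore_results = run_demo()
    print("3-2-1 violations:", rule_problems or "none")
    for name, ok in restore_results.items():
        print(f"restore test {name}: {'OK' if ok else 'FAILED'}")
```

The point of the demo is that the two checks answer different questions: `check_321` tells you whether the backup layout is sound, while `verify_restore` tells you whether any given copy would actually bring the data back today. In a real deployment the digest would come from a manifest written at backup time, and the restore test would run on a schedule against a host that is isolated from production.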

But organizations cannot rely on data backups alone, as ransomware operators are increasingly using “double extortion” schemes to ensure payment. Double extortion is a tactic in which the ransomware strain first steals information stored on a victim’s machine before launching the encryption routine.

The ransomware encrypts the victim’s data and demands payment in exchange for a decryptor, as would be expected. But the threat actor then makes the additional demand that victims pay up in order to prevent the attackers from publishing their data online.

By using double extortion, ransomware attackers can compel organizations to pay even if they are able to recover their information using data backups, so organizations still need to focus on preventing a ransomware infection in the first place.

Tip #2: Use Security Awareness and Good Endpoint Protection

Data backups are essential for recovering from a ransomware attack, but they won’t help to prevent one. That’s especially the case given the emergence of double extortion, as explained above. This tactic shifts the conversation from detecting a ransomware attack to preventing one from occurring in the first place.

One of the ways organizations can prevent a ransomware attack is by educating their employees about some of the most common ransomware delivery vectors. No delivery vector is more common than email. For example, one report notes that 54% of managed service providers (MSPs) reported that phishing scams were the most common cause of ransomware infections.

Organizations can respond to this finding by using phishing simulations to build their employees’ familiarity with phishing attacks. They can also use threat intelligence along the way to educate their employees about some of the most recent phishing attacks that security researchers have spotted in the wild.

Also key here is having a robust prevention solution in place on all endpoints. A worthy solution should offer threat intelligence-based detection, behavioral analytics, machine learning algorithms, and deception techniques that work in unison to convict both known and unknown malware.

It should have the ability to provide both static and dynamic detections of malicious executables, as well as the ability to block zero-day exploits, fileless attacks, .Net abuse, malicious macros in documents, and other challenging threats. Having this multi-layer approach to prevention deployed across all endpoints is critical to preventing ransomware attacks before they can cause damage or disruption of critical business operations.

Tip #3: Invest in the Ability to Visualize the Entire Attack Chain

The reality is that not every phishing attack or ransomware strain has been spotted before. This is a problem for organizations. Without Indicators of Compromise (IOCs) and other threat intelligence, organizations don’t know what to look for, so they won’t be able to implement appropriate security safeguards.

That’s why organizations need to be able to spot an attack that’s in progress—regardless of whether someone has detected it before. They can do this by investing in endpoint detection and response (EDR) solutions that do not depend on IOCs alone, but also leverage detections based on the more subtle Indicators of Behavior (IOBs).

An efficient EDR solution that leverages IOBs can identify threats quickly and with a high degree of accuracy. It does so through behavioral analysis that draws on cross-machine correlations and enriched data from across all endpoints in real time, correlating related activity to deliver the complete story of an attack.
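To make the IOC-versus-IOB distinction concrete, here is an added example that is not part of the original post and not Cybereason’s detection logic. It runs over a constructed stream of endpoint file events and flags a behavior rather than a hash: any process that renames many files to a different extension within a short window. A second step correlates those per-host hits across machines, so the same behavior appearing on several endpoints is raised to a higher severity, which is the cross-machine correlation the text describes. Hostnames, process names, paths and timestamps are all constructed; the threshold and window are illustrative tuning knobs, not recommended values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds since epoch (constructed)
    host: str        # endpoint that reported the event
    process: str     # image name of the acting process
    pid: int
    action: str      # "rename", "write" or "delete"
    old_path: str
    new_path: str


def extension(path: str) -> str:
    """Return the lower-cased final extension of a path, or "" if it has none."""
    dot = path.rfind(".")
    return path[dot:].lower() if dot > path.rfind("/") else ""


def find_mass_rename(events, threshold: int = 5, window: float = 10.0):
    """Flag (host, process, pid) tuples that changed the extension of at least
    `threshold` files inside any `window`-second span. No file hash or signature
    is consulted: this is an Indicator of Behavior, so a never-before-seen
    strain trips it just as a known one would."""
    per_process = defaultdict(list)
    for e in events:
        if e.action == "rename" and extension(e.old_path) != extension(e.new_path):
            per_process[(e.host, e.process, e.pid)].append(e.ts)

    hits = {}
    for key, times in per_process.items():
        times.sort()
        start, best = 0, 0
        for i in range(len(times)):           # sliding window over sorted timestamps
            while times[i] - times[start] > window:
                start += 1
            best = max(best, i - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def correlate(hits):
    """Cross-machine correlation: group hits by process image name. The same
    behavior on more than one host is a stronger signal than an isolated hit."""
    hosts_by_process = defaultdict(set)
    for host, process, _pid in hits:
        hosts_by_process[process].add(host)
    return {
        process: ("high" if len(hosts) > 1 else "medium", sorted(hosts))
        for process, hosts in hosts_by_process.items()
    }


# Constructed sample telemetry for the demonstration.
SAMPLE_EVENTS = (
    # ws-01: one process rewrites six spreadsheets to a new extension in six seconds
    [FileEvent(1000.0 + i, "ws-01", "updater.exe", 4120, "rename",
               f"/share/finance/q{i}.xlsx", f"/share/finance/q{i}.xlsx.locked") for i in range(6)]
    # ws-01: a user renaming two notes by hand, well below the threshold
    + [FileEvent(1100.0, "ws-01", "explorer.exe", 1337, "rename", "/home/ann/notes.txt", "/home/ann/notes.md"),
       FileEvent(1103.0, "ws-01", "explorer.exe", 1337, "rename", "/home/ann/todo.txt", "/home/ann/todo.md")]
    # ws-02: the same image name doing the same thing to five documents
    + [FileEvent(1200.0 + i, "ws-02", "updater.exe", 880, "rename",
                 f"/home/bob/doc{i}.docx", f"/home/bob/doc{i}.docx.locked") for i in range(5)]
    # ws-03: a photo tool renaming many files but keeping their extension (benign, not flagged)
    + [FileEvent(1300.0 + i, "ws-03", "phototool.exe", 222, "rename",
                 f"/photos/IMG_{i}.jpg", f"/photos/trip_{i}.jpg") for i in range(8)]
)


def demo():
    """Run both stages over the constructed events and return the correlated verdicts."""
    return correlate(find_mass_rename(SAMPLE_EVENTS))


if __name__ == "__main__":
    for process, (severity, hosts) in demo().items():
        print(f"{severity.upper():6} mass-rename behavior by {process} on {', '.join(hosts)}")
```

Note what the example does not do: it never looks at the process’s hash, signer or name, so renaming the binary or recompiling it changes nothing, whereas an IOC-only rule would go blind. The benign cases (a user renaming two files, a tool that preserves extensions) stay under the threshold, which is where the tuning effort goes in a real deployment.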

The Cybereason Advantage

Cybereason delivers fearless ransomware protection via multi-layered prevention, detection and response to prevent ransomware infections and data exfiltration that can put organizations at risk from double extortion, including:

• Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.

• Intelligence-Based Antivirus: Cybereason blocks known ransomware variants by leveraging an ever-growing pool of threat intelligence based on previously detected attacks.

• NGAV: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.

• Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.

• Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

• Anti-Ransomware and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques to surface the most complex ransomware threats and end the attack before any critical data can be encrypted.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Cybereason Security Team

The Cybereason Security Team champions cyber defenders by providing future-ready attack protection that unifies security from the endpoint, to the enterprise, to everywhere the battle moves. The Cybereason Defense Platform combines the industry’s top-rated detection and response (EDR and XDR), next-gen anti-virus (NGAV), and proactive threat hunting to deliver context-rich analysis of every element of a Malop (malicious operation). The result: defenders can end cyber attacks from endpoints to everywhere.
