But decryption tools often fail when it comes to restoring complex systems brought down by ransomware. “Even if you’re able to get your complete data sets decrypted, it’s hard to get the complex configurations back and running like they were pre-incident,” Ma says.
2. Implement multilayered cybersecurity
For most companies, focusing on basic security hygiene is the fastest way to reduce ransomware risks. “[The cybersecurity industry’s] goal isn’t to make our networks impenetrable,” says Frank Dickson, group VP for security and trust research practice at IDC. “It’s to elevate the defenses to such a point that it’s no longer profitable to penetrate them.”
According to an IDC survey conducted in June, companies that had no ransomware breaches typically used some or all of five key security technologies: endpoint detection and response (EDR), cloud security gateways or cloud access security brokers (CASB), security information and event management (SIEM) systems, identity analytics or user and entity behavior analytics (UEBA), and network detection and response (NDR).
Having multiple layers of defense, as well as setting up multifactor authentication and data encryption, are fundamental to cybersecurity, but many companies still get them wrong. Stone recently worked with an educational organization that had invested heavily in cybersecurity. When they were hit by ransomware, they were able to shift operations to an offline backup. Then the attackers escalated their demands — if the organization didn’t pay the ransom, their data would be leaked online.
“The organization was well prepared for an encryption event, but not prepared for the second ransom,” Stone says. “There was actual sensitive data that would trigger a number of regulatory compliance actions.”
The company didn’t want to see the data leaked, but neither did they trust the attackers to keep their promises. “What this organization chose to do is not pay the second ransom, either,” Stone says. Instead, while the attackers were waiting for an answer, the organization notified victims about the breach. “By the time the data leaked online, they had already completed the notification actions.”
The attack exposed two major weaknesses in the company’s defense strategy. First of all, their incident response playbook didn’t cover a second extortion event. Second, they hadn’t encrypted their sensitive data. Afterward, they went back to revise their strategy, starting with their response playbook. “How do we get better at this? How do we reduce our risk? How do we do things differently next time?” Stone says, which also led them to encrypt sensitive data.
Security controls work, and over the years, companies have gotten better at protecting themselves. Rubrik conducts security assessments of organizations “and that score was up 16% last year, with improvements in every single region and every single industry,” Stone says. With the proper measures in place, companies can reduce both the number and the severity of successful attacks and get up and running again quickly after they’ve been hit. “It boils down to cost,” says Omdia analyst Adam Strange. “Organizations just have not had the budgets to be able to put themselves into a secure position.”
Data has long been regarded as one of the most important assets in an organization. “But the way we’ve protected it — or not, over the past few years — has been deplorable, really,” he says. “If an organization is going to die because it hasn’t got access to its data, then it needs to put a lot more thought into how it protects its data.” It’s only with the advent of GDPR and CCPA that data security has been emerging as a separate discipline in its own right, he adds.
3. Invest in robust backups
When ransomware attackers gain a foothold in an organization, they have two main objectives: reach the valuable data and neutralize the backups. “The best-case scenario is robust backups that are in the cloud, and completely disconnected from the main network,” says Ma. “And tape backups, usually run less frequently, but completely segregated and not accessible via the internet.”
If attackers obtain domain credentials, those credentials should not also grant access to the backups. “If the backups require a second set of authentication they’re a lot more protected,” Ma says.
Another backup strategy is immutable backups that cannot be overwritten or erased. “Some of the larger companies do have that implemented. But for smaller and medium-sized companies, the topic of immutable backups doesn’t make it to the boardroom. They’re still relying on backup technology from 2016, and that’s not good enough in today’s day and age,” she says.
Rubrik recently conducted an analysis of several thousand organizations, from both customer and non-customer environments, and 99% of enterprises had data backups in place when they were hit by ransomware. But 93% of companies also had significant challenges using those backups to recover lost data. “There was either not enough data storage, or not enough expertise, or an inadequate portion of their environment was covered,” says Stone. Also, in 73% of the incidents, the attackers had some success in accessing the backups, he adds.
If the backups weren’t secured properly, attackers were able to delete backups or use compromised credentials to access management panels. If the backups failed or were deleted by attackers, paying the ransom might seem like the only way out. But, according to the Rubrik report, only 16% of organizations recovered all data after paying the ransomware demand.
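The three backup controls discussed above, immutability, integrity and coverage, are easy to state and easy to get wrong in practice. The script below is an added example, not Rubrik's or any other vendor's code: a minimal backup catalog that enforces a retention lock on deletes (so a stolen backup-admin credential cannot purge backups on demand), re-hashes every catalogued file to detect images that were tampered with or removed behind the catalog's back, and reports which expected hosts have no backup at all, which is the "inadequate portion of their environment was covered" failure in the Rubrik figures. All hostnames, file contents and dates are constructed sample data; the `demo()` walk-through plays the attacker's side as well.

```python
"""Added example of an immutable, verifiable backup catalog (not vendor code).
Hostnames, timestamps and file contents below are constructed for the demo."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class RetentionLockError(PermissionError):
    """Raised when a delete is attempted while the retention lock is active."""


@dataclass
class BackupRecord:
    host: str
    path: str
    sha256: str
    locked_until: datetime


def sha256_file(path: str) -> str:
    """Stream-hash a file so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class BackupCatalog:
    def __init__(self, retention_days: int = 30):
        self.retention = timedelta(days=retention_days)
        self.records: dict[str, BackupRecord] = {}

    def ingest(self, host: str, path: str, now: datetime) -> BackupRecord:
        """Register a backup image and start its retention clock."""
        rec = BackupRecord(host, path, sha256_file(path), now + self.retention)
        self.records[host] = rec
        return rec

    def delete(self, host: str, now: datetime) -> None:
        """Refuse deletes until the lock expires, whoever asks (WORM semantics)."""
        rec = self.records[host]
        if now < rec.locked_until:
            raise RetentionLockError(f"{host}: locked until {rec.locked_until:%Y-%m-%d}")
        os.remove(rec.path)
        del self.records[host]

    def verify(self) -> dict[str, str]:
        """Re-hash every catalogued image: 'ok', 'tampered' or 'missing' per host."""
        status = {}
        for host, rec in self.records.items():
            if not os.path.exists(rec.path):
                status[host] = "missing"
            elif sha256_file(rec.path) != rec.sha256:
                status[host] = "tampered"
            else:
                status[host] = "ok"
        return status

    def coverage(self, expected_hosts: list[str]) -> tuple[float, list[str]]:
        """Fraction of expected hosts with a catalogued backup, plus the gaps."""
        missing = [h for h in expected_hosts if h not in self.records]
        return 1 - len(missing) / len(expected_hosts), missing


def demo() -> dict:
    """Ingest three images, simulate an attacker, and run the checks."""
    t0 = datetime(2023, 6, 1, tzinfo=timezone.utc)  # constructed timestamp
    tmp = tempfile.mkdtemp(prefix="backups-")
    catalog = BackupCatalog(retention_days=30)

    # Constructed images for three of the four hosts we expect to cover.
    for host in ("fs01", "db01", "mail01"):
        path = os.path.join(tmp, f"{host}.img")
        with open(path, "wb") as f:
            f.write(f"backup of {host}\n".encode() * 1000)
        catalog.ingest(host, path, now=t0)

    # Attacker holding backup-admin credentials tries to purge a backup on day 3.
    try:
        catalog.delete("fs01", now=t0 + timedelta(days=3))
        delete_blocked = False
    except RetentionLockError:
        delete_blocked = True

    # Attacker bypasses the catalog and hits the storage directly: corrupt one
    # image and remove another, as a compromised NAS credential would allow.
    with open(catalog.records["db01"].path, "ab") as f:
        f.write(b"garbage")
    os.remove(catalog.records["mail01"].path)

    fraction, gaps = catalog.coverage(["fs01", "db01", "mail01", "vpn01"])
    return {
        "delete_blocked": delete_blocked,
        "verify": catalog.verify(),
        "coverage": round(fraction, 2),
        "uncovered_hosts": gaps,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `verify()` is that the catalog's own bookkeeping is not proof the data is restorable: the two images the attacker touched outside the catalog still show up as "present" until they are re-hashed. In production the retention lock is provided by the storage layer rather than by application code (for example object-storage WORM settings or offline tape), and the verification and coverage checks should run on a schedule against every host the restore plan claims to cover.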
The reason? Ransomware gangs aren’t very good at building decryption tools, and they aren’t particularly motivated to be. As long as their tools do something, anything, the victims have hope.
According to Stone, today’s ransomware attacks are rarely conducted by a single group. Instead, there’s an attack ecosystem. One actor finds the vulnerability that gets them into an environment. Another plants the ransomware. A third steals data and resells it. Someone else uses stolen credentials to launch more attacks. Other actors may use the same access path to plant crypto-miners, or more ransomware.
“It’s not unusual for multiple threat actors to be involved in an intrusion,” Stone says.
So it’s not a surprise that, according to Barracuda, 38% of organizations reported two or more successful ransomware attacks in 2022, up from fewer than 20% in 2019. “You can become an annuity for the criminals because they can keep asking for more money,” says Catherine Castaldo, partner with Reed Smith’s tech and data practice. “We’ve seen this happen, especially in sensitive areas like hospitals and law firms.”
Companies that are avoiding investing in multilayered security, strong encryption, multifactor authentication and robust backups because they think they won’t be hit by ransomware — or, if they are, that it would be cheaper to just pay the ransom and get back to work — are living in the past. This strategy might have worked in 2013 when ransomware attacks were rare and ransoms were tiny. But it doesn’t work today.