
How to repel ransomware using recent data

2023 has been a relentless year for ransomware, and it’s not over yet. 

Continued attacks on schools, governments, hospitals and businesses are proof that a majority of organizations still lack the policies, tools and expertise to discover and eliminate the blind spots black hats use to get in. 

Fortunately, thanks to a report released earlier this year by cybersecurity vendor Sophos, we now have data indicating the most common blind spots. Based on a survey of 3,000 IT and cybersecurity leaders around the world, the report’s findings make clear ransomware isn’t the unbeatable menace it’s hyped up to be. Rather, ransomware's prevalence largely depends on whether organizations stay vigilant over their attack surfaces, are receptive to new policies and security innovations and are diligent about enforcing cybersecurity hygiene. 

Based on the study’s findings, we’ve put together some guidance for how organizations can more effectively repel ransomware. 

#1: Practice good cybersecurity hygiene (patch, review, repeat)

We’ve put this at the top of the list for a reason. Exploited vulnerabilities (36%), compromised credentials (29%), and malicious emails (18%) were the top root causes of ransomware attacks reported by respondents in the Sophos study — all of them consequences of poor cybersecurity hygiene. Patching and security updates are tried-and-true techniques for eliminating vulnerabilities, but many organizations don’t take them seriously enough. In over half of the investigations in which Sophos determined that a vulnerability was the root cause, ProxyShell or Log4Shell was present on the affected assets, even though patches for them had been available since May 2021 and December 2021 respectively. In addition to patching, organizations should regularly review security tool configurations and train employees on how to identify and report suspicious emails and links.

#2: Back up your data and practice recovery

It’s not a matter of if attackers find a way into your network but when. When they do, raising the white flag of surrender won’t do you any favors. Regularly backing up your data and storing that data in an offsite location will ensure you have a Plan B (or C or D) should your IT systems get encrypted or shut down. The organizations in the Sophos study that practiced backing up data were far more resilient in responding to and recovering from ransomware attacks than companies that shunned backups. They spent an average of $1 million less in recovery fees than their non-backup peers. Moreover, 45% of those that used data backups were able to recover within a week, compared with 39% of those that paid a ransom.

It’s important to practice data recovery on a regular basis to ensure your backups are up-to-date. It's also important that your security team knows its responsibilities when rehearsal becomes reality. “Backups are only as good as the ones that you've practiced restoring,” says Chester Wisniewski, Field CTO of Applied Research at Sophos. “A lot of people think they have backups when it later turns out they haven't been working for six months or they don't know the procedure for restoring so it takes their team three days to figure out how to actually do a restore.”
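The restore rehearsal Wisniewski describes has three questions a script can answer before an incident does: is the latest backup fresh, is every file in it still intact, and does it actually restore end to end. The following is an added example, not code from the article or from Sophos. It assumes a simple directory-copy backup with a JSON manifest of per-file SHA-256 hashes (a constructed stand-in for whatever backup tool is in use) and checks a good set, a six-month-old set, and a set with a silently corrupted file.

```python
"""Backup rehearsal: confirm a backup set is fresh, intact and restorable
before anyone has to rely on it. Added example with a constructed backup
format (directory copy plus a JSON hash manifest)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MANIFEST = "manifest.json"


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path, taken_at: datetime) -> Path:
    """Copy every file under source into dest and record its hash and the
    backup timestamp in a manifest (stand-in for a real backup job)."""
    dest.mkdir(parents=True, exist_ok=True)
    files = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            files[rel] = _sha256(target)
    manifest = {"taken_at": taken_at.isoformat(), "files": files}
    (dest / MANIFEST).write_text(json.dumps(manifest))
    return dest


def verify_backup(backup: Path, now: datetime, max_age: timedelta) -> dict:
    """Freshness: taken within max_age. Integrity: every manifest entry present
    with a matching hash. Restorability: a full restore into a scratch
    directory reproduces the recorded hashes."""
    manifest = json.loads((backup / MANIFEST).read_text())
    taken = datetime.fromisoformat(manifest["taken_at"])
    result = {"fresh": now - taken <= max_age, "missing": [], "corrupt": [],
              "restored": False}
    for rel, digest in manifest["files"].items():
        p = backup / rel
        if not p.exists():
            result["missing"].append(rel)
        elif _sha256(p) != digest:
            result["corrupt"].append(rel)
    # A backup that cannot be restored end to end is not a backup, so the
    # rehearsal performs the restore rather than trusting the hash pass alone.
    if not result["missing"] and not result["corrupt"]:
        with tempfile.TemporaryDirectory() as scratch:
            out = Path(scratch)
            for rel in manifest["files"]:
                target = out / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(backup / rel, target)
            result["restored"] = all(_sha256(out / rel) == digest
                                     for rel, digest in manifest["files"].items())
    result["ok"] = result["fresh"] and result["restored"]
    return result


def demo() -> dict:
    """Constructed data set: a one-day-old backup, a 180-day-old one (the
    'six months' case), and a fresh one with a corrupted file."""
    now = datetime(2023, 9, 1, tzinfo=timezone.utc)
    week = timedelta(days=7)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "conf").mkdir(parents=True)
        (src / "db.sql").write_text("CREATE TABLE t (id INT);\n")
        (src / "conf" / "app.ini").write_text("[app]\nmode=prod\n")
        good = make_backup(src, root / "bk_good", now - timedelta(days=1))
        stale = make_backup(src, root / "bk_stale", now - timedelta(days=180))
        broken = make_backup(src, root / "bk_broken", now - timedelta(days=1))
        (broken / "db.sql").write_text("garbage")  # simulate bit rot or tampering
        return {"good": verify_backup(good, now, week),
                "stale": verify_backup(stale, now, week),
                "broken": verify_backup(broken, now, week)}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: ok={r['ok']} fresh={r['fresh']} restored={r['restored']} "
              f"corrupt={r['corrupt']} missing={r['missing']}")
```

The stale set passes the integrity and restore checks but still fails overall, which is the point of the freshness check: a backup that restores perfectly but is six months old leaves six months of data to the attacker. Schedule the rehearsal, and treat a failing run as an incident in its own right rather than a warning to look at later.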

#3: Implement Zero Trust Network Access

With compromised credentials being a top root cause in this year’s ransomware study (29%), it’s clear that organizations are struggling to verify who can or can’t be trusted on their networks. That’s why more companies are moving to adopt zero trust network access. ZTNA treats each user and device individually so that only the resources that users and devices are allowed to access are made available. Instead of granting users complete freedom of movement on a network (as is the case with remote VPNs), a ZTNA framework establishes a unique channel between the user and the specific gateway for the application they’re authorized to access – and nothing more. This is increasingly essential as attackers evolve their techniques to bypass MFA with sophisticated phishing-as-a-service tools.

#4: Invest in adaptive endpoint protection tools

Company whitepapers burst with acronyms that hype the latest endpoint security solutions – EDR, NDR, XDR, EDPR, the list goes on. But with global enterprise spending on endpoint tools expected to pass $26.4 billion by 2025, companies clearly have an appetite for solutions that can monitor and generate real-time alerts regarding endpoint health. “The diversity of attack types we saw in this year’s ransomware data might be due to attackers not achieving their end objectives,” says John Shier, Senior Security Advisor at Sophos. “More companies are adopting EDR, NDR and XDR which allow them to spot trouble sooner. This, in turn, means they can stop an attack in progress and evict the intruders before the primary goal is achieved – or before another, more malignant intruder finds a protection gap first located by a lesser adversary.” While it’s wise to invest in an endpoint security platform, choose one that is product-agnostic and integrates easily with your existing IT stack.

#5: Consider allying with an MDR provider

Many of the above solutions aren’t difficult to implement, but they can be tricky to orchestrate. That’s why it can be really beneficial for companies to partner with a managed detection and response (MDR) provider. MDR vendors can give you support and access to elite threat hunting experts, advanced endpoint scanning tools, rapid incident response and contextual threat intelligence to help your in-house team proactively address endpoint vulnerabilities. Another major benefit of MDR is the sheer volume of data they bring to the fight. By working with thousands of clients around the world, they have significantly more threat data at their fingertips than the average organization. And by leveraging artificial intelligence, MDR vendors can spot suspicious activity and pick up on patterns in a matter of minutes rather than the months it might take others. They can then use that knowledge to immediately alert their customers or take action on their customers' behalf to remove those threats.

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.
