How to combat ransomware in the face of tight security staffing

Ransomware remains a threat for which all organizations must be prepared. But with much of today’s cybersecurity guidance geared toward larger companies, smaller organizations with tighter staffing are often left hanging. The advice in this article is for them.

Ransomware cost organizations $4.5 million in 2022, according to the most recent IBM Cost of a Data Breach Report. It is often a crime of opportunity -- a combination of threat actors, the set of processes they typically follow in these attacks, and the malicious software used to encrypt victim files. Once valuable data is encrypted, the attacker demands a ransom so that access, through decryption, can be restored. These attacks most often start with a phishing email, and less often with the exploitation of software vulnerabilities and misconfigurations in the target's systems.

The attacks often cost much more than the ransom itself once the cost of downtime, lost business, and cleanup and remediation is counted.

The best way for small organizations to defend themselves against ransomware is to make sure that the malicious encryption is made moot through mitigation. Should those mitigation efforts fail, small organizations must be able to optimize their remediation and incident response capabilities so they can respond as effectively as possible with the resources they have on hand.

Prevention and mitigation

Preventing ransomware attacks is the best defense, and it is arguably attainable with the right combination of security practices and policies and the deployment of effective threat protection capabilities. Security awareness training for the general staff and continuous security training for IT and security staff are also essential. While non-IT staff need reminders to be careful about what they click and download, the technical and tactical nature of ransomware threat actors and their attacks keeps evolving, and the technical teams must be kept up to date.

The technical controls that provide the most anti-ransomware capability for the dollar are not necessarily expensive, nor do they require much staff to manage: multi-factor authentication, regular data backups, and enforcing good access policies such as the principle of least privilege.

Enforcing good access policies is essential because ransomware attackers typically breach an endpoint or workload and then try to compromise connected systems. They keep moving this way until they find troves of valuable data that the organization will likely pay handsomely to access again.

Finally, there’s the use of advanced threat protection technologies that attempt to disrupt the entire ransomware attack chain, preventing ransomware from taking hold. Most of these technologies use behavioral analysis to identify and stop ransomware attacks before they can fully execute.

Detection and response

Endpoint detection and response (EDR) technologies collect data relating to security events and activities across all endpoints and provide visibility into their security posture. While helpful, small organizations often struggle with the "response" aspect of ransomware attacks: they don't have teams of security experts to investigate and respond to the identified attacks.

While network, endpoint, and behavioral analysis systems will detect an attack underway and can often block it, a response by trained security professionals is still often needed. That's where MDR services come in. Managed detection and response (MDR) services are outsourced services that proactively hunt, detect and respond to attacks in real time, neutralizing ransomware.

MDR services provide 24/7/365 security monitoring. These services proactively hunt for threat actors and act as an extension of the security team for small organizations. Fortunately for all organizations, especially small ones with tight resources, automated security response technologies accelerate all these processes. This means the attack and infected systems can be isolated immediately when an attack is identified.

This shuts down the lateral movement described earlier. MDR services also provide expert help during an attack, help that most small businesses certainly don't otherwise have access to. In this way, MDR can give small businesses the threat hunting, threat detection, and incident response capabilities necessary to ensure that ransomware attacks, even somewhat successful ones, do limited damage.
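To make the behavioral detection and automated isolation described above concrete, here is an added toy example (not code from the article or from any EDR/MDR product). It assumes a feed of file-activity events shaped as (timestamp in seconds, host, process, action, path), flags a process whose activity within a short window looks like mass encryption (many files, several directories, many extension changes), and maps each flagged host to a host-isolation action; the thresholds are illustrative, not tuned.

```python
import os
from collections import defaultdict, deque

# Illustrative thresholds (assumptions, not vendor defaults).
WINDOW_S = 10      # sliding window in seconds
MIN_EVENTS = 8     # file touches by one process inside the window
MIN_DIRS = 3       # distinct directories touched (spread, unlike one batch job)
MIN_EXT_CHANGES = 5  # touches that change a file's extension

def _extension_changed(action, path):
    """Renames carry 'old -> new'; a write to a stacked extension such as
    report.docx.locked also counts. Toy heuristic: archive.tar.gz would match too."""
    if action == "rename" and " -> " in path:
        old, new = path.split(" -> ", 1)
        return os.path.splitext(old)[1] != os.path.splitext(new)[1]
    return os.path.basename(path).count(".") >= 2

def detect_bursts(events, window_s=WINDOW_S):
    """Return {(host, process): reason} for processes whose recent file activity
    looks like mass encryption. Events must be sorted by timestamp."""
    recent = defaultdict(deque)  # (host, proc) -> deque of (ts, dir, ext_changed)
    flagged = {}
    for ts, host, proc, action, path in events:
        q = recent[(host, proc)]
        q.append((ts, os.path.dirname(path.split(" -> ")[0]),
                  _extension_changed(action, path)))
        while q and ts - q[0][0] > window_s:   # drop events outside the window
            q.popleft()
        n, dirs = len(q), len({d for _, d, _ in q})
        ext_changes = sum(1 for _, _, c in q if c)
        if n >= MIN_EVENTS and dirs >= MIN_DIRS and ext_changes >= MIN_EXT_CHANGES:
            flagged[(host, proc)] = (f"{n} file changes across {dirs} dirs, "
                                     f"{ext_changes} ext changes in {window_s}s")
    return flagged

def response_actions(flagged):
    """Automated containment: isolate each flagged host from the network so it
    cannot keep reaching connected systems (the lateral movement stage)."""
    return sorted({f"isolate-host:{host}" for host, _ in flagged})

# Constructed sample events: a legitimate backup job writing many files to one
# directory, and a process renaming documents in several directories to .locked.
SAMPLE_EVENTS = sorted(
    [(t, "fs-01", "backup.exe", "write", f"/srv/backup/job{t}.bak") for t in range(10)]
    + [(t * 0.5, "ws-12", "updater.exe", "rename",
        f"/home/u/{d}/f{t}.docx -> /home/u/{d}/f{t}.docx.locked")
       for t, d in enumerate(["docs", "pics", "docs", "finance", "pics",
                              "docs", "finance", "hr", "docs", "pics"])],
    key=lambda e: e[0])

if __name__ == "__main__":
    hits = detect_bursts(SAMPLE_EVENTS)
    print(hits, response_actions(hits))  # only ws-12/updater.exe is flagged
```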

Ransomware is a threat that is both persistent and ever-changing. But it is beatable -- even for resource-strapped businesses.

George V. Hulme

An award-winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is a security blogger at InformationWeek.com. From
