The expert view: ransomware strategies – preparing for an attack

“Ransomware is the cyber-plague of our time,” said John Maynard, CEO of Adarma, opening a recent TEISS breakfast briefing at The Goring in London. He told attendees, all senior executives from a range of industries, that ransomware attacks are up 144 percent, year-on-year, and the amount paid in ransoms has increased by 75 percent to $500,000.

There are around 130 ransomware gangs active worldwide, ranging from the well-known REvil and Conti groups (with Russian linkages) to others such as DarkSide (involved in the Colonial Pipeline attack). Adarma’s research has found that 96 percent of business leaders are confident in their cybersecurity defences, despite almost 60 percent falling victim to a ransomware attack.

What does good preparation look like? Bernard Montel, EMEA Technical Director at Tenable, pointed out that attackers are often lazy. He said: “It’s a low-cost, high-impact model. If attacking you is too much effort, they’ll go elsewhere.”

Identifying vulnerabilities

Attendees felt as prepared as they can be but were very aware that this might not prevent an attack. Several attendees said they had shifted their posture on ransomware attacks from “if” to “when”, and a couple even said they assume they have already been compromised by an attacker and plan accordingly.

Getting the right protection, attendees said, means getting the whole business on the same page. Quantifying the threat is hard, whether considering the likelihood of an attack or the potential cost and damage. However, some said reports of ransomware attacks elsewhere provide a useful benchmark and tend to resonate with the board if this can be applied back to the organisation at hand.

Incident simulation exercises work too. Tabletop exercises and red teaming were cited to identify gaps in processes – not just within IT and the cyber-security team but across the organisation. Some of these can be technical, such as discovering a system vulnerability, while others are procedural, such as finding that nobody knows how to contact the CEO if normal communication channels are compromised.

Attendees agreed you need to bring in stakeholders from various departments to ensure you have a comprehensive response plan that covers non-IT elements such as communicating with the media, understanding your customer breach notification obligations and alternative communication methods if you are to assume your normal channels are compromised. Attendees agreed these exercises help everyone grasp the risks and should be run more often and at least quarterly.

Know your adversary

It is important that the business understands the overall risk, but the cyber-security team must have a much more detailed understanding. As Mr Maynard put it, “Your adversary probably knows your environment better than you do.” The security team must close that knowledge gap, identify vulnerabilities and develop an understanding of how issues could be combined into an attack path.

One attendee noted that they’d reduced their vulnerabilities from hundreds of thousands to just a few thousand, with some arguing there is no point trying to get to a zero vulnerabilities position. Rather, security teams need to understand the likely attack paths and their common “choke points” to remediate the riskiest vulnerabilities, thus making the best use of their limited resources.

Another attendee pointed out that “attackers don’t hack, they log in”. Organisations must keep tight control of credentials and use systems to track users as they move through the organisation. And they should go further: much authentication activity today is machine to machine. Organisations must have visibility of that and detect inappropriate or suspicious activity.

Managing vulnerabilities and developing rapid detection and response provides a good foundation, but attendees were very aware there are no guarantees. What happens if you’ve done all the preparation and an attack still happens?

Handling an attack

Firstly, if you’ve prepared well, you’ll have a sound architecture and tools such as multi-factor authentication, network segmentation or zero-trust controls, all of which will limit the attack’s “blast radius”. Stop attackers from moving once they are in the network and you will sustain less damage.

Secondly, you will have to face the inevitable question of whether you pay the ransom. Everyone agreed that discussing this ahead of time and at board level was the right approach; however, you can never really know what decision the business will make until you’re in the position and you know what is at stake.

Paying the ransom is far from ideal because it helps legitimise the ransomware business model and might damage your reputation with customers or investors. Furthermore, there are no guarantees that paying will get your data back or save any time, especially with the trends of double or even triple extortion within ransomware tool kits. It could also still take weeks to restore the data and your backups may be compromised.

However, attendees were realistic and acknowledged that if you really cannot function without the lost data, you will have to consider paying. In that case, some said, it can be worth hiring a ransom negotiation specialist, who will at least buy you time and might have intelligence about your attackers and whether they typically return stolen information to victims who pay.

After an attack, your options are limited. Summarising the briefing, Mr Maynard said that the one advantage that businesses have over their attackers is time to prepare a response with a credible plan. It is vital that this advantage isn’t squandered.

For more information, please visit Adarma.