source: cyberdefensemagazine.com

As businesses increasingly rely on digital systems, networks, and data for operations, maintaining the integrity and availability of these resources becomes more critical. According to the Ransomware 2017 Report by Cybersecurity Insiders, 80% of cybersecurity professionals surveyed considered ransomware a threat ranging from moderate to extreme.

Ransomware infections are particularly concerning for Security Operations Center (SOC) analysts because there is usually little to no advance warning. Unlike advanced persistent threats (APTs), which rely on low-and-slow techniques, ransomware uses shock-and-awe techniques. Once it starts, an attack is capable of encrypting large numbers of files within minutes. For individuals, this can be the contents of their computer. For companies, where employees often have access to multiple shared files and databases, ransomware can spread quickly to shared drives, bringing business to a standstill. When it comes to organizations such as hospitals, critical infrastructure, or transportation systems, a ransomware attack can even be potentially life-threatening. Thirty-nine percent of security professionals surveyed estimate that it would take anywhere from a couple of days to a few weeks for their organization to recover from a ransomware attack.

Ransomware is likely to remain a popular form of attack as long as it remains profitable to attackers. While only 23% of security professionals surveyed say that their company is even slightly likely to pay a ransom demand, 3% of companies have already set up a bitcoin account to prepare for a future attack. Combined with high-profile news of large payouts, ransomware isn’t likely to disappear any time soon.

There are many methods hackers use to spread ransomware. The most common method is through malicious email attachments, often as part of a phishing campaign. Victims are sent an email that appears to come from a trusted source and are enticed to open the attachment. The attachment, which carries the ransomware, could be an Adobe PDF, a Microsoft Excel or Word document, or even an image file. The second most common vector for ransomware attacks is visiting malicious websites that exploit common software vulnerabilities to spread ransomware to visitors. Other attack vectors include social engineering, where an attacker poses as a trusted individual, and removable media, where attacks spread through infected USB drives.

Given all of this, how can you protect your organization from falling prey to a ransomware outbreak? A comprehensive approach to ransomware requires three things: people, process, and product.

First, train people across your organization. Teach users how to spot and avoid phishing campaigns. Encourage good “cyber hygiene” practices including keeping devices up to date, learning how to identify and avoid suspicious public WiFi access points, and maintaining regular backups of important files. All of these practices help reduce the risk of infection and minimize the impact of a successful attack.

Second, create a process that ensures that, in case of a successful ransomware attack, the number of users and devices compromised, and the amount of data compromised, is kept to a minimum. Automated incident response (IR) triage actions, when well defined and quickly executed, are a critical first step. Automation is particularly important given the speed with which ransomware attacks occur. When a user's device is infected by malware, quickly informing the IT security team, shutting down the device's network connection(s), and powering off the device are all steps that can prevent a massive impact. Additional IR processes executed by security analysts can ensure that the ransomware does not spread across the organization or across shared resources.

Third, leverage available product technologies to detect and respond to ransomware attacks, minimizing impact and speeding recovery. Organizations have historically relied on perimeter, network, and endpoint security products to prevent attacks. However, point products often create security data silos, leaving SOC teams to struggle with overall visibility and intelligence. To close the gap between point products, consider a next-generation machine learning and AI-based security analytics solution that collects data from across your enterprise, adds wider context, and intelligently cuts through the noise to identify the alerts that can indicate a ransomware infection. Organizations that deploy an advanced security analytics technology, train their users appropriately, and implement effective triage and recovery processes will be much better prepared to defend against ransomware attacks.
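As an added illustration of the kind of alert such analytics can raise and the automated triage step it feeds (example code written for this article, not a product's own logic), the following Python detector reads constructed file-server audit lines and flags any host that rewrites an unusually large number of distinct shared-drive files within a short window, which is the "many files in minutes" signature described above. The log format, host names, paths, and the 50-files-per-minute threshold are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Triage rule: a single host writing this many *distinct* shared-drive files
# inside the window is far beyond a human's pace and worth an automated alert.
WINDOW = timedelta(seconds=60)
THRESHOLD = 50

# Constructed file-server audit lines, "timestamp,host,user,action,path"
# (sample data for this example, not from the article).
SAMPLE_LOG = "\n".join(
    # ws-17: 80 distinct files rewritten in 40 seconds, the burst pattern
    [f"2017-09-12T09:00:{i % 40:02d},ws-17,alice,write,//fs01/finance/doc{i}.xlsx"
     for i in range(80)]
    # ws-22: the same report saved five times over ten minutes, normal use
    + [f"2017-09-12T09:{m:02d}:00,ws-22,bob,write,//fs01/finance/report.docx"
       for m in range(0, 10, 2)]
)

def parse_events(text):
    """Parse audit lines into (time, host, user, action, path), sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, user, action, path = line.split(",", 4)
            events.append((datetime.fromisoformat(ts), host, user, action, path))
    return sorted(events, key=lambda e: e[0])

def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: alert} for hosts whose count of distinct files written
    within any sliding window reaches the threshold; first crossing only."""
    recent = defaultdict(deque)  # host -> (time, path) pairs still in the window
    alerts = {}
    for ts, host, user, action, path in events:
        if action not in ("write", "rename"):
            continue
        q = recent[host]
        q.append((ts, path))
        while ts - q[0][0] > window:  # evict events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and host not in alerts:
            # This record is what an automated playbook would act on:
            # notify the security team, then isolate the host.
            alerts[host] = {"user": user, "first_seen": ts, "files": len(distinct)}
    return alerts

if __name__ == "__main__":
    for host, alert in detect_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host} ({alert['user']}): {alert['files']} files by {alert['first_seen']}")
```

Legitimate bulk writers such as backup or sync service accounts produce the same burst, so in practice the threshold is tuned per environment and known service accounts are excluded before the alert triggers isolation.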