The benefits of implementing a multi-layered ransomware defense strategy

Ransomware is becoming a risk that UK organizations can’t afford to take, with rising financial and operational costs. A staggering 75 percent of UK organizations were hit with ransomware in 2021, and most of them (82 percent) paid the ransom, making the UK the most likely country to pay out globally. As cybercriminal strategies evolve to navigate traditional defenses, a multi-layered ransomware defense strategy is vital for organizations to protect what’s theirs.

It’s first important to understand the typical defense strategies that attackers have adapted to, in order to appreciate the rationale for boosting cyber protection. Looking at the rising costs of these incidents also shows the business value of working to detect and stop attacks before they take hold. This is not a quick fix, but failing to implement these measures can damage a business’s profitability and reputation, or worse.

Exponential rise in ransomware incidents

High profile ransomware attacks are becoming increasingly prevalent, such as the attack on KP Snacks, or the Foreign Office ransomware attack which cost nearly £500,000 to resolve — these attacks show the threat is real and that no industry is safe.

In addition to the rise in attack frequency, costs are escalating rapidly, with Sophos’ State of Ransomware Report 2021 showing the average ransomware recovery cost is now $1.85 million. Even more worryingly, in the interest of business continuity and the necessity of restoring their mission-critical operations, more organizations are accepting attackers’ demands.

Know your enemy

Understanding how ransomware works is key to putting strategies in place to thwart potential attacks. Ransomware is a form of malware that exploits vulnerabilities in the corporate IT infrastructure and can spread right throughout the technology ecosystem. Actively targeting weaknesses and uninformed end users is its typical route, and opportunities to do this have surged as ‘working from anywhere’ workstyles expose networks to new devices, personal networks and workers’ more cavalier approach to security. Alarmingly, most ransomware transmission still occurs via classic phishing emails and visits to infected websites.

Upon infection, users are typically notified via a pop-up that their files have been encrypted, together with a demand for immediate payment. The encrypted files from the infected user’s account sync to the cloud and productivity ceases immediately. Without a multi-layered ransomware defense strategy in place, many businesses concede defeat and pay the ransom in order to quickly regain access to their files.

However, the impact of an attack on an organization doesn’t just stop there — a ripple effect runs through the business with organizations needing to conduct event impact debriefs, disinfect hardware, and even perform manual backups to restore data — this can take weeks to see through. Even during this recovery period, attackers remain in active pursuit of additional infrastructure vulnerabilities, which means the nightmare isn’t always over.

Evolving complexity of ransomware

Even with robust security in place, attacks are often impossible to avoid. Attackers can alter their encryption methods, for instance adjusting the speed of the encryption process to make their malware less predictable, so that the volume of file activity stays below the threshold at which traditional detection software raises an alert. Other common attacker tactics, such as randomizing the order in which files are overwritten or keeping the ransomware “dormant” for a defined time period, make it harder still to detect.

Now that organizations’ workers are more security savvy about email links, hackers have evolved their tactics to attach files instead. They present as common file types (.doc, .pdf, .xls or JPEG files), but initiate ransomware scripts when opened.

A multi-layered ransomware defense strategy, using a combination of methods such as multi-factor authentication, security awareness training and specialized ransomware detection technology is the best way to protect businesses’ most important assets.

Maximizing ransomware protection

These practical recommendations can supplement an organization’s defense-in-depth strategy, and help prevent ransomware infections:

- Always utilize multi-factor authentication (MFA)
- Adopt a robust security awareness training program, for induction and at regular intervals
- Employ a zero-trust policy: restrict users’ file access to “need to know” only
- Implement software patches immediately, and work with trusted vendors
- Investigate dedicated ransomware detection solutions

Earliest detection is the best protection

Early detection is key to stopping ransomware threats. An effective multi-layered ransomware defense strategy uses machine learning algorithms to monitor for, detect and alert on suspicious activity. This means watching for anomalies, for example inconsistent file types, and for direct evidence of an infection, such as file extensions that have changed or match known ransomware signatures, or the appearance of a “ransom note”.

If irregularities are found, the administrator would be immediately alerted so that they can block all affected user accounts, helping to contain ransomware before it spreads. Identifying every encrypted file and tracing the infection back to its source will prevent the spread. In containing the damage, this helps to minimize data loss.

Making a quick recovery

It’s best to choose a cybersecurity solution which has disaster recovery built into the content architecture and doesn’t need to rely on external backup services. With frequent file snapshots made as any changes are made, tech teams can easily restore to the latest clean version of files, without sensitive data being compromised. If ransomware can be thwarted on a granular level, no valuable data is lost, and business operations will continue with minimal downtime.
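The detection, containment and recovery steps described in the three preceding sections, as an added example that is not part of the original article or any vendor product: it scans constructed file-change events for changed extensions, ransom-note file names and bursts of renames, groups the findings by account (the accounts to block), and picks the newest file snapshot taken before that account’s first anomaly. The extension list, note pattern, burst threshold and sample data are all assumptions.

```python
import re
from collections import defaultdict
# Constructed file-change events: (timestamp, user, action, old_path, new_path).
# Extension list, note pattern and burst threshold are assumptions, not real rules.
SUSPICIOUS_EXTENSIONS = (".locked", ".encrypted", ".crypt")
RANSOM_NOTE = re.compile(r"^(readme|how_to_decrypt|recover_files).*\.(txt|html)$", re.I)
RENAME_BURST = 3  # renames by one user before we flag a burst
SAMPLE_EVENTS = [
    (100, "alice", "rename", "q1/budget.xlsx", "q1/budget.xlsx.locked"),
    (101, "alice", "rename", "q1/plan.docx", "q1/plan.docx.locked"),
    (102, "alice", "rename", "hr/offer.pdf", "hr/offer.pdf.locked"),
    (103, "alice", "create", None, "q1/README_HOW_TO_DECRYPT.txt"),
    (104, "bob", "rename", "notes/draft.txt", "notes/final.txt"),
    (105, "carol", "create", None, "design/logo.png"),
]
# Constructed snapshot history for one file: (timestamp, version_id).
SAMPLE_VERSIONS = {"q1/budget.xlsx": [(90, "v1"), (98, "v2"), (100, "v3")]}

def event_reasons(action, new_path):
    """Indicators one event matches: a changed extension or a ransom note."""
    reasons = []
    if action == "rename" and new_path.lower().endswith(SUSPICIOUS_EXTENSIONS):
        reasons.append("suspicious_extension")
    if action == "create" and RANSOM_NOTE.match(new_path.rsplit("/", 1)[-1]):
        reasons.append("ransom_note")
    return reasons

def analyse(events):
    """Per-user findings: indicators, affected files and time of first anomaly."""
    findings = defaultdict(lambda: {"reasons": set(), "files": set(), "first_ts": None})
    renames = defaultdict(list)
    def note(user, reason, path, ts):
        f = findings[user]
        f["reasons"].add(reason)
        f["files"].add(path)
        f["first_ts"] = ts if f["first_ts"] is None else min(f["first_ts"], ts)
    for ts, user, action, old, new in events:
        if action == "rename":
            renames[user].append((ts, old))
        for reason in event_reasons(action, new):
            note(user, reason, old or new, ts)
    for user, items in renames.items():  # a batch of renames is itself an anomaly
        if len(items) >= RENAME_BURST:
            for ts, old in items:
                note(user, "rename_burst", old, ts)
    return dict(findings)  # keys are the accounts to block

def latest_clean_version(versions, first_suspicious_ts):
    """Newest snapshot taken strictly before the account's first anomaly."""
    clean = [v for v in versions if v[0] < first_suspicious_ts]
    return max(clean)[1] if clean else None
```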

The best defense is table stakes

Attackers have wised up to the deficiencies of commonplace security controls such as antivirus software, firewalls, secure email and web gateways, and intrusion prevention systems (IPS). On their own, these no longer present an obstacle to attackers or a robust defense. You can have the most solid backup plan, first-class employee training and fully up-to-date security software, but ransomware can mutate, making it impossible to detect through traditional signature-based tactics alone. If multiple layers of defense aren’t built into your data protection, including anomaly detection, account blocking and version control measures, threat actors will find their way in.


Neil Jones, CISSP, is Director of Cybersecurity Evangelism at Egnyte. Neil has extensive sales, client relationship development and management experience — combining strong technical knowledge with digital marketing and social media techniques that drive engagement, responses and sales pipeline. Before joining Egnyte, Neil held roles at HCL Software, IBM and Aditi Technologies.

Author: Martha Meyer