Ransomware Resilience | TÜV Rheinland

Ransomware Resilience

Ransomware continues to be the No. 1 source of cyberattacks. To defend themselves against it, organizations must become more resilient.

Ransomware attacks represent one of the greatest cyber threats to government, economy, and society. This makes it even more important to remain informed about the latest attack methods and to increase the level of ransomware resilience.

Ransomware remains the No. 1 threat

Ransomware attacks, in which cybercriminals encrypt critical data and hand over the decryption key only after a ransom is paid, are feared now more than ever. According to the survey The State of Ransomware 2023, conducted by the security provider Sophos among 3,000 IT executives in 14 countries, 66% of companies were hit by at least one ransomware attack last year. In 76% of these attacks the attackers succeeded in encrypting data, and in 30% of cases data was also stolen.

Multi-extortion tactics in particular are on the rise. In the ransomware cases studied for the 2023 Unit 42 Ransomware and Extortion Report, attackers stole data in an average of 70% of cases (in mid-2021 the rate was only around 40%). In approximately 50% of the ransomware attacks handled by the Palo Alto Networks Unit 42 Incident Response Team, an "unprotected attack surface" was the root cause.

Similarly, the 2023 Allianz Risk Barometer ranks cyber incidents, driven by ransomware, as the greatest business risk: the average cost of a data breach reached an all-time high of 4.35 million US dollars, and this figure may cross the 5 million threshold later this year. According to the FBI Internet Crime Report 2022, the IC3 received 2,385 complaints in 2022 that were identified as ransomware, with adjusted losses of more than $34.3 million. Although cybercriminals use a variety of techniques to infect their victims with ransomware, phishing emails remained the main infection vector for the ransomware incidents reported to the IC3, with LockBit, ALPHV/BlackCat, and Hive being the most frequently reported variants.

Ransomware attacks are getting faster

Cybercriminals are no longer content with simply encrypting data; they also steal it and threaten to publish it. With this multiple-extortion strategy, attackers increase the pressure, and many victims end up paying a ransom.

For the targeted companies and organizations, the situation is further exacerbated by the fact that the speed of ransomware attacks has also increased significantly. According to a study by the security provider Sophos, attackers now need just eleven days to scout a target, identify lucrative data, and steal and/or encrypt it, whereas a few years ago that process took around 200 days. This compressed timeline leaves victims far less time to identify and neutralize the threat.

For companies, it is therefore ever more crucial to detect cyberattacks as early as possible and to initiate the appropriate countermeasures. This requires both technological and personnel resources. For example, modern attack detection systems based on artificial intelligence and machine learning can help to quickly identify anomalies, such as a process that suddenly rewrites large numbers of files across many directories.
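The kind of early detection the paragraph above describes is, at its core, behavioural: an EDR agent or file-server sensor watches file-system activity per process and escalates when several independent indicators of encryption line up. The following is an added illustration, written for this page and not TÜV Rheinland's or any vendor's product code. It runs over a constructed stream of file events (a benign backup agent and a ransomware-like process), scores five indicators (burst of file touches, mass extension change, high-entropy writes, a touched canary file, a "note" dropped in many directories) and only recommends isolation when enough of them coincide, so bulk-but-legitimate activity is logged rather than blocked. All thresholds, paths and process names are assumptions chosen for the example.

```python
"""Behavioural ransomware detector over constructed file-system events.

Added example, not product code. Thresholds below are illustrative assumptions.
"""
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 30.0   # sliding window for per-process bursts
BURST_FILES = 25        # distinct files touched in a window
BURST_DIRS = 5          # ...spread over at least this many directories
MIN_SERIES = 10         # minimum renames/writes before a ratio is trusted
HIGH_ENTROPY = 7.0      # bits/byte; plaintext office files are well below this
ALERT_SCORE = 3         # indicators needed to escalate from logging to isolation
CANARY_PATHS = frozenset({"/srv/share/finance/_do_not_touch.xlsx"})  # planted honeyfile


@dataclass(frozen=True)
class FileEvent:
    ts: float
    host: str
    pid: int
    process: str
    op: str                           # "write" | "rename" | "create"
    path: str
    new_path: Optional[str] = None    # rename target
    sample: bytes = b""               # first bytes written, used for entropy


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means uniformly random (ciphertext-like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ext(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _dir(path: str) -> str:
    return path.rsplit("/", 1)[0]


def indicators_for(evs):
    """Evaluate one process's events (sorted by ts); return the indicators it trips."""
    found = []
    lo = 0  # 1. burst: many distinct files in many directories within the window
    for hi in range(len(evs)):
        while evs[hi].ts - evs[lo].ts > WINDOW_SECONDS:
            lo += 1
        paths = {e.path for e in evs[lo:hi + 1]}
        if len(paths) >= BURST_FILES and len({_dir(p) for p in paths}) >= BURST_DIRS:
            found.append("burst")
            break
    renames = [e for e in evs if e.op == "rename" and e.new_path]  # 2. uniform new extension
    changed = [_ext(e.new_path) for e in renames if _ext(e.new_path) != _ext(e.path)]
    if len(changed) >= MIN_SERIES:
        ext, count = Counter(changed).most_common(1)[0]
        if count >= 0.8 * len(renames):
            found.append(f"mass_extension_change:.{ext}")
    writes = [e for e in evs if e.op == "write" and e.sample]  # 3. ciphertext-like writes
    hot = sum(1 for e in writes if shannon_entropy(e.sample) >= HIGH_ENTROPY)
    if len(writes) >= MIN_SERIES and hot >= 0.5 * len(writes):
        found.append("high_entropy_writes")
    if any(e.path in CANARY_PATHS or e.new_path in CANARY_PATHS for e in evs):  # 4. canary
        found.append("canary_touched")
    notes = defaultdict(set)  # 5. same new file name created in many directories
    for e in evs:
        if e.op == "create":
            notes[e.path.rsplit("/", 1)[-1]].add(_dir(e.path))
    for name, dirs in notes.items():
        if len(dirs) >= BURST_DIRS:
            found.append(f"note_dropped:{name}")
            break
    return found


def analyse(events):
    """Group events per (host, pid), score indicators, and pick a response."""
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc[(ev.host, ev.pid, ev.process)].append(ev)
    verdicts = {}
    for (host, pid, proc), evs in by_proc.items():
        inds = indicators_for(evs)
        if not inds:
            continue
        action = "isolate_host_and_kill_process" if len(inds) >= ALERT_SCORE else "log_only"
        verdicts[(host, pid)] = {"process": proc, "score": len(inds),
                                 "indicators": inds, "action": action}
    return verdicts


def build_sample_events():
    """Constructed input: a benign backup agent, then a ransomware-like process."""
    base, host, evs = 1_700_000_000.0, "fs01", []
    text = b"Quarterly figures 2023, internal draft. " * 32  # low-entropy plaintext
    for i in range(40):  # backup-agent: 40 files, 8 dirs, 20 s, no renames, low entropy
        evs.append(FileEvent(base + i * 0.5, host, 4001, "backup-agent", "write",
                             f"/srv/backup/d{i % 8}/file{i}.docx", sample=text))
    rng, t = random.Random(1337), base + 100  # seeded so the run is deterministic
    dirs = ["/srv/share/finance", "/srv/share/hr", "/srv/share/legal",
            "/srv/share/sales", "/srv/share/ops", "/srv/share/board"]
    for i in range(30):  # updater.exe: random-byte writes, rename to .locked, 6 dirs, 14 s
        p = f"{dirs[i % 6]}/doc{i}.xlsx"
        evs.append(FileEvent(t + i * 0.4, host, 7342, "updater.exe", "write", p,
                             sample=bytes(rng.randrange(256) for _ in range(1024))))
        evs.append(FileEvent(t + i * 0.4 + 0.1, host, 7342, "updater.exe", "rename", p,
                             new_path=p + ".locked"))
    for j, d in enumerate(dirs):
        evs.append(FileEvent(t + 13 + j * 0.1, host, 7342, "updater.exe", "create",
                             f"{d}/HOW_TO_RECOVER.txt"))
    canary = "/srv/share/finance/_do_not_touch.xlsx"
    evs.append(FileEvent(t + 14, host, 7342, "updater.exe", "rename", canary,
                         new_path=canary + ".locked"))
    return evs


if __name__ == "__main__":
    for key, v in analyse(build_sample_events()).items():
        print(key, v)
```

The backup agent trips only the burst indicator and is merely logged; the encrypting process trips all five and is escalated within the first 30 seconds of activity, long before it has worked through a file share. Real deployments feed this from kernel or file-server audit events and tune the thresholds per host role, but the principle of combining several weak behavioural signals instead of trusting one is what keeps false positives down.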

Strengthening ransomware resilience

Ransomware has become a huge business for criminals, who are constantly expanding their attack methods and lowering the barrier to entry with leasing models such as Cybercrime-as-a-Service and Ransomware-as-a-Service (RaaS), in which affiliates rent ready-made malware and infrastructure from developers.

It is also clear that companies and organizations should develop the ability to react quickly to an attack and to avoid paying a ransom. Employees are often used as the human attack vector for phishing and social engineering, so increased security awareness is a prerequisite. Beyond that, an integrated security architecture geared toward ransomware resilience, security monitoring, established incident response processes, and regular testing of the company's own security infrastructure and processes are crucial. It is equally important to conduct continuous risk assessments to identify the attack vectors that matter.

Synergy of people, processes, and tools

Qualified personnel are needed to monitor the systems, interpret data, and respond quickly in an emergency, for example as part of a Security Operations Center (SOC). The security and IT organizations should work together effectively, and all specifications, processes and tools should be interconnected. In addition, the measures of the security architecture should be integrated with the processes of risk management and business continuity management.

An effective state-of-the-art approach is to align the company's own security processes with zero-trust principles and to increase visibility into both assets and user behavior.

Best practices of an integrated security architecture


Zero Trust

With end-to-end, continuous authentication and authorization of every access, anomalies can be detected early and attackers can be identified before they reach their objective.

Security platform

Consolidating security services into a central Secure Access Service Edge (SASE) platform not only enhances security in almost all areas of a company, but also offers considerable savings potential.

BCM processes & disaster recovery

Robust backup and recovery processes, regular tests of these backups, and redundancy tests are an essential part of business continuity management. They protect against data loss, ensure that data can actually be restored, and keep operations running even during an outage. Because attackers routinely try to delete or encrypt backups before triggering the ransomware, at least one copy should be kept offline or immutable.

Endpoint Detection and Response (EDR)

Advanced EDR tools monitor endpoints, detect threats, collect forensic data, and automatically respond to unusual activity, for example by isolating an affected host.

Incident response drills

Regular drills train personnel for emergencies to shorten response time and to minimize damage.

Identity protection

Identity protection, especially for privileged as well as regular user accounts, is essential, as these are often the first target of a ransomware attack. Identity governance and multi-factor authentication, combined with monitoring for leaked or stolen credentials, improve the detection of attacks and increase resilience.

Penetration testing

Simulated attacks identify exploitable weaknesses in systems and processes before real attackers find them.

Vulnerability management

Regular scanning and timely patching of the systems minimizes the risk of the exploitation of vulnerabilities.

Secure remote access

Secure access to enterprise resources, regardless of where they are hosted (cloud, on-premises, partner/provider), requires continuous monitoring and assessment of user context and user actions.

Secure web access

Many web proxies and VPNs exempt Microsoft 365 and similar trusted cloud traffic from inspection. Attackers abuse this implicit trust by hosting malware on and exfiltrating data to legitimate cloud storage such as AWS S3, Microsoft OneDrive or Google Drive. A central system that inspects client traffic for malware, including traffic to trusted cloud services, is therefore essential.

Secure network architecture

Detecting attackers early and preventing them from moving laterally through the network is key. Security is based on microsegmentation of local networks and the intelligent interconnection of company locations and the cloud.

Preventive protection, faster response

The bottom line: Ransomware attacks are on the rise and pose a serious threat to businesses and public institutions. A comprehensive approach that includes both preventive measures and fast response strategies is therefore essential.

At a time when cybercrime is becoming increasingly more sophisticated, ransomware resilience is no longer an option, but an absolute necessity.

Learn more about our cybersecurity services and increase your ransomware resilience.

When it comes to your cybersecurity, there is no one-size-fits-all solution. That's why we offer you a flexible range of services – tailored to your individual needs and requirements.

Penetration test


Uncover the vulnerabilities in your IT infrastructure with a penetration test.

Managed Security Services for your IT Safety


Place your IT security in good hands with our managed security services.

Cloud Access Security Broker (CASB)


Cloud Access Security Broker (CASB): Your service for monitoring and logging data traffic between cloud applications and their users.

Cybersecurity – rethinking security, shaping the future

Industrial Security Consulting Services


We provide OT and industrial cybersecurity testing, consulting and managed security services.

Would you like to increase your ransomware resilience? We're happy to help you!

For more information, please get in touch with our experts.


We would be happy to provide you with a non-binding offer.