Trustwave Blog

Ransomware Readiness: 10 Steps Every Organization Must Take

Written by | Oct 18, 2024

At the end of every year, the Trustwave content team asks its in-house experts what cybersecurity topics they predict will be top of mind in the coming 12 months, and inevitably the top answer is more ransomware.

Instead of waiting an extra couple of months, we thought why not get ahead of the curve, pretend that ransomware will again be an issue, because it will, and proceed to the part of the story where we go through the problem and mitigation methods.

Recent research compiled by Trustwave SpiderLabs from several sources was the basis for the chart below, which graphically displays which ransomware threat groups are most active. The team's work revealed Clop, LockBit 2.0 and 3.0, Conti, and ALPHV are the most active when it comes to spreading ransomware.


Raw data taken from ransomlook.io and ecrime.ch. Analysis done by Trustwave SpiderLabs.

Microsoft, which partners with Trustwave on a variety of solutions designed to help organizations unlock the full potential of Microsoft Security under its Microsoft 365 enterprise plans, noted in its latest report a 2.75X increase year over year in human-operated ransomware attacks on its customer base.

Trustwave and Microsoft have noted that socially engineered email, SMS, and voice-based phishing attacks, along with identity compromise, exploitation of known vulnerabilities, and unpatched operating systems, were the primary methods threat actors used to gain an initial foothold.

The reason behind this activity is obvious. Big bucks.

According to several sources, the attackers have made about $3.75 billion over the last five years, and the pace is increasing: $1.1 billion was illegally garnered in 2023 alone. These billions of stolen dollars equate to each attack costing the victim about $5 million, with a mean time to identify an issue of 211 days and a mean time to contain of 73 days. US-based targets received 48% of all ransomware attacks, followed by the EU at 19%, the UK at 12%, and Australia at 2%.

These numbers are intimidating, but the silver lining is every organization has the ability to take the steps necessary to harden itself against a ransomware attack.


Be Fundamentally Sound

  1. Know Your Assets and Manage Vulnerabilities: Understand your critical systems, their dependencies, and who is responsible for them. Identify, manage, and communicate known vulnerabilities and weaknesses to develop effective remediation plans. Assets can be assessed using a managed vulnerability scanning solution, which will help prioritize protection and recovery of business-critical assets to minimize disruption.
  2. Foster a Cyber-Conscious Culture: Promote a security-aware culture through training, awareness programs, and designating cyber champions. Include security in performance objectives.
  3. Develop Robust Plans: Create documented incident response, business continuity, and backup plans. Regularly review and update these plans to reflect changes in your organization.

Testing and Evaluation

  4. Test Your Plans: Regularly test incident response and business continuity plans in simulated environments to identify and address weaknesses.
  5. Conduct Proactive Testing: Use penetration testing and Red/Purple team exercises to identify vulnerabilities and assess data exposure.
  6. Collaborate: Conduct tabletop exercises to train staff on incident response procedures and ensure effective collaboration with external suppliers.
  7. Consider Data Privacy: Understand relevant data privacy laws and be prepared to address potential breaches.

Collaboration and Preparedness

  8. Collaborate with Suppliers: Work with external suppliers to understand how and when to engage them during an incident.
  9. Train Employees: Provide comprehensive training and awareness programs that focus on prevention, detection, and response.
  10. Prepare for Data Breaches: Understand the potential impact of data breaches on your organization and have a plan in place to address legal and regulatory requirements.

Step 10 needs to be fleshed out a bit. All conversations on ransomware prevention and preparedness must include information on what to do if the unthinkable happens and your organization is successfully attacked.

It is all about the speed of detection and speed of response. As noted above, the average mean time to identify (MTTI) and mean time to contain (MTTC) can be quite long, which means the faster an organization can mitigate an incident, the better. Organizations that partner with managed security service providers can ensure there are always eyes on the environment, because adversaries can attack any system at any time of day.

It's also important that organizations have an incident response retainer. We've seen organizations that recognize they have been attacked but never engage partner organizations that can help respond to the attack. Meanwhile, the attacker gains more and more information and sensitive data from the network.


The Role Trustwave Plays to Keep Organizations Safe

Trustwave offers comprehensive support for dealing with ransomware attacks through several key services:

  1. Ransomware Preparedness Service: This service helps organizations assess their current defenses and readiness to handle ransomware threats. It includes evaluating critical lines of defense, such as security controls, detection capabilities, and response strategies.
  2. Digital Forensics and Incident Response: Trustwave's incident response team can quickly mobilize to contain and mitigate the impact of a ransomware attack. This team provides detailed analysis of the attack, including how the threat actors infiltrated the systems and the techniques they used.
  3. Advanced Threat Hunting and Intelligence: Trustwave’s threat hunters proactively search for signs of malicious activity within your network. This helps in identifying and neutralizing threats before they can cause significant damage.
  4. Layered Email Security: Ninety percent of data breaches occur due to an email-based phishing attack, so it’s imperative to have a layered approach in place. The combination of Trustwave MailMarshal and Microsoft 365 Email delivers unprecedented protection.
  5. Post-Attack Recovery: After an attack, Trustwave assists with recovery efforts, including malware eradication, system restoration, and strengthening defenses to prevent future incidents.

These services collectively ensure that organizations are not only prepared to handle ransomware attacks but also equipped to recover swiftly and strengthen their security posture for the future.

By implementing these strategies, organizations can build a strong cybersecurity foundation and significantly reduce their risk of falling victim to ransomware attacks.