How a Three-Pronged Approach Maximizes Ransomware Protection

Ransomware remains a high-impact threat. ActualTech Media recently ran a survey that honed in on this threat to help organizations decide the best way to develop a preparedness strategy and the results were astounding.

When it comes to how common ransomware attacks are, 42% of respondents had fallen victim in the last year, but there was a caveat: Those who said they weren’t allowed to disclose that information were excluded from the results, so the occurrence is likely much higher than that.

Of those who were a victim of an attack, 52% had suffered unrecoverable loss of data, and less than half, 45%, were able to recover in less than 24 hours. We can tell from the results of this survey ransomware remains a huge issue for organizations. The threat keeps growing as threat actors become more creative. For example, encrypting 16 bytes of a file to maximize destruction and increase the number of systems they can damage in a short period of time.

Ransomware prevention has been discussed over the last few years, but in reality, that’s just not enough. The human vector remains one of the most popular ways in for threat actors and organizations can’t do much to change that.

What is needed is a multi-pronged approach to ransomware protection. There are three pillars of protection that will ensure organizations are ready for an attack. Remember, it’s not if there’s a ransomware attack, but when.

Let’s dive deeper into these three key areas: protect, detect, and recover. See the graphic below to illustrate the three-pronged approach.

Protect

Protection is all about taking the needed steps to reduce the chances that ransomware gets in, while knowing it may still happen. Humans will always be the most popular and easiest way in, so it’s important to ensure organizations have information security awareness programs in place. Only 42% of respondents of the ActualTech Media survey said these programs are in place.

Another key area is authentication. Since humans are a weak link, organizations need to be proactive in deploying things like secure multi-factor authentication and focus on emerging trends like zero trust approaches to authentication.

Once organizations have a handle on their users and have secured the way they’re accessing systems, it’s time to go a step further into these systems. It’s imperative organizations know what they have from both a system and a data perspective. Many organizations don’t have a handle on what data is being collected, how it’s stored, or even how sensitive it might be. Until there’s a clear inventory of what’s needed to protect and ensure it’s properly protected, that data cannot be recovered.

The capabilities of storage tie closely to this. Intelligent ransomware can target data protection systems and storage systems to maximize impact. That’s why it’s important to ensure storage-level features—such as immutable snapshots and detailed logging—are being used to limit the impact and understand how things are unfolding in the event of an attack.

Detect

Once data is protected, it’s time to focus on detection to minimize the impact of an attack.

Propagation through the network is the natural course of a threat actor. Therefore, a surveillance state needs to be built. Understanding what’s going on at all times is a necessity so when something abnormal is happening it can be detected quickly. Organizations have the ability to understand this across the environment—from the cloud to the edge to the data center—and keeping on top of this is critical.

Early detection is absolutely imperative to a quick response to ransomware and to mitigate any potential damage. Network surveillance is one aspect of the story, but organizations need to have proactive alerting throughout the environment, so administrators are quickly informed of any unusual activity.

While looking at activity at the file level is important to spot signs of encryption, organizations need to go a step further and look at the big picture, like a deactivated user account suddenly accessing something, or changes in usage patterns across the network, which can be a sign of exfiltration.

Combined, a solid detection strategy will help stop ransomware in its tracks, but even if the attack is stopped early, the data and systems that have been impacted will still need to be recovered.

Recover

If the worst happens, organizations need to be able to recover. This goes back to the overall preparedness strategy that combines protection and detection, which is so important for beating ransomware.

When recovery time comes, that’s when immutable storage snapshots and air-gapped backups become incredibly important. Organizations need to make sure that once backups are created, they cannot be altered since threat actors actively seek to destroy them.

Another important aspect of overall preparedness is recovery planning. Recovery should be prioritized because not everything can be brought back at the same time. This is where recovery testing comes into play, so organizations know what order to bring things online to get up and running in the shortest time possible.

Most importantly, the recovery aspect of the protection plan should be simple, and testing helps with this. Testing regularly without the stress of ransomware helps find the gaps in a recovery plan, so they can be fixed before there’s a need to execute the plan.

In order to beat ransomware, there are a few things organizations need to remember. Be sure  to stay current—IT moves fast, but ransomware moves faster. It’s important to stay up to date on the latest threats so an organization can refine their preparedness strategy.

Organizations also need to move beyond ransomware prevention alone. Creating a robust three-pronged preparedness strategy that includes protection, detection, and recovery will maximize the best outcomes in the event of an attack. There are a number of solutions on the market today, and an important aspect of a preparedness strategy is to make sure that the partners selected understand the risk associated with ransomware and are a good fit for your organization’s overall preparedness strategy.