Mike Davis - Contributor CISO, ExactlyIT

Ransomware is a top threat to minimize; especially as it continues to grow, morph and become even more virulent and effective.  Why classify it as Existential – for starters, governments have categorized it as destructive as terrorism overall, plus the asymmetrical advantage criminals have, putting the defenders at a significant disadvantage. This summary paper is meant to consolidate the main elements and key protections as serve as ‘talking points’ to those who manage the business and protect all its assets.

Though this threat can be scary, it can also be reasonably well-managed (there is no guarantee even close to 100% in cyber as well all know) – where you must invest in it with the same resolve as the criminals do to attack you.

Problem overview. Now that Ransomware has the attention consumers (e.g., loss of gas availability. meat production, water safety, etc), the risk has widespread attention.  This is a very wide topic, so we only list the top contributing factors herein, not all the significant (and for the most part incalculable) organizational damages it can cause – as we assume those are well known at this point.

Key ransomware factors: 

It is now a triple threat - (1) loss of data availability (encrypted), (2) data breach extortion (exfiltrated sensitive data) and (3) extortion of your partners and clients for their data stolen from you.

Ransomware as a Service (RaaS) – it is now a commodity service that can be easily bought and then executed on any entity at any time.  It is also much more targeted now, not just a wide mass email to thousands, with gobs of social media data available, the phishing attacks are well done (and getting better with AI / ML too). The company is also assessed for its ability to pay, including those with cyber insurance.

Cybercrime is a business – they are well organized, have business plans, share data and now we discover they are supporting startup cybercrime entities as well.  They are thriving as they reinvest into more effective methods, and tools – not to mention that they are essentially immune from the law or any real punitive repercussions (another story in itself)

Asymmetrical advantage – the above factors show they have the upper hand for the most part.  It goes back to the adage that they need to find one vulnerability and we need manage 1000s… As well as being a well-organized, high profit and low risk business (with no stakeholders to account to).

So, what to do?  While this is as they say, a “wicked” problem, it is not hopeless - the risk can be significantly reduced by an aggressive ransomware risk reduction program – show your resolve, initiate a ransomware task force!  There are a lot of ransomware support resources, mitigations to follow, etc. (a few links are listed at the end); whereas those are best reviewed and then integrated into your own tailored, ransomware risk reduction program. Within the program you will have researched all potential risk reduction measures and weighted their utility, then prioritizing their mitigations. Like all programs, ensure it is resourced, managed, tracked, and reported frequently. This is where you need to make this risk reduction effort a priority or not – convince leadership that the company future could well depend on this effort – because it can.  If you cannot, then redo the message and keep trying.

What are the key mitigations?  As mentioned, review the major ransomware support references and build, tailor your own; whereas there are some common items to ensure are assessed, and in many cases must be verified / audited if need be (for example, have IT proved they can restore critical data, and just what data do they store, where?). The ransomware mitigations effort must be aligned and part of your overall risk-based security strategy, which must also account for data leak/breach, resilience, etc. That is why your formal risk register must keep track of all the risks, priorities, status, etc. – as most of us have a lot of risks, with the top business risk value efforts being done first. So, there it is – your top MUST DO task – use a risk register to account for all your risk assessment efforts; use it to show stakeholders the overall organization’s risk story – how their key business success factors are being supported.

As for what matters - it all does, and of course it depends, as the relative risks vary by environment and some measures can be “good enough’ while resources are used elsewhere to drive that risk down.  The dozen items listed below are but one view, as many others exist, yet these tend to be key in both ransomware risk mitigation and overall risk reduction in general. That said, please skim the resources below and decide what matters for your environment – collectively they will capture a risk-based ransomware protection plan.