
Five Actions to Mitigate the Financial Damage of Ransomware

Published 10/30/2020

By Eran Farajun, Executive Vice President at Asigra, Inc.

Ransomware attacks have become a regular occurrence for organizations today, with events that are increasingly targeted, sophisticated, and costly. According to recent reports by the Federal Bureau of Investigation[1], cybercriminals are taking advantage of security weaknesses in widely used software programs to gain control of victim systems and deploy ransomware. In some of the recent exploits, attackers used vulnerabilities discovered in management software used by IT service providers to deploy ransomware on business networks.

Industry experts cite two categories of defensive ransomware approaches: preventative and responsive. Preventative strategies attempt to stop such attacks from succeeding, so that the business maintains access to its data. Strategies in this area include raising employee vigilance through training on the proper handling of potential phishing emails, performing frequent updates, implementing the proper cybersecurity software to protect primary data, and adding a second layer of security-enabled data protection on secondary storage to ensure the complete recovery of criminally encrypted data.

Responsive ransomware strategies include ransomware recovery experts who focus on minimizing downtime and potential financial loss in the event an attack is successful. These measures also include an IT service provider to assist in finding all possible alternatives to return mission-critical data to the customer, and a credible cyber-insurance provider at the company's disposal to financially cover the event and address monetary damages.

Five actions to help mitigate the financial damages caused by ransomware include:

1. Cultivating a security-aware culture:

Educate and train employees on the dangers posed by malware attacks. Phishing is the number one method used by ransomware attackers because it is an effective means to access a target’s network.

2. Backing up files and protecting backup data:

Regularly back up data using a 3-2-2 methodology where three copies of data are stored locally on secondary storage; two additional copies of backup data are kept on different locally available media (devices); and two backup copies are stored offsite in two remote locations, such as a remote facility or cloud-based platform. In the event the training and primary cybersecurity measures fail, ensure the backup data is protected, as it will become the recovery technique of last resort should the network be impacted. This is effectively done with a backup solution that addresses ransomware Attack Loops™ by scanning for malware instream and as recovered data is returned to production, among other techniques.

3. Securing the network environment:

Keep programs and operating systems up to date, ensure server vulnerabilities are patched and updated, and securely restrict and limit access to system components and administration tools by granting users just enough access or privileges to accomplish a task or run an application.

4. Defending primary data:

While there are an endless number of cybersecurity solutions available, choose continuously updated solutions with an effective record of success and deploy accordingly to protect both traditional and remote workforce environments.

5. Insuring against financial loss:

Some ransomware payments have been reported to be in the millions of dollars. Organizations that have no other option but to pay the ransom would be helped by having a cyber insurance policy that covers the damage from such attacks. Having a policy that protects against such attacks and the resulting liability could mean the difference between continuing with operations or claiming bankruptcy.

Should devices on a company's network fall victim to cyber attackers and it is critical that data be recovered, ensure that a ransomware recovery expert is part of the incident response team to negotiate the ransom demand with the threat actors and to try to reduce the financial impact. To mitigate the risk, the incident response team should investigate all the alternatives, such as recovering from backups, rebuilding server environments and deploying free decryption tools, or negotiating with the threat actors.

As a last resort, companies can direct the ransomware recovery expert to coordinate and direct the most suitable response to the specific threat, and if the decision is made to pay the ransom, negotiate and facilitate the ransom settlement on the victim's behalf and procure the decryption tools required to restore data files.

Paying ransom to cyber threat actors is never recommended, but sometimes it is a necessary response to ensure business continuity. In these cases, it is essential to negotiate and facilitate payment of the ransom in the proper cryptocurrency and to ensure that your data is unlocked, so that business services can resume as soon as possible. It is further recommended to hire a digital forensic expert to perform an intrusion investigation to eliminate any vulnerabilities and any potential future attacks.

"The financial impact that ransomware can have on any organization is frequently devastating," said Marc Staimer, Principal Analyst and President of Dragon Slayer Consulting. "If not properly prepared, damages can go beyond the payment of an exorbitant ransom which does not guarantee the de-encryption of data. It often also includes the loss of revenues from downtime, expensive third-party data recovery attempts, increases in future insurance costs, and reputational damage."

These time-sensitive events need to be addressed quickly. Whether for pre-attack preparation or post-attack emergency support, it is critical to have industry experts available. To provide some level of assurance, these five actions provide the best chance of making it through these unfortunate events with some level of success.

About the Author

Eran Farajun is the executive vice president of Asigra and an expert in the area of cybersecurity-enabled data protection with more than 20 years in the industry. He has been instrumental in establishing Asigra as a leader in public, private and hybrid cloud-based data protection, bringing new levels of efficiency to organizations and addressing new challenges in the areas of data security and compliance. Learn more about Asigra at http://www.asigra.com.


[1] FBI, Public Service Announcement, https://www.ic3.gov/media/2019/191002.aspx