7 Strategies for Proactive Ransomware Defense and Orchestrated Recovery

JULY 22ND, 2021

Today’s CSOs and CISOs have their hands full, monitoring everything from remote endpoint security policies to increased global privacy regulations to ever evolving cyberthreats.

The recent Kaseya ransomware attack, which at last count has impacted at least 1,500 companies, is a case in point regarding why security executives and their IT teams can’t afford to let their guard down.

The supply chain ransomware attack leveraged a vulnerability in Kaseya’s VSA software to infect multiple managed service providers (MSPs), who in turn passed along the malicious code to some of the businesses they served.

This type of attack is particularly disconcerting because it spreads through trusted software supplied by trusted vendors.

Ransomware Protection Is a Moving Target

The Kaseya incident is just the latest in what has become an upward trend in ransomware; however, the elevated risk of attack, though alarming, is not the only factor keeping security teams on high alert.

Ransomware gangs are constantly changing and evolving their tactics to circumvent cybersecurity efforts and maximize pressure on victims to pay the ransom. 

For example, not too long ago, security experts were issuing warnings about double extortion ransomware threats. Today, ransomware operators have upped the ante by adding triple extortion tactics to the mix. Now, not only do businesses have to worry about malicious data encryption and exfiltration but their customers may also be hit with ransom demands or a DDoS attack if the original victim refuses to pay.

The cost of recovery from successful ransomware attacks is also on the rise. According to The State of Ransomware 2021 report by cybersecurity firm Sophos, the average total cost of recovery from a ransomware attack has more than doubled in the past year from $761,106 in 2020 to $1.85 million in 2021.

In other sobering news, the Sophos study also found that only 8 percent of organizations that paid a ransom recovered all their data, and 29 percent recovered no more than half of their data.

Today’s cyberthreat landscape makes ransomware attacks almost inevitable. Although detection and prevention are IT security teams’ top priorities, the reality is that you must be ready with both a proactive defense strategy and a vigorously tested plan to orchestrate recovery.

What to Include in a Proactive Ransomware Defense Strategy

Preventing a ransomware attack is always preferable to cleaning up after one. Implementing and enforcing these seven cybersecurity and data protection best practices will help protect common vulnerabilities from exploitation.

1. Security Awareness

Employees can be your organization’s biggest weakness or its first line of defense against hackers. The only difference is how well informed they are. A high-quality security awareness training program will pay for itself the moment an employee recognizes a phishing email or doesn’t open a malicious email attachment.

Security awareness training teaches employees to:

  • Spot phishing attacks
  • Create strong passwords
  • Secure their laptops and mobile devices
  • Connect securely on public Wi-Fi 
  • Notify the right people if they spot something suspicious

For best results, security awareness training should be recurring and mandatory for new hires as well as for the leadership team and every staff member in between.

2. A 3-2-1-1 Backup Strategy

Once the standard for secure backups, the traditional 3-2-1 approach is no longer effective against today’s ransomware technology. Ransomware operators now target and encrypt backup files specifically, rendering them useless for recovery efforts. 

Other ransomware strains enter the network, then wait—sometimes for weeks or months—before encrypting data and announcing their presence. In the period between infection and encryption, the ransomware code is copied into the backup, again rendering the files useless.

To ensure backups are safely sequestered, many IT teams have adopted a 3-2-1-1 strategy that incorporates an air-gapped copy of the data stored off-site and offline in addition to the three copies of data stored on two different media with one copy stored off-site or in the cloud. 

3. Email Filtering and Scanning

Successful ransomware attacks are often initiated via email. Email scanning, strong spam filtering, and email authentication protocols are the most effective methods for preventing this type of breach.

Email scans can identify common ransomware techniques, block malicious URLs, and prevent employees from opening suspicious attachments. 

Although they aren’t new or foolproof, and they can be a bit cumbersome to deploy, when used together, these three email authentication protocols continue to be a robust defense against email initiated ransomware attacks:

  • Sender Policy Framework (SPF): Restricts who can send emails from your domain and prevents domain spoofing 
  • DomainKeys Identified Mail (DKIM): Ensures that the content of your emails hasn’t been compromised or tampered with
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): Ties SPF and DKIM together with a consistent set of policies as well as links the sender’s domain name with what is listed in the “From:” header

4. Patch Management and Automatic Updates

If you don’t have time to apply security patches, you don’t have time to recover from a ransomware attack. Missed patches and skipped updates are two of the most common actions that leave networks wide open for attacks. Hackers know a large percentage of organizations don’t stay current on patch management and updates, so they seek out known vulnerabilities in popular applications.

IT teams prioritize this highly effective security step by automating updates and immediately install security patches across all operating systems, software platforms, applications, mobile devices, and cloud locations.

5. Strict Access Management Policies

Privilege creep gives users far more access than they need, which in turn provides hackers with an easy path deeper into the network than they would have otherwise.  

Strict identity and access management policies, such as the principle of least privilege, Zero Trust, and multifactor authentication give employees only the access necessary to do their jobs and require proof that they are allowed to do so.

6. Unified Data Protection and Cybersecurity

A proactive, multi-layered approach to data protection and cybersecurity prevents and protects data from ransomware and other cyberattacks. 

For example, immutable storage—on-premises or in the cloud—safeguards data while advanced machine learning and behavioral analysis detect both known and unknown malware to neutralize never-before-seen threats and boot-record attacks.

7. Disaster Recovery

Even if you follow all the best practices above to the letter, a successful ransomware attack is always possible. Proactively planning for recovery after a crisis is an essential factor in your ransomware defense strategy.

To help ensure your disaster recovery strategy will work when it needs to and that it covers all business-critical systems and functions, include these fundamental steps in the recovery plan:

  • Fully document your entire infrastructure.
  • Integrate virtualization into your disaster recovery strategy.
  • Implement automated testing to ensure you can meet RPOs and RTOs. 
  • Test backups regularly to ensure systems and data are fully recoverable.

Orchestrated Ransomware Recovery Is Essential

Although orchestration is only one facet of your disaster recovery effort, it is arguably the most critical. Orchestrating recovery ensures that critical servers, applications, and all  their dependencies come back online automatically, with no need for IT intervention.

Orchestrating recovery reduces complexity and increases scalability by automating many of the tasks IT would otherwise have to perform manually. Take, for example, the failover process. Think of the dozens of things that need to happen just right for a failover to be successful; now multiply those tasks by the number of machines that need to fail over. 

Done manually, the process would be impossibly time-consuming and prone to failure caused by human error. Orchestration automates the entire failover process for any number of machines—no humans needed.

It is important to remember that orchestrated recovery isn’t without risk. There is always a possibility that something could go wrong. Disaster recovery testing is critical because even if the risk of failure is minimal, the consequences can be devastating.

The Power of a Holistic Ransomware Strategy

Effective ransomware protection is not one-dimensional; it requires a comprehensive, holistic strategy that includes cybersecurity, secure backup, orchestrated disaster recovery, and actionable plans for making employees an extension of IT security. Download Don’t Become a Statistic: Stay Ahead of Cybercriminals by Implementing a Holistic Ransomware Protection Strategy to learn more.