How to Build a Multilayered Ransomware Defense Strategy

MAY 28TH, 2024
Vitali Edrenkine
EVP, Worldwide Sales & Marketing

The Hacker News recently reported that the “ransomware landscape is in a state of flux, registering an 18 percentdecline in activity in Q1 2024 compared to the previous quarter.” 

But don’t get your hopes up. 

The same article notes that the Black Basta ransomware-as-a-service—about which we wrote a post when it first appeared in 2022—has targeted more than 500 private industry and critical infrastructure entities since then. 

Then there’s BlackFog’s “Ransomware Roundup” for Q1 2024: The first quarter of 2024 broke records, with 192 publicly disclosed ransomware attacks, an increase of 48 percent over 2023. The Roundup also notes that over five times as many attacks go unreported, so the actual numbers are much higher. From what we’ve seen here at Arcserve, BlackFog’s report appears to be a more accurate reflection of the threat environment mid-size enterprises face.

Ransomware Defenses Demand Focused IT Investments

These numbers emphasize the importance of building an effective ransomware defense strategy for IT pros at mid-size enterprises. It’s crucial to involve everyone in your organization, but your efforts must start at the top because it requires some investment. Your executive team needs to understand the consequences of being unprepared—in terms of dollars and downtime.

A cost-benefit analysis that illustrates the potential costs of a successful ransomware attack will show that it is common sense to make IT investments in data protection. You should also outline how those investments will be spent on implementing a multilayered ransomware defense strategy that reduces downtime and ensures your data is always protected from any threat

Ransomware Prevention: Bolster Your Defenses

Here are some initial steps you should take:

Cybersecurity Training and Awareness

Your people are your first line of defense against ransomware. That’s why you must involve everyone in your organization in its prevention. Regular, ongoing training sessions should be conducted to educate your employees, including how to:

• Recognize phishing emails, attachments, and malicious websites
• Avoid downloading suspicious attachments or clicking on unknown links
• Report suspicious activities immediately to the IT department

Advanced Email Security

According to the Cybersecurity and Infrastructure Security Agency (CISA), over 90 percent of all cyberattacks, including ransomware, start with phishing. So, you need to invest in advanced email security solutions that use sophisticated algorithms to scan incoming messages for signs of phishing or malicious attachments. Find Gartner’s peer reviews of available email security solutions here. These solutions add another layer of security by:

• Analyzing email content for known malware signatures
• Comparing URLs within emails against known malicious sites
• Quarantining or flagging suspicious emails for further evaluation

Ransomware Detection: Track System Activity

Fast detection is vital to minimizing the impacts of a ransomware attack. Here are technologies and strategies for ensuring you’re aware of suspicious activity within your systems.

Endpoint Protection Solutions

Endpoint protection solutions, like Sophos Intercept X Endpoint, stop advanced attacks before they impact your systems. Intercept X includes CryptoGuard technology that universally detects and stops ransomware, including new variants and local and remote ransomware attacks. Using advanced mathematical analysis of file contents, CryptoGuard detects malicious encryption wherever it occurs. Regardless of the solution you choose, be sure it includes:

• Real-time malware scanning that intercepts malicious downloads and installs
• Integration with global threat intelligence networks to address new and emerging threats
• Behavioral analysis, like Intercept X, that detects unusual activity—such as file encryption—that may indicate a ransomware attack

Intrusion Detection and Prevention Systems

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are network security solutions that protect against cyber threats in different ways. An IPS is an active security system that:

• Detects potential threats and automatically responds by preventing or blocking them in real-time
• Uses signature-based detection, anomaly detection, and heuristics to identify threats 

IDS is a passive security system that monitors your network traffic or system activities that:

• Identifies potential security incidents, policy violations, or anomalous behavior
• Analyzes network packets, logs, or system events, detecting known attack vectors, vulnerabilities, or behavior outside of established baselines

Gartner Peer Reviews offers its list of IDS/IPS systems here.

Security Information and Event Management (SIEM)

An SIEM configurable system collects and aggregates logs from multiple sources, providing a holistic view of your security posture. SIEM capabilities include:

• Event correlation across networks to detect signs of a ransomware attack
• Automatic alerting and response based on detected ransomware behaviors
• Forensic reporting to help you understand attack vectors and pathways

Gartner Peer Review offers its list of SIEM solutions here.

Ransomware Response and Recovery

Mid-size enterprises like yours typically generate a massive amount of data. With data loss and downtime incredibly costly, it’s crucial that you have plans and strategies in place to minimize the damage a ransomware attack, breach, or other data disaster causes

Incident Response and Disaster Recovery Plan

You must have an up-to-date incident response plan specifically for ransomware that includes:

• Clear roles, responsibilities, and communication links for the response team
• Specific steps for isolating infected systems to prevent the spread of ransomware
• Communication guidelines for internal stakeholders and third parties such as customers and partners

You also need a comprehensive, regularly updated IT disaster recovery plan. A Step-by-Step Guide to Creating a Disaster Recovery Plan is available here.

Network Segmentation

By dividing your network into multiple segments, with each functioning separately, you can limit ransomware’s spread by:

• Isolating network segments so if one is compromised, the others aren’t affected
• Containing the ransomware to a controlled environment where it is easier to manage and eradicate

Automated Backups

Automated backups that meet the recovery time and recovery point objectives (RTOs/RPOs) established in your disaster recovery plan are the ultimate key to ransomware resilience. With regular backups, you can be sure your data is restored quickly—without paying the ransom. While Arcserve Unified Data Protection (UDP) offers a comprehensive approach and multilayered defenses, whatever data protection solution you choose for backing up your data should:

Automate backups based on the policies and settings you establish
• Support implementation of the 3-2-1-1 backup strategy, making it easy to keep backup copies of your data onsite, offsite, in the cloud, and air-gapped
Immutable storage for at least one backup copy, ensuring your data can never be altered or deleted by unauthorized users

Get Expert Help With Your Ransomware Defenses

Arcserve Technology Partners are here to help you implement a multilayered ransomware defense strategy. Choose an Arcserve Technology Partner, or request a demo to experience the power of Arcserve UDP for yourself.

You May Also Like