Ransomware: Overview

Ransomware is malicious software (malware) that encrypts a victim’s data. It typically spreads through phishing emails, malicious downloads, or the exploitation of security vulnerabilities.

Ransomware attacks vary in approach; some attackers maintain persistence in a network for weeks or months before deploying ransomware, while others strike quickly. The ecosystem has professionalized — Ransomware-as-a-Service (RaaS) operations provide malware tools and infrastructure to affiliates, while Initial Access Brokers sell compromised network credentials on dark web marketplaces.

Once deployed, ransomware spreads across the network, encrypting files and rendering them inaccessible. Modern ransomware attacks also involve data exfiltration: corporate data is downloaded, and the attackers then threaten to publicly expose PII, PHI, or PCI data to cause financial and reputational harm to your company.

Encrypted environments cripple your business, and data theft creates massive civil liability.

Recovery efforts to bring primary systems back online can take between 2 weeks and 2 months, and fully re-integrating data captured through manual, labor-intensive workarounds can take much longer. Worse, the attackers will target your backup infrastructure first; without a proper immutable backup strategy, you will be forced to pay the ransom or lose your data outright.

Victims are pressured to pay, usually in cryptocurrency, as attackers threaten to delete and/or leak data. However, paying the ransom doesn’t guarantee the attacker will follow through, so taking proactive measures is critical.

Ransomware insurance is not enough. At times such insurance can even be a hindrance to resuming operations, as the insurance company will often require forensic analysis of the environment before releasing the environment to technical resources for re-imaging, rebuilding and restoring.

There are three general categories to address to prevent catastrophic loss due to ransomware attacks.