We already know ransomware is out of control. According to SonicWall’s mid-year Cyber Threat Report, there were more ransomware attacks in the first half of 2021 than in all of 2020 — 304.7 million of them just by June of this year. Attackers encrypt and delete backups, exfiltrate and sell data, and even sell access to compromised environments — and they’re adapting and adjusting as they go to maximize the likelihood of getting paid.  

So, what can organizations actually do to deal with this tidal wave of attacks? There are already many prevention techniques and technologies. Yet attacks still happen, are still successful, and attackers are still getting paid. It’s time for organizations to ask themselves the question, “Are we ransomware ready?” And then think about what ransomware readiness really looks like.  

What is ransomware readiness?

Many organizations think that if they have a robust patching program and secure backups, they’re all set. But that's not the case anymore. How do patching programs handle zero- and one-day vulnerabilities? And how quickly can your organization really get significant patches applied? Backups are good, and secure backups are better – but what about when the attackers exfiltrate data and are threatening to release sensitive information?

These are just a few of the reasons that it’s essential to prepare proactively for an attack, so investigation and recovery methods are in place before an attack occurs. Forensic data collection is important, but many cloud service providers (CSPs) don’t actually store that data for long. Plus, attackers are all too ready to delete forensic data to make it harder for incident response teams to investigate effectively.  

For organizations in the early stage of cloud modernization, it took 231 days to identify and 98 days to contain a cloud-based breach.
Source: IBM's Cost of a Data Breach Report 2021

The importance of forensic data

Incident responders use forensic data to understand how attackers infiltrated the environment and how long ago they got in, so it’s possible to prevent them from attacking again an hour after they've been paid the ransom money. Yet, if you have just seven days of forensic data from your CSP, how will you be able to look back far enough if you found out about the breach 231 days later?  

In the case of ransomware, many organizations don’t have access to their forensic data, endpoints, and backups, which it makes it particularly challenging to investigate the incident. That’s one of the reasons it's important to store that data separately, assuring that it will stay intact and accessible when needed. It's ideal to store a thousand days of forensic data, so a ransomware attack occurs, there are three years of data to analyze and review for indicators of compromise. This data and analysis enable faster investigation.

Mitiga's Ransomware Readiness Dashboard

If you pay the ransom, are you safe?

Many organizations believe, or at least hope, that if they do choose to pay a ransom and receive the private key to decrypt their data, they’re ready to return to business as usual. Unfortunately, the incident is not necessarily over at that point. It’s important to review and analyze forensic data to understand when the environment was last clean and to learn how to prevent the same attackers or other attackers from taking advantage of the same vulnerability to repeat the attack. Cybercriminals scan for vulnerabilities, leveraging them to launch new attacks. So payment alone is no guarantee that an organization is safe from another ransomware attack; it's important to find and patch the vulnerabilities and return to a clean environment.  

Don’t pay the ransom... and still manage risk  

In some cases, organizations choose not to pay the ransom, but making that decision can be quite difficult. Assume your organization gets hit with a ransomware attack, and you have 48 hours to make a decision about whether you need to pay. What information is needed to make an informed decision not to pay?  

The first hours of a ransomware event are a time of immense pressure: the cybercriminals increase pressure by threatening to release data, which in turn increases the potential for reputational, regulatory, and even litigation damage. While technical teams struggle to understand the situation and get services back online, they also need to understand the threat:  

  1. How much data has been exfiltrated?
  1. How significant is this exfiltrated data?  
  1. How much is this data worth?  
  1. What is the impact of this data being released?
  1. Are the criminals just bluffing?  

How quickly could your organization launch an investigation, and do you have the readiness training and forensic data you need to make complex decisions quickly? Here are a couple of examples of recent ransomware attacks that we've seen through our emergency services.  

Case Study 1: regulated healthcare provider

This healthcare provider hosted significant volumes of patient information on cloud infrastructure. A ransomware gang gained access to their environment and encrypted exposed data, demanding immediate payment of a nine-figure ransom or the attackers threatened to publish patient information. The healthcare provider had 72 hours to comply.  

With an ever-shrinking deadline, the healthcare provider had two priorities:

  1. Get operations back up and running from the affected database
  1. Understand how real the threat to publish the data was and mitigate downstream risks (reputation, regulation, litigation)

To address these priorities, the provider considered whether they needed to pay the ransom. Technical, legal, and PR teams were already at work, preparing how to handle the next steps. Insurers were preparing to pay the ransom to mitigate risks. The provider also called in Mitiga as an expert in incident response in the cloud.

Within a day, Mitiga established the scope of impact, identified the specific databases affected, and proved that it was feasible for the provider to recover immediately. Mitiga also demonstrated that the cybercriminal gang was unable to exfiltrate any data. The threat to publish private patient information was a bluff! With this information, the healthcare provider decided not to pay the ransom and all their services were restored within a day.  

Case Study 2: international financial services and investment house  

This international financial services and investment house deployed using a hybrid environment, combining a cloud environment with end-points (laptops). The ransomware gang again encrypted exposed files and claimed to have exfiltrated client financial data. Again, they sent a nine-figure ransom demand, in this case with a deadline of 48 hours.

The investment house considered the stolen data affected to be of low value and believed that the attack had limited operational impact. Nevertheless, they needed to determine the level of risk and the sensitivity of the data. If client data had indeed been stolen, there would be a regulatory impact and affected clients needed be informed as soon as possible. But which clients?  

To get the information they needed to make the right decision, without unnecessarily informing clients who were not impacted, the organization called on Mitiga to analyze and investigate both the attack and the impact. Mitiga quickly confirmed that data had been exfiltrated, that the exfiltrated data contained client information, and which clients were impacted.  

Based on the investigation, Mitiga found the credentials of the repository that the attacker used to store the stolen data. The Mitiga incident responders used these credentials to access the repository, to define exactly what data was stolen, and to support the customer as they decided on next steps. The organization appropriately notified the regulator and the specific clients impacted in the event. The organization was able to avoid paying the ransom because they had the information needed to identify the exact level of risk and act quickly.

Ransomware readiness and risk management

These intense hours and the need to answer critical questions quickly can cloud judgement and hamper decision making. Rapid insight and analysis can help leadership teams and BODs cut through this fog of confusion and stress, but for many it remains a challenge to respond to ransomware attacks quickly. Taking a proactive approach and adopting a readiness mindset can help organizations manage risk.

Protecting your enterprise against ransomware: Read the eBook

LAST UPDATED:

May 3, 2024

Don't miss these stories:

Why Wi-Fi Isn’t Enough: Joseph Salazar on Wireless Airspace Security

In this episode of Mitiga Mic, we sit down with cybersecurity veteran Joseph Salazar, now with Bastille Networks, to uncover the vast and often invisible world of wireless attack surfaces. From Bluetooth-enabled coffee mugs and smart thermostats to malicious USB cables that launch attacks from parking lots, Joseph walks us through real-world threats that operate outside your firewall and beyond traditional security tools.

From Breach Response to Platform Powerhouse: Ofer Maor on Building Mitiga for Cloud, SaaS, and Identity Security

Solutions Platform Helios AI Cloud Security Data Lake Cloud Threat Detection Investigation and Response Readiness (TDIR) Cloud Detection and Response (CDR) Cloud Investigation and Response Automation (CIRA) Investigation Workbench Managed Services Managed Cloud Detection and Response (C-MDR) Cloud Managed Threat Hunting Cloud and SaaS Incident Response Resources Blog Mitiga Labs Resource Library Incident Response Glossary Company About Us Team Careers Contact Us In the News Home » Blog Main BLOG From Breach Response to Platform Powerhouse: Ofer Maor on Building Mitiga for Cloud, SaaS, and Identity Security In this premiere episode of Mitiga Mic, Mitiga’s Co-founder and CTO Ofer Maor joins host Brian Contos to share the journey behind Mitiga’s creation—and how it became the first purpose-built platform for cloud, SaaS, and identity detection and response. Ofer discusses why traditional incident response falls short in modern environments, how Mitiga built its platform from real-world service experience, and the crucial role of automation and AI in modern SOC operations.

Helios AI: Why Cloud Security Needs Intelligent Automation Now

Mitiga launches Helios AI, an intelligent cloud security solution that automates threat detection and response. Its first feature, AI Insights, cuts through noise, speeds up analysis, and boosts SecOps efficiency.

Hackers in Aisle 5: What DragonForce Taught Us About Zero Trust

In a chilling reminder that humans remain the weakest component in cybersecurity, multiple UK retailers have fallen victim to a sophisticated orchestrated cyber-attack by the hacking group known as DragonForce. But this breach was not successful using a zero-day application vulnerability or a complex attack chain. It was built on trust, manipulation, and a cleverly deceptive phone call.

No One Mourns the Wicked: Your Guide to a Successful Salesforce Threat Hunt

Salesforce is a cloud-based platform widely used by organizations to manage customer relationships, sales pipelines, and core business processes.

Tag Your Way In: New Privilege Escalation Technique in GCP

GCP offers fine-grained access control using Identity and access management (IAM) Conditions, allowing organizations to restrict permissions based on context like request time, resource type and resource tags.