As Ransomware costs balloon, it’s last call for legacy security

Nov. 29, 2021
A strong security posture against ransomware can be achieved only when organizations recognize the need to proactively adapt and evolve

Ransomware attacks are growing more costly. But amid the financial and reputational wreckage, there may be an unexpected silver lining. Perhaps the rising average bill, at last, provides vulnerable organizations with an inarguable business case for upgrading obsolete legacy defenses.

2021 saw a steady parade of new, high-profile ransomware victims, from Colonial Pipeline to meat processor JBS to Kia Motors America. The good news, according to recent reports from Sophos and Microsoft, is that the volume of attacks keeps declining, year over year. But don’t take that to mean old defense systems suddenly, mysteriously became more effective. And it certainly doesn’t signal ransomware is now less on-trend, and we might consider relaxing. Fewer attacks merely signal a more considered, efficient strategy from the black hats: sharper focus on more lucrative targets.

Remediation Costs Soar

The bad news is that from 2019 to 2020, the average remediation cost of a ransomware attack more than doubled, according to Sophos, to $1.85 million. In the United States, it’s even higher -- $2.09 million -- and in March 2021 CNA Financial reportedly paid its attackers $40 million. If that’s accurate, it would be the highest known ransom payout to date.

Like flat tires, migraine headaches, and flight delays, ransomware attacks are an unpleasant, incurable reality for the foreseeable future. Today, no single region, country, or industry is safe from such attacks or their costs. The White House is implementing counterinitiatives, including a multi-agency ransomware task force and Congress is proposing the “Ransom Disclosure Act,” but the tide will not be turned by Washington alone. Nor can ransomware attacks be reliably mitigated by employee training; employees often create entry points for attack by falling for phishing links, but it’s unrealistic to expect a zero-error workplace.

Nor is it possible or feasible to achieve perfect, bulletproof security at an organization's perimeter using legacy security strategies and tools. These solutions have proven ill-equipped to keep pace with modern technology stacks, new cloud environments, and the everchanging and evolving threat landscape.

Top Option Must Be a Bold Strategy

The only option is the bold option. Organizations must implement more robust security mechanisms. As optimists, we can hope the rising per-incident cost of ransomware attacks, and their tendency to make headlines, lasers away the last traces of corporate complacency about this crisis.

Let’s take a moment to step back.

Most ransomware attacks encompass four key phases:

  • An attacker infiltrates one or more systems in the target organization.
  • Often undetected, the attacker penetrates deep into the organization’s data systems.
  • Hours, days or weeks later exfiltration and encryption of data occur, causing the organization to lose control over its own critical information.
  • With the target organization in damage-control mode, a ransom demand is issued. 

In the face of this established attack pattern, organizations must adapt and combine several different measures to approach high-level security. They include systems that block all known malware delivery infrastructure and payloads, limitations on internet-accessible services, and multifactor authentication (MFA) requirements. Merge these tactical steps with a comprehensive detection and response strategy which includes vigorous detection capabilities (across endpoint, network, and cloud) designed to detect ransomware attacks as early as possible and rapid response capabilities to stop attackers in their tracks.

Having mechanisms in place that enable rapid, accurate identification of unusual, suspicious activity within a network environment can flip the four-step script above. Rapid detection, post-penetration, can position an organization to disrupt an attack before it gets to the exfiltration and encryption stages.

Most recent ransomware attacks have targeted traditional on-premises networks, but that tendency is not built to last. As cloud and SaaS applications become go-to business solutions and richer repositories for critical data, we will see more opportunistic ransomware incursions focused on the cloud. This is likely to mean attacks on public cloud assets and data stored in business-critical SaaS applications. Security solutions implemented by organizations today must anticipate and adapt to evolving cloud environments.

Status Quo Has Got to Go

The most disquieting motif of the ransomware era is not the attackers’ audacity, success rate, or profit margins. It has been the consistently expressed conviction, in high corporate places, that current protections are good enough. As the 2010s concluded, credible surveys found fewer organizations viewed ransomware as a threat -- and that most senior executives felt their IT infrastructure was secure. This amid a ransomware rampage. My industry colleague Jay Chaudhry at Zscaler is quite correct to call out the creeping danger to organizations posed by “WADITWay Disease,” as in: We’ve always done it this way.

Our secure digital future depends on pivoting to do something new. A strong security posture against ransomware can be achieved, but only when organizations recognize the need to proactively adapt and evolve their security strategies, not simply react to attacks with legacy solutions – after the damage is done.


About the author: Hitesh Sheth is President and CEO of Vectra AI, a leading threat detection and response company based in San Jose, California.






Sponsored Recommendations

EPS releases new switch erasure update with power automation

The feature is designed to dramatically improve the simplicity and productivity of erasing network devices.

What Missouri courts learned from a cyber attack

The ordeal highlighted both opportunities to improve as well as strengths that helped stop the incident from becoming a full-blown crisis.

Dallas ransomware: Hackers used stolen credentials to access city data, report says

Hackers used stolen online credentials to get into the city of Dallas’ system and steal files during a cyberattack earlier this year, according to a city internal review of the...

Pros & Cons: Bleeding Edge Security Tech

A closer look at the benefits and risks as integrators turn to newer, largely unproven technologies to improve margins