“Security and risk management leaders need to look beyond just the endpoints to help protect the organisation from ransomware.”
— How to Prepare for Ransomware Attacks, Gartner
Ransomware poses a significant risk to organisations. These attacks, which often begin with a simple click on an inconspicuous email or a link, can result in a complete shutdown of business operations until ransoms are paid. And now, we’ve reached a critical point where ransomware is a global security issue. Organisations and countries are evaluating how best to defend against this costly threat.
In a report, How to Prepare for Ransomware Attacks, Gartner analysts Mark Harris, Brad LaPorte and Paul Furtado provide guidance on how organisations should prepare for ransomware attacks.
Ransomware attacks become human operated
In the report, Gartner highlights that “Recent attacks have evolved from the autospreading attacks, such as Wannacry and NotPetya, to more targeted examples, which attack an organisation, rather than individual endpoints.” In many recent ransomware attacks, the cyber criminal gained initial access via malware, compromised credentials or a vulnerable internet-facing service. Proofpoint threat research has observed that ransomware operators often buy access from initial access brokers or ransomware affiliates, who infiltrate targets and then sell access to ransomware actors for a portion of the illicit profits.
Protecting against ransomware requires an integrated, layered approach
Because ransomware attacks have evolved into human-operated attacks, as per our understanding, the Gartner report recommends that organisations develop a multi-layered strategy for protecting against ransomware. According to the report, “Protecting organisations against these attacks goes beyond endpoint protection and encompasses many different security tools and controls.”
Ransomware attacks start with the initial compromise, often a phishing or targeted attack to deliver malware or steal credentials. According to research by Unit 42 of Palo Alto Networks, email remains the top attack vector for ransomware, accounting for more than 75% of attack origins. Because email is one of the key attack vectors, it’s crucial to invest in advanced email security to identify and stop initial access. Gartner also notes that “Technologies such as web isolation can also limit the impact” of phishing and targeted attacks.
Most ransomware attacks begin with users engaging with a malicious link or attachment delivered via email. The average failure rate of users is 11%, according to our 2021 State of the Phish. As such, the Gartner report points out that “security awareness for users is also important.” Implementing an effective, targeted security awareness training program enables you to educate your users about ransomware and allow them to protect your organisation through phishing reporting. Training the users who are most targeted within the organisation, and who are interacting with real threats, will be one of your best defences against ransomware attacks. After all, users are an organisation’s last line of defence.
Security teams are often understaffed and overwhelmed with alerts that need to be quickly triaged and investigated. Leveraging automation tools and email-focused security orchestration, automation and response (mSOAR) capabilities can help improve response time and reduce the workload of your security team. Proofpoint customers have seen a reduction of up to 90% in investigation and response resources when dealing with malicious messages. One customer was able to realise $345,000 of direct full-time equivalent savings over three years.
In the report, Gartner discusses the critical steps necessary to defend against ransomware attacks and outlines what to do before, during and after an attack:
- Pre-incident, which includes a preparation strategy and multi-layered prevention that goes beyond endpoint protection
- Peri-incident, which includes the detection of attacks underway and mitigation techniques to minimise the impact
- Post-incident, which includes recovery and root-cause analysis that should be fed back into the preparation plan
To pay, or not to pay?
When it comes to ransomware, one of the key questions organisations face is, “Should we pay the ransom?” The Gartner report discusses considerations about this important question. One thing is clear: organisations need to have an answer to this question before they face a ransomware attack.
To learn more about how to prepare for ransomware attacks, download the Gartner report, How to Prepare for Ransomware Attacks.
Gartner, How to Prepare for Ransomware Attacks, Mark Harris, Brad LaPorte, Paul Furtado, 16 November 2020
Gartner is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.