Ransomware Resilience: Evolving Data Protection

Ransomware has been a concern since the internet’s early days. But the threat today is bigger than ever — and so are the costs.

Indeed, IBM’s latest “Cost of a Data Breach” report discovered that the average cost of a data breach in 2023 was $4.45 million each. The average downtime from an attack, meanwhile, is nearly 19 days. No wonder the Institute of Internal Auditors called “cybersecurity, IT governance and data security” the top business risk of the year last year.

To protect themselves, their data and their bottom line, many companies are rethinking their ransomware solutions.

The Rise of Ransomware Attacks

Two-thirds of organizations experienced a ransomware attack in the last year, IT security company Sophos reported in its latest “The State of Ransomware” report. Of those businesses, 84% lost revenue.

“Famously, Willie Sutton said he robbed banks because that’s where the money is,” said Allan Liska, ransomware researcher at Recorded Future. “Right now, ransomware is where the money is.”

One reason for that is social media. Because so many people post not only personal data on their profiles but also company data from their employers, ransomware attacks are infinitely easier for attackers to execute.

“The biggest attack platform for any adversary is LinkedIn,” Liska said. “If I want to send a phishing email, I type in a company name and get a list of people and what they do. I just need to figure out the email format for that company to build my phishing list.”

Making matters worse is the fact that many organizations stick with outdated cybersecurity strategies, suggests Christian Simko, vice president of product marketing at AppViewX.

“Most companies take a traditional, castle approach,” Simko said. 

“You’re surrounding all the stuff in your castle — servers, data, critical business applications — and you just keep fortifying the perimeter. Now, the perimeter has blurred with the cloud and containerized environments. Your data and applications can be in all sorts of locations. Where is your perimeter?”

Evolving Ransomware Solutions

Tuhina Goel, director of product marketing at Nutanix, said the focus of newer, more sophisticated ransomware attacks is targeted at 'data', the prized possession of organizations. She said companies are taking a multi-pronged approach to data security that includes employee education and the use of tools like Nutanix Data Lens, which monitors and block potential threats, among other things.

“Given the alarming statistics and evolving threats, CIOs, CISOs, and IT teams are focusing on boosting their data storage protection to safeguard data from bad actors and insider threats,” said Goel. 

“The approach we have taken with Nutanix Data Lens is aligned with the NIST Cybersecurity Framework to actively monitor, detect, respond, and recover. Ultimately, it provides a framework for enterprises to manage their cybersecurity risks by better determining the scope of an attack and responding swiftly.

She said there’s no silver bullet solution. 

“It’s an intentional, multi-step process,” she said. “Start with employee training. Have an incident recovery plan. Ensure vendor security and conduct regular security audits. It’s not a matter of whether an attack happens. It’s when.”

Along with tried-and-true defenses like antivirus software, enterprises are increasingly interested in simulating ransomware attacks with “red teams” composed of ethical hackers who can help them discover cybersecurity vulnerabilities and implement ransomware prevention best practices. Unlike penetration testing, which seeks out specific vulnerabilities, red teams find holes anywhere in a company’s defenses.

As hybrid cloud adoption and AI capabilities increase, companies store their data on a mix of public and private clouds and on-prem data centers. Though hybrid cloud adoption may introduce more attack surfaces, businesses aren’t powerless. Preventative measures that can help include creating offline backups through private clouds, disabling common attack ports and implementing multi-factor authentication. 

By moving multi-layered applications or data centers into a separate environment, red teams use non-disruptive rehearsals to dissect cloud configurations, security, identity and access management, and more.

For example, a red team ransomware approach may run a phishing or whaling simulation while concurrently analyzing infrastructure scripts and security endpoints within the cloud. Spotting misfires allows a company to reverse-engineer ransomware solutions.

Cloud vendors also are refocusing their monitoring efforts, according to Goel. 

“There’s a new term called ‘cyber storage,’” she said. “As a storage vendor, you have to provide active monitoring and blocking detection on any kind of threat, like a data threat — a ransomware threat at the storage level. Now, we’re going much deeper. Vendors are expected to provide this kind of cybersecurity model.” 

Liska shared another challenge: Companies often miss something within their network asset management when giving information to red teams. “For a true red team test, you want them to figure out what your external and internal view looks like,” he said. “They may find things you didn’t know about.”

Perhaps the biggest benefit of red teams is speed. “How fast can you mitigate an attack or find the root cause? How fast can you shut it down?” asked Simko, who said being unprepared can prove costly to both reputation and finances. “Companies are just paying the ransom because it’s too much to alleviate. Once they come in and encrypt everything, you can’t break that data.”

Ransomware Prevention Best Practices

Cybercriminals target organizations “they deem to have weaknesses,” Simko said. Addressing those weaknesses in ways that build ransomware resilience requires not only technology but also people.

Former corporate spy Robert Kerbeck, author of Ruse: Lying the American Dream from Hollywood to Wall Street, has seen this up close. Major corporations have hired him to pose as rival company executives, calling employees and using social engineering to extract valuable information.    

“Social engineering is the go-to method for ransomware attacks because it’s so easy,” Kerbeck said. “The weakest link in cybersecurity is and always will be the human being.”

Kerbeck noted that most ransomware attacks have three things in common. First, there’s typically a measure of authority — the attacker poses as someone in a position of power. Second, there’s often time pressure that creates a sense of urgency. Finally, there’s often an insidious form of FOMO, the fear of missing out; employees want to be team players and worry about the repercussions of noncompliance.

To improve ransomware resilience, organizations must educate employees about all three of these red flags.

“If the red team is doing penetration testing and doesn’t include the social engineering part, it’s a complete waste of time and money,” Kerbeck said.

Furthermore, education must include the entire team — from the CEO at the top to interns at the bottom.

“Security is not one person’s responsibility,” Goel said. “It’s everyone’s responsibility.”

Editor's note: Learn how to proactively identify security gaps and gain actionable insights to elevate data security measures with Nutanix Data Lens.

Joey Held is a writer and podcaster based in Austin, Texas and the founder of Fun Fact Friyay and Good People, Cool Things. Connect with him on Twitter or LinkedIn.

© 2024 Nutanix, Inc. All rights reserved. For additional legal information, please go here.