Why Ransomware Is Like a Fire – And What to Do About It

Ransomware has become one of the most destructive security threats that organizations face. In fact, a recent survey found that 72 percent of organizations were affected by ransomware in the past 12 months. 

Ransomware isn’t exactly a new phenomenon, so why has it remained such a serious threat? The cybercriminals who use ransomware are always getting smarter. They’re evolving their malware to adapt to changing defenses, and they alter their tactics to get better results. 

In some cases, they may remain in an organization’s network for six months at a time, mapping out data stores so their ransomware has maximum impact. In others, they may be in a network for only two days before they pull the trigger. One new tactic cybercriminals have developed is to rename files and file systems so it's more difficult to restore data from a backup.

The constant evolution of ransomware makes it extremely difficult to defend against because the goal posts keep moving.

Organizations can’t afford to make mistakes with a threat like ransomware, but I see problems regularly. One misstep I see often is that organizations think they’re too small or under the radar to be a ransomware target. Others think that because they have a solid backup plan, they don’t need to focus on other cybersecurity efforts such as monitoring and detection. These mistakes can (and certainly have) resulted in organizations paying steep ransoms. 

When I work with organizations to address these threats, I make sure they understand that a detailed incident response plan is essential. Governance plays a huge role in incident response. Organizations need to know the policies, procedures and control techniques they will employ in their responses to incidents, as well as who will be responsible for carrying out each step. 

These details are critical, because when an incident does occur, people often get stressed and disoriented. Steps get missed. I often compare incident response to dealing with a fire in the kitchen. First, you must know what you’re dealing with. If it’s a grease fire, the last thing you want to do is throw water on it, because that makes it spread. Instead, you should smother a grease fire with something like flour or a towel. If your toaster catches on fire and it’s plugged in, you can’t throw water on that either, or all that water could become electrified. Instead, you should use a fire extinguisher. The same premise is true in incident response. You shouldn’t plan to treat ransomware the way you would deal with a distributed denial of service attack, a virus or an email compromise.

Organizations should have up-to-date incident response playbooks that provide step-by-step instructions. The first thing to do is contain that fire and keep it from spreading. The second thing to do is collect as much evidence as possible before putting out that fire. Make sure that putting the fire out doesn’t destroy something that could help prevent another fire from happening in the future. Then correct steps should be taken to put out the fire. 

From there, make sure there’s nothing else going on — that there isn’t a fire in another part of the house or a spark that went into the attic. Finally, start rebuilding and figure out exactly how this incident happened.

Establishing an effective incident response plan is a strong first step in dealing with cyberthreats such as ransomware. But IT leaders must understand that these plans should be updated regularly. Cyberthreats are evolving constantly, and plans to address these threats must keep pace.

Story by Mikela Lea