The Three Requirements of Ransomware Defense (They’re Not What You Think)

Everyone loves an all-in-one solution, especially when it comes to technology. With business networking and IT so complex to begin with, it’s never a bad idea to keep things simple whenever possible.

In reality, there are some cases where all-in-one solutions simply don’t work, or they don’t even exist. Part of the complexity of IT and cybersecurity is that there are layers of aspects at play. Users, hardware, software, providers, vendors, and of course, the hackers who try to bring it all down.

Ask any IT professional and they’ll tell you that there is no such thing as an all-in-one solution for cybersecurity concerns. Cyber defense is addressed by layering many disparate tools, like SIEM/SOC monitoring, antivirus, training, encryption, firewalls, and even physical security measures for data centers and hardware.

That’s the big picture. What many don’t realize is that the individual defensive concerns in cybersecurity often require a layered approach as well. The example we’ll explore today — ransomware — is on the top of everyone’s mind in the aftermath of the largest ransomware attack on record which took place on July 2nd, 2021.

The Three Domains of Defense in a Ransomware Attack

No single tool in the list above can completely protect an organization from ransomware. A ransomware attack takes place over several stages, and measures must be put in place to remediate the attack during each of them.

For the sake of this article, we’ve divided these stages into three “domains of defense”: before, during, and after the attack.

Before: Preventative measures that can be taken to reduce the chance of attack.

During: Remediation which focuses on getting the organization back online and operational as quickly as possible.

After: Protective countermeasures which ensure that the organization’s data can’t be leaked or held for ransom once it’s been stolen.

If you’re familiar with modern IT operations, you probably know that the vast majority of organizations focus only on the “during” stage. They typically plan to use backup systems designed for disaster recovery to restore the network to a point before the ransomware entered the system.

While this approach is sometimes touted as the most logical — or only — answer to a ransomware attack, it’s certainly not. By ignoring the “before” domain, critical steps are missed which would reduce the chance of an attack significantly. And by ignoring the “after” domain, organizations must still contend with the fact that hackers have stolen their data and can still demand payment lest they leak it or sell it. This is often the most terrifying and damaging part of a ransomware attack, but it is commonly left unaddressed by organizations and IT providers.

Let’s take a closer look at each of these three domains:

Before the Attack: Prevention

The medical community has said it for a long time: the best treatment is to never get sick in the first place. This holds true for technology and cybersecurity, because keeping things running is far easier than getting things running again after a critical failure.

Your organization may never face a ransomware crisis, but the chances increase as more sophisticated attacks emerge and as your organization grows, exposing more surfaces to threats. Like many types of disaster preparation or risk management, your goal isn’t to eliminate the possibility of a threat — that’s impossible — but to reduce your chances of it occurring.

When it comes to ransomware, this is typically done through ongoing training. Everyone in your organization should undergo ransomware awareness training, as well as courses on cybersecurity best-practices. Tests should be carried out on an ongoing basis to ensure everyone on your team is embracing the concepts and making good decisions. (Ransomware tests usually involve fake phishing emails sent by the testing company, which makes it very easy to see who is not careful about clicking links or downloading attachments.)

Another preventative measure is choosing IT providers and vendors who are themselves trustworthy and capable. Many ransomware attacks are spreading through poorly-secured IT companies, so working with IT companies or managed services providers who can prove their cybersecurity posture is critical. We’ll talk more about this later.

During the Attack: Remediation

IT professionals usually respond to ransomware attacks by shutting down systems and restoring backups that were created before the malicious code was introduced to the system. This is a relatively straightforward, and usually effective, response.

What you need to concern yourself with is the quality and reliability of those backups. If any issue arises when it comes time to restore, it will be much harder (or impossible) to recover from the ransomware’s effects. Make sure that your IT team or IT provider are regularly testing your backups and are prepared to quickly bring your network back online in case of a crisis.

It’s also important to know how frequently your backups are being created. If it’s only once a week, for example, you could potentially lose six days of work if a backup is restored. Can your organization afford to lose nearly a week’s worth of data? What has been created or inputted during that time that will now need to be redone?

After the Attack: Protection

This is the domain that many IT teams fail to address. What happens to the data that the hackers stole from your servers while you were locked down by their ransomware attack?

Yes, with good backups it’s relatively easy to get your systems operational again, but the bulk of the ransomware’s threat comes from the value of your data. This is why many organizations will immediately pay millions of dollars to the ransomers — they can’t afford to have things like financial data, trade secrets, or medical records leaked or sold on the Dark Web.

Conventional encryption was once considered a means around this threat, but in most cases, these measures are easily circumvented. If the hackers gain access to all of your data, it usually includes the encryption keys needed to unlock that data. Conventional encryption just wasn’t designed around the idea that someone will have an open door to your entire network.

This is where the concept of data vaccination steps in to fill the void. Noftek is on the forefront of this technology, bringing it to U.S.-based organizations and offering them the first practical solution to truly protecting their data.

Noftek Data Vaccination creates a protected area within your network, within which all files are encrypted using a proprietary metakey system. The Noftek agent handles all encryption, decryption, logging, and tracking of these files automatically, and no “keys” are left around for hackers to steal. Files within that protective bubble are always encrypted, whether they’re created using your software, arrive by email, or even pasted into a document. If those files leave the protective bubble, they are rendered useless. They can’t be opened, read, or edited — therefore, they can’t be leaked or sold.

Naturally, this is the first real answer to data ransoming or leaking that the IT community has yet seen. We’re proud to bring this solution to North American organizations and offer the kind of peace of mind that doesn’t come with backups alone.

Ransomware: Other Responses and Responsibilities 

This is a simplified explanation of what steps should be taken to minimize or mitigate the growing threat of ransomware, but there is a bit more to it.

Most of the other responsibilities fall upon your IT provider/team and their technology vendors, so thankfully you don’t have to worry too much about them. They’re the ones who must step up in a crisis and find the vulnerabilities, patch the holes, and keep your IT agile enough to quickly bounce back from threats.

Decision-makers in your organization still maintain the responsibility of finding the most secure IT providers to work with, however. If you’ve been watching the news, you’ve probably noticed that many ransomware attacks have been carried out by first hacking the IT company. Since the IT providers have relatively unfettered remote access to all of their clients’ networks, this allows the bad actors to quickly infiltrate dozens, if not hundreds, of organizations all at once. That said, it behooves you to make sure your IT provider is as secure as possible.

Ransomware is already a dangerous cyberthreat for U.S. organizations and it’s on the rise. The good news is that by layering the three most important elements of ransomware defense — training, reliable backups, and data vaccination — you can virtually eliminate the risk to your organization.

Leave a Comment

Your email address will not be published. Required fields are marked *