Chris Stegh / Categories: Security

Preparing for Human-Operated Ransomware

Ransomware is now a (White) household name. How serious has it gotten?

  • Critical energy, food, transportation, and healthcare networks are under attack.
  • Nation state-funded adversaries sell ransomware as a service.
  • Backdoors from software supply chain vulnerabilities have been left open.
  • Insurance companies are requiring more diligence and red tape. One French insurer had a bright idea to deny claims when their policyholders paid the ransom. Then, they themselves got ransomed.

The costs are staggering. Per Sophos’s “The State of Ransomware 2021,” the average total cost of recovery from a ransomware attack has more than doubled in a year, increasing to $1.85 million in 2021. The average ransom paid is $170,404, and only 8% of organizations managed to get back all their data after paying a ransom, with 29% getting back no more than half of their data.

While 2021 seems severe, this didn’t happen overnight. Ransomware existed in small pockets before 2013, but the business model took off then with the introduction of CryptoLocker. The most recent surge in ransomware evolution can be traced to WannaCry and (Not)Petya in 2019. The human-operated ransomware business model has expanded into an enterprise-scale operation, with adversaries threatening disclosure of data and/or locking up the entire company.

The National Security Council's chief cybersecurity adviser advised that “business executives should immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans.”

To review that posture, Enabling and Microsoft recommend organizations assess their:

  • Current patches
  • Macro file blocking and surface area reduction techniques
  • File permissions
  • Backups
  • Network shares
  • Application whitelisting
  • Least-privilege admin access
  • MFA
  • VPN credentials
  • Controlled folder access
  • Incident response plans
  • Secure Boot & Credential Guard
  • Pass-the-hash protections
  • OneDrive File Restore
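Several items on that list can be checked on a single Windows 10/11 endpoint with read-only PowerShell queries. The script below is an added example, not code from Enabling or Microsoft; it assumes an elevated session with Microsoft Defender present, and the two ASR rule GUIDs are the documented IDs for "Block all Office applications from creating child processes" and "Block credential stealing from LSASS".

```powershell
# Added audit script (not part of the original post): read-only posture checks for a
# subset of the controls listed above. Assumes an elevated PowerShell session on a
# Windows 10/11 machine with Microsoft Defender installed.
function Get-RansomwarePostureReport {
    $r = [ordered]@{}

    # Current patches: age in days of the newest installed update
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $r.DaysSinceLastPatch = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

    # Secure Boot (Confirm-SecureBootUEFI throws on legacy BIOS machines, treated as not enabled)
    try { $r.SecureBoot = Confirm-SecureBootUEFI } catch { $r.SecureBoot = $false }

    # Credential Guard: value 1 in SecurityServicesRunning means Credential Guard is running
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $r.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)

    # Controlled folder access: 0 = off, 1 = block, 2 = audit
    $mp = Get-MpPreference
    $r.ControlledFolderAccess = switch ($mp.EnableControlledFolderAccess) { 1 { 'Block' } 2 { 'Audit' } default { 'Off' } }

    # Surface area reduction: map configured ASR rule IDs to their action (1 = block)
    $asr = @{}
    for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $asr[$mp.AttackSurfaceReductionRules_Ids[$i].ToLower()] = $mp.AttackSurfaceReductionRules_Actions[$i]
    }
    $r.AsrOfficeChildProcessBlocked   = ($asr['d4f940ab-401b-4efc-aadc-ad5f3c50688a'] -eq 1)
    $r.AsrLsassCredentialTheftBlocked = ($asr['9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'] -eq 1)

    # Macro file blocking: Office policy that blocks macros in Word files that came from the Internet
    $key = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
    $r.WordInternetMacrosBlocked = ((Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet -eq 1)

    # Least-privilege admin access: who sits in the local Administrators group
    $r.LocalAdmins = (Get-LocalGroupMember -Group Administrators | Select-Object -ExpandProperty Name) -join '; '

    # Network shares: every share other than the built-in administrative ones
    $r.NonDefaultShares = (Get-SmbShare | Where-Object { -not $_.Special } | Select-Object -ExpandProperty Name) -join '; '

    [pscustomobject]$r
}

Get-RansomwarePostureReport | Format-List
```

Run it on a sample of endpoints and compare the output against the checklist; any field reporting Off, False, or a long list of local admins and shares is a gap to close.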

Organizations should urgently take action to shore up any gaps in their systems and processes. A short checklist to prevent, detect, and respond to ransomware is shown in the grid below.

[Image: Ransomware Blog 1]

Some of the Microsoft tools that can be brought to bear to thwart a ransomware attack are shown here.

[Image: Ransomware Blog 2]

Finally, since even the best protections are vulnerable to the next unknown attack vector, organizations should have contact lists for CISA and/or the FBI to log the incident and to get help.

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.
