Jul 5, 2021, Consulting, Infrastructure

Ransomware – Identify, Protect, Detect, Respond, Recover

Jacek Bochenek Cloud and Security Team Leader - CISSP, CISM, CCSP

In today’s world we hear about ransomware attacks almost every day. They affect a wide range of businesses, from small firms to large corporations. It doesn’t matter if the company is public or private. Even public health institutions are not spared. As I write this article, the Swedish supermarket chain Coop has had to shut down its operations because of an attack.

What is ransomware?

To explain what ransomware is, we must first know what malware is. Malware is a type of software that spreads itself across a wide range of devices, just to wreak havoc. There was a time when worms like Code Red, Dabber and Doomjuice were the prevailing type of attack. Today, they have been supplanted by ransomware attacks. When we look at that word carefully, it’s easy to notice that it is made of two words – ransom and malware. That’s the main difference – the goal of a ransomware attack is to make money for the attacker.

Ransomware tactics

When we look at who is attacked, we will notice that businesses are the ones mostly affected. This is no surprise, since the attacker can get more money from a company than from a private individual. Remember, the goal of the attack is to make money. The larger the corporation, the larger the financial demands.

So far we know the definition of a ransomware attack, its goal, and who is mostly affected. But how does the attacker convince the company to pay the ransom? There are three main tactics in use today.

First of all, during a successful ransomware attack, all documents are encrypted. The operating system itself is left alone, so the victim can boot it and see what happened. Yes, after the attack there is usually a file with instructions on how to pay the ransom and how to get the decryption key. Some groups change the desktop background image, so that even if you’ve missed the file, you’ll know for sure that you’ve been attacked and must pay the ransom. Some may say, “ok, I’ll decrypt the files myself”. Let me just say it – good luck. With today’s modern encryption algorithms it is impractical, and it would take a long, long time which the attacked company doesn’t have.

Some may be tempted to restore files from backups. Well, even two or three years ago that would have been a feasible solution, but since then the attackers have changed their tactics. Now, before they encrypt the files, they steal them and threaten to publish them if the victim company doesn’t pay the ransom. As a result, a lot of companies would rather pay the money than have their reputation destroyed.

If this wasn’t enough, ransomware groups now also go after the companies that cooperated with the victim company, threatening to launch, for example, a DDoS attack against them.

The ransomware business

As we said earlier, the goal of a ransomware attack is to make money. When we look closely at the operations, we will see that the attackers operate more like well-organized companies, except that they make money illegally. The groups have their own service desks, where the victim is guided through the payment and then through the file decryption process.

Some groups don’t carry out the attacks themselves, but rather sell the capability as RaaS – Ransomware as a Service. They go even further. They have their own underground legal system that lets them settle disputes between the different groups.

No matter how you look at it – they want to make money. And they do make money – more every year. That’s why more and more companies buy insurance in case they get attacked and have to pay incredibly large sums.

Ransomware protection

When we look at the NIST Cybersecurity Framework, we will see that it breaks cybersecurity down into five functions – identify, protect, detect, respond and recover. It is not sufficient to protect through technology alone; awareness training is needed as well. You have to educate the user, because most attacks target the end user. In my previous article, “Brain Hacking”, I described the different social engineering methods attackers use to make people do what they want. It is also important to note that today most ransomware attacks are initiated through email.

The sooner you realize that at some point the software will fail and a ransomware attack will get through, the better you can prepare for it. A better approach is to not only protect but also deploy detective controls. This way, if your protections fail, you can catch the attack quickly and respond to keep it under control. To do that, though, you need to identify what it is you are looking for. This is where threat intelligence is useful.

Threat intelligence

Threat intelligence is a way to counter the problem of anti-malware being insufficient. As we said earlier, it is not possible to protect against all attacks, but if you get a head start and educate yourself, you can implement controls across your organization that help you minimize the damage.

You can gather threat intelligence data by yourself on the internet, searching the deep web and reading about different attack methods, but this is a time-consuming process. A better approach is to subscribe to commercial threat intelligence feeds. This will enable you to obtain these pieces of information and incorporate them into a SOC/SIEM solution, where they can be used in prevention and detection rules. These pieces of data, which may be IP addresses, email addresses, domain names, or similar, are commonly called indicators of compromise (IoCs). They enable you to quickly identify compromised systems and respond accordingly.
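As an added illustration (not code from the original article), here is how a SIEM detection rule consumes such a feed: a constructed IoC list of IP addresses, a domain and an email address is normalised and matched against constructed proxy and mail-gateway log lines, flagging subdomains of a listed domain as well as exact matches. The feed format and log format are assumptions for the example.

```python
import re

# Constructed IoC feed (type, value); untidy on purpose: mixed case, trailing dot.
IOC_FEED = [
    ("ip", "203.0.113.45"),
    ("domain", "Bad-Payment.Example."),
    ("email", "Invoice@Phish.Example"),
]

# Constructed log lines: two proxy entries and one mail-gateway entry.
SAMPLE_LOGS = [
    "proxy src=10.0.0.7 dst=203.0.113.45 host=cdn.bad-payment.example",
    "proxy src=10.0.0.9 dst=198.51.100.2 host=intranet.example",
    "mail from=invoice@phish.example to=cfo@corp.example subject=Overdue",
]

def normalise(kind, value):
    """Lower-case and strip a trailing dot so feed and log values compare equal."""
    value = value.strip().lower()
    return value.rstrip(".") if kind == "domain" else value

def load_feed(feed):
    """Index the feed by indicator type so each log field is one set lookup."""
    index = {"ip": set(), "domain": set(), "email": set()}
    for kind, value in feed:
        index[kind].add(normalise(kind, value))
    return index

def domain_hit(host, domains):
    """A host matches if it equals an indicator or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def match_line(line, index):
    """Return the indicators one log line touches (empty list if clean)."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    hits = []
    if (ip := fields.get("dst")) and normalise("ip", ip) in index["ip"]:
        hits.append("ip:" + ip)
    if (host := fields.get("host")) and domain_hit(normalise("domain", host), index["domain"]):
        hits.append("domain:" + host)
    if (sender := fields.get("from")) and normalise("email", sender) in index["email"]:
        hits.append("email:" + sender)
    return hits

def scan(logs, feed):
    """Map 1-based line number to its hits, omitting clean lines."""
    index = load_feed(feed)
    return {n: h for n, line in enumerate(logs, 1) if (h := match_line(line, index))}
```

Without the normalisation step the trailing dot and mixed case in the feed would silently miss both the proxy and the mail hit, which is the usual reason a freshly imported feed produces no alerts.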

To appreciate the scale of the problem we’re defending against, take a look at the statistics. According to the website av-test.org, well over one billion individual pieces of known malware exist in the world. In any given month over the last couple of years, between 8 and 17 million new pieces of malware were introduced.

Ransomware remediation

So far we are able to identify, protect against and detect ransomware attacks, but what if an attack gets through? That’s where the last two functions come into play. We must be able to respond to and recover from such an attack. So, what are the main steps and things we must prepare and be aware of?

  1. Implement a solid backup strategy — when a ransomware attack happens, having a solid backup strategy can help the process of recovery go more smoothly. Systems can be wiped and reinstalled, then restored from backup.
  2. Implement security awareness training — security awareness training can help keep employees vigilant to the different ways attackers might try to take advantage of users to gain access to the environment.
  3. Consult with legal counsel — make sure you have plans in place with legal counsel. They will understand legal and regulatory considerations.
  4. External entities — you are likely going to need help if you are impacted by a ransomware event, so get retainers in place for the following: incident response company, ransomware negotiation company, crisis communication company, and external counsel experienced with security-related incidents.
  5. Introduce or enhance threat intelligence — getting a threat intelligence provider will help you better protect and respond to all of the threats in the world today.
When it comes to cybersecurity, we must always be aware of the threats. It is not only important to protect through technology; we must also be able to identify successful attacks. When that happens, we need to be prepared to respond to and recover from the attack. The key word is – preparation. When the attack happens, there will be no time to prepare. If you’d like more information on how to prepare, we’ll be more than happy to help you and your company.