Cybereason Blog | Cybersecurity News and Analysis

Preparing Your Organization for a Ransomware Attack

Written by Anthony M. Freed | Sep 20, 2022 8:00:00 AM

As ransomware gangs continue moving towards highly targeted attacks, enterprises need to be more wary than ever about making sure their organizations are as prepared as possible to defend against a ransomware attack. RansomOps are now the modus operandi among even the biggest players, and it’s changing the game. 

The evolution of this Ransomware Economy means launching ransomware attacks is getting even easier, where even would-be attackers with limited technical skills can engage in attacks. 

Predictive Ransomware Protection 

Gartner identified the threat of new ransomware models as a top emerging risk facing organizations in 2021. The first step to defending against current ransomware and never-before-seen threats is to stop malware ingress before it starts. To do that, you need predictive ransomware protection

As ransomware.org states, “The key idea is to use technology as much as possible to provide a first line of defense that blocks or handles obvious threats rapidly and automatically.” Putting defensive mechanisms in place – like endpoint protection, NGAV and AI that can spot Indicators of Behavior (IOBs) to give you early detection of bad actors – is the first line of defense to ransom-proofing your environment. 

To stop ransomware at the source, you need AI on the endpoints, detecting atypical behavior to predict and block attack advances. Next, a multi-layered approach ensures the most security, combining Next-Generation Antivirus (NGAV), AV, script-based and fileless protection to make sure known and unknown ransomware doesn’t get through. 

Finally, gaining full visibility from the kernel to the cloud enables you to spot signs of compromise anywhere along the ransomware attack chain, allowing you to stop it in its tracks – before encryption.

Operation-Centric Approach 

Next, adoption of an operation-centric approach is key. This means having full view of the MalOp, or Malicious Operation, meaning seeing the full process of a malware operation from ingress to encryption to ransom note. This allows you to see the ransomware operation “from root cause to every affected endpoint in real-time through multi-stage visualizations that deliver all of the details of an attack across all devices and all users immediately.”

Without this full view, we are left with a siloed, alert-centric approach which puts security teams in a reactive role, leaving blind spots on the network where attackers can remain undetected. 

Forbes contributor Tony Bradley tells of his own realization of the model, sharing, “[More] than 15 years ago... I recognized that the reactionary model of cybersecurity was untenable for the long term. The entire foundation of cybersecurity was built on the premise that attackers get the first move, then security vendors develop defenses for the new threat, and we all cross our fingers and hope they work.”

This ‘reactionary model’ can be mitigated by placing proactive security measures throughout your security stack and network, but to do so, an operation-centric approach (and the visibility and agility it provides) is necessary. “This breaks down the threat intelligence silos, reverses the attacker advantage, and returns the high ground to the defenders by extending detection and response capabilities across the organization,” Computer Weekly states.

Security that Can Scale 

Lastly, you need security that can scale. According to a 2020 survey by IT Security Wire, the volume of security alerts had increased as much as 50% for four out of five SOC analysts over the preceding year. Plus, “more than three-quarters (78%) of security professionals said that it takes over 10 minutes to look into each alert,” and “over 35% of respondents said that their SOC has either tried to increase staff by hiring more analysts or turned off high-volume alerting features.” 

Needless to say, this is no way to handle a record number of attacks and nearly 120% growth in double-extortion ransomware. Manual detection methods are not enough – automation, Artificial Intelligence (AI) and Machine Learning (ML) are needed to scale. 

According to Booz Allen, organizations employing AI/ML can detect more nuanced attacks earlier than those utilizing manual methods alone. “AI/ML can enable security teams to cut through the noise introduced by a constant flood of threat alerts, allowing security professionals to spend less time sifting through alerts and chasing false positives and more time working to improve the organization's overall security posture,” as I mentioned in a previous post. This enables enterprises to force-multiply their security teams, amplifying rather than replacing them. 

As Oleg Skulkin, head of the digital forensics and incident response team at Group-IB shared in an interview with TechTarget, “you can only stop human-operated attacks if you have humans to monitor and detect these attacks.”

It is true that for the foreseeable future, there yet remains a need to mix human and AI/ML techniques, but “even the most skilled human analysts are incapable of quickly and efficiently querying all available telemetry in real-time to uncover meaningful attack indicators.” AI/ML and automated solutions give teams the large-scale data they need to keep up with the barrage of ransomware attacks on the horizon for 2022 and beyond. 

XDR for Early Ransomware Attack Detection

The best way to ensure your organization is prepared to defend against ransomware is to combine the best technologies – for predictive protection, an operation-centric approach, and security at scale – into a single platform that provides ransomware protection from ingress to endpoint. This can be found in an Extended Detection and Response (XDR) solution

An AI-driven XDR solution utilizes AI/ML to integrate telemetry across platforms, application suites, endpoints and other assets, identifying ransomware attacks never before seen. It gives you operation-centric visibility over the ransomware attack chain, revealing attack timelines and freeing your security teams to scale at the rate of risk - creating a ransomware-proof enterprise. 

Simply put, you cannot defend against RansomOps in traditional ways because it’s not a traditional threat. Enterprise SIEMs miss 80% of detections for MITRE ATT&CK techniques, according to a recent report. And a focus on detecting the ransomware executable alone is risky because that is the tail-end of a longer attack sequence, where the adversary already has unfettered access to your network and may be engaging in data exfiltration. 

Ultimately, your multi-layered approach should allow you to analyze ALL data in real-time (not just endpoint data), protect you against double extortion, and prevent never-before-seen executables so you can truly have a proactive anti-ransomware strategy in place.


Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about predictive ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.