How to Create an Effective Ransomware Response Plan
Organizations need to be capable of responding effectively to a ransomware attack in order to minimize impact to the business. Here are three things they should consider along the way...
Anthony M. Freed
How many ransomware attacks did Retailers suffer in 2021? As reported by Infosecurity Magazine, the volume of ransomware attacks grew 105% between 2020 and 2021 to 623 million attack attempts. Much of this growth took place in the Public sector, with government agencies encountering a rise of 1885%.
Other sectors witnessed more modest increases. For instance, ransomware threats in the Retail sector surged by 21% during the year. That upturn resulted in 44% of Retail organizations suffering a ransomware attack throughout 2021. This volume was higher than the global average of 37% of organizations.
Ransomware actors have a penchant for targeting organizations that need 100% uptime for their operations, noted ZDNet, and such is the case with Retailers. Organizations in the Retail sector need to serve customers consistently, and they can’t do this without extended supply chains, third-party dependencies, and always-on production systems.
Such complexity leaves Retailers and their suppliers a prime target for a ransomware attack, especially during the crucial holiday season when sales peak. Ransomware actors know this, so they single out these organizations knowing that Retailers will be more inclined to pay, and less inclined to negotiate, if they experience a ransomware infection that disrupts business operations.
But there’s even more to ransomware actors’ interest in Retailers than that. For instance, ITPro found that attackers single out Retailers to try to steal customers’ payment card details and other sensitive information. Malicious actors can use that information to conduct credit card fraud, steal victims’ identities, and/or sell the data to make some money on a dark web marketplace.
Simultaneously, Retailers are increasingly integrating Internet of Things (IoT) devices like security cameras, point-of-sale (PoS) systems, and production/logistics controls into their environments. Many of these devices lack security by design, an oversight that leaves organizations even more susceptible to a ransomware attack.
In the study cited above, 54% of Retailers said that ransomware actors had successfully encrypted their data. This was about the same proportion (56%) of organizations in the Retail sector that succeeded in restoring their data from backups.
Following the ransomware attack, approximately one-third of the victims elected to pay the ransom. But those victims retrieved an average of just two-thirds of their data, and only nine percent got all their data back.
This explains the various damages that Retailers experienced following a ransomware attack. In our recent report, titled Ransomware Attacks and the True Cost to Business, we learned that three-quarters of Retail organizations reported a significant loss of revenue after suffering a ransomware infection.
Nearly half (58%) of Retailers said they also experienced employee layoffs after falling victim to ransomware actors. Meanwhile, a ransomware attack forced a third of Retailers to temporarily suspend or halt their business operations altogether.
One of the biggest challenges is that Retail organizations, like most other sectors, are using multiple security tools that fail to integrate. Indeed, CyberNews reported that nearly three-quarters of Retailers use more than one security technology across various business sites. Such complexity makes it difficult for IT and security teams to determine which department (or group of departments) is responsible for operating those security tools.
Retail organizations subsequently struggle to defend themselves against security threats. For instance, attackers use Magecart-style malware to skim customers’ payment card details and other information from e-commerce sites’ checkout pages. WeLiveSecurity noted that malicious actors also sometimes abuse vulnerabilities in WordPress plugins to infiltrate affected websites’ databases and to steal customers’ data.
Acknowledging the risk ransomware poses to business operations, Retailers need to make sure that they can respond effectively to a ransomware attack to minimize its impact on the business. Here are key things they should consider along the way:
The challenges associated with paying the ransom illustrate an essential reality of ransomware response—namely, that it’s minimally effective when attackers are themselves prepared and intent on undermining organizations’ response efforts.
For example, ThreatPost reported on a recently documented Conti ransomware variant that came with the capability to exfiltrate data from backups and then manually remove those backups. Ransomware gangs like Conti employ these tactics to force victims into a position where they’re more inclined to pay.
Simultaneously, paying the ransom rarely closes out a ransomware incident. In our report cited above, we learned that 80% of victims who paid a ransom ended up suffering another attack. About half (46%) of those respondents thought the same attackers had chosen to target them again. Meanwhile, a third noted that a different set of threat actors had perpetrated the attack, raising the possibility the initial gang had sold network access to the victim on the dark web.
Finally, organizations can’t always depend on third parties to cover all the ransomware attack costs. Nearly half (42%) of survey respondents had cyber insurance policies but revealed that their insurer covered only a portion of their losses.
Organizations are adopting AI-driven Extended Detection and Response (XDR) solutions so that their security teams can automate triage, investigation, and remediation at scale and detect ransomware activity at the earliest stages of an attack.
AI/ML-driven XDR can enable security teams to cut through the noise introduced by a constant flood of threat alerts, allowing security professionals to spend less time sifting through alerts and chasing false positives and more time working to improve the organization's overall security posture.
An AI-driven XDR solution can analyze large telemetry data sets with a high degree of accuracy to identify the most subtle Indicators of Behavior (IOBs) at a scale that manual human analysis can never match. The advantage here is in automating the detection of events that usually require human analysis and relieving security teams of the inefficient task of sorting the signal from the noise on the network.
Ransomware purveyors are moving away from high-volume attacks with low ransom demands in favor of more focused, custom attacks aimed at individual organizations selected for their ability to pay multi-million dollar ransom demands. These more complex ransomware operations, or RansomOps, involve highly targeted, multi-stage attack sequences carried out by sophisticated threat actors.
Cybereason recently published a whitepaper titled RansomOps - Inside Complex Ransomware Operations and the Ransomware Economy, which details this trend in more advanced, targeted ransomware attacks and the thriving ransomware ecosystem supporting them.
An AI-driven XDR solution allows analysts to quickly identify malicious chains of behavior and never-before-seen malware variants, and to detect complex RansomOps earlier so they can swiftly remediate known and unknown threats regardless of where they occur in an organization’s environment.
Cybereason is dedicated to teaming with Defenders to end ransomware attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR here, browse our ransomware defense resources, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.