Held to ransom

14 June 2021

It’s all about the money

Ransomware attacks in the UK continue to grow at an alarming rate, as cybercriminals target everything from government agencies to high-net-worth individuals and blue chip corporates to small businesses. Robert Shepherd asks the experts why this is and what enterprises can do to thwart the bad actors

Why are we experiencing a large rise in ransomware attacks?

Raj Samani, chief scientist and McAfee fellow: Over the past year, we’ve seen security threats and ransomware attacks continue to evolve in complexity and increase in volume. This is because cybercriminals have quickly and effectively pivoted their tactics to take advantage of the pandemic or poor cyber hygiene. As a result, enterprises endured more opportunistic COVID-19 related campaigns among a new cast of bad-actor schemes. For example, at the end of 2020, we saw a continued increase in threats from Q3 (+240%) to Q4 (+114%), with ransomware increasing by a staggering 69%. Equally the rise in open RDP to the internet has compounded the issue.
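The point about internet-exposed RDP lends itself to a concrete control: audit the inbound firewall or cloud security-group rules for remote-administration ports reachable from outside the organisation's own address space. The following script is an added example written for this article; it is not McAfee's tooling or anything the page describes. The rule format, the internal address ranges and the sample rules are all constructed, and the port list goes beyond the RDP port the article names to other remote-administration services as an assumed extension of the same idea.

```python
"""Flag firewall / security-group rules that expose remote-administration
ports to addresses outside the organisation.  Added illustration, not code
from the article; rule schema and sample data are constructed."""
import ipaddress
from dataclasses import dataclass

# RDP (3389) is the service the article calls out.  The remaining entries are
# an assumed extension to other remote-administration ports.
ADMIN_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH", 5985: "WinRM", 5986: "WinRM-HTTPS"}

# Assumed internal address space for this (constructed) organisation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Rule:
    name: str
    proto: str       # "tcp", "udp" or "any"
    port_from: int   # inclusive start of the allowed destination port range
    port_to: int     # inclusive end of the range
    source: str      # CIDR the rule accepts traffic from


def exposure(source_cidr):
    """Classify a rule's source: 'internet' for a catch-all prefix,
    'internal' if it sits inside our own ranges, otherwise 'external'."""
    net = ipaddress.ip_network(source_cidr, strict=False)
    if net.prefixlen == 0:                      # 0.0.0.0/0 or ::/0
        return "internet"
    for internal in INTERNAL_NETS:
        if internal.version == net.version and net.subnet_of(internal):
            return "internal"
    return "external"


def audit(rules):
    """Return (rule name, service, port, exposure) for every admin port a rule
    opens to a non-internal source.  Only TCP/any rules are considered."""
    findings = []
    for r in rules:
        if r.proto not in ("tcp", "any"):
            continue
        for port, service in ADMIN_PORTS.items():
            if r.port_from <= port <= r.port_to:
                scope = exposure(r.source)
                if scope != "internal":
                    findings.append((r.name, service, port, scope))
    return findings


# Constructed sample rule set: one rule opens RDP to the whole internet, one
# opens SMB to a partner range, the rest are unremarkable.
SAMPLE_RULES = [
    Rule("allow-rdp-anywhere", "tcp", 3389, 3389, "0.0.0.0/0"),
    Rule("allow-rdp-vpn", "tcp", 3389, 3389, "10.20.0.0/16"),
    Rule("allow-smb-partner", "tcp", 445, 445, "203.0.113.0/24"),
    Rule("allow-https", "tcp", 443, 443, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, service, port, scope in audit(SAMPLE_RULES):
        print(f"{name}: {service}/{port} reachable from {scope} sources")
```

Run against a real export of rules, the "internet" findings are the ones to close first; the "external" findings are worth a second look because a partner range with RDP open is only as safe as the partner.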

Corey Nachreiner, CTO, WatchGuard Technologies: For cyber criminals, it’s a bit of a no brainer. With low risk, high returns and virtually unlimited supply of victims, why wouldn’t you? The other factor is the arrival of Ransomware-as-a-Service (RaaS), which increases the scale and volume of attackers. The technical risk is the same, but RaaS greatly lowers the bar of criminal actors who can launch a ransomware attack. Since the RaaS seller has already done the hard work of technically creating and designing the ransomware, even unskilled criminals can make some money by outsourcing that technical effort.

Candid Wüest, VP cyber protection research, Acronis: Ransomware is profitable. As ransomware operators improve their software, and find better extortion techniques, ransomware becomes a preferred method of cybercriminals to make money. Combine this with higher accessibility through ransomware-as-a-service operations, and even less technical criminals can earn a quick pay-out with ransomware.

Rory Duncan, GTM leader, security, NTT: There are currently over 1,800 variants of ransomware, with the top 45 variants reportedly bringing in the most ransom money. Over the last year, cybercriminals have capitalised on global disruption to launch sophisticated ransomware attacks on healthcare providers, governments and critical national infrastructure. While large state-sponsored attacks continue to grab the headlines, however, organisations of all sizes shouldn’t let these breaches distract them from threats closer to home.

In fact, one of the reasons that there has been such a significant rise in ransomware attacks is that they are easier than ever for cybercriminals to launch. At the end of last year, for example, our research highlighted the growing trend of Ransomware-as-a-Service (RaaS) – a business model that involves cybercriminals selling or leasing ransomware platforms to those looking to benefit financially from disrupting a company’s operations.

These platforms are becoming more and more accessible. Some of the RaaS options on the market, for instance, are targeted at novice hackers who don’t even need to know how to get onto the dark web to find the latest platforms on offer. Not only that, several of the malicious entrepreneurs use social media and other sources such as YouTube, Vimeo and Selix to advertise and demonstrate how to use their products.

With these tools readily available to hackers of all levels, it shouldn’t come as a surprise that ransomware attacks are an increasingly attractive option. While results with simple RaaS platforms are, indeed, mixed, those that are successful in launching attacks have increased ransom demands. Unfortunately, some are even practicing double exploitation of their victims – demanding a ransom and still releasing the victims’ personal data for sale on underground forums after they have paid.

Chris Goettl, senior director of product management at Ivanti: One thing to keep in mind about ransomware is that, for threat actors, it is a business. And ransomware has a very effective go-to-market strategy and high return on investment compared to many other forms of cybercrime. Threat actors can either develop their own ransomware tools or utilize Ransomware as a Service (RaaS) solutions to quickly enter the market with a high level of sophistication. Modern ransomware attacks now typically include data exfiltration, so threat actors have many points of leverage to try and get a payout. For example, victims may pay to get decryption keys or keep their data private. And even if they don’t pay, hackers can possibly sell their data on the dark web.

In thinking through ransomware attacks in this way, it becomes very clear why threat actors have been so successful in the past couple of years and why ransomware is an intensifying problem for all organizations. There are more players in the ransomware space than ever before. And the average ransom is not the $500 Bitcoin that it used to be. On average, organisations pay $233,217 and suffer 19 days of downtime following a ransomware attack.

Sergei Serduyk, VP of product management, Nakivo: Even though a popular saying suggests otherwise, some crime does pay. A ransomware attack is a highly profitable crime the frequency of which has increased manyfold since the start of the Covid-19 pandemic. Sensing the vulnerability of organisations adjusting to the work-from-home reality, the attackers explore additional opportunities to make money illegally. The trend is exacerbated by the rise of cryptocurrencies, which offer an anonymous means of payment. The frequency of ransomware attacks is only going to accelerate if organisations don’t improve their cybersecurity posture and ensure that they don’t need to pay criminals to get their data back.

Andrea Babbs, UK general manager, Vipre: The United Kingdom’s National Cyber Security Centre (NCSC) handled a record number of cybersecurity incidents over the last year, a 20% increase on the cases handled the year before. Cyber criminals took advantage of the Covid-19 pandemic, targeting vulnerable employees working on personal computers or open networks, who were working harder, faster and longer hours than ever before. The help and support from those in IT is not so immediate. Now more than ever, the responsibility must be reinforced throughout the entire business. Unfortunately, businesses often pay the ransom, and if they pay once they will pay multiple times. A successful ransomware attack can be used various times against many organisations, turning an attack into a cash cow for criminal organisations.

Mark Raeburn, managing director at Context, part of Accenture Security: Ransomware has been on the rise for the past few years and is what keeps many CSOs and CEOs awake at night. Accenture’s Cyber Investigations and Forensic Response (CIFR) reported a 160% year over year (YoY) increase in ransomware events in 2020. There are many factors behind this but over the last year, Covid-19 has made things far more complicated for cyber security professionals, while presenting new opportunities for bad actors. Remote working opened the door to targeting individuals’ vulnerabilities, and we have seen endless new ransomware lures and traps that imitate credible sources involving Covid-19 advice or actions.

Nigel Thorpe, technology director, SecureAge Technologies: Ransomware is still easy pickings - organisations are woefully open to these attacks. Cybercriminals can either target one or a select number of organisations - or even individual people, or they can take a scatter-gun approach. Broadcasting attacks tend to lead to smaller individual receipts for the cybercriminal, but ransoms soon mount up. The more targeted attacks select organisations where loss of their IT systems will lead to major problems - like the Colonial oil pipeline in the US or the Irish Health Service attacks. In these kinds of cases there’s a high probability of the ransom being paid. And if you’re the cybercriminal it is still highly unlikely that you will get caught. We still see frequent attacks but no arrests. Law enforcement in this whole area needs to start making an impact.

Taking action

What’s the first thing an enterprise should do if it is subjected to a ransomware attack?

Rory Duncan, GTM leader, security, NTT: Having a thorough incident response plan in place is crucial for business continuity – and this should be the first place you look if you find yourself on the receiving end of a ransomware attack.

A successful proactive incident response plan involves a number of key components. Defining the incident response team and their roles and responsibilities, alongside identifying any skillsets that do not exist within your organisation, should be the first point of action. Outlining the communication process for during and after the incident is also important – this includes clearly defining when to alert industry regulators or law enforcement. In addition, laying out the criteria for declaring exactly when an incident has started and ended is critical. Documenting the incident from start to finish, including dates and times, should also be included within the plan, as any information about the attack is pertinent for reporting the crime and using in future training programmes.

Your plan should also include practical processes for mitigating the attack, which can be broken into three phases: containment, removal and restoration, and recovery. During the containment phase, the focus should be on limiting the scope of the attack and preventing any further damage. The removal and restoration stage involves taking the appropriate steps to remove malicious content from affected systems. Lastly, as part of the recovery phase, you should test and verify that the compromised systems are clean and fully functional.

When it comes to ransomware attacks, it’s safe to assume that at some point your organisation will suffer a breach. With our 2021 Global Threat Intelligence Report finding that 58% of organisations feel unprepared for a malware attack, however, it is clear that more needs to be done to educate businesses of all sizes on how to react when they fall victim. Developing an incident response plan is a good place to start - if you do not already have one, now is the time to write it and embed it in everything you do.

Nigel Thorpe, technology director, SecureAge Technologies: As soon as a ransomware attack is identified, pull the plug! At this stage you’re unlikely to know any details so you need to stop the infection spreading. So, powering off machines and unplugging networks is a good first step. If nothing else this gives a breathing space so you can plan your next steps, most likely bringing up one machine in a ‘safe mode’ to start to identify the problem and plan remedial actions.

Sergei Serduyk, VP of product management, Nakivo: The immediate response to a ransomware attack should be the isolation of the affected systems. By removing the infected devices from the network, it is possible to stop the spread of ransomware. In addition to containing the spread, the isolation can also help disrupt the communication between ransomware and cybercriminals. The disruption of communication is essential because cybercriminals might use it to steal or destroy infected data.

Candid Wüest, VP cyber protection research, Acronis: In the case of a ransomware attack, it can be natural to think about shutting down the affected system immediately. The problem with this is that you may lose logs that can help you identify the attacker and attack vector. It is important to collect the ransom note, and relevant logs, but before that, the system should be taken offline by unplugging network cables and shutting off Bluetooth and Wi-Fi. IT and security teams should immediately separate systems from the network and begin looking for signs of ransomware on other systems.

Raj Samani, chief scientist and McAfee fellow: When a business finds itself victim to a ransomware attack, it may be tempted to pay up since it’s not just the encryption that will cause concern but also the threat of leaking data. In such instances, the victim companies are encouraged not to pay the ransom. There is no guarantee that payment will result in the return of data and access or prevent the sale of sensitive data on the dark web. Instead, businesses should use the No More Ransom portal as the first port of call to determine if a decryption tool exists when impacted by ransomware.

Chris Goettl, senior director of product management at Ivanti: The first step is always to understand your situation. Depending on when and how the attack was detected, this could be a very tight window. Get to a sufficient level of detail to communicate to leadership and activate the right level of response. Isolate affected areas and work to contain the spread.

The US Office of Foreign Assets Control (OFAC) also recently released an advisory stating that any company that is subject to a ransomware attack should engage with the proper law enforcement authorities and must adhere to economic sanctions and federal guidance. Many cyber gangs are nation-state backed and so paying them can violate OFAC guidelines, subjecting businesses to legal repercussions and potential fines if they pay up, as well as potentially encouraging further attacks.

Corey Nachreiner, CTO, WatchGuard Technologies: Immediately disconnect infected computers, laptops and other devices and consider turning off your Wi-Fi, disabling network connections and disconnecting from the internet. Hopefully, you have backups and an incident response plan in place to define roles and responsibilities of staff and third parties. But before you start to restore data, make sure your backups are free from any malware. You will also need to reset credentials including passwords - especially for administrator and other system accounts - but don’t lock yourself out of systems that are needed for recovery.

Mark Raeburn, managing director at Context, part of Accenture Security: The first piece of advice is not to panic and take a deep breath – it has happened to many organisations before and it doesn’t mean your business is going to make the headlines in tomorrow’s news. You may want to consider calling in external experts. In many cases, a specialist security firm with experience in cyber incident response will be more adept at dealing with this kind of incident than your internal IT teams may be. They can help to identify how the attack occurred and build a comprehensive understanding of the intrusion and measured impact. This is critical during and after the incident to inform defence posturing, comprehensive take-back planning in a domain compromise and safe recovery of business operations.

Andrea Babbs, UK general manager, Vipre: Contain it and report it. Our advice in this type of situation is always to work with the authorities to try to rectify the issue and follow their guidance – they are the professionals with the experience to manage the outcomes, which are hopefully towards the positive. Often, many ransomware attacks go unreported - and this is where a lot of criminal power lies. By the time a ransomware attack has been successful, the opportunity for prevention has unfortunately passed. VIPRE’s advice is always ‘prevention is better than cure’. But damage limitation and containment are important right from the outset. Most organisations should have a detailed disaster recovery plan in place and if they don’t, they should rectify this immediately. The key to any and every disaster recovery plan is backups, as once the breach has been contained, businesses can get back up and running quickly and relatively easily, allowing maximum business continuity. As soon as the main threat has passed, we would recommend that all organisations conduct a full retrospective, ideally without blame or scapegoats, and share their findings and steps taken with the world. Full disclosure is helpful - not only for the customer, client or patient reassurances, but also for other organisations to understand how they can prevent an attack of this type being successful again.

Who and what criminals are targeting

Is ransomware more of a problem for enterprises or high-net-worth individuals?

Nigel Thorpe, technology director, SecureAge Technologies: Ransomware is generally more of a problem for enterprises simply because they manage more data that is sensitive than high-net-worth individuals. Organisations also use their IT infrastructure to manage their entire business, through the whole supply chain and, for example, if you own an oil pipeline network, then this too is managed via IT systems. There have been many stories over the past few years of organisations that have been severely hampered through ransomware attacks. And in the case of healthcare, people’s lives are at risk when IT fails. If law enforcement bodies start to make an impact on cybercriminals targeting organisations then it is likely that high-net-worth individuals will become more attractive targets because they will want to keep their private information private while not appearing in the public gaze as a result of actions that could be seen as foolish.

Candid Wüest, VP cyber protection research, Acronis: Nobody is exempt from ransomware attacks. Most ransomware operators only care about the money they can make from the attack, which means that they will go after enterprise targets just as readily as individuals with a high-net-worth. The advantage attackers have in an enterprise environment is the larger human element at play. They can spam enterprise email addresses with a bad link or document used to install and run the ransomware, and it is much more likely they will find someone who will interact with it.

Raj Samani, chief scientist and McAfee fellow: Many of the recent large ransomware attacks are what we would regard as big game hunting - in other words, attacks targeting large enterprises because their ability to pay exorbitant ransoms is considerably easier. However, this does not mean that cases of groups targeting individuals have gone away.

Corey Nachreiner, CTO, WatchGuard Technologies: While every day we hear about ransomware attacks on large enterprises, due to the obvious impact and data protection regulations that require a company to disclose such attacks, we hear less about high profile or high net worth individuals. But we can assume these attacks are just as prevalent but simply kept under wraps – whether ransoms are paid or not. For the ransomware criminals, they can target specific organisations or individuals or simply take a scattergun approach and see who bites.

Chris Goettl, senior director of product management at Ivanti: Large enterprise and high net worth individuals make headlines more, but ransomware targets a lot of small businesses. More than half of ransomware attacks target sub 1,000 size companies. The smaller organizations are often disproportionately targeted because they do not have as much financing, staffing or expertise to repel sophisticated cyber threats. For smaller organizations, a payout may even be more likely because their choices could be to pay or close their doors forever. 

Mark Raeburn, managing director at Context, part of Accenture Security: Ransomware is a familiar and favoured threat tactic of cybercriminals and traditionally, has been about gaining access to systems, encrypting or stealing data – which could equally target an enterprise, celebrity or high earner.
But more recently, we’ve seen ransomware take on a more sinister turn. Attackers are getting onto enterprise networks and staying there. They aren’t just encrypting data; they are threatening to ruin a company’s reputation by letting everyone know they have taken it. We are also seeing an increase in ransomware specialists. For example, there might be someone offering Ransomware-as-a-Service from the dark web. That person may sell the service to someone who gets access into the organisation and makes it encryption-ready. Then, they may pass on that information to someone who is an expert in hunting and seeking out what can be monetised. Suddenly, you’ve got a team that knows what to look for, how to find it and how to move laterally around the organisation all working together.

Andrea Babbs, UK general manager, Vipre: With the increasing number and more innovative nature of cyberattacks, businesses of all sizes must prioritise cybersecurity. Whether a business is a start-up or a larger corporate organisation, all companies are at risk of a cyber-attack. We often see multi-million pound enterprises on the news when they suffer from a data breach, such as Estée Lauder, Microsoft and Broadvoice. Different sectors are targeted for different reasons, such as the highly sensitive Intellectual Property (IP) stored by pharma organisations, or the sensitive and confidential nature of data handled in financial institutions.

But no organisation is too small to target, including small and medium-sized businesses (SMBs), who are the target for an estimated 65,000 attempted cyberattacks every day, according to new figures. Unfortunately, these types of businesses may not have the same infrastructure and resources in place to survive such attacks, as it has been found that 60% of small companies go out of business within six months of falling victim to a data breach or cyber attack.
No matter the size of an organisation, the effects of a cyber attack can be devastating financially, as well as having longer-term damage to business reputation. Small businesses remain at the same level of security risks as those which are larger. Nevertheless, SMEs can safeguard their data and themselves from these types of attacks by investing in their cybersecurity and being conscious and informed of the threats they face.

Why criminals continue

With so many security tools at our disposal, how do criminals continue to hack so effectively?

Candid Wüest, VP cyber protection research, Acronis: Cybercriminals have time and patience on their side, as well as often having a significant budget for development of new tools. Defenders are often limited in their budgets and labour hours, putting them at a disadvantage against the adversaries. Even with the best defence tools, human eyes and intuition must still be used to effectively defend against attacks.

Andrea Babbs, UK general manager, Vipre: Cybercriminals are becoming more advanced and innovative in their tactics. We have seen an increase in fileless attacks which exploit tools and features that are already available in the victim’s environment. These can be used in combination with social engineering targeting, such as phishing emails, without having to rely on file-based payloads.

Bad actors are also able to spot weaknesses in workforces, particularly preying on those who are working from home as a result of the ongoing pandemic, away from their trusted IT teams. In fact, a recent survey found that 90% of companies faced an increase in cyber attacks during COVID-19.

It is no surprise that hackers use humans to their advantage, as according to data from the UK Information Commissioner’s Office (ICO), human error is the cause of 90% of cyber data breaches. Humans make mistakes – stressed, tired employees who are distracted at home will make even more mistakes. Whether it’s sending a confidential document to the wrong person or clicking on a phishing email, no organisation is immune to human error and the damaging consequences this can have on the business.

IT and data security is a multi-faceted, complicated area, and one which must receive investment in each layer, from the technology to the people to the tools we give to the users. If you do not have the right technology in place to keep your data safe, then you will face problems – but the same goes for having the right tools and training available to your users. Data security is a difficult and never-ending task, one which requires ongoing investments on multiple fronts by every organisation in the world.

Chris Goettl, senior director of product management at Ivanti: Threat actors only need to find one weak point to gain a foothold and from there they can find the next weakness and the next, whereas security professionals must defend against a variety of weaknesses that are never ending.

Plus, hackers do not use a single attack method; ransomware attacks are sophisticated and multifaceted. In many cases, ransomware attacks behave much like advanced persistent threats (APTs). The attacker will exist within an organization for months typically. They will map out the environment, identify what workloads and systems will have the most impact on the organization and they will find sensitive data to exfiltrate. Once they are prepared, they will launch the encryption portion of the attack, but by then it is often too late.

Social engineering, email phishing, and malicious email links are major vectors that criminal organizations use to infiltrate environments and deploy malware. Unpatched vulnerable software also leaves organizations unprotected from malicious cyber threat actors exploiting known threat vectors to get a foothold into connected endpoints and then move laterally up the cyber kill chain to evolve into an APT. In fact, this year’s Verizon DBIR report noted that attackers continue to exploit older vulnerabilities, and that patching performance in organizations has not been stellar. While patching technologies have existed for years, many companies still struggle with vulnerability remediation.

Corey Nachreiner, CTO, WatchGuard Technologies: You can put in multiple layers of security to protect from ransomware attacks, but it is no secret that humans are the weakest link in any security strategy. Recent Verizon Data Breach Investigations Reports suggest that some 90% of breaches start with a phishing or social engineering attack. Most of the investment in cyber security over the last 10 years has been focused on securing computers and networks through technical defences, but as we have got better at patching and preventing IT vulnerabilities, the cybercriminals have focused more on exploiting human weaknesses.

Mark Raeburn, managing director at Context, part of Accenture Security: Ransomware has become a very lucrative and low-risk activity for criminal groups, who are investing large amounts of money honing their trade. Phishing continues to be the most common infection vector for ransomware and the sophistication and sheer volume of emails and texts will inevitably catch some people out. Other methods of infection include drive-by attacks or watering hole attacks, where attackers infect popular sites with malware.

Nigel Thorpe, technology director, SecureAge Technologies: The main problem is people. As soon as a person is involved the opportunity for misjudgement or mistake is huge. Most people are not - and should not be expected to be - IT security experts. Cybercriminals are well aware of this and create tempting and targeted ‘bait’ that appears to be legitimate. For a well-constructed phishing attack there should be no shame on behalf of the individual who clicks that link - the security system should have prevented any potential damage in the first place. However, most organisations continue to use mainstream cyber security tools, which over time have become highly complex. And where there is complexity there will undoubtedly be security gaps, misconfigurations and mistakes.

Raj Samani, chief scientist and McAfee fellow: We have to recognize that there are still multiple ways to detect a potential ransomware attack. Typically, attackers use entry vectors that have been well documented, and once inside the environment there are behaviours that can point towards compromise. Of course, the challenge for any organisation is to identify these indicators in the sea of alerts they have to contend with every day.
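One of the post-compromise behaviours alluded to in this section (and in Ivanti's description of the "encryption portion of the attack") is a single process renaming a large number of files to one new extension in a short burst, which is easy to state as a detection rule but easy to lose in a flood of ordinary file activity. The script below is an added example written for this article, not a McAfee or Ivanti detection; the event format (`timestamp|host|process|action|new_path`), the thresholds and the sample event stream are all constructed. It keeps a sliding window of rename events per host and process and alerts once when a window holds a burst in which nearly all renames end in the same extension, which is what separates the burst from a build tool or backup job touching many files over a longer period.

```python
"""Sliding-window detection of mass file renames to one new extension.
Added illustration, not code from the article; event format, thresholds
and sample events are constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

RENAME_BURST = 20                 # renames inside one window that trigger an alert
WINDOW = timedelta(seconds=60)    # length of the sliding window
SAME_EXT_RATIO = 0.9              # share of renames that must end in one extension


def parse(line):
    """Split one constructed event line into its fields."""
    ts, host, proc, action, path = line.split("|", 4)
    return datetime.fromisoformat(ts), host, proc, action, path


def extension(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(lines):
    """Return one alert per (host, process) whose recent renames form a burst
    dominated by a single new extension.  Lines must be time-ordered."""
    windows = defaultdict(deque)   # (host, process) -> deque of (ts, ext)
    fired = set()
    alerts = []
    for line in lines:
        ts, host, proc, action, path = parse(line)
        if action != "rename":
            continue
        key = (host, proc)
        q = windows[key]
        q.append((ts, extension(path)))
        while q and ts - q[0][0] > WINDOW:      # drop events older than the window
            q.popleft()
        if len(q) >= RENAME_BURST and key not in fired:
            top_ext, n = Counter(ext for _, ext in q).most_common(1)[0]
            if n / len(q) >= SAME_EXT_RATIO:
                fired.add(key)
                alerts.append({"host": host, "process": proc, "extension": top_ext,
                               "renames": len(q), "first_seen": q[0][0].isoformat()})
    return alerts


def _constructed_events():
    """Benign noise (a build tool renaming one file a minute) plus a burst in
    which one process renames 40 documents to '.locked' inside 20 seconds."""
    base = datetime(2021, 6, 14, 9, 0, 0)
    lines = []
    for i in range(30):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()}|ws-042|msbuild.exe|rename|C:/src/obj/file{i}.tmp.obj")
    for i in range(40):
        t = base + timedelta(minutes=10, seconds=i // 2)
        lines.append(f"{t.isoformat()}|ws-017|svchost_update.exe|rename|"
                     f"C:/Users/alice/Documents/report{i}.docx.locked")
    return sorted(lines)   # ISO timestamps sort chronologically as strings


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are the tuning knobs: the window and burst size decide how much ordinary activity is tolerated, and the extension ratio is what keeps a build or archive job, which renames to many different names, from firing. On real telemetry the same logic applies unchanged to any source that records rename events with a process name.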

What can be done

Is stopping ransomware just a case of shifting from detection to prevention?

Sergei Serduyk, VP of product management, Nakivo: Yes. In the case of ransomware, an ounce of prevention is worth infinitely more than a pound of cure, which often comes in the form of a ransom. Rather than paying an exorbitant ransom, organisations should engage in comprehensive ransomware protection. This includes the use of multi-factor authentication (MFA), firewalls, intrusion prevention systems (IPS), endpoint detection and response (EDR) systems and employee education. Just as important, if not more so, is backing up critical data to ensure seamless recovery after a ransomware attack.

Candid Wüest, VP cyber protection research, Acronis: Detection and prevention are both important parts of defending against ransomware. As the ransomware operators continue to improve their platforms, it will become more important to focus on attack prevention, while not losing focus on detection of anything that might get past our initial defences. The harder it is to attack our systems, the less profitable it will be for cyber criminals, reducing their incentive to attack.

Mark Raeburn, managing director at Context, part of Accenture Security: There is a certain inevitability to ransomware and none of us can afford to be complacent. But there are some practical steps we can take to improve the outcome. Properly test and test again. Many companies will believe they are well equipped to prevent ransomware but testing your defences is the best way to find out. Manage the problem and have a plan. For example, segregate the data that you care about, compartmentalise where you can and harden your network. These aren’t new approaches, but it’s important to get the basics right.
Being held to ransom is scary — I’ve known business leaders who have had physical threats of violence as well as the threat of releasing the stolen company data. But with the right preparation and testing, there’s a much better chance of being able to maintain business continuity without paying the ransom.

Raj Samani, chief scientist and McAfee fellow: Despite efforts to mitigate the risks, ransomware is not going away anytime soon. The tactic is too profitable and effective for cybercriminals. There are, however, ways to cut down the number of successful ransomware – or digital extortion – attacks. For example, organisations should follow basic cyber hygiene best practice. One of the key concepts to consider is that prevention is better than a cure. With this in mind, organisations should recognise what ransomware attackers are targeting and secure them before attacks occur.

Beyond simply detecting attacks, businesses can use technology that can learn from previous breaches to help prioritise threats, predict the types of campaigns that will be launched against them, and pre-emptively improve their defensive countermeasures. To support this approach, they should also build an open, flexible architecture that can adapt as needed without the need for bolt-on security.

In this way, they can achieve complete data and enterprise protection capabilities, underpinned by a holistic, proactive and open security architecture. Adopting a Zero Trust mindset can also help businesses to maintain control over access to the network and all instances within it, such as applications and data, and restrict them if necessary.

Rory Duncan, GTM leader, security, NTT: Stopping ransomware is not simply a case of shifting from detection to prevention. In fact, for a business to become secure by design, both are equally important and should be executed as part of four, overarching steps: predict, prevent, detect and respond.

Prevention is, of course, fundamental for ensuring that your organisation has done everything possible to prepare for ransomware threats. Importantly, paying a ransom will not guarantee that your data will be recovered, so creating a robust back-up strategy will help you recover most, if not all files, in the event of a ransomware attack. What’s more, taking a Zero Trust approach to security is critical. The mass rise in remote working and distributed workforces over the last year has meant that businesses are struggling to define their network perimeters. In other words, traditional perimeter approaches to network security are not holding up and this has put organisations at a higher risk of being breached. By adopting the Zero Trust principle of “never trust, always verify” and implementing identity management and networking security controls, organisations can boost their network resiliency and address threats such as ransomware. Beyond this, introducing security awareness training should be a main component of every security programme, helping to reduce the risk of employees falling victim to ransomware via phishing emails, for example.

Even with all of this in place, however, ransomware attacks are constantly evolving and cybercriminals are savvy, stopping at nothing to penetrate an organisation’s defences. This is why having strong detection tools in place is equally as vital. Common detection methods such as anti-virus, IPS/IDS and sandboxing are all important for detecting known attack signatures. Meanwhile, new and unknown attacks require heuristics and anomaly-based detection such as behaviour modelling and machine learning. While these advanced, automated tools help organisations with huge volumes of data, human enrichment is still needed to pinpoint false positives and the needles in the haystack.

Taking a holistic, Zero Trust approach to security is crucial in every industry. In sectors where IT and OT environments are becoming increasingly connected, having an all-encompassing view when securing IT and OT networks is particularly important. As demonstrated with the recent Colonial Pipeline attack, the potential for a ransomware attack on IT systems to cross over into an organisation’s OT environment is a very real possibility. While it appears that Colonial was able to stop the spread of malware to the OT side, organisations should take this as a lesson and apply the same monitoring and Zero Trust architectures to OT systems as they do to IT environments.