This post was written with contributions from Andrew Gorecki, Camille Singleton and Charles DeBeck.

May and June bring warm weather, backyard barbecues and, in recent years, an uptick in ransomware attacks. Why?

“It’s possible workers are distracted because the sun is out and kids are out of school,” said Charles DeBeck, a former senior strategic analyst with IBM Security X-Force. Experts like DeBeck monitor attacks to determine if the uptick becomes an established seasonal pattern.

Ransomware is a severe threat, no matter the season. For over three years, ransomware has been the most prevalent cybersecurity attack type, as the IBM Security X-Force Threat Intelligence Index 2022 notes. The average cost of a ransomware breach is $4.62 million, including lost revenue and response expenses, according to the Cost of a Data Breach Report. That sum excludes the ransom itself, which can run into the millions.

While it’s critical to focus on prevention, companies also need to strategize in advance for a possible attack.

“A lot of organizations have response plans, but there’s great variance in the quality of these plans and whether they’ve been properly tested,” said DeBeck. Reacting quickly and decisively to an attack can make a vast difference in how much damage is done.

This year’s Threat Intelligence Index breaks down five critical steps in an effective ransomware response plan. We asked three experts from IBM Security for more details on what preparations should include.

Step one: Checklist of urgent action items

The most effective response plan includes a list of steps to take right away in a crisis. Develop a step-by-step playbook of tasks to contain an attack, such as isolating hardware and shutting down services. Include steps to contact management and law enforcement, such as the FBI.

“Cyberattacks are often conducted by organized cyber crime and nation-state sponsored threat actors. For this reason, it’s important to notify law enforcement about a crime against your organization,” said Andrew Gorecki, global remediation lead for X-Force.

“The intelligence victim organizations share with law enforcement and government agencies is imperative to helping fight cyber crime and strengthening collaboration between private and public sector organizations,” he added.

Containing an attack quickly is key. Assuming that the attack has already encrypted your data, it’s essential to have a plan to restore data from backups safely. The longer you wait, the larger the impact will be on operations. Back up data frequently and test restoration procedures often.

Step two: Assume data theft and data leakage

Ransomware attacks used to be fairly simple. The attacker rendered your data useless through encryption, then promised to hand over a decryption key if you paid up. Today’s attackers aim to improve their payout amounts by threatening to leak stolen data, such as:

  • Sensitive material that business rivals can use
  • Confidential messages that can embarrass executives or tarnish the company’s good name
  • Protected data, such as customers’ credit card information, which could result in legal liability or regulatory fines if leaked.

“Ransomware attackers have found that this kind of ‘double extortion’ tactic is extraordinarily effective, and we see it in almost every attack now,” said Camille Singleton, manager of the X-Force Cyber Range Tech Team.

The problem can worsen if your company holds data that belongs to someone else, like a business partner.

“Attackers know that if they steal data that belongs to a different organization than the one they’re attacking, that gives them added leverage,” said Singleton. Pressure from the victim’s partners and the threat of breaching a contract raises the stakes.

Step three: Prepare for cloud-related attacks

Knowing that enterprises rely more and more on cloud environments, attackers develop specific tools that are purpose-built to exploit common cloud-based operating systems and application programming interfaces. Nearly a quarter of security incidents stem from threat actors pivoting into the cloud from on-premises networks, according to the Threat Intelligence Index.

In fact, attackers today are focusing their attacks on cloud environments with new versions of Linux-based ransomware. About 14% of Linux ransomware in 2021 comprised new code, according to an analysis by X-Force Threat Intelligence partner Intezer.

Enterprises need to strengthen cloud-based systems and ensure passwords comply with policies. A zero trust approach — which assumes a breach has happened and uses network verification measures to thwart attackers’ internal movements — makes it more difficult for cloud attackers to gain a foothold.

Step four: Stay updated on best backup practices

Traditional backups to old-school tape drives, a possible line of defense against ransomware, can be very slow due to their mechanical nature. Tapes also wear out, which can increase the risk of data loss.

Gorecki recommends rethinking how to approach cyber recovery. Disaster recovery (DR) strategies are not effective in ransomware recovery. Instead, consider creating logically air-gapped snapshots of primary storage, providing immutable, incorruptible data copies. Modern, effective cyber vault solutions offer validation and verification of data. This new backup approach lets victims recover more quickly from ransomware attacks.
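Both the advice in step one to test restoration procedures often and the "validation and verification of data" mentioned above come down to one check: does what you restore match what you backed up? The script below is an added illustration, not code from the post or from IBM, and it assumes a SHA-256 manifest is recorded at backup time and kept with the immutable snapshot; the tampered restore set it checks is constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root at backup time.
    Assumption: the manifest is stored with the air-gapped snapshot."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest and report files that are
    missing, modified (e.g. encrypted before the snapshot was taken) or
    unexpected (e.g. a note dropped into the data set)."""
    result = {"missing": [], "modified": [], "unexpected": []}
    seen = set()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            result["unexpected"].append(rel)
        elif hashlib.sha256(path.read_bytes()).hexdigest() != manifest[rel]:
            result["modified"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def demo() -> dict:
    """Constructed drill: back up two files, then verify a restore set in which
    one file was altered and an extra file appeared. Both must be flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "primary"
        (data / "db").mkdir(parents=True)
        (data / "db" / "orders.csv").write_text("id,total\n1,42\n")
        (data / "README.txt").write_text("constructed sample data\n")
        manifest = build_manifest(data)
        # Simulate a bad restore: one file overwritten, one unexpected file.
        (data / "db" / "orders.csv").write_bytes(b"\x00constructed-garbage")
        (data / "EXTRA.txt").write_text("constructed unexpected file\n")
        return verify_restore(data, manifest)
```

A restore drill that reports anything other than three empty lists is a failed test, and that is exactly the finding you want before an incident rather than during one.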

Step five: Decide whether to pay a ransom

It’s commonly said — and law enforcement agrees — that organizations should never pay a ransom. Yet, some victims do pay, especially if lives are at risk, such as in a hospital setting, or if extensive system downtime threatens the viability of the business. Every organization should run through practice drills to consider what they’d do in tough scenarios.

Businesses need to weigh the following elements before paying a ransom:

  • The value of the data lost
  • The potential fallout from a data leak
  • The quality of backups
  • The expediency of restoring backups.

Paying a ransom doesn’t guarantee you’ll get your data back or that encrypted data can be restored without corruption. Even if things go according to plan, decryption can be a lengthy process. One company that paid millions of dollars in ransom to attackers in 2021 reportedly decided to restore its data from its own backups anyway. The attackers’ decryption tool was too slow.

“Whether or not you pay is ultimately a business decision,” Gorecki said. “Will paying prevent damage to your brand or help you recover more quickly? If you can quantify the potential damage in financial terms, you can compare that to the price of the ransom.”

A final note: protecting yourself from ransomware is a long game that requires constant attention to both your infrastructure and industry trends. Attackers’ tools and tactics will keep evolving, and companies need to meet the challenge. Regardless of whether ransomware attacks pick up, as they have in recent years, now is always the right time to plan ahead.
