Protecting your brand in the digital age is fraught with challenges. Ransomware and other targeted attacks have been increasing in both frequency and complexity. Researchers discover new vulnerabilities daily while cybercriminals continuously exploit older, known vulnerabilities in new ways.

Addressing the polymorphic nature of these threats requires a coordinated approach and a strategy aimed at prevention, detection and response. You must leverage the skills and tools within your organization, draw on the widest range of available security intelligence, and act at scale in proportion to the severity of a given threat.

The U.S. Computer Emergency Readiness Team (US-CERT) estimated that, on average, more than 4,000 ransomware attacks occurred per day from Jan. 1, 2016, a 300 percent increase over the roughly 1,000 attacks per day seen in 2015.

How Ransomware Attacks Work

Locky, for example, follows a pattern of operation shared by many other ransomware families. Its chain of operation proceeds as follows:

  1. Delivery and distribution: Locky is spammed out in an email posing as an invoice that requests the recipient’s immediate attention.
  2. Payload detonation: The attachment is the dropper. In Locky’s early campaigns it was a Word document whose macro, once the user enabled content, downloaded and ran the Locky Windows executable; later campaigns used scripted attachments (such as JavaScript inside a zip archive) to the same end. Whether execution happens as soon as the attachment is opened or only after a further user or system action depends on the variant.
  3. External command-and-control (C&C): Locky contacts an external C&C server, registers the infected host and receives a per-victim RSA public key. Files are encrypted with AES, and each file key is then wrapped with that RSA key, so only the attacker, who holds the matching private key, can recover them. Early Locky builds would not encrypt until this exchange succeeded; builds from mid-2016 onward can fall back to an embedded key and encrypt offline.
  4. Identification and encryption: Locky enumerates local, removable and network drives, including shares that are not mapped to a drive letter, and encrypts well over 100 file types, renaming each encrypted file (with the .locky extension in the original build, other extensions in later variants). It does not self-propagate; it reaches other systems by encrypting whatever the victim’s account can write to.
  5. Demand and collect ransom: After encrypting these files, Locky replaces the desktop wallpaper with a ransom note and drops recovery instructions in the affected folders. The instructions lead to a Tor-hosted payment page requesting bitcoin in exchange for the decryption key.
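Steps 3 and 4 above are what a defender can actually observe on the endpoint: one process rewriting and renaming many files to a single new extension in a few seconds, a pattern no user-driven application sustains. The following is an added example, not code from the original article or from any IBM product. It runs a sliding-window detector over a small set of constructed file-activity log lines (the pipe-delimited format, the process names and the paths are all invented for illustration) and flags the process whose renames look like bulk encryption while leaving a legitimate backup rotation alone.

```python
"""Rate-based ransomware detection over endpoint file-activity events (added example).

Flags a process that renames many files to one new extension inside a short
window. Log format and sample events are constructed for this example; they
are not taken from any real telemetry source or product.
"""
from collections import defaultdict, deque
import os

# Constructed log lines: epoch_seconds|process|action|path[|new_path]
SAMPLE_LOG = """\
1000|winword.exe|write|C:\\Users\\a\\Documents\\invoice.docx
1001|explorer.exe|rename|C:\\Users\\a\\Downloads\\draft.txt|C:\\Users\\a\\Downloads\\final.txt
1002|svchost.exe|write|C:\\Windows\\Temp\\x.tmp
1005|ladybi.exe|rename|C:\\Users\\a\\Documents\\report.docx|C:\\Users\\a\\Documents\\A1B2.locky
1005|ladybi.exe|rename|C:\\Users\\a\\Documents\\budget.xlsx|C:\\Users\\a\\Documents\\C3D4.locky
1006|ladybi.exe|rename|C:\\Users\\a\\Pictures\\cat.jpg|C:\\Users\\a\\Pictures\\E5F6.locky
1006|ladybi.exe|rename|Z:\\Shares\\finance\\q1.pdf|Z:\\Shares\\finance\\A7B8.locky
1007|ladybi.exe|rename|Z:\\Shares\\finance\\q2.pdf|Z:\\Shares\\finance\\C9D0.locky
1008|ladybi.exe|write|C:\\Users\\a\\Documents\\_Locky_recover_instructions.txt
1020|backup.exe|rename|D:\\Backups\\db.bak|D:\\Backups\\db.bak.1
1021|backup.exe|rename|D:\\Backups\\log.bak|D:\\Backups\\log.bak.1
"""

WINDOW_SECONDS = 10    # sliding window, per process
RENAME_THRESHOLD = 5   # extension-changing renames inside the window that trip an alert
DOMINANT_SHARE = 0.8   # fraction of those renames that must land on one new extension


def ext_of(path):
    """Lower-cased extension of a Windows or POSIX path ('' if none)."""
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def parse_events(text):
    """Parse the constructed log format into (ts, process, action, path, new_path)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        ts, proc, action, path = int(parts[0]), parts[1], parts[2], parts[3]
        new_path = parts[4] if len(parts) > 4 else None
        events.append((ts, proc, action, path, new_path))
    return events


def detect_mass_rename(events, window=WINDOW_SECONDS,
                       threshold=RENAME_THRESHOLD, share=DOMINANT_SHARE):
    """Return {process: new_extension} for processes doing bulk extension-changing renames.

    Only renames that change the extension count; a document renamed but keeping
    its type is normal user activity. A legitimate rotation (.bak -> .bak.1) is
    ignored as long as it stays under the threshold inside the window.
    """
    recent = defaultdict(deque)   # process -> deque of (ts, new_ext) within the window
    alerts = {}
    for ts, proc, action, path, new_path in sorted(events, key=lambda e: e[0]):
        if action != "rename" or new_path is None:
            continue
        old_ext, new_ext = ext_of(path), ext_of(new_path)
        if old_ext == new_ext:
            continue
        q = recent[proc]
        q.append((ts, new_ext))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            counts = defaultdict(int)
            for _, e in q:
                counts[e] += 1
            top_ext, top_n = max(counts.items(), key=lambda kv: kv[1])
            if top_n / len(q) >= share:
                alerts[proc] = top_ext
    return alerts


if __name__ == "__main__":
    for proc, ext in detect_mass_rename(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {proc} bulk-renaming files to {ext}; isolate host and kill process")
```

The thresholds are the tuning knobs: too low and the backup rotation at the end of the sample also fires, too high and a slow encryptor slips under the window. In production this logic sits on EDR file-event telemetry and the alert feeds the SIEM and response platform described later, with the offending process and host as context.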

Threat Response

Many users, feeling that they are without recourse, are compelled to pay the ransom. In other cases, victims may choose to forgo their locked files and write them off as corrupted or otherwise lost.

Report and respond to malware as soon as it is discovered. Ransomware can lie dormant, persist in the environment and reach further systems even after the initial infection appears contained, so doing nothing or giving up is not an option. Root out the compromise completely and take the appropriate escalation and reporting steps. Protection and detection alone are not enough; you must also have a well-formulated response.

With a security operations and response program in place, organizations are able to integrate the various sources of security intelligence and make pertinent decisions, understand the trade-offs and respond with precision. This enables the chief information security officer (CISO) to programmatically take the actionable data and form responses that are in line with industry best practices and the company’s stated policies. Armed with intelligence and analytics, the CISO can execute the most appropriate and effective response.

Protecting Your Brand With Security Intelligence

Effectively protecting and defending against ransomware requires an orchestrated effort. As with most complex problems, there are no simple guarantees. There are, however, a number of important measures and best practices that organizations can put in place to defend against ransomware. These include:

  1. Robust user training: Users need to be trained, and retrained. There are few shortcuts here. Users must understand their role in data loss prevention, how they can avoid phishing and ransomware attacks, and how to identify and report social engineering attempts.
  2. A disciplined backup and restore regime: Back up files regularly, verify the integrity of the backups and test the restoration procedure to prove it works before you need it. Keep at least one copy offline or otherwise unreachable from the systems it protects: ransomware encrypts any backup the infected account can write to, so a backup drive that stays permanently connected is just another target.
  3. Prevention and detection at the endpoints, perimeter and cloud: Locky exhibits malicious behavior that can be identified and blocked at the endpoint, such as a single process rewriting and renaming files at a rate no user-driven application sustains. Because early Locky builds depended on external C&C servers before they would encrypt, known malicious domains, ranges and suspect IPs can be identified and blocked on the network, stopping the lock before the key exchange happens. Treat this as one layer rather than a guarantee: later builds encrypt offline when C&C is unreachable, so endpoint controls must hold on their own.
  4. Vulnerability management, including patching and fixing: It is critical to identify known application and software flaws within the environment. The best vulnerability management programs include network and application scanning to discover potential vulnerabilities, the ability to prioritize by risk, and the means to expedite remediation by fixing vulnerabilities, applying patches across all endpoints and further securing the environment against future compromise.
  5. Security intelligence and analytics: With an enterprise security information and event management (SIEM) platform, organizations are able to apply security intelligence across their enterprise. A SIEM enables IT professionals to conduct context-, behavior- and time-based analytics over the widest range of data and focus their efforts on the threats and responses that matter most. Once identified, incidents can be forwarded, with their contextual data, to your incident response team for further analysis and remediation.
  6. An incident response platform: Predefined response plans, established runbooks and guided response steps are critical to expediting the containment and removal of threats. An incident response platform provides a single hub for organizing and orchestrating response activities. Action plans and an expert knowledge base can lead your team through the most effective response while allowing for customization to your standard operating procedures.
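Item 2 asks you to verify backup integrity and test restores; a restore that silently brings back encrypted or missing files defeats the purpose. The following is an added example, not code from the original article or from any IBM product. It records a SHA-256 manifest of a source tree at backup time and later compares a restored tree against it, reporting modified, missing and unexpected files. The directory layout, file contents and the simulated damage are constructed in a temporary directory for illustration; in a real regime the manifest is stored with the offline copy, not on the host being protected.

```python
"""Backup integrity manifest and restore verification (added example).

build_manifest() records a SHA-256 digest per file; verify_restore() compares a
restored tree against that manifest. The sample tree and the simulated
ransomware damage below are constructed in a temp directory for this example.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's root-relative path (forward slashes) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, root):
    """Compare a restored tree to the manifest taken at backup time.

    Returns sorted lists: 'ok', 'modified' (digest differs), 'missing'
    (in manifest, not on disk) and 'unexpected' (on disk, not in manifest).
    Unexpected files matter: a ransomware-renamed copy shows up here.
    """
    restored = build_manifest(root)
    ok = sorted(p for p in manifest if restored.get(p) == manifest[p])
    modified = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in restored)
    unexpected = sorted(p for p in restored if p not in manifest)
    return {"ok": ok, "modified": modified, "missing": missing, "unexpected": unexpected}


def demo():
    """Constructed scenario: back up three files, damage the restore target, verify."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "source")
        os.makedirs(os.path.join(src, "sub"))
        for rel, data in [("a.txt", b"ledger 2016"), ("sub/b.txt", b"payroll"), ("c.txt", b"policy")]:
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)            # taken at backup time, kept offline

        restore = os.path.join(work, "restore")
        shutil.copytree(src, restore)             # stand-in for the restore job
        # Simulate a Locky-style infection reaching the restore target:
        with open(os.path.join(restore, "a.txt"), "wb") as f:
            f.write(b"\x00encrypted\x00")         # content replaced in place
        os.rename(os.path.join(restore, "sub", "b.txt"),
                  os.path.join(restore, "sub", "F00DBABE.locky"))  # renamed away
        return verify_restore(manifest, restore)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

Run the check against every restore drill, not just after an incident: a manifest that was itself written to the same share as the data will be encrypted alongside it, which is why item 2 insists on a copy the protected systems cannot reach.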

Unlocking the Power of Your Defenses

You can combat ransomware. Protecting your environment requires a coordinated and organized effort. Armed with the right tools, processes and skills, you can protect and defend your brand, even in this era of escalating attacks.
