This post was written with contributions from Andrew Gorecki, Camille Singleton and Charles DeBeck.

May and June bring warm weather, backyard barbecues and, in recent years, an uptick in ransomware attacks. Why?

“It’s possible workers are distracted because the sun is out and kids are out of school,” said Charles DeBeck, a former senior strategic analyst with IBM Security X-Force. Experts like DeBeck monitor attacks to determine if the uptick becomes an established seasonal pattern.

Ransomware is a severe threat, no matter the season. For over three years, ransomware has been the most prevalent cybersecurity attack type, as the IBM Security X-Force Threat Intelligence Index 2022 notes. The average cost of a ransomware breach is $4.62 million, including lost revenue and response expenses, according to the Cost of a Data Breach Report. That sum excludes the ransom itself, which can run into the millions.

While it’s critical to focus on prevention, companies also need to strategize in advance for a possible attack.

“A lot of organizations have response plans, but there’s great variance in the quality of these plans and whether they’ve been properly tested,” said DeBeck. Reacting quickly and decisively to an attack can make a vast difference in how much damage is done.

This year’s Threat Intelligence Index breaks down five critical steps in an effective ransomware response plan. We asked three experts from IBM Security for more details on what preparations should include.

Step One: Checklist of Urgent Action Items

The most effective response plan includes a list of steps to take right away in a crisis. Develop a step-by-step playbook of tasks to contain an attack, such as isolating hardware and shutting down services. Include steps to contact management and law enforcement, such as the FBI.

“Cyberattacks are often conducted by organized cyber crime and nation-state sponsored threat actors. For this reason, it’s important to notify law enforcement about a crime against your organization,” said Andrew Gorecki, global remediation lead for X-Force.

“The intelligence victim organizations share with law enforcement and government agencies is imperative to helping fight cyber crime and strengthening collaboration between private and public sector organizations,” he added.

Containing an attack quickly is key. Assuming that the attack has already encrypted your data, it’s essential to have a plan to restore data from backups safely. The longer you wait, the larger the impact will be on operations. Back up data frequently and test restoration procedures often.

Step Two: Assume Data Theft and Data Leakage

Ransomware attacks used to be fairly simple. The attacker rendered your data useless through encryption, then promised to hand over a decryption key if you paid up. Today’s attackers aim to improve their payout amounts by threatening to leak stolen data, such as:

  • Sensitive material that business rivals can use
  • Confidential messages that can embarrass executives or tarnish the company’s good name
  • Protected data, such as customers’ credit card information, which could result in legal liability or regulatory fines if leaked.

“Ransomware attackers have found that this kind of ‘double extortion’ tactic is extraordinarily effective, and we see it in almost every attack now,” said Camille Singleton, manager of the X-Force Cyber Range Tech Team.

The problem can worsen if your company holds data that belongs to someone else, like a business partner.

“Attackers know that if they steal data that belongs to a different organization than the one they’re attacking, that gives them added leverage,” said Singleton. Pressure from the victim’s partners and the threat of breaching a contract raises the stakes.

Step Three: Prepare for Cloud-Related Attacks

Knowing that enterprises rely more and more on cloud environments, attackers develop tools purpose-built to exploit common cloud-based operating systems and application programming interfaces. Nearly a quarter of security incidents stem from threat actors pivoting into the cloud from on-premises networks, according to the Threat Intelligence Index.

In fact, attackers today are focusing their attacks on cloud environments with new versions of Linux-based ransomware. About 14% of Linux ransomware in 2021 comprised new code, according to an analysis by X-Force Threat Intelligence partner Intezer.

Enterprises need to strengthen cloud-based systems and ensure passwords comply with policies. A zero trust approach — which assumes a breach has happened and uses network verification measures to thwart attackers’ internal movements — makes it more difficult for cloud attackers to gain a foothold.

Step Four: Stay Updated on Best Backup Practices

Traditional backups to old-school tape drives, a possible line of defense against ransomware, can be very slow due to their mechanical nature. Tapes also wear out, which can increase the risk of data loss.

Gorecki recommends rethinking the approach to cyber recovery. Disaster recovery (DR) strategies are not effective for ransomware recovery. Instead, consider creating logically air-gapped snapshots of primary storage that provide immutable, incorruptible data copies. Modern cyber vault solutions also offer validation and verification of the data. This backup approach lets victims recover from ransomware attacks more quickly.
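The "validation and verification" of a snapshot that this step describes, and the "test restoration procedures often" advice in Step One, both rest on the same basic check: record a cryptographic digest of every file when the snapshot is taken, and compare the copy against that record before trusting it for a restore. The script below is an added illustration of that check, not code from IBM or X-Force. It assumes an ordinary file tree on disk; the `primary` and `snapshot` directories, the file names and the simulated overwrite are all constructed for the demonstration.

```python
"""Manifest-based backup verification (added example, not IBM/X-Force code).

A manifest maps each file's relative path to its SHA-256 digest. Verifying a
copy against the manifest reveals files that were modified, removed or added
since the snapshot was taken, which is exactly what a ransomware event does
to live storage and what an intact, immutable snapshot must not show.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk `root` and record a digest for every regular file, keyed by relative path."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_snapshot(root: Path, manifest: dict) -> dict:
    """Compare the tree under `root` with a manifest taken earlier.

    Returns sorted lists of modified, missing and unexpected paths; all three
    empty means the copy matches the manifest and is safe to restore from.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, then simulate a ransomware
    event on the live copy. The live copy fails verification; the snapshot passes."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"      # hypothetical live storage
        snapshot = Path(tmp) / "snapshot"    # hypothetical air-gapped copy
        (primary / "db").mkdir(parents=True)
        (primary / "db" / "customers.csv").write_text("id,name\n1,alice\n")
        (primary / "config.yaml").write_text("mode: prod\n")

        # Snapshot taken at backup time, with its manifest stored alongside it.
        shutil.copytree(primary, snapshot)
        manifest = build_manifest(snapshot)

        # Simulated encryption of one file plus a dropped file on live storage
        # (constructed; random bytes stand in for ciphertext).
        (primary / "db" / "customers.csv").write_bytes(os.urandom(32))
        (primary / "README_RESTORE.txt").write_text("constructed placeholder\n")

        return {
            "primary": verify_snapshot(primary, manifest),
            "snapshot": verify_snapshot(snapshot, manifest),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the restore test regularly means running `verify_snapshot` against the copy you would actually restore from, not just against the manifest you wrote at backup time; the manifest itself should live with the immutable copy so that an attacker on the primary network cannot rewrite it.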

Step Five: Decide Whether to Pay a Ransom

It’s commonly said — and law enforcement agrees — that organizations should never pay a ransom. Yet, some victims do pay, especially if lives are at risk, such as in a hospital setting, or if extensive system downtime threatens the viability of the business. Every organization should run through practice drills to consider what they’d do in tough scenarios.

Businesses need to weigh the following elements before paying a ransom:

  • The value of the data lost
  • The potential fallout from a data leak
  • The quality of backups
  • The expediency of restoring backups.

Paying a ransom doesn’t guarantee you’ll get your data back or that encrypted data can be restored without corruption. Even if things go according to plan, decryption can be a lengthy process. One company that paid millions of dollars in ransom to attackers in 2021 reportedly decided to restore its data from its own backups anyway. The attackers’ decryption tool was too slow.

“Whether or not you pay is ultimately a business decision,” Gorecki said. “Will paying prevent damage to your brand or help you recover more quickly? If you can quantify the potential damage in financial terms, you can compare that to the price of the ransom.”

A final note: protecting yourself from ransomware is a long game that requires constant attention to both your infrastructure and industry trends. Attackers’ tools and tactics will keep evolving, and companies need to meet the challenge. Regardless of whether ransomware attacks pick up, as they have in recent years, now is always the right time to plan ahead.
