Ransomware attacks continue to plague organizations, and they are getting ever more sophisticated through tactics such as double and multi-extortion, the use of artificial intelligence to craft more refined attacks, and the growth of the ransomware-as-a-service model.
CISOs and CSOs need to make it a priority to create a playbook for their organizations to better defend against such attacks.
It’s clear that ransomware remains a big cybersecurity threat. Security firm CrowdStrike, in its new State of Ransomware Survey, notes that ransomware readiness is lagging as cyber criminals “use AI across the attack chain to accelerate intrusion, encryption, and extortion.”
The report, based on a global survey of 1,100 IT and cybersecurity decision-makers, shows that 76% of organizations are struggling to match the speed and sophistication of AI-assisted attacks. About half of the respondents cite AI-enabled attack chains as today’s greatest ransomware threat, and 85% say traditional detection is becoming obsolete against AI-enhanced attacks.
“When it comes to ransomware, most companies are still treating it like a distant threat until it hits. Then it’s chaos,” says Trevor Horwitz, CISO at security company TrustNet. “A good ransomware playbook isn’t just documentation. It’s muscle memory. You have to train like you fight.”
Here are some key elements to consider for an effective ransomware approach.
Planning and tabletops: Preparedness begins with practice
Any organization that doesn’t have a cohesive plan in place for how to handle ransomware threats is asking for trouble. Planning an overall strategy — encompassing tools, processes, and people — is vital for maintaining business continuity and minimizing financial losses.
Without a plan in place, enterprises risk launching a disorganized and ineffective response to attacks, which can result in lost data, significant systems downtime, compliance issues, and damaged brand or reputation.
A key component of the planning process is to conduct cybersecurity tabletop exercises to simulate how teams would conduct themselves during an actual ransomware attack. This enables organizations to test and improve their incident response plan in a no-risk environment, with a focus on decision-making, communication, and establishing clear-cut roles.
“Tabletop exercises are where everything starts,” Horwitz says. “If your executive team hasn’t sat in a room and worked through a simulated ransomware attack, start there. You don’t want to be figuring out who has the authority to pay a ransom or issue a public statement in the middle of an actual breach. You want to know how fast legal, IT, and [communications] can work together. The pressure is intense, and the decisions come fast. So the playbook should guide those decisions, not just sit on a shelf.”
These exercises enable enterprises to “create and maintain a ransomware-specific incident response playbook that defines roles, containment processes, forensic collection procedures, and communications templates,” says John Otte, senior security consultant at technology consulting firm Resultant.
“Perform realistic tabletop exercises with legal, communications, IT, and executive stakeholders, at a minimum annually, to test decision-making,” Otte says.
Tabletop exercises need to simulate real business disruption scenarios, not just technical failures, says George Gerchow, CSO at security firm Bedrock and faculty member at IANS Research, a research and advisory firm. “Effective ransomware preparedness begins with practice, not panic,” he says. “The most valuable sessions include leaders from operations, legal, finance, HR, and communications, because these teams face the toughest decisions under pressure.”
Staffing, skills, and training
Many organizations continue to find that cybersecurity experts are in short supply, so staffing up teams is a challenge. That can be problematic for a ransomware strategy. Companies need to have a variety of skills in place, including expertise in incident detection and prevention, incident response, firewall configuration, and other areas.
They also need to be equipped to train all employees in how to help prevent ransomware attacks. This includes teaching them how to recognize, deal with, and report threats such as phishing emails, suspicious links, and questionable attachments.
“On the staffing side, you need people who know what they’re doing,” Horwitz says. “Not just cybersecurity folks, but people across legal, PR, and leadership. And not just headcount. You need readiness. A named incident commander. Someone with forensic skills. Someone who understands business risk and knows when to escalate.”
Organizations often invest in tools before investing in people, and that’s backwards, Gerchow says. “Resilience relies on cross-functional preparedness, where employees understand not just what to do but why it matters,” he says.
Enterprises need to hold role-appropriate security training for users, including business leaders, IT teams, finance, etc., on realistic threats such as social engineering and malicious attachments.
Business leaders should encourage ongoing training that connects cybersecurity risk to business continuity and reputation, Gerchow says. “It’s about building a culture where everyone, from the help desk to the boardroom, understands their role in maintaining operational integrity,” he says. “Regular awareness programs, role-specific response drills, and executive briefings help translate technical risks into business terms.”
Prevention steps
Enterprises can invest in a range of technology solutions for both protection against ransomware attacks and remediation following an incident. Ransomware prevention requires a layered approach that includes regular software updates and patching, effective data and systems backups, and other cybersecurity tools such as firewalls, multi-factor authentication (MFA), and antivirus software.
Patch management and vulnerability remediation are vitally important elements of ransomware defense, because ransomware attackers often exploit known security flaws — increasingly in security devices themselves. By addressing both areas, companies can proactively reduce the exposure that ransomware operators rely on.
“Maintain a prioritized and trackable patching program that keeps exploitable exposure to a minimum,” Otte says. “Couple automated deployment of patches with human verification of high-risk systems, and regularly run scans to identify drift or skipped patches.”
Endpoint detection and response (EDR), antivirus (AV) software, email security and phishing defenses, and identity and access management/MFA are also important pieces of any ransomware strategy, Otte says. “Use a modern EDR that contains behavior-based detection, rollback, and isolation capabilities rather than relying solely on signature AV,” he advises.
One of the main ways ransomware attackers carry out their missions is via email. “From an IT security standpoint, the No. 1 attack vector is an email system,” says Russ Ernst, CTO at Blancco, a provider of data erasure and mobile lifecycle diagnostics products. “Email security best practices must be implemented across the entire organization.”
Email security can include advanced phishing filters to prevent common ransomware delivery mechanisms, Otte says. Sophisticated access management can help minimize threats.
“Implement MFA anywhere you can, particularly for privileged accounts and remote access, and implement least-privilege principles to restrict opportunities to move laterally by attackers,” Otte says. “Keep admin credentials secured within a centrally managed secrets store, regularly rotate them, and don’t have shared local admin accounts. Insist on MFA before any privilege elevation. Track anomalous credential usage and apply detection against brute-force or lateral movement that employs privileged credentials.”
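To make the last two sentences of that advice concrete, here is an added Python example (not from the article or from any firm quoted in it) that applies two simple detection rules to constructed authentication events: repeated failures against a privileged account from one source, and one privileged account successfully reaching several hosts within a short window. The privileged-account list, the thresholds and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (timestamp, account, source IP, target host, outcome); not real logs.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "svc-backup", "10.0.5.20", "fs01", "FAIL"),
    ("2024-05-01T09:00:12", "svc-backup", "10.0.5.20", "fs01", "FAIL"),
    ("2024-05-01T09:00:25", "svc-backup", "10.0.5.20", "fs01", "FAIL"),
    ("2024-05-01T09:00:40", "svc-backup", "10.0.5.20", "fs01", "FAIL"),
    ("2024-05-01T09:01:03", "svc-backup", "10.0.5.20", "fs01", "FAIL"),
    ("2024-05-01T09:01:30", "svc-backup", "10.0.5.20", "fs01", "SUCCESS"),
    ("2024-05-01T10:15:00", "admin-jdoe", "10.0.9.7", "ws22", "SUCCESS"),
    ("2024-05-01T10:17:45", "admin-jdoe", "10.0.9.7", "fs01", "SUCCESS"),
    ("2024-05-01T10:21:10", "admin-jdoe", "10.0.9.7", "dc01", "SUCCESS"),
]
PRIVILEGED = {"svc-backup", "admin-jdoe"}               # assumed inventory of privileged accounts
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)    # brute-force rule: failures per (account, source)
HOST_THRESHOLD, HOST_WINDOW = 3, timedelta(minutes=10)   # lateral-movement rule: distinct hosts per account

def _ordered(events):
    """Parse timestamps and sort so the sliding windows below see events in time order."""
    return sorted((datetime.fromisoformat(ts), u, src, tgt, res) for ts, u, src, tgt, res in events)

def detect_brute_force(events):
    """Return (account, source) pairs with >= FAIL_THRESHOLD failures on a privileged account within FAIL_WINDOW."""
    alerts, fails = set(), defaultdict(list)
    for ts, user, src, _tgt, res in _ordered(events):
        if user not in PRIVILEGED or res != "FAIL":
            continue
        window = fails[(user, src)]
        window.append(ts)
        while ts - window[0] > FAIL_WINDOW:   # drop failures that fell out of the window
            window.pop(0)
        if len(window) >= FAIL_THRESHOLD:
            alerts.add((user, src))
    return alerts

def detect_lateral_movement(events):
    """Return privileged accounts that successfully reach >= HOST_THRESHOLD distinct hosts within HOST_WINDOW."""
    alerts, logins = set(), defaultdict(list)
    for ts, user, _src, tgt, res in _ordered(events):
        if user not in PRIVILEGED or res != "SUCCESS":
            continue
        window = logins[user]
        window.append((ts, tgt))
        while ts - window[0][0] > HOST_WINDOW:   # keep only recent logins for this account
            window.pop(0)
        if len({host for _, host in window}) >= HOST_THRESHOLD:
            alerts.add(user)
    return alerts
```

Both rules are intentionally narrow: a non-privileged account with the same pattern is not flagged here, which is the point of scoping detections to the credentials that matter most.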
Recovery and remediation
If a company experiences a ransomware attack, it needs to go into recovery and remediation mode as quickly as possible to minimize the damage. This includes recovering systems and data as well as repairing any damage affecting employees, customers, and the corporate brand.
“Create comprehensive recovery playbooks with system restore sequence prioritized and public communications strategies that target customers, regulators, and law enforcement,” Otte says. “Engage legal counsel, cyber insurance points of contact, and forensic responders in advance to make informed, timely, and notification requirement-appropriate determinations.”
When a ransomware attack happens, “the remediation needs to be fast but precise,” Horwitz says. “You have to isolate systems immediately. Stop the spread. Kill off the malware’s communication paths. Bring in forensics to figure out how they got in. Because if you don’t understand the entry point, restoring from backup might just reintroduce the threat.”
Enterprises need to verify their backups before using them, Horwitz says. “I’ve seen companies restore clean-looking data only to discover the malware had been sitting dormant for weeks,” he says.
They also need to ensure regular backup processes are in place, Ernst says. “It is important to regularly back up data and also to test these backups regularly,” he says. “Data that is regularly backed up in an offline environment will not be affected by a direct ransomware attack.”
Access to this stored data should help minimize downtime, Ernst says. “Backups also help you rebuild infrastructure if you choose to pay the ransom and get encryption keys — only to find your data has been corrupted and made unusable. If the organization understands how long it takes to rebuild from a backup, then it can infer the estimated downtime from a ransomware attack,” he says.
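As an added illustration of the backup advice above (example code, not from the article or from Blancco), the following Python drill backs up constructed sample files with a SHA-256 manifest, restores them to a scratch location rather than production, verifies every file against the manifest, flags files the manifest never recorded, and times the restore against an assumed recovery time objective. File names, contents and the RTO are all assumptions.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample files (not real data) as they looked at backup time.
SAMPLE_FILES = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'shipped');\n",
    "cfg/app.ini": b"[app]\nmode=prod\n",
}
RTO_SECONDS = 4 * 3600  # assumed recovery time objective for this system tier

def make_backup(files, dest):
    """Copy files into an offline-style backup directory; return a {path: sha256} manifest."""
    manifest = {}
    for rel, data in files.items():
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    return manifest

def restore_and_verify(backup, manifest, scratch):
    """Restore into scratch (never onto production) and check every file against the manifest."""
    start = time.monotonic()
    shutil.copytree(backup, scratch)
    elapsed = time.monotonic() - start  # measured restore time feeds the downtime estimate
    corrupt = [rel for rel, digest in manifest.items()
               if not (scratch / rel).is_file()
               or hashlib.sha256((scratch / rel).read_bytes()).hexdigest() != digest]
    restored = {p.relative_to(scratch).as_posix() for p in scratch.rglob("*") if p.is_file()}
    unexpected = sorted(restored - set(manifest))  # present in the backup but never recorded
    return {
        "ok": not corrupt and not unexpected,
        "corrupt_or_missing": corrupt,
        "unexpected_files": unexpected,
        "restore_seconds": elapsed,
        "within_rto": elapsed <= RTO_SECONDS,
    }

def run_drill(tamper=None):
    """Full drill: back up, optionally alter the backup after the manifest was taken, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, scratch = Path(tmp) / "backup", Path(tmp) / "scratch"
        manifest = make_backup(SAMPLE_FILES, backup)
        if tamper:  # simulate post-manifest changes: {relative path: new bytes}
            for rel, data in tamper.items():
                (backup / rel).parent.mkdir(parents=True, exist_ok=True)
                (backup / rel).write_bytes(data)
        return restore_and_verify(backup, manifest, scratch)
```

The manifest must be stored separately from the backup media it describes; otherwise whatever alters the backup can alter the manifest to match.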
Organizations that might consider negotiating with ransomware gangs on ransom payments should also keep on top of the latest advice and tactics.
The recovery process is not just technical, Horwitz says, but also reputational. “If customer trust is shaken, you have to rebuild that fast,” he says. “That means communicating clearly, owning what happened, and explaining what’s being done. Law enforcement has to be notified. Regulators too. And the lessons from that attack need to go right back into the playbook. What worked? What didn’t? Where did the team freeze up? That feedback loop is what strengthens your program.”
Having an effective internal and external ransomware communications plan is vital. “A ransomware attack communications strategy should be part of an organization’s general company playbook related to security breaches,” Ernst says. “It should spell out who must be informed — employees, customers, investors, other stakeholders — as well as how and when, what any communications will say, and who will do the communicating.”