Building ransomware resilience to avoid paying out


In January, the UK government proposed a ban on ransomware payments amid increasingly devastating attacks on organizations over the last few years.

Impacting the public sector and those operating critical national infrastructure (CNI), the proposed ransom payment ban aims to disrupt criminal operating models to help solve the growing problem of ransomware. The measures and penalties will be decided following a government consultation, which runs until April 2025.

Ransom payment bans aren’t a new concept. The latest proposals follow a global crackdown in 2023 after a coalition of 40 nations signed an agreement designed to stop digital extortionists.

While bans are a good idea in theory, experts have pointed out multiple issues with them in practice. Among the issues, banning payments can lead companies to cover up attacks. Others could be forced to halt services – which is simply not an option for key organizations such as hospitals and energy firms.

So, whatever the outcome of the consultation, it makes sense to minimize the impact in case you are attacked by ransomware. How can organizations build the resilience to be able to do this?

Proactive resilience

Resilience can help avoid a situation where there is no choice other than to pay the ransom. The proposed payment ban therefore places “an urgent responsibility” on businesses to “build resilience proactively”, says Axel Maisonneuve, technical education contributor at BSV Association. “The reality is clear: If paying is no longer an option, the only way to recover is through robust cybersecurity and backup strategies.”

At the same time, focusing on resilience is “essential” because it “directly undermines the business model of ransomware attackers”, says Sajeeb Lohani, senior director of cybersecurity at Bugcrowd. “By ensuring that organizations can withstand and quickly recover from an attack, the incentive for criminals to demand ransoms is significantly reduced.”

But firms should take into account that resiliency to a ransomware attack is more than just being able to recover effectively, says Emran Ali, associate director of cyber security at Bridewell. He emphasizes the importance of having the capabilities to prevent and detect problems in the first place.

“Investment in technology, employee awareness and best practices to ensure ransomware preparedness is critical. Organizations need to understand their capabilities when it comes to prevention, detection, response and recovery.”

As part of this, identifying and containing the spread of a potential attack is “critical” to reduce the impact of ransomware, says Ali. “Implementing network segmentation, deploying endpoint detection technologies and monitoring for anomalous activity allows you to detect and block ransomware before it can begin encrypting files.”
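The "monitoring for anomalous activity" that Ali describes can be made concrete. The following is an added example, not code from the article or from Bridewell: a small detector that reads file-activity events and flags the pattern ransomware leaves behind, namely one account rewriting or renaming many files across several directories within a short window, with an extension the organization does not normally use. The event format, the sample log, the extension allow-list and the thresholds (20 files, 3 directories, 60 seconds) are all constructed assumptions; a real deployment would tune them against its own file-server or EDR telemetry.

```python
"""Added example: flag ransomware-like bursts of file rewrites/renames.

Events are tab-separated lines "ISO-time<TAB>user<TAB>action<TAB>path"
(a constructed format standing in for file-server or EDR telemetry)."""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice edits one spreadsheet normally; a compromised
# account "bob" renames 40 documents in 40 seconds across three shares,
# giving each one an unfamiliar ".locked" extension.
SAMPLE_LOG = (
    "2025-03-01T09:00:01\talice\tWRITE\t/share/finance/q1.xlsx\n"
    "2025-03-01T09:02:10\talice\tWRITE\t/share/finance/q1.xlsx\n"
    "2025-03-01T09:05:00\talice\tRENAME\t/share/finance/q1-final.xlsx\n"
) + "".join(
    f"2025-03-01T09:30:{i:02d}\tbob\tRENAME\t/share/{d}/doc{i}.docx.locked\n"
    for i, d in enumerate(["hr", "finance", "legal", "hr", "finance"] * 8)
)

# Assumed tuning values: extensions the organisation normally writes, and the
# burst size that should never happen for a single account.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt"}
WINDOW = timedelta(seconds=60)
FILE_THRESHOLD = 20   # distinct files touched per user inside WINDOW
DIR_THRESHOLD = 3     # distinct directories touched per user inside WINDOW


def parse_event(line):
    ts, user, action, path = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), user, action, path


def unknown_extension(path):
    return os.path.splitext(path)[1].lower() not in KNOWN_EXTENSIONS


def detect(lines):
    """Return one alert per user whose burst crosses both thresholds.

    Each alert is a dict with the user, the time the threshold was crossed,
    and the distinct file and directory counts inside the sliding window."""
    windows = defaultdict(deque)   # user -> deque of (timestamp, path)
    alerted, alerts = set(), []
    for line in lines:
        ts, user, action, path = parse_event(line)
        # Only writes/renames to non-standard extensions count toward the burst.
        if action not in ("WRITE", "RENAME") or not unknown_extension(path):
            continue
        dq = windows[user]
        dq.append((ts, path))
        while dq and ts - dq[0][0] > WINDOW:   # drop events older than WINDOW
            dq.popleft()
        files = {p for _, p in dq}
        dirs = {os.path.dirname(p) for p in files}
        if (len(files) >= FILE_THRESHOLD and len(dirs) >= DIR_THRESHOLD
                and user not in alerted):
            alerted.add(user)
            alerts.append({"user": user, "time": ts.isoformat(),
                           "files": len(files), "dirs": len(dirs)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Requiring both a file count and a directory spread keeps a single user bulk-editing one folder from tripping the rule, while a real encryption run, which walks every reachable share, crosses both within seconds; the alert is what a SOC would feed into an automated response such as isolating the host or disabling the account.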

Assume a breach

It might not be possible to avoid ransomware hitting your organization, so a good principle to follow is to “assume a breach,” says Jeff Watkins, chief technology officer at CreateFuture. “Having appropriate cyber insurance is brilliant, but you should also have enough operational and financial resilience, with a war chest tucked away to cope with the expense of recovering from an attack.”

One key ingredient is regular and well-tested backups, Watkins says. “These should be executed in such a way that a ransomware attack could not overwrite them, which requires a mature approach to layered security and network design.”

When building resilience, firms also need to know about the ransomware groups of concern and understand the ransomware attack lifecycle, says Ali. He advises using threat intelligence and resources such as the MITRE ATT&CK framework. “This will help you to understand the adversaries, specific threat models and attack vectors to know how they can be targeted and what relevant controls can be implemented.”

Cybersecurity policies are “a good starting point” for building ransomware resilience, says Daniel Milnes, a partner at Forbes Solicitors. “The creation of a policy encourages scenario planning and due diligence that can pinpoint weak spots. Strategies and plans can then be put in place to reduce risks and the points of manipulation that cyber criminals and ransomware attacks prey on.”

The foundation of any decent cyber threat defense is an effective incident response strategy, adds Sarah Pearce, partner at global law firm Hunton. This should aim to identify incidents “at the earliest stage” and manage the effects to “limit or lessen operational and financial impact”, she says.

The guidelines should allow a business to recognize and respond to an incident, she says. “They should outline how to inform relevant stakeholders within the business and comply with legal notification requirements including to regulators, as well as how to identify remediation requirements.”

Preventing and mitigating attacks

Overall, preventing and mitigating the effect of ransomware attacks requires considering the basics of cybersecurity and data management, to be followed “consistently and thoroughly”, says Milnes. “Most attacks are through users clicking links or attachments, which can be addressed through perimeter email security and training.”

It’s also key to ensure access controls are “applied rigorously”, he adds. For example, not using two-factor authentication can leave firms wide open to attacks. “Policies must, at the very minimum, cover these basics and include processes for regularly testing defenses,” Milnes says.

This could include having a provision for simulating ransomware attacks, Milnes suggests. “This allows organizations to determine how effective their mitigation measures are, instead of waiting for a real attack to test their ransomware resilience.”

Whatever the consultation decides, a ransom payment ban could be coming to the UK – and to other countries across the globe. As the data-locking malware continues to proliferate, ensuring you have the right tools and policies in place can help build resilience to mitigate the risks.

This is especially important for the public sector, which holds vast amounts of information and records, making it a prime target for ransomware attacks, Milnes warns. “If you have procedures in place for regularly backing-up data, and secure options to safeguard the continued access and recovery of information and systems, it can lessen the threat of ransomware demands.”

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.