
Build Resilience Against Ransomware Attacks

Prevent ransomware incursions and defend against ransomware attacks.

  • Sophisticated ransomware attacks are on the rise and evolving quickly.
  • Executives want reassurance but are not ready to write a blank check. We need to provide targeted and justified improvements.
  • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in hours, which makes recovery a grueling challenge.

Our Advice

Critical Insight

  • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
  • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
  • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

Impact and Result

  • Conduct a thorough assessment of your current state; identify potential gaps and assess the possible outcomes of an attack.
  • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protections and detection to reduce your attack surface.
  • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

Build Resilience Against Ransomware Attacks Research & Tools

1. Build Resilience Against Ransomware Attacks

Use this step-by-step guide to assess your ransomware readiness and implement controls that will improve your ability to prevent incursions and defend against attacks.

2. Ransomware Resilience Assessment – Complete the ransomware resilience assessment and establish metrics.

Use these assessment tools to assess existing protection, detection, response, and recovery capabilities and identify potential improvements.

3. Threat Preparedness Workbook – Improve protection and detection capabilities.

Use this threat preparedness workbook to evaluate the threats and tactics in the ransomware kill chain using the MITRE ATT&CK framework and devise appropriate countermeasures.

4. Tabletop Planning Exercise and Example Results – Improve response and recovery capabilities with a tabletop exercise for your internal IT team.

Adapt this tabletop planning session template to plan and practice the response of your internal IT team to a ransomware scenario.

5. Ransomware Response Runbook and Workflow – Document ransomware response steps and key stakeholders.

Adapt these workflow and runbook templates to coordinate the actions of different stakeholders through each stage of the ransomware incident response process.

6. Extended Tabletop Exercise and Leadership Guide – Run a tabletop test to plan and practice the response of your leadership team.

Adapt this tabletop planning session template to plan leadership contributions to the ransomware response workflow. This second tabletop planning session will focus on communication strategy, business continuity plan, and deciding whether the organization should pay a ransom.

7. Ransomware Resilience Summary Presentation – Summarize status and next steps in an executive presentation.

Summarize your current state and present a prioritized project roadmap to improve ransomware resilience over time.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 9.5/10
Average $ Saved: $68,228
Average Days Saved: 24

Client – Experience – Impact – $ Saved – Days Saved

  • Columbia Mutual Insurance Company – Guided Implementation – 10/10 – $2,339 – 2
  • Toronto Community Housing Corporation – Guided Implementation – 9/10 – $23,500 – 9
  • AC Ocean Walk, LLC dba Ocean Casino Resort – Workshop – 9/10 – N/A – N/A
    "The only negative that comes to mind is I feel like going over the MITRE items could've been a bit more streamlined, but it's a small complaint, it..."
  • JSJ Corporation – Guided Implementation – 10/10 – $32,499 – 120
    "The best part is the expert guidance and support that goes along with the tools Infotech supplies. It has saved JSJ IT staff countless hours and h..."
  • The Goodyear Tire & Rubber Company – Guided Implementation – 8/10 – $129K – 9
    "Good knowledge."
  • Arizona Department of Revenue – Workshop – 10/10 – $7,799 – 47
    "The best parts of our experience were the time spent with team members and Andy gathering the tasks and items we need to do/prioritize/implement fo..."
  • Wonder Brands Inc. – Guided Implementation – 10/10 – $10,000 – 20
  • Lee County Clerk of Courts – Workshop – 9/10 – N/A – 105
    "Michel was a fantastic facilitator. He was able to keep everyone calm, while discussing sensitive issues. He was also able to lend his expertise an..."
  • Goodville Mutual – Guided Implementation – 7/10 – $11,699 – 10
  • Children's Hospital Colorado – Guided Implementation – 10/10 – $64,999 – 20
  • Halifax Port Authority – Guided Implementation – 10/10 – $47,500 – 50
    "Michel is a valued cybersecurity advisor for Board/Executive level and IT strategic and tactical operations. We very much appreciate Michel making ..."
  • Goodwill Industries of South Florida – Guided Implementation – 10/10 – $2,209 – 2
  • Celeros Flow Technology, LLC – Guided Implementation – 9/10 – $12,999 – 20
    "The templates and advice were easy to follow and complete. Good feedback on its use."
  • Utah Transit Authority – Workshop – 10/10 – $64,999 – 29
    "The Cyber Resiliency Workshop allowed us to measure our controls' maturity at this point and confirmed that the systems and processes we have been ..."
  • American University in Cairo – Guided Implementation – 9/10 – $123K – 5
    "Michel has excellent knowledge of the requested topic and provided me with great and valuable information to fill the gaps AUC has."
  • ISCO – Workshop – 10/10 – N/A – 35
    "Our advisor was well-versed and very polished in sharing his experience with us. While the blueprint alone was a good tool to give us direction, hi..."
  • Goodwill Industries of South Florida – Guided Implementation – 10/10 – $2,519 – 2
  • Continental Automotive Systems – Guided Implementation – 10/10 – $25,829 – 23
    "My estimates are a guess today."
  • AgHeritage Farm Credit Services d/b/a Insight Technology Unit (ITU) – Workshop – 9/10 – $10,000 – 10
    "Extremely beneficial."
  • County of Placer – Guided Implementation – 10/10 – $55,249 – 20
    "The analyst, Michel Hebert, has tremendous experience in the subject area (ransomware readiness/ransomware response playbook.) Working with him cat..."
  • Government of Nunavut – Guided Implementation – 10/10 – $1M – 50
    "Luck of planning"
  • Northern Ontario School of Medicine – Guided Implementation – 10/10 – $2,000 – 5
  • Eswatini Railway – Guided Implementation – 9/10 – $8,752 – 20
    "The SME is knowledgeable on the subject and was able to guide us on the maturity assessment and putting plans to close the gaps. We also reviewed..."
  • Guide Dogs for the Blind Inc. – Workshop – 10/10 – $20,159 – 10
    "Effective way to cover the topic in a concise amount of time, with clear and actionable follow up plans. It is hard to schedule for four consecutiv..."
  • Public Utilities Commission of Ohio – Guided Implementation – 9/10 – $34,649 – 10
    "The tools that InfoTech provided for creating a ransomware incident response plan were awesome. Getting John Annand to assist us with the tools an..."
  • Jamaica Civil Aviation Authority – Guided Implementation – 10/10 – $31,499 – 20
    "This process has managed to bring our small team closer together and helped to reduce the Voodoo fog associated with a structured Team response to..."
  • Aldridge Electric – Workshop – 10/10 – $62,999 – 20
  • Armed Forces Benefit Association – Workshop – 10/10 – $40,949 – 32
    "The process was streamlined and efficient. We liked the visual aspect of the process, the graphical representation of information. Inclusive of ..."
  • Unity Health Care – Guided Implementation – 10/10 – $62,999 – 10
    "No bad parts. Best parts were the fact that we were able to have a facilitated discussion with our MSP about security and create a much needed tool ..."
  • California Dental Association – Guided Implementation – 10/10 – $12,599 – 5


Workshop: Build Resilience Against Ransomware Attacks

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Ransomware Resilience

The Purpose

  • Set workshop goals, review ransomware trends and risk scenarios, and assess the organization’s resilience to ransomware attacks.

Key Benefits Achieved

  • Develop a solid understanding of the likelihood and impact of a ransomware attack on your organization.
  • Complete a current state assessment of key security controls in a ransomware context.

Activities and Outputs

  • 1.1 Review incidents, challenges, and project drivers. (Output: Workshop goals)
  • 1.2 Diagram critical systems and dependencies and build a risk scenario. (Output: Ransomware Risk Scenario)
  • 1.3 Assess ransomware resilience. (Output: Ransomware Resilience Assessment)

Module 2: Protect and Detect

The Purpose

  • Improve your capacity to protect your organization from ransomware and detect attacks along common vectors.

Key Benefits Achieved

  • Identify targeted countermeasures that improve protection and detection capabilities.

Activities and Outputs

  • 2.1 Assess ransomware threat preparedness.
  • 2.2 Determine the impact of ransomware techniques on your environment.
  • 2.3 Identify countermeasures to improve protection and detection capabilities.

Output of 2.1 to 2.3: Targeted ransomware countermeasures to improve protection and detection capabilities.

Module 3: Respond and Recover

The Purpose

  • Improve your organization’s capacity to respond to ransomware attacks and recover effectively.

Key Benefits Achieved

  • Build response and recovery capabilities that reduce the potential business disruption of successful ransomware attacks.

Activities and Outputs

  • 3.1 Review the workflow and runbook templates. (Output: Security Incident Response Plan Assessment)
  • 3.2 Update/define your threat escalation protocol.
  • 3.3 Define scenarios for a range of incidents.
  • 3.4 Run a tabletop planning exercise (IT). (Output: Tabletop Planning Session (IT))
  • 3.5 Update your ransomware response runbook. (Output: Ransomware Workflow and Runbook)

Module 4: Improve Ransomware Resilience.

The Purpose

  • Identify prioritized initiatives to improve ransomware resilience.

Key Benefits Achieved

  • Identify the role of leadership in ransomware response and recovery.
  • Communicate workshop outcomes and recommend initiatives to improve ransomware resilience.

Activities and Outputs

  • 4.1 Run a tabletop planning exercise (Leadership). (Output: Tabletop Planning Session (Leadership))
  • 4.2 Identify initiatives to close gaps and improve resilience.
  • 4.3 Review broader strategies to improve your overall security program.
  • 4.4 Prioritize initiatives based on factors such as effort, cost, and risk.
  • 4.5 Review the dashboard to fine-tune your roadmap. (Output: Ransomware Resilience Roadmap and Metrics)
  • 4.6 Summarize status and next steps in an executive presentation. (Output: Ransomware Resilience Summary Presentation)

Build Ransomware Resilience

Prevent ransomware incursions and defend against ransomware attacks

EXECUTIVE BRIEF

Executive Summary

Your Challenge

Ransomware is a high-profile threat that demands immediate attention:

  • Sophisticated ransomware attacks are on the rise and evolving quickly.
  • Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.
  • Executives want reassurance but aren't ready to write a blank check. Improvements must be targeted and justified.

Common Obstacles

Ransomware is more complex than other security threats:

  • Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
  • Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
  • Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

Info-Tech's Approach

To prevent a ransomware attack:

  • Conduct a thorough assessment of your current state, identify potential gaps, and assess the possible outcomes of an attack.
  • Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protection and detection to reduce your attack surface.
  • Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

Info-Tech Insight

Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recover quickly.

Analyst Perspective

Ransomware is an opportunity and a challenge.

As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.

The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy an attack, and their attacks have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.

Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.


Michel Hébert
Research Director, Security and Privacy
Info-Tech Research Group

Ransomware attacks are on the rise and evolving quickly.

Three factors contribute to the threat:

  • The rise of ransomware-as-a-service, which facilitates attacks.
  • The rise of crypto-currency, which facilitates anonymous payment.
  • State sponsorship of cybercrime.

Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.

A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout of attacks during this period.

Total ransom money collected (2015 – 2021): USD 2,592,889,121

Figure: bubble plot of total ransom money collected by year, 2015 – 2021.

The frequency and impact of ransomware attacks are increasing

Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.

Sophos commissioned a vendor agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.

The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.

  • 66% – Hit by ransomware in 2021 (up from 37% in 2020)
  • 90% – Ransomware attack affected their ability to operate
  • $812,360 USD – Average ransom payment
  • $4.54M – Average remediation cost (not including ransom)
  • One month – Average recovery time

Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.

Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as the reason they did not anticipate an attack.

While these elements can help recover from an attack, they don't prevent it in the first place.

Source: Sophos, State of Ransomware (2022)
IBM, Cost of A Data Breach (2022)

The 3-step ransomware attack playbook

  • Get in
  • Spread
  • Profit

At each point of the playbook, malicious agents need to achieve something before they can move to the next step.

Resilient organizations look for opportunities to:

  • Learn from incursions
  • Disrupt the playbook
  • Measure effectiveness

The stages of the playbook, with the attacker's objective at each one:

  • Initial access – Deliver phishing email designed to avoid spam filter.
  • Execution – Launch malware undetected.
  • Privilege escalation – Identify user accounts. Target an admin account.
  • Credential access – Use brute force tactics to crack it.
  • Lateral movement and collection – Move through the network and collect data. Infect as many critical systems and backups as possible to limit recovery options.
  • Data exfiltration – Exfiltrate data to gain leverage.
  • Data encryption – Encrypt data, which triggers alert. Deliver ransom note.
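Two stages of this playbook leave traces a defender can alert on well before the ransom note: the brute-force attempt against an admin account (credential access) and the mass rename that the encryption stage produces on a file server. The following is an added example, not part of the blueprint or its workbook, of detection logic for those two stages run over a constructed event stream. The event shape (timestamp, kind, actor, target), the LOGON_FAIL/LOGON_OK/FILE_RENAME labels, the KNOWN_EXTENSIONS allow-list and the thresholds are all assumptions for illustration; in production they map onto your SIEM's authentication and file-audit events and are tuned per environment.

```python
"""Added example: detection logic for two stages of the ransomware playbook
(brute-force credential access, then the mass-rename burst produced by
encryption). Event shape, thresholds and the extension allow-list are
assumptions for this illustration, not a vendor's log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs), as (iso_timestamp, kind, actor, target).
#   LOGON_FAIL / LOGON_OK : actor = source IP, target = account name
#   FILE_RENAME           : actor = host,      target = "old_path -> new_path"
SAMPLE_EVENTS = [
    # six failures against a service account in 14 seconds, then a success
    ("2024-03-01T02:00:00", "LOGON_FAIL", "10.0.5.23", "svc_backup"),
    ("2024-03-01T02:00:03", "LOGON_FAIL", "10.0.5.23", "svc_backup"),
    ("2024-03-01T02:00:05", "LOGON_FAIL", "10.0.5.23", "svc_backup"),
    ("2024-03-01T02:00:08", "LOGON_FAIL", "10.0.5.23", "svc_backup"),
    ("2024-03-01T02:00:11", "LOGON_FAIL", "10.0.5.23", "svc_backup"),
    ("2024-03-01T02:00:14", "LOGON_FAIL", "10.0.5.23", "svc_backup"),
    ("2024-03-01T02:00:17", "LOGON_OK", "10.0.5.23", "svc_backup"),
    # a user mistyping a password once: must not be flagged
    ("2024-03-01T02:05:00", "LOGON_FAIL", "10.0.8.40", "jdoe"),
    ("2024-03-01T02:05:04", "LOGON_OK", "10.0.8.40", "jdoe"),
    # an ordinary rename between known document types: must not be flagged
    ("2024-03-01T03:30:00", "FILE_RENAME", "WS07", "/home/a/draft.docx -> /home/a/final.docx"),
] + [
    # 25 files on the file server renamed to an unknown extension within 25 seconds
    (f"2024-03-01T03:10:{i:02d}", "FILE_RENAME", "FS01",
     f"/share/finance/q{i}.xlsx -> /share/finance/q{i}.xlsx.lockd")
    for i in range(25)
]

# Assumed allow-list of extensions the estate normally writes; tune per environment.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "png"}


def _expire(queue, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (source, account) pairs with >= threshold failed logons inside the window,
    and record whether a successful logon from that source followed while the
    failures were still in the window (the credential-access stage succeeding)."""
    fails = defaultdict(deque)
    findings = {}
    for ts, kind, source, account in sorted(events):
        if kind not in ("LOGON_FAIL", "LOGON_OK"):
            continue
        now, key = datetime.fromisoformat(ts), (source, account)
        _expire(fails[key], now, window)
        if kind == "LOGON_FAIL":
            fails[key].append(now)
            if len(fails[key]) >= threshold:
                f = findings.setdefault(key, {"source": source, "account": account,
                                              "failures": 0, "succeeded": False})
                f["failures"] = max(f["failures"], len(fails[key]))
        elif key in findings and fails[key]:
            findings[key]["succeeded"] = True
    return list(findings.values())


def detect_encryption_burst(events, threshold=20, window=timedelta(seconds=60)):
    """Flag hosts that rename >= threshold files to an extension outside the
    allow-list inside the window: the mass-rename pattern that encryption produces."""
    renames = defaultdict(deque)
    findings = {}
    for ts, kind, host, detail in sorted(events):
        if kind != "FILE_RENAME":
            continue
        _, _, new_path = detail.partition(" -> ")
        new_ext = new_path.rsplit(".", 1)[-1].lower() if "." in new_path else ""
        if new_ext in KNOWN_EXTENSIONS:
            continue
        now = datetime.fromisoformat(ts)
        _expire(renames[host], now, window)
        renames[host].append(now)
        if len(renames[host]) >= threshold:
            f = findings.setdefault(host, {"host": host, "renames": 0, "extensions": set()})
            f["renames"] = max(f["renames"], len(renames[host]))
            f["extensions"].add(new_ext)
    return list(findings.values())


if __name__ == "__main__":
    for finding in detect_brute_force(SAMPLE_EVENTS) + detect_encryption_burst(SAMPLE_EVENTS):
        print(finding)
```

On the sample stream the brute-force detector returns one finding (six failures against svc_backup from 10.0.5.23, followed by a success) and ignores the single mistyped password, while the rename detector flags FS01 for 25 renames to .lockd and ignores the benign .docx rename. The "succeeded" flag is what turns a noisy brute-force alert into a high-priority one: it marks the point where the playbook moves from credential access to lateral movement.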

Ransomware is more complex than other security threats

Ransomware groups thrive through extortion tactics.

  • Traditionally, ransomware attacks focused on encrypting files as an incentive for organizations to pay up.
  • As organizations improved backup and recovery strategies, gangs began targeting, encrypting, and destroying backups.
  • Since 2019, gangs have focused on a double-extortion strategy: exfiltrate sensitive or protected data before encrypting systems, and threaten to publish it.

Organizations misunderstand ransomware risk scenarios, which obscures the potential impact of an attack.

Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:

  • Detection and Response – Activities that enable detection, containment, eradication and recovery.
  • Notification – Activities that enable reporting to data subjects, regulators, law enforcement, and third parties.
  • Lost Business – Activities that attempt to minimize the loss of customers, business disruption, and revenue.
  • Post Breach Response – Redress activities to victims and regulators, and the implementation of additional controls.

Source: IBM, Cost of a Data Breach (2022)

Disrupt each stage of the attack workflow.

An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.

Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.

Shortening dwell time requires better protection and detection

Ransomware dwell times are shrinking and encryption rates are climbing, and both trends favour the attacker.

Hackers spend less time in your network before they attack, and their attacks are much more effective.

  • Avg dwell time: 3-5 days
  • Avg encryption rate: 70 GB/h
  • Avg detection time: 11 days

What is dwell time and why does it matter?

Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.

Encryption rate measures how quickly a strain encrypts data once it is deployed, and it varies by ransomware family. LockBit has the fastest measured encryption rate, clocking in at 628 GB/h.

Dwell times are dropping, and encryption rates are increasing.

It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.

References: BleepingComputer (2022), VentureBeat, Dark Reading, ZDNet.

Resilience depends in part on response and recovery capabilities

This blueprint will focus on improving your ransomware resilience to:

  • Protect against ransomware.
  • Detect incursions.
  • Respond and recover effectively.

Figure: the pathway for response and recovery from a ransomware event.

For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery.

Info-Tech's ransomware resilience framework

Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

Prioritize protection

Put controls in place to harden your environment, train savvy end users, and prevent incursions.

Support recovery

Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.


Threat preparedness

Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

Awareness and training

Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

Perimeter security

Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

Respond and recover

Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

Access management

Review the user access management program, policies and procedures to ensure they are ransomware-ready.

Vulnerability management

Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.


What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 5-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Schedule a Scoping Call
  • Call 1: Discuss context, identify challenges, and scope project requirements. Identify ransomware resilience metrics.

Guided Implementation 2: Assess Ransomware Resilience
  • Call 1: Build ransomware risk scenario.
  • Call 2: Assess ransomware resilience.

Guided Implementation 3: Improve Protection and Detection Capabilities
  • Call 1: Review common ransomware attack vectors. Identify and assess mitigation controls.

Guided Implementation 4: Improve Response and Recovery Capabilities
  • Call 1: Document ransomware workflow and runbook.
  • Call 2: Run tabletop test with IT.

Guided Implementation 5: Improve Ransomware Resilience
  • Call 1: Run tabletop test with leadership.
  • Call 2: Build ransomware roadmap. Measure ransomware resilience metrics.

Author

Michel Hebert

Contributors

  • Ali Dehghantanha, Canada Research Chair in Cybersecurity and Threat Intelligence, University of Guelph
  • Arturo Montalvo, CISO, Texas General Land Office and Veterans Land Board
  • Brian Murphy, IT Manager, Placer County
  • Dan Reisig, Vice President of Technology, UV&S
  • Deborah Curtis, CISO, Placer County
  • Derrick Whalen, Director, IT Services, Halifax Port Authority
  • Deuce Sapp, VP of IT, ISCO Industries
  • Douglas Williamson, Director of IT, Jamaica Civil Aviation Authority
  • Gary Rietz, CIO, Blommer Chocolate Company
  • Jacopo Fumagalli, CISO, Omya
  • Jimmy Tom, AVP of Information Technology and Infrastructure, Financial Horizon
  • Josh Lazar, CIO, 18th Circuit Florida Courts
  • Linda Barratt, Director of Enterprise Architecture, IT Security, Data & Analytics, Toronto Community Housing Corporation
  • Mark Roman, CIO, Simon Fraser University
  • Matthew Parker, Information Security Manager, Utah Transit Authority
  • Mduduzi Dlamini, IT Systems Manager, Eswatini Railway
  • Mike Hare, System Administrator, 18th Circuit Florida Courts
  • Samuel Sutton, Computer Scientist, FBI
  • Stuart Gaslonde, Director of IT & Digital Services, Falmouth Exeter Plus
  • Trevor Ward, IT Manager, Falmouth Exeter Plus