May 12, 2021
Defending Against Ransomware Attacks: Best Practices for Success

If your organization hasn’t experienced ransomware yet, it is probably just a matter of time. Attacks jumped 485% in 2020 as we expanded connectivity during the pandemic. Ransomware gangs are brazenly breaching networks, stealing sensitive data, and ramping up extortion efforts with jaw-dropping demands.

No organization is immune. Schools, hospitals, city governments, law enforcement agencies, manufacturers, retailers, beermakers, insurance providers and sports leagues are among a long list of recent victims. Today, Colonial Pipeline—a company that operates one of the largest fuel pipelines in the U.S.—remains largely paralyzed after an attack perpetrated by a relatively new ransomware group known as DarkSide forced the shutdown of its operations. It is the worst attack on critical U.S. infrastructure to date, prompting the Biden administration to call for an “all-hands-on-deck” effort to avoid disruptions in the fuel supply.

[Figure: Ransomware statistics, from the Sophos State of Ransomware 2021 report]

Ransomware has evolved from lone cybercriminals blasting out indiscriminate emails, to gangs with specialized skill sets collaborating on elaborate attack campaigns. They publish press releases, provide chat support, and offer discounts for timely payments as they encrypt their victim’s data and lock them out.

Many of these groups are shifting from automated efforts to targeted attacks that include hands-on-keyboard hacking, sensitive data exfiltration and the threat of exposure, increasing the potential for damage. Making matters worse, they are gathering detailed intelligence about potential targets. Victims often find the attacker knows they have cyber insurance; sometimes they even know the policy limit for ransom reimbursement.

There are numerous sophisticated attackers, and—with the rise of ransomware as a service (RaaS)—even low-skilled cybercriminals can get in on the action with a pre-packaged ransomware subscription. RaaS kits are easy to find on the dark web, where they are advertised in the same way that goods are promoted on legitimate parts of the internet.

As the number of ransom payments continues to rise, attackers are reinvesting the money they extort from victims to advance their capabilities and hunt lucrative targets, with little fear of repercussions.

What You Can Do

Because ransomware perpetrators generally operate outside of Western law enforcement’s reach in Russia and other safe havens, the most important tools for combating ransomware are strong cybersecurity measures.

Here are 11 best practices that can help protect your organization.

  1. Assume you are a target. No matter your size or industry, you are likely to be viewed as either a potential victim or a stepping stone to a larger organization.
  2. Enhance lateral movement and privilege escalation detection. Very rarely does an attacker go from zero (no access) to hero (domain admin) without having to move laterally and escalate privileges. The ability to identify this type of activity is instrumental to reducing the likelihood and impact of successful attacks. Focus on leveraging advanced endpoint security technologies and building key alerts and notifications. Security information and event management (SIEM) platforms and/or managed security service (MSS) providers can optimize the detection of lateral movement and privilege escalation attacks. And penetration testing and purple teaming are fantastic mechanisms for advancing your capabilities.
  3. Take data backups seriously. Thoroughly test your ability to recover systems and data in the event of an attack. Use a multi-tiered approach to data protection that includes offline cold storage. Your backups are less vulnerable to attack if they are not connected to the network.
  4. Strengthen patch management. Consistently monitor for vulnerabilities. Regularly update systems with the appropriate security patches to ensure cybercriminals can’t take advantage of known flaws. Run vulnerability scans to verify successful patching, and evaluate technologies that can make patching processes more effective, leveraging automation whenever possible.
  5. Adopt multi-factor authentication. Most ransomware gains access through the hijacking of static passwords. Enabling multi-factor authentication on accounts across the network can help you thwart attackers by requiring additional information. A phishing attack may net them a user’s credentials, but it cannot provide biometric data or the answer to a personal security question.
  6. Implement least privilege. Reduce the risk of attackers gaining access to critical systems or sensitive data by giving users only the bare minimum privileges needed to do their jobs. Identity and access management (IAM) controls can help you grant least privilege access based on who is requesting it, the context of the request, and the risk of the access environment.
  7. Advance endpoint security. Visibility is vital to ransomware defense. Endpoint detection and response (EDR) tools combine real-time continuous monitoring and collection of endpoint data with automated response and analysis. Emerging extended detection and response (XDR) solutions extend these capabilities to email, servers, cloud workloads, and networks to provide analysts with greater context.
  8. Ensure awareness. Users should receive continuous security awareness training that details the threat of ransomware and the ways it can be delivered. Take baseline measurements related to current phishing susceptibility and cybersecurity knowledge levels, and track progress over time with simulated phishing attacks.
  9. Consider a Data Risk Assessment. Performing an assessment will help you locate all of your sensitive data, identify who has access to it, determine how much of it is stale or aged, and decide whether it should be archived or purged. This effectively reduces your data footprint, and with it the risk associated with potential breaches and incidents that target data.
  10. Maintain incident response readiness. Prepare for the inevitable by specifically addressing the threat of ransomware in your IR program, policies, and procedures. Organizations without the in-house resources to optimize their maturity should leverage IR retainers to help them quickly recover, restore critical services, and minimize financial losses in the event of a compromise.
  11. Check your insurance. Confirm cyber extortion coverage that entitles you to incident response assistance and reimburses you for any ransom payments. Keep in mind that underwriters are scrutinizing security practices carefully, and they can — and will — refuse to cover incidents if effective controls were not in place to protect systems and data.
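Practice 2 asks for alerts on lateral movement and privilege escalation, and practice 6 for a least-privilege baseline to compare against. The following added example (illustration only, not code from the original post or from CBI) shows what such detection logic looks like when run over Windows Security log records. The event IDs it keys on are the real Windows IDs (4624 logon, 4672 special privileges assigned, 4728/4732 member added to a privileged group); the log records, host and account names, the ten-minute window, the host threshold and the `known_admins` allowlist are all constructed assumptions for the demonstration.

```python
"""Toy lateral-movement and privilege-escalation detections over Windows
Security log records. Added example code, not CBI's tooling. Event IDs are
real Windows IDs; every record, name and threshold below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalized Security log records (not real telemetry).
# Fields: timestamp, event_id, account, source host, target host, logon type.
SAMPLE_EVENTS = [
    ("2021-05-10T09:00:00", 4624, "jsmith", "WS-014", "FS-01", 3),
    ("2021-05-10T09:02:00", 4624, "jsmith", "WS-014", "WS-022", 3),
    ("2021-05-10T09:03:30", 4624, "jsmith", "WS-014", "WS-031", 3),
    ("2021-05-10T09:04:10", 4624, "jsmith", "WS-014", "SQL-02", 3),
    ("2021-05-10T09:05:45", 4624, "jsmith", "WS-014", "DC-01", 10),
    ("2021-05-10T09:06:00", 4672, "jsmith", "WS-014", "DC-01", None),
    ("2021-05-10T09:07:00", 4728, "jsmith", "WS-014", "DC-01", None),
    ("2021-05-10T10:00:00", 4624, "backupsvc", "BK-01", "FS-01", 3),
    ("2021-05-10T10:01:00", 4672, "adm-ops", "JUMP-01", "DC-01", None),
]


def parse(record):
    """Turn one raw tuple into a dict with a real datetime for windowing."""
    ts, event_id, account, src, dst, logon_type = record
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "account": account, "src": src, "dst": dst,
            "logon_type": logon_type}


def detect_lateral_movement(events, window=timedelta(minutes=10), max_hosts=3):
    """Flag an account that reaches more than max_hosts distinct hosts via
    network (type 3) or RDP (type 10) logons inside a sliding window.
    A single workstation fanning out to file, SQL and domain controller
    hosts in minutes is the pattern the text calls moving laterally."""
    alerts = []
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] in (3, 10):
            by_account[e["account"]].append(e)
    for account, logons in by_account.items():
        logons.sort(key=lambda e: e["time"])
        for i, start in enumerate(logons):
            hosts = {e["dst"] for e in logons[i:]
                     if e["time"] - start["time"] <= window}
            if len(hosts) > max_hosts:
                alerts.append({"rule": "lateral_movement", "account": account,
                               "hosts": sorted(hosts), "time": start["time"]})
                break  # one alert per account per burst keeps the queue quiet
    return alerts


def detect_privilege_escalation(events, known_admins=frozenset()):
    """Flag 4672 (special privileges assigned) for accounts outside the
    least-privilege admin baseline, and any 4728/4732 privileged-group
    membership change, which should be rare and change-controlled."""
    alerts = []
    for e in events:
        if e["event_id"] == 4672 and e["account"] not in known_admins:
            alerts.append({"rule": "unexpected_special_privileges",
                           "account": e["account"], "host": e["dst"],
                           "time": e["time"]})
        elif e["event_id"] in (4728, 4732):
            alerts.append({"rule": "privileged_group_change",
                           "account": e["account"], "host": e["dst"],
                           "time": e["time"]})
    return alerts


def accounts_with_chained_activity(alerts):
    """Accounts that both moved laterally and touched privileges: the
    'zero to hero' sequence the text describes, worth triaging first."""
    lateral = {a["account"] for a in alerts if a["rule"] == "lateral_movement"}
    privileged = {a["account"] for a in alerts if a["rule"] != "lateral_movement"}
    return sorted(lateral & privileged)


def run_detections(records, known_admins=frozenset({"adm-ops"})):
    """Parse raw records and run both detections; known_admins is the
    constructed least-privilege allowlist for this example."""
    events = [parse(r) for r in records]
    return (detect_lateral_movement(events)
            + detect_privilege_escalation(events, known_admins))


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("chained:", accounts_with_chained_activity(found))
```

On the constructed sample, the allowlisted `adm-ops` logon on the jump host and the single `backupsvc` share access produce nothing, while `jsmith` trips all three rules and surfaces as the one account to investigate first. In a SIEM the same logic would be expressed as correlation rules over the 4624/4672/4728 feeds, with the allowlist drawn from the IAM baseline rather than hard-coded.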

In an industry-first, Paris-based insurance giant AXA has announced its suspension of policies that reimburse ransom payments made by victims in an effort to cut off the flow of cash to cybercriminals. While this only applies to new policies in France, we could soon see insurers in other countries follow suit.

You Are Not Alone

A public-private task force that includes Amazon, FireEye, Palo Alto Networks, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Crime Agency (NCA) has released an action plan aimed at tackling ransomware. It details 48 recommendations ranging from providing support for victims to regulating Bitcoin and other cryptocurrencies used by attackers.

While minimizing the threat posed by ransomware actors will be an uphill battle, it is encouraging to see collaboration between cybersecurity firms, incident responders, nonprofits, government agencies, and academics.

Get Ransomware-Ready

Ransomware gangs raked in at least $350 million in ransom payments last year, and their threats to publish stolen data unless victims pay up are increasingly aggressive. Attacks will continue through 2021 and beyond as they continue to professionalize “big-game hunting” in pursuit of payouts.

Vendor-independent security assessments can kick-start your ransomware defense efforts by helping you identify weaknesses in your security program, and prioritize the actions you can take to better prevent, detect, contain, and remediate attacks.

For more information about evaluating the impact a ransomware attack could have on your organization and strengthening your defenses, visit our Incident Response and Ransomware Resource Center.



  1. Bitdefender 2020 Consumer Threat Landscape Report
  2. Drivers Start Scrambling for Gas as Pipeline Shutdown Continues
  3. The State of Ransomware 2021
  4. Ransomware as a Service Explained
  5. AXA Pledges To Stop Reimbursing Ransom Payments for French Ransomware Victims
  6. Chainalysis 2021 Crypto Crime Report


About the Authors
Shaun Bertrand
Chief Services Officer
Shaun Bertrand is the Chief Services Officer at CBI. Shaun brings over 20 years of experience in the information security field with a core focus of providing penetration testing and vulnerability assessment services to enterprise organizations. Shaun has been CISSP certified since 2004 and is proficient in several technical services including AV obfuscation, social engineering, exploit development, critical systems protection, endpoint security, event management, incident response, intrusion detection, ICS/SCADA, and malware prevention. Shaun has taught security classes at the University of Michigan and Eastern Michigan University and is a frequent speaker at security conferences and local hacking groups.
Dan Gregory
VP | Systems Engineering
Dan has more than 15 years of field experience in performing regulatory compliance controls assessments and policy review. Dan has extensive experience in development and internal process audits with a focus on the financial, healthcare, manufacturing, and retail industries. Dan has performed countless controls assessments and efficiently deploys solution-based integrations designed to protect critical infrastructure, data, brand confidence, and reputation.