Ransomware attacks have increased in number and financial impact significantly. According to the FBI, the cost of ransomware attacks in the past few years has reached into billions of dollars, with the total impact doubling each year. Ransomware attacks can be the result of widespread malicious software, like the high-profile "WannaCry" attacks, or the end-goal of very targeted attacks launched against your organization by threat actors that have compromised your servers or users' workstations.
Ransomware attacks have become so common, in fact, that the media and the public have started to show "fatigue" for news coverage of these attacks. Years ago, the mere concept of an attack that extorts $300 from a home user for their photos was a new and exciting thing, worth writing about. Now, a ransomware attack that would have been interesting to read about two years ago, such as a clinic or a police department, may not even warrant an article. Having your data held for ransom is very nearly "the new normal".
Reviewing the current news cycle, entire city governments are being hit, alongside very large companies such as Boeing and critical infrastructure, such as Baltimore's 911 emergency services. In every case, media commentary and social media chatter are quick to blame the victims. When your organization faces a ransomware attack, if it manages to succeed, your clients, customers, and business partners will all turn that blame upon you. They've been conditioned by media coverage to blame you for a lack of preparation and response, regardless of the circumstances.
How do you prepare and respond? Good security hygiene of patching and user education will only take you so far, if the entry point to your organization for the ransomware is a new vulnerability, or the result of a user being tricked (which will happen, no matter how many awareness programs you force them to sit or click through). A network architecture that uses segmentation to protect critical information from being exposed is key. If a system or user does not require the ability to read or modify a set of data, they should be restricted from doing so. You may trust your users, but a "default deny" policy can keep a compromise from spreading in the event that a user's account or workstation has been hijacked.
In the event of a successful ransomware attack, quick response is key. You need to establish whether your backups are impacted. You need to determine the exposure of sensitive data outside of the organization. Many organizations do not have enough trained IT staff to quickly and decisively act and investigate an incident impacting a large percentage of the organization. For most businesses, IT directors or the C-suite need to consider building a relationship with a security firm ahead of time to develop a plan and staffing that can be enacted quickly in the event of an emergency.
I often see advice that encourages business to acquire and hold cryptocurrency as a form of insurance against a ransomware attack. This advice is becoming more and more outdated every day with current trends. The volatility of cryptocurrency value can make the management of that investment a nightmare. Some ransomware campaigns are becoming victims of their own success, with so many victims that the operators are unable to process payments and decrypt victim data. The funding allocated for cryptocurrency "insurance" is better spent on services that will help you identify your exposure, such as penetration tests and security monitoring.
Do not allow yourself to bend to fatigue when dealing with ransomware preparation, attacks, and response. The growing number and impact of ransomware attacks will result in a loss of reputation, in addition to financial impact, when those that depend on your business blame you for a lack of due diligence in preparation and defense.