What is Ransomware?

Ransomware is a type of malware that uses encryption to block access to an individual’s or an organization’s computer systems. When a system is infected with ransomware, users cannot access their files, databases, or applications. Ransomware can infect a single device or an entire network of servers.

Ransomware can be introduced to a network or device when a user opens a downloaded attachment containing the malware. However, more complex attacks exploit vulnerabilities in internet-facing services or remote desktop logins to gain access to an organization’s network.

Why is Ransomware Spreading?

In recent years, ransomware attacks have grown in sophistication and volume. Between 2019 and 2020, ransomware attacks rose by 62% globally, and by 158% in North America alone. In 2021, 80% of organizations were hit by ransomware attacks.

Why are ransomware attacks growing so rapidly? First, it’s because they work. According to one recent study, 83% of ransomware victims choose to pay up. Cybercriminals can be reasonably sure that, so long as they set a realistic ransom, organizations will pay. Meanwhile, the boom in cryptocurrency platforms, which anonymize payments, provides the perfect channel through which criminals can access their ill-gotten gains.

Second, it has become much easier to launch ransomware attacks. Malware is now shared in underground marketplaces or stolen from one criminal by another. Some criminals even offer ransomware-as-a-service, opening the market to would-be attackers who do not have the skills to develop their own malware. One study estimates that two-thirds of ransomware attacks in 2020 utilized the ransomware-as-a-service model.

Additionally, some nations ignore criminal groups or even give them tacit approval to strike at their geopolitical adversaries. Attackers in such states, which often do not have extradition treaties in place with the U.S., can therefore operate with impunity.

Should organizations pay ransomware demands?

While it is understandable that organizations will wish to regain full access to their systems sooner rather than later, paying up for ransomware is not the right choice. For one, paying ransomware demands means that businesses risk falling foul of global anti-money laundering (AML) and terrorism financing rules. It is not specifically illegal to pay ransomware demands — indeed many cyber-insurance policies cover such costs — but if that money is used to fund a terror attack, companies could find themselves liable.

Second, paying ransomware demands does not necessarily work. Globally, even among organizations that paid a ransom, only 60% regained access to data after the first payment. Perhaps that’s why several studies have found victim companies’ stock price generally falls in the range of 1-5% in the immediate aftermath of a ransomware attack.

Firms should therefore focus on effective cybersecurity controls to protect the organization against ransomware and robust action plans to return to business-as-usual in the event their systems are compromised.

What Can Security Teams do to Protect Against Ransomware?

There are three steps that all Chief Information Security Officers (CISOs) and their teams should take to defend the enterprise against ransomware:

  1. Assume that the infrastructure will be breached and plan to come up against the highest-risk known threats. Defenses should be tested using the MITRE ATT&CK® framework in combination with breach and attack simulation (BAS).
  2. Review, rationalize, and invest in security controls to defend data and applications, and to optimize processes.
  3. Validate the effectiveness of cyberdefenses by testing them continuously against real-world threats using an automated platform (versus manual testing that is infrequent and expensive).

Preparation is the best form of defense. Best practice is to build a security roadmap that reflects the organization’s unique assets and priorities and to routinely validate that security controls are fit for purpose.

How Can the MITRE ATT&CK® Framework Protect Organizations Against Ransomware?

Developed by the nonprofit MITRE Corporation, the MITRE ATT&CK framework is a knowledge base of adversary tactics, techniques, and procedures (TTPs) that security professionals have observed in cyberattacks worldwide. For each listed TTP, the framework provides a description, an explanation of sub-techniques, and a list of threat actors known to use the approach. The ATT&CK framework also maps each threat to the specific security controls that organizations typically use to thwart it.

MITRE ATT&CK includes a broad assortment of TTPs relevant to ransomware, and this information can be used to create a threat-informed defensive posture.

How Can a Threat-Informed Defense Protect Against Ransomware?

Before security teams use the MITRE ATT&CK framework, they must first audit their data and assets to identify what is most important to their organization. These high-value assets will be of most interest to cybercriminals.

Next, organizations can use the MITRE framework to identify both the threats they are most likely to face, and the appropriate controls needed to mitigate these threats. By comparing the list of necessary controls to their existing systems, security teams can see where they need to focus investments.

Once the controls are in place, security teams should develop a strategy for control validation. The only way to be sure controls are working as intended is to run regular tests simulating real-world attacks and gauge the response of the organization’s people, processes, and technologies. The ATT&CK framework can be used to prioritize testing of the controls that are most important to the organization (i.e., those that protect its most valuable assets). In addition, firms should consider:

  • Automation: Automated security control validation ensures the organization’s most crucial controls can be tested continuously. Ongoing validation means changes in configurations or staffing that may introduce control gaps are detected — and can be mitigated — more quickly.
  • Streamlining: Selecting a breach and attack simulation (BAS) solution that accelerates testing, to improve staff productivity. For instance, the AttackIQ Security Optimization Platform enables security teams to build attack graphs or flows of a ransomware (or other) attack, combining multiple scenarios across an array of TTPs. Through this chain of simulations, the Security Optimization Platform emulates complex intrusions that have been observed in the real world.
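The threat-informed workflow described above (rank assets, pick the ATT&CK techniques most relevant to them, look up the mitigations ATT&CK maps to each technique, and compare that list with the controls already in place) can be scripted against the ATT&CK knowledge base itself. The following is an added example, not code from this page, from AttackIQ, or from MITRE. The bundle it parses is constructed to mirror the object and relationship types of the public ATT&CK STIX 2.x data (attack-pattern, course-of-action, intrusion-set, and "mitigates"/"uses" relationships); the technique and mitigation IDs in it are real ATT&CK IDs, but the descriptions are abbreviated, the STIX object identifiers are shortened, the group name is a placeholder, and the asset list and set of implemented controls are assumptions made for the example.

```python
"""Technique-to-mitigation gap analysis over ATT&CK-shaped STIX data.

Added example. SAMPLE_BUNDLE is CONSTRUCTED in the shape of the public
ATT&CK STIX bundle: T1486, T1490, T1190, M1053 and M1051 are real ATT&CK
IDs, but object ids are shortened and EXAMPLE-GROUP is a placeholder.
"""
from collections import defaultdict

SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--aaaa",
         "name": "Data Encrypted for Impact",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}]},
        {"type": "attack-pattern", "id": "attack-pattern--bbbb",
         "name": "Inhibit System Recovery",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1490"}]},
        {"type": "attack-pattern", "id": "attack-pattern--cccc",
         "name": "Exploit Public-Facing Application",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1190"}]},
        {"type": "course-of-action", "id": "course-of-action--1111",
         "name": "Data Backup",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1053"}]},
        {"type": "course-of-action", "id": "course-of-action--2222",
         "name": "Update Software",
         "external_references": [{"source_name": "mitre-attack", "external_id": "M1051"}]},
        {"type": "intrusion-set", "id": "intrusion-set--9999", "name": "EXAMPLE-GROUP"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--1111", "target_ref": "attack-pattern--aaaa"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--1111", "target_ref": "attack-pattern--bbbb"},
        {"type": "relationship", "relationship_type": "mitigates",
         "source_ref": "course-of-action--2222", "target_ref": "attack-pattern--cccc"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--9999", "target_ref": "attack-pattern--aaaa"},
        {"type": "relationship", "relationship_type": "uses",
         "source_ref": "intrusion-set--9999", "target_ref": "attack-pattern--cccc"},
    ],
}

# Assumed inputs: assets ranked by priority (1 = highest) with the techniques
# judged most relevant to each, and the mitigations already in place.
ASSETS = {
    "customer-db": (1, ["T1486", "T1490"]),
    "public-web": (2, ["T1190", "T1486"]),
}
IMPLEMENTED = {"M1051"}  # patching is in place; no verified, offline backups yet


def attack_id(obj):
    """Return the ATT&CK external ID (T####/M####) of a STIX object, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def index_bundle(bundle):
    """Build technique -> mitigation IDs and technique -> group names maps."""
    by_id = {}
    for obj in bundle["objects"]:
        # The real bundle keeps revoked/deprecated objects; skip them.
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if "id" in obj:
            by_id[obj["id"]] = obj
    mitigations, groups = defaultdict(set), defaultdict(set)
    for obj in bundle["objects"]:
        if obj["type"] != "relationship":
            continue
        src, tgt = by_id.get(obj["source_ref"]), by_id.get(obj["target_ref"])
        if src is None or tgt is None or tgt["type"] != "attack-pattern":
            continue
        tid = attack_id(tgt)
        if obj["relationship_type"] == "mitigates" and src["type"] == "course-of-action":
            mitigations[tid].add(attack_id(src))
        elif obj["relationship_type"] == "uses" and src["type"] == "intrusion-set":
            groups[tid].add(src["name"])
    return mitigations, groups


def gap_analysis(bundle, assets, implemented):
    """List (asset, technique, missing mitigations, known groups), highest priority first."""
    mitigations, groups = index_bundle(bundle)
    gaps = []
    for asset, (priority, techniques) in assets.items():
        for tid in techniques:
            missing = sorted(mitigations.get(tid, set()) - set(implemented))
            if missing:
                gaps.append({"asset": asset, "priority": priority, "technique": tid,
                             "missing": missing, "groups": sorted(groups.get(tid, ()))})
    gaps.sort(key=lambda g: (g["priority"], g["technique"]))
    return gaps


if __name__ == "__main__":
    for gap in gap_analysis(SAMPLE_BUNDLE, ASSETS, IMPLEMENTED):
        print(f"P{gap['priority']} {gap['asset']}: {gap['technique']} lacks "
              f"{', '.join(gap['missing'])} (used by: {', '.join(gap['groups']) or 'none listed'})")
```

Run against the public ATT&CK STIX JSON bundle instead of SAMPLE_BUNDLE, the same two functions produce the investment list the text describes: each gap names the asset at risk, the technique, the ATT&CK mitigation not yet in place, and the groups ATT&CK records as using that technique, which is also the natural starting list for the control-validation scenarios a BAS platform should emulate. The revoked/deprecated filter matters on real data, since the bundle retains superseded techniques that would otherwise generate phantom gaps.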

The MITRE ATT&CK framework provides a structure for focusing security teams (red, blue, and/or purple) on the defenses most critical for protecting high-priority assets. When assessed through automated adversary emulations, MITRE ATT&CK TTPs validate whether controls currently in place are effectively protecting an organization against the threat of ransomware. And if the answer is no, such an approach provides the opportunity to correct control errors and gaps, then retest to make sure any problems are solved.