Navigating Ransomware: Key Tactics for Enterprise Resilience

Author: Olu Adekoya, CITP, CISM, CRISC, MBCS
Date Published: 1 October 2024
Read Time: 7 minutes

In today's digital era, no organization is safe from the ever-present danger of ransomware attacks. The harsh truth is that ransomware attacks are rising in frequency and complexity. A recent report revealed that 59% of global organizations fell victim to ransomware in the past year alone.1

This statistic implies that nearly 6 in 10 organizations, regardless of size or industry, were compromised, causing significant disruptions and financial losses. In a record-breaking year, Chainalysis, a blockchain analysis company, reported that ransomware payments in 2023 exceeded a mind-boggling US$1 billion.2 These figures paint a stark picture: ransomware is a grave threat with a mounting impact on organizations of all sizes.


However, there is a silver lining to this dark cloud. The increasing prevalence of ransomware attacks offers a unique learning opportunity. The experiences of diverse organizations across various sectors with a previous ransomware attack can provide practical lessons and invaluable insights for any enterprise to harness, empowering it to be better prepared and more resilient to ransomware attacks. This knowledge fosters hope and empowerment, knowing organizations can learn and adapt to evolving threats.

It is worth exploring various tactics that have proven successful in managing ransomware attacks, from effective communication strategies to leveraging expertise from law enforcement. There are real-world examples that demonstrate the tangible benefits of clear communication during a crisis. There has also been an encouraging rise in law enforcement actions successfully being taken against ransomware operators—and there are lessons to be gleaned from these victories. Additionally, there are security controls that have proven effective in protecting against, detecting, responding to, and recovering from ransomware attacks.

By understanding these strategies, organizations can strengthen their defenses and emerge more resilient in the face of ransomware threats.

Key Tactics for Organizational Resilience

Despite the growing frequency and severity of ransomware attacks, the significant disruptions and financial losses show that many organizations still do not have a battle-ready strategy to mitigate and recover from ransomware attacks effectively. Beyond foundational security controls such as staff awareness and training and tested incident response plans, the absence of other measures, namely specialized ransomware communication, cybersecurity insurance, and a cybersecurity strategy that declines to pay ransom, contributes to organizations’ vulnerability to ransomware attacks and highlights the urgent need for these proactive measures to enhance organizational resilience.

  • Communication must be transparent, swift, and continuous. It is not just a buzzword, but a practical and effective strategy for managing an organization's reputation during a ransomware attack. Real-world examples include Maersk's immediate and transparent communication following the NotPetya attack,3 which helped maintain customer trust and stabilize its share price. By contrast, Equifax's delayed response to its 2017 data breach4 led to significant reputational damage and a sharp decline in share price. Similarly, Travelex's poor communication during its 2020 ransomware attack resulted in customer frustration and financial loss.5 These examples underscore the importance of proactive, regular, and transparent communication in mitigating reputational damage during ransomware cyberattacks.
  • Cybersecurity insurance is not merely a precaution, but a strategic move to mitigate the financial and operational impacts of ransomware attacks. Coverage includes ransom payments, legal fees, and business interruptions, potentially saving organizations from significant financial losses. For instance, Mondelez International utilized cyberinsurance to recover part of the US$100 million loss from the 2017 NotPetya attack.6 Additionally, insurance providers offer access to cybersecurity experts and incident response teams, as demonstrated when the city of Baltimore (Maryland, USA) utilized cyberinsurance in its 2019 ransomware recovery.7 Legal and regulatory support is another benefit of cyberinsurance, offering organizations guidance in navigating these threats. Furthermore, insurance requirements often drive enterprises to adopt best practices and regular security assessments, enhancing overall cybersecurity. Finally, a structured incident response facilitated by insurance can minimize downtime and damage.
  • Ransom payment refusal is a valid response strategy during ransomware attacks, offering multiple benefits and crucial lessons. However, this strategy is only plausible if data backups are available. Moreover, the money not spent on ransoms can be used to drive long-term security improvements and the implementation of robust backup systems for digital services and data recovery. For example, the city of Baltimore refused to pay ransom during the 2019 attack,8 and the money saved by not paying the ransom led to significant cybersecurity enhancements. Similarly, Norsk Hydro did not pay the ransom in 2019 when it was attacked by LockerGoga, maintaining its corporate integrity by not supporting illegal activities.9 Maersk demonstrated the effectiveness of comprehensive backup strategies by recovering operations after the NotPetya attack in 2017 without paying the ransom.10 Additionally, refusing to pay ransom is not only a strategic move but a crucial one that helps avoid potential legal repercussions. Paying might violate laws in some regions, as seen in the University of Utah's 2020 case.11 Furthermore, paying ransom does not guarantee data recovery or prevent further demands, as illustrated by the 2016 Kansas Heart Hospital attack.12 In that case, payment led to additional demands without data restoration, highlighting the risk of paying the ransom. Refusing to pay prevents further exploitation and encourages the adoption of more robust cybersecurity measures,13 as organizations must enhance their security controls to thwart ransomware attacks effectively.

Help Is Arriving

Successful law enforcement actions against ransomware operators provide valuable lessons for enterprises facing such threats, highlighting the importance of collaboration, timely reporting, and leveraging insights to enhance security measures.

The arrest of REvil ransomware gang members, who targeted companies such as JBS Foods and Kaseya, highlights the power of collective efforts.14 The takedown of the DarkSide group after the Colonial Pipeline attack underscored the critical role of prompt reporting and information sharing.15 These successes were achieved through the collective efforts of enterprises, law enforcement, and cybersecurity professionals. They demonstrate that we are not alone in the fight against ransomware. The law enforcement-led disruption of the Emotet botnet in early 2021 provided insights that demonstrated how to strengthen defenses against future threats.16 The arrest of Egregor ransomware affiliates in 2021 served as a clear deterrent for future attacks, showing that cybercriminals are not beyond the reach of the law.17 These successes, although drops in the ocean, reinforce the united front against ransomware, further underscoring the importance of collaboration, timely reporting, leveraging law enforcement insights, deterring future attacks, and restoring trust.

Integrate Ransomware Defense Controls

It is crucial to learn from other enterprises how their security controls have performed against ransomware attacks and which controls have given them the best value for their money. Several controls are useful in protecting against, detecting, responding to, and recovering from ransomware attack scenarios:

  • Immutable backups are isolated and unalterable, offering a fast recovery route.
  • Network segmentation limits ransomware spread by reducing the blast radius and hindering lateral movement across the network.
  • Endpoint detection and response (EDR) detects and isolates suspicious activity on devices before data encryption.
  • Cybersecurity awareness training empowers employees to identify phishing attacks, a common ransomware entry point.
  • Incident response plans (IRPs) minimize downtime and damage through a coordinated response.
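To make the EDR control concrete, here is an added, simplified detection heuristic of the kind an EDR applies before encryption completes: it flags a process that renames many files to a new extension within a short window. This is illustrative code, not from the article or from any EDR product; the log format, the window, and the threshold are assumed values, and the sample events are constructed.

```python
import re
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# Constructed endpoint file-event log (illustrative format, not any real EDR's):
# "<epoch_seconds> <pid> <WRITE|RENAME> <path>[ -> <new_path>]"
SAMPLE_EVENTS = r"""
1700000000 880 WRITE C:\Users\alice\Documents\~WRL0001.tmp
1700000000 880 RENAME C:\Users\alice\Documents\~WRL0001.tmp -> C:\Users\alice\Documents\budget.docx
1700000001 4312 RENAME C:\Users\alice\Documents\q3-report.docx -> C:\Users\alice\Documents\q3-report.docx.locked
1700000002 4312 RENAME C:\Users\alice\Documents\budget.xlsx -> C:\Users\alice\Documents\budget.xlsx.locked
1700000002 4312 RENAME C:\Users\alice\Pictures\team.jpg -> C:\Users\alice\Pictures\team.jpg.locked
1700000003 4312 RENAME C:\Users\alice\Desktop\notes.txt -> C:\Users\alice\Desktop\notes.txt.locked
1700000004 4312 RENAME C:\Users\alice\Desktop\plan.pptx -> C:\Users\alice\Desktop\plan.pptx.locked
"""

LINE_RE = re.compile(r"^(\d+) (\d+) (WRITE|RENAME) (.+?)(?: -> (.+))?$")
WINDOW_SECONDS = 10  # assumed tuning value: length of the sliding window
THRESHOLD = 5        # assumed tuning value: extension-changing renames per window that alert

def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, action, path, new_path = m.groups()
    return {"ts": int(ts), "pid": int(pid), "action": action, "path": path, "new_path": new_path}

def changes_extension(old, new):
    """True when a rename replaces or appends the file extension (e.g. .docx -> .docx.locked)."""
    return PureWindowsPath(old).suffix.lower() != PureWindowsPath(new).suffix.lower()

def detect_mass_rename(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {pid: timestamp} for processes whose extension-changing renames within
    `window` seconds reach `threshold`; the timestamp is the event that fired the alert."""
    recent = defaultdict(deque)  # pid -> timestamps of recent suspicious renames
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] != "RENAME" or not changes_extension(ev["path"], ev["new_path"]):
            continue  # benign writes and same-extension renames (e.g. a normal save) are ignored
        q = recent[ev["pid"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["pid"] not in alerts:
            alerts[ev["pid"]] = ev["ts"]  # a real EDR would isolate the process/host here
    return alerts
```

Running `detect_mass_rename(SAMPLE_EVENTS.splitlines())` flags only pid 4312, at the fifth rename; the Word-style temp-file save by pid 880 is not flagged. Real products add entropy checks and known-benign allowlists on top of this kind of rate heuristic.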

While there is no silver bullet in cybersecurity, organizations should implement the above security controls supplemented with additional controls to ensure defense in depth. The threat landscape is continually changing, and defenses must adapt accordingly. By implementing controls and remaining vigilant regarding emerging threats, cyberprofessionals can greatly enhance organizational protection against ransomware. Staying informed is not just a suggestion—it is a necessity in today's digital landscape. It is the key to staying one step ahead of cybercriminals and protecting organizations from potential threats.

Conclusion

While an end to the fight against ransomware remains distant, several effective strategies are available to combat it. The rise in ransomware attacks, which affected 59% of global organizations in 2023, serves as both a stark warning and a valuable learning opportunity. When navigating the evolving threat landscape, practical lessons from past incidents highlight the importance of transparent communication, strategic investments in cybersecurity insurance, and the benefits of declining ransom payments. Law enforcement successes against ransomware operators, such as the takedown of the REvil gang and the DarkSide group, underscore the power of collaboration and timely reporting. These successes reinforce the united front against ransomware. This united front, built on shared knowledge and collective action, is the cybercommunity’s strongest defense. Continued vigilance and enhanced collaboration within the cybersecurity community are essential to fortify defenses and mitigate the impact of pervasive ransomware threats.

Endnotes

1 SOPHOS, The State of Ransomware 2024, 2024
2 Chainalysis, The Chainalysis 2024 Crypto Crime Report, 2024
3 Swinhoe, D.; “Rebuilding After Notpetya: How Maersk Moved Forward,” CSO, 9 October 2019
4 Financial Conduct Authority, “Financial Watchdog Fines Equifax Ltd £11 Million for Role in One of the Largest Cyber Security Breaches in History,” 13 October 2023
5 Tidy, J.; “Travelex: Banks Halt Currency Service After Cyber-attack,” BBC News, 8 January 2020
6 Martin, A.; “Mondelez and Zurich Reach Settlement in Notpetya Cyberattack Insurance Suit,” The Record, 30 October 2022
7 Insurance Newsnet, “Baltimore to Purchase $20M in Cyber Insurance as it Pays off Contractors Who Helped City Recover From Ransomware,” 16 October 2019
8 Insurance Newsnet, “Baltimore to Purchase $20M in Cyber Insurance as it Pays off Contractors Who Helped City Recover From Ransomware”
9 Briggs, B.; “Hackers hit Norsk Hydro with Ransomware. The Company Responded With Transparency,” 16 December 2019
10 Swinhoe, “Rebuilding After Notpetya: How Maersk Moved Forward” https://www.csoonline.com/article/567845/rebuilding-after-notpetya-how-maersk-moved-forward.html
11 Pierce, S.D.; “University of Utah Pays $450K to Stop Cyberattack on Servers,” The Associated Press, 22 August 2020
12 Trend Micro, “Kansas Hospital Hit by Ransomware, Extorted Twice,” 23 May 2016
13 Siwicki, B.; “Ransomware Attackers Collect Ransom from Kansas Hospital, Don’t Unlock all the Data, Then Demand More Money,” Healthcare IT News, 23 May 2016
14 Collier, K.; “Russia Arrests Ransomware Gang Responsible for High-Profile Cyberattacks,” NBC News, 14 January 2022
15 SOC Radar, “Pipeline to Peril: Unpacking the ALPHV Attack on Trans-Northern,” 14 February 2024
16 Europol, “World’s Most Dangerous Malware EMOTET Disrupted Through Global Action,” 27 January 2021
17 Ducklin, P.; “Egregor Ransomware Criminals Allegedly Busted in Ukraine,” Sophos, 15 February 2021

Olu Adekoya

Olu Adekoya is a seasoned cybersecurity leader and strategist with a wealth of experience spanning over 15 years across government, financial services, telecommunications, and consultancy. As founder of Cyber Pinnacle, he delivers tailored cybersecurity solutions to protect digital assets. Olu has led major initiatives, driving security governance across UK government departments and enhancing security at Nationwide Building Society and Vodafone.

Specializing in information security governance, threat assessment, risk management, and secure systems implementation, Olu is deeply committed to ensuring that security aligns with business objectives. His active participation in the information security community, including published articles and mentoring, is a testament to his passion and dedication to the field. Olu holds an MBA and certifications such as CITP, CRISC, CISM, and cloud certifications from AWS and Azure.
