Ransomware: The Number One Cyber Threat to Enterprises

By Jonas Walker and Daniel Kwong | January 20, 2023

Ransomware continues to be one of the most damaging and disruptive cyberattacks, while for cybercriminals, encrypting networks and demanding payment in exchange for the decryption key is the easiest way to quickly make a large amount of money. Cybersecurity is no longer just an IT problem but also a business problem, and organizations are realizing this the hard way. With one wrong click, users can provide complete access to their organization’s confidential files, giving attackers the opportunity to use ransomware to halt operations and disrupt production. Jonas Walker, Security Strategist at FortiGuard Labs, and Daniel Kwong, Fortinet Field CISO, provide insight into today’s ransomware trends, the ways in which they are impacting businesses, and how enterprises can get ahead of the risk with a comprehensive cybersecurity strategy.

What is enterprise ransomware?

Jonas: Ransomware is a subset of malware. It is mainly used by financially motivated threat actors. Unfortunately, it is used against more than just enterprises; any organization is a target for ransomware attacks today. The purpose of ransomware is to encrypt the target’s data while holding the data hostage in exchange for a ransom settlement or payment. Ransomware has evolved dramatically, and today ransomware threatens to publish, block, corrupt, or even wipe data—while simultaneously preventing the target from working on or accessing their computer unless they comply with the attacker’s demands. Ransomware is usually deployed at the later stage of a cyberattack. Initially, most ransomware attacks start through phishing emails that include malicious attachments that can infect a user’s computer if opened, or through drive-by downloads or exploit kits. Social engineering is also often involved in ransomware attacks to gain initial access to the target’s environment. One common social engineering tactic is to send emails or text messages to scare the target into sharing sensitive information, opening a malicious file, or clicking on a malicious link.

Why is ransomware now the biggest cybersecurity concern for businesses?

Daniel: It all comes down to risk. Cyber risk is increasing today for enterprises, which can present many ransom opportunities for hackers who, again, are financially motivated. For example, CIO and CISO teams are being tasked with securing business-critical initiatives such as work-from-anywhere and ongoing digital acceleration, which greatly expands the threat landscape. Meanwhile, many organizations have new sustainability goals that also factor into security. They must do this while managing a global skills shortage.

Ransomware Risks and Concerns for CIOs and CISOs:

  • Lack of an effective incident response plan
  • Unrecoverable data due to ransomware encryption or data destruction
  • Limited network segmentation according to the importance of data
  • Inability to do threat intelligence sharing with different point cybersecurity products
  • Lack of security awareness around whose devices are infected with ransomware
  • Ransomware combined with an info stealer trojan leading to a leak of company data into the dark web

Jonas: Attackers continue to introduce new strains of ransomware while also updating, improving, and reusing existing ones, all while making them more sophisticated and aggressive to challenge security layers at corporate networks. Our FortiGuard Labs team found 10,666 ransomware variants in the first six months of this year; the previous period saw just 5,400.

What are some of the best ransomware protections for enterprises?

Daniel: Ransomware is one of the most serious threats facing enterprises today. In order to protect your business, you need to have a comprehensive ransomware protection strategy in place.

One of the best ways to protect against ransomware is to focus on endpoint detection and response (EDR). Most ransomware deployment tactics are based on phishing or vulnerable endpoints. That said, endpoint security technology incorporated with artificial intelligence (AI) and machine learning (ML) technologies can help you identify and block ransomware attacks before they can do any damage since most of these attacks are based on polymorphic malware.

SOC-as-a-service (Security Operations Center as a Service) can also be helpful in alerting and responding to ransomware attacks by detecting deeper lateral movement of ransomware that attempts to collect intelligence and attack other high-value targets. Finally, reducing the attack surface that is exposed externally by using a Digital Risk Protection Service (DRPS) is an important step to continuously monitor your business for vulnerabilities that may attract ransomware.

By taking these steps, you can help to ensure your business is protected from this increasingly common and dangerous threat.

Jonas: Ransomware needs to be treated like any other malware. The goal is to keep the attackers outside of your network. In order to do that, it’s important to follow security best practices. Additionally, to protect environments effectively, organizations must first realize that cybersecurity should be a key priority. A robust cybersecurity strategy is critical to surviving in the long term. It's perfectly fine to realize that help is needed and to bring outside help to tackle the challenges. Penetration testing is very effective, and if done correctly, shows exactly how attackers would exploit vulnerabilities in corporate environments. From a technical point of view, it's important to keep track of administrative accounts and passwords in general. In my opinion, every employee should use multi-factor authentication wherever possible as well as a password manager. Last but not least, invest in your endpoint users as much as possible. Awareness training and explaining why rules exist can make a big difference.

Where do business continuity or mitigation plans fit in a ransomware attack?

Jonas: A successful ransomware attack will freeze a business completely from operating. That said, it is important to prepare in advance with, for example, tabletop exercises, business continuity, and disaster recovery plans. A comprehensive security policy that covers things like remote access protocols and managing user-owned devices on the network is also key. Additionally, it is important that IT teams are able to ensure that all devices connected to the corporate network meet network security standards before they are allowed to connect. On top of that, organizations must confirm they are keeping pace with patch management and maintaining a comprehensive security posture.

How does Endpoint Detection and Response (EDR) protect against ransomware?

Daniel: Endpoints are the primary target for ransomware. EDR helps protect endpoint systems from malware and other threats and provides real-time visibility into activity on a system while also quickly identifying and responding to suspicious activity using advanced AI technology. This helps to protect against ransomware and other threats that can disable a system or encrypt its data.

EDR software works by constantly monitoring activity on an endpoint system. When suspicious activity is detected, the software can take action to remediate the threat before it becomes a threat. This may include isolating the system from the network and quarantining files. Good EDR software can also provide information that can help to identify the source of the threat and generate threat intelligence that integrates with other protection services, such as next-generation firewalls, in the cyber kill chain to prevent it from entering your network again. EDR is one of the most important parts of a comprehensive security strategy, and will provide organizations with knowledge of adversary tactics, techniques, and procedures for ransomware activities.
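To make the monitor-detect-respond loop described above concrete, here is an added example of a toy behavioural detector of the kind an EDR agent runs over file-system telemetry. It is illustrative code written for this page, not Fortinet's or any vendor's detection logic. The telemetry events, the process names, the sliding-window length, the file-count threshold and the extension-change ratio are all constructed assumptions; real products tune these against much richer signals. The rule it implements is deliberately narrow: one process that touches many distinct files in a short window and renames most of them to a new extension is flagged, and the response plan is the one the passage names (isolate the host, quarantine the touched files). A backup agent that writes many files without renaming them is included to show the rule not firing on a benign bulk writer.

```python
"""Toy EDR-style ransomware-behaviour detector (added example, not vendor code)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Assumed tuning values for illustration only.
WINDOW_SECONDS = 10      # sliding window per process
FILE_THRESHOLD = 20      # distinct files touched inside the window
EXT_CHANGE_RATIO = 0.8   # share of window events that renamed a file to a new extension


@dataclass
class Event:
    """One file-system telemetry record as an agent might emit it (constructed format)."""
    ts: float          # seconds
    pid: int
    process: str
    action: str        # "write" or "rename"
    path: str
    new_path: str = "" # only for renames


@dataclass
class Verdict:
    pid: int
    process: str
    files: list = field(default_factory=list)


class RansomwareBehaviourDetector:
    """Keeps a per-process sliding window and fires once per process when the rule trips."""

    def __init__(self):
        self._windows = defaultdict(deque)   # pid -> deque of (ts, path, ext_changed)
        self._flagged = set()

    def observe(self, ev: Event):
        """Feed one event; return a Verdict the first time a process trips the rule, else None."""
        ext_changed = False
        if ev.action == "rename":
            ext_changed = PurePosixPath(ev.path).suffix != PurePosixPath(ev.new_path).suffix
        win = self._windows[ev.pid]
        win.append((ev.ts, ev.path, ext_changed))
        # Expire events that fell out of the window.
        while win and ev.ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()
        if ev.pid in self._flagged:
            return None
        distinct = {p for _, p, _ in win}
        ratio = sum(1 for _, _, c in win if c) / len(win)
        if len(distinct) >= FILE_THRESHOLD and ratio >= EXT_CHANGE_RATIO:
            self._flagged.add(ev.pid)
            return Verdict(pid=ev.pid, process=ev.process, files=sorted(distinct))
        return None


def plan_response(verdict: Verdict) -> list:
    """Response actions in the order an agent would take them (constructed action names)."""
    actions = ["isolate_host", f"terminate_process:{verdict.pid}"]
    actions += [f"quarantine:{path}" for path in verdict.files]
    return actions


def constructed_telemetry() -> list:
    """Constructed sample: a benign bulk writer followed by a ransomware-like renamer."""
    events = []
    # Benign backup agent: 30 writes, no renames, so the extension-change ratio stays 0.
    for i in range(30):
        events.append(Event(ts=1.0 + i * 0.1, pid=101, process="backup-agent",
                            action="write", path=f"/srv/backup/file{i}.bak"))
    # Suspicious process: 25 documents renamed to a new extension within 2.5 seconds.
    for i in range(25):
        events.append(Event(ts=5.0 + i * 0.1, pid=202, process="unknown.exe",
                            action="rename", path=f"/home/alice/docs/report{i}.docx",
                            new_path=f"/home/alice/docs/report{i}.docx.locked"))
    return sorted(events, key=lambda e: e.ts)


def run(events: list) -> list:
    """Replay telemetry through the detector and collect verdicts."""
    detector = RansomwareBehaviourDetector()
    return [v for v in (detector.observe(ev) for ev in events) if v is not None]


if __name__ == "__main__":
    for verdict in run(constructed_telemetry()):
        print(f"pid {verdict.pid} ({verdict.process}) flagged on {len(verdict.files)} files")
        for action in plan_response(verdict):
            print("  ", action)
```

The verdict is raised on the twentieth distinct file, so the response starts while the remaining files are still untouched; that early cut-off, not the detection itself, is what limits the damage. The ratio term is what keeps the backup agent quiet, and a real agent would add more such discriminators (entropy of written data, deletion of shadow copies, known-good process allow-lists) rather than relying on counts alone.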

Cybersecurity Is a Priority, Not an Afterthought

Currently positioned as one of the most serious threats facing enterprises today, ransomware shows no sign of slowing. Organizations must therefore get ahead of the threat, rather than wait for it, because it’s not a matter of “if” but “when” it will happen. To do this, organizations must realize that cybersecurity should not be an afterthought but a priority, and implement the proper tools to build an effective security strategy.