Ransomware: Current state or already too late?

Patrik Honegger has worked in the IT sector since the 1990’s and has specialized in the IT security field since 2000. He joined Check Point in 2001. Since joining Check Point, he has been involved with the full array of company solutions and customer sectors and maintains a deep technological understanding of products and customers’ needs. Patrik has successfully fulfilled roles as Security Engineer, Lead Consultant and Head of Security & Systems Engineering for Alps. He is serving as Customer Advocacy Manager for Central Europe, Member of the Office of the CTO and holds various technical certifications.

In this interview, Patrik Honegger, a Customer Advocacy Manager for Check Point, deep dives into the state of ransomware and recent trends. Discover practical steps for upgrading your ransomware prevention and defense programs to protect against serious and ever-evolving threats. Access expert knowledge and enhance your organization’s security measures.

Overall, security companies are continually evolving their ransomware prevention tools to keep pace with the changing threat landscape. As a result, organizations can benefit from working with their trusted security vendor to stay ahead of the latest threats and to protect their systems from ransomware attacks.

Would you please share a bit about the current state of ransomware?

The current state of ransomware is a very serious threat to individuals, businesses, and critical infrastructures. It is essential to take steps to protect against ransomware, such as the ones that we will discuss a bit later in this article.

Some recent dynamic trends include:

• Triple-extortion attacks: This is where attackers not only encrypt the victim’s files, but also threaten to release sensitive information, including sensitive data that might negatively impact third parties, unless the ransom is paid. This tactic has been particularly effective in targeting businesses and organizations with valuable or sensitive data.
• Ransomware-as-a-service (RaaS): This is where attackers rent out their ransomware tools to other cyber criminals, who then use them to launch attacks. This has lowered the barrier to entry for ransomware attacks, making it easier for less experienced hackers to get involved.
• Targeted attacks: Attackers are increasingly targeting specific organizations or industries with well-planned and executed attacks using multiple techniques that can bypass existing defenses.

Just to name a few.

How can organizations get more security out of the tools that they already have, if at all?

The best approach will be further optimizing and integrating existing security tools into a comprehensive security strategy. They should focus on consolidation security efforts to better protect against ransomware attacks.

• Ensure that your existing security tools are being used to their fullest potential by following best practices and guidelines provided by your trusted vendor.
• Integrate your existing security tools and automate their functions to reduce manual intervention and improve overall efficiency.
• Many security tools offer API’s that can be used to automate and orchestrate security workflows across different products. By using API’s, you can integrate existing security tools with other security tools or, even better, feed your existing SIEM system.
• Conduct regular assessments of your existing security products to ensure they are meeting your organization’s security needs. Identify any gaps or inefficiencies that need to be addressed. Check if the prevention aspect is fully covered or still only relying on detection only. Focus on prevention technologies.
• Consider working with a managed security service provider to optimize and manage your existing security tools. An MSSP can provide expert guidance and support, ensure tools are being used to their fullest potential, and assist in identifying and addressing any security gaps in real time.
• Provide professional services training to your security teams to ensure they are familiar with their existing tools, up-to-date versions and know how to use them effectively.

Where should CISOs start in upgrading ransomware prevention and defense programs?

As a CISO, you could initially start upgrading your ransomware prevention and defense programs by:

• Conducting a detailed risk assessment: This will help you to identify the assets that are most critical to your organization and the potential impact of a ransomware attack on those assets. This will help you prioritize your efforts and allocate resources effectively.
• Ensure that your organization has a robust backup strategy in place that includes regular backups of critical data, offline backups, and regular live testing of the recovery process to ensure its effectiveness and that it is working as expected. Some organizations might separate their admin user credentials to a different domain to ensure that, if the main organization is compromised, the backups are still intact.
• Develop and implement a security awareness training program: Educate your employees on the importance of strong passwords, safe browsing practices, and the dangers of phishing attacks. Ensure that they are aware of the latest ransomware threats and understand how to report suspicious activity themselves.
• Implement a layered security approach: Implement multiple layers of security controls such as firewalls, AV/anti-malware software, intrusion prevention systems etc., and use proper network segmentation. This will help to mitigate the impact of a ransomware attack and prevent lateral movement.
• Monitor for suspicious activity: Implement monitoring and alerting mechanisms to detect suspicious activity, such as unusual file access patterns or attempts to disable security controls.
• Ensure that your systems and software are up-to-date with the latest security patches and updates. Vulnerabilities in software can be exploited by ransomware attackers to gain access to your systems.
• Develop a plan that outlines the steps to be taken in the event of a ransomware attack, including who to contact and how to isolate infected systems. Ensure that the plan is regularly tested and updated. In a robust Incident Response plan, it is crucial to validate its effectiveness, and exercise it with different internal parties, such as IT and security teams, executive management and even applications teams, to adapt it to each department’s  business culture.
• Ensure a strong end point security posture, including end points, servers, and other organizational entry points. You not only need to focus on Microsoft Operating Systems alone, it is also important to cover macOS and Linux.
• Finally, compliance is key: Achieving 100% compliance is tricky. A good method can be using conditional access. If end points or users are not compliant or on a high risk state, then there is no further access to internal assets (like domain, databases, data centers etc.).

Overall, ransomware prevention and defense require a multi-layered and comprehensive approach that involves people, processes, and finally technology. As a CISO, it is essential to stay informed about the latest threats and trends in ransomware attacks and to take proactive measures to protect your organization.

What are cyber security companies, like Check Point, doing to improve ransomware prevention tools?

We are continually working to improve our prevention tools to stay ahead of the latest threats. Going into details would extend this interview by a lot, but we concentrate on various angles like:

• Threat intelligence
• Machine learning and AI
• Behavior analysis
• Automated responses
• Cloud security
• Threat hunting and of course focusing on pure research aspects

What are the biggest organizational blind spots when it comes to ransomware?

• Lack of employee awareness and training: Employees are often the weakest link in preventing ransomware attacks. Many organizations do not provide adequate training to their employees on how to spot, prevent or report ransomware attacks.
• Poor cyber security hygiene: Organizations often fail to implement basic cyber security measures, such as regular software updates, strong passwords, and multi-factor authentication to name a few, thus leaving their systems vulnerable to ransomware attacks.
• Over-reliance on legacy systems: Many organizations continue to rely on outdated technology and legacy systems that are more vulnerable to ransomware attacks; especially without implementing proper security measures to protect them.
• Inadequate data backup and recovery systems: Organizations often fail to regularly back up their data or test their backup and recovery systems, making it difficult to fully recover from a ransomware attack or at all.
• Failure to conduct regular risk assessments: It is important to conduct regular risk assessments to identify vulnerabilities and prioritize cyber security measures and to be prepared for a ransomware attack.
• Insufficient incident response plans: Organizations often do not have a clear plan in place for responding to a ransomware attack, which can result in a slower and less effective response.
• Lack of collaboration and communication: Departments within an organization often still work in their own silos, which can result in a lack of collaboration and communication, making it difficult to effectively prevent and respond to ransomware attacks.

Communication is also key here. It is important to address these blind spots by implementing comprehensive cyber security policies, regularly training employees on security best practices, assessing and updating security measures, and developing clear incident response plans.

What kinds of questions are customers asking about ransomware right now?

The questions usually vary a bit depending on the industry, size of the organization and on their level of cyber security know-how in general. Questions I usually get include:

• What is ransomware, and how does it work?
• What are the signs that my organization may be infected with ransomware?
• What are the typical ransomware infection chains?
• How can I prevent and not just detect ransomware attacks in real-time?
• How can I protect my organization from a ransomware attack?

It’s crucial for organizations to stay up-to-date on the latest ransomware threats and trends from a technology and informational perspective and to have a proactive approach to preventing and responding to attacks.

Is there anything else that you would like to share with the CyberTalk.org audience?

First, many thanks for again giving me the opportunity sharing my thoughts with you. Cyber security, especially the field of ransomware, is a constant challenge. Personally, I’ve now been part of the Check Point cyber security prevention journey for 22 years. If you’re interested in this specific sector, I highly suggest visiting Check Point’s specialized ransomware information page: https://www.checkpoint.com/ransomware-hub/

Furthermore, as I mentioned in the past in other articles, information security is an endless journey. Your starting point might be well defined, but your arrival is delayed, meaning you need to constantly reevaluate and enhance your security measures, and this is especially true when it comes to ransomware countermeasures.

For more outstanding insights from Patrik Honegger, please see CyberTalk.org’s past coverage. Want to stay up-to-date with trends in technology? Check out the CyberTalk.org newsletter. Sign up today to receive top-notch news articles, best practices and expert analyses; delivered straight to your inbox.