GUEST ESSAY: The drivers behind persistent ransomware — and defense tactics to deploy

By Eric George

The internet has drawn comparisons to the Wild West, making ransomware the digital incarnation of a hold-up.


However, today’s perpetrator isn’t standing in front of you brandishing a weapon. They could be on the other side of the globe, part of a cybercrime regime that will never be discovered, much less brought to justice.

But the situation isn’t hopeless. The technology industry has met the dramatic rise in ransomware and other cyber attacks with an impressive set of tools to help companies mitigate the risks. From sharing emerging threat intelligence to developing new solutions and best practices to prevent and overcome attacks, it’s possible to reduce the impact of ransomware when it happens.

The FBI’s Internet Crime Complaint Center (IC3) received 3,729 ransomware complaints in 2021, representing $49.2 million in adjusted losses. Healthcare and public health, financial services, and IT organizations are frequent targets, although businesses of all sizes can fall victim to these schemes.

The increase in remote workforces and difficulty enforcing security controls with expanding perimeters has played a role in the rise of ransomware. Likewise, lookalike and spoofed web domains and well-crafted phishing emails now easily trick employees into thinking they’re dealing with trustworthy sources.

A typical attack

Ransomware usually starts with a phishing email. An unsuspecting employee will open a legitimate-looking message and click a link or download a file that releases embedded malware onto their machine or the broader company network.

This gives the perpetrator the access needed to launch the ransomware and lock the company out of its own infrastructure or encrypt files until the ransom is paid in cryptocurrency.

Victims have two equally unattractive choices to resolve the situation. They can refuse to pay the ransom and have criminals release sensitive data. Or they can pay it—and often see the information released anyway. Not surprisingly, cyber criminals don’t always stick to their word.

High-stakes threat actors

Who are these masterminds? These threat actors aren’t playful hackers just testing their abilities. They’re often state-sponsored entities, foreign governments, or actual businesses. In fact, ransomware-as-a-service is alive and well, educating would-be offenders on how to undertake an attack and even offering customer support.

You may remember ransomware incidents that made the news in recent years, such as the Colonial Pipeline attack in 2021 that crippled national infrastructure or WannaCry in 2017 that exploited a Windows vulnerability. Sometimes ransom payments are recovered, but not always.

The impact of ransomware

The price tag of the ransom is just one of the many costs of these attacks, and remediation can often exceed this fee many times over. The inability to run the business effectively or access crucial data for days, weeks, or even months can result in lost revenue, customers, and opportunity.

Data, even when returned, can be damaged or useless, delaying ongoing projects. Altogether, the situation can cause the business reputational harm and losses spanning long periods.

Preventing ransomware

Like all cyberthreats, ransomware is constantly evolving as attackers become more sophisticated and bolder in their attempts. Building security with a layered approach is the most effective strategy as you work to move from passive to active defense.

These are just a few of the tactics you can take:

• Understand where sensitive data resides, how it’s protected, and why it’s valuable to outsiders

• Keep up on the latest cyber threats and monitor for lookalike/spoofed domains and registrations

• Educate employees on how to spot and respond to suspicious emails that bypass filters

• Bolster your monitoring and email authentication capabilities
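The second tactic above, monitoring for lookalike and spoofed domain registrations, is usually automated against a feed of newly registered domains. The script below is an added example (not code from the essay or from PhishLabs) showing the core triage logic: it screens a constructed feed of registrations against a constructed protected brand (examplebank.com), folds visually confusable characters (digits, "rn" for "m", Cyrillic letters) into the Latin letters a reader would perceive, and flags same-name-different-TLD, confusable-substitution, one-character typo, and brand-embedding cases. It takes the last two labels as the registrable domain for simplicity; a production tool would use the Public Suffix List.

```python
"""Lookalike-domain triage for a newly-registered-domain feed.

Added example; the protected domain and the feed entries are constructed and
are not real observations.
"""
import unicodedata
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the domains the organisation owns and wants to protect.
PROTECTED_DOMAINS = ["examplebank.com"]

# Constructed: a sample feed of new registrations (none are real).
SAMPLE_NEW_REGISTRATIONS = [
    "examp1ebank.com",          # digit '1' substituted for letter 'l'
    "exarnplebank.com",         # 'rn' substituted for 'm'
    "examplebank-login.com",    # brand with a plausible suffix
    "ex\u0430mplebank.com",     # Cyrillic 'а' (U+0430) in place of Latin 'a'
    "examplebank.co",           # same name under a different TLD
    "exampleban.com",           # one character dropped
    "weatherreport.org",        # unrelated registration
    "examplebank.com",          # the protected domain itself; must not alert
]

# Characters commonly swapped for visually similar ones. Multi-character
# keys are replaced before single characters are mapped.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


@dataclass(frozen=True)
class Finding:
    domain: str
    reason: str


def normalize_label(label: str) -> str:
    """Fold a domain label into the Latin letters a reader would perceive."""
    label = unicodedata.normalize("NFKC", label.lower())
    for multi in ("rn", "vv"):
        label = label.replace(multi, CONFUSABLES[multi])
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable label, TLD). Simplified: last two labels only."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return parts[-2], parts[-1]


def classify(candidate: str, protected: str) -> Optional[str]:
    """Explain why `candidate` looks like `protected`, or None if it does not."""
    cand_label, cand_tld = split_domain(candidate)
    prot_label, prot_tld = split_domain(protected)
    if (cand_label, cand_tld) == (prot_label, prot_tld):
        return None  # our own registration
    if cand_label == prot_label:
        return "same name under a different TLD"
    norm = normalize_label(cand_label)
    if norm == prot_label:
        return "confusable-character substitution"
    if levenshtein(norm, prot_label) <= 1:
        return "one edit away from protected label"
    if prot_label in norm:
        return "brand embedded in a longer label"
    return None


def screen(feed: List[str], protected: List[str] = PROTECTED_DOMAINS) -> List[Finding]:
    """Screen every feed entry against every protected domain; one finding per hit."""
    findings = []
    for candidate in feed:
        for brand in protected:
            reason = classify(candidate, brand)
            if reason is not None:
                findings.append(Finding(candidate, f"{reason} ({brand})"))
                break
    return findings


if __name__ == "__main__":
    for f in screen(SAMPLE_NEW_REGISTRATIONS):
        print(f"{f.domain!r}: {f.reason}")
```

Hits from a screen like this are the input to the rest of the process the essay describes: verification, takedown requests through the registrar, and blocking at the mail and web gateway. Widen the confusable map and edit-distance threshold only with a review queue behind them, since both trade false negatives for analyst time.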

Incident response

Early detection is critical, and a ransomware attack keeps evolving as it unfolds, so the response you take is likely to shift as you learn more along the way. Have a response plan that details the steps you can take across all departments.

Even after you’ve determined whether to pay the ransom, you’ll need ongoing monitoring for stolen data and compromised domains on the dark web and social media sites. Your experience will also inform employee education practices and the types of safeguards you put in place going forward.

Go in depth on ransomware and learn how to protect your business in this report from PhishLabs by HelpSystems: Ransomware Playbook: Defense in Depth Strategies to Minimize Impact.

About the essayist: Eric George is the Director of Solution Engineering at PhishLabs by HelpSystems. He has held over 10 industry certifications including CISSP and serves as a Technical Malware Co-Chair for the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).
