Four steps to deliver a deadly counterpunch to ransomware attacks

By Sally Eaves, Mathew Newfield
June 1, 2021

With phishing sites growing 640% in 2019, 65% of ransomware delivered via phishing and 90% of corporate data breaches caused by human error, the ransomware threat hangs over every IT professional. The average cost of a breach ranges from $5.11 million for large organizations to $2.65 million for smaller ones. The 2020 global cost to victims of ransomware was estimated at $20 billion.

Ransomware is a specific type of malware designed to encrypt a computer’s content until the user pays to get the recovery key. This effectively halts productivity, impacting business revenue. However, IT professionals can take decisive action to minimize both the threat and the impact of ransomware.

Here are steps you can take to protect your enterprise against ransomware, limit the impact of a breach, understand where an attack can be stopped, and act fast if a hacker succeeds in gaining access.

Step 1: Protect the Enterprise

Develop a ransomware plan so you will be prepared to respond rapidly. Follow best practices such as strong vulnerability management and patching policies, regular system backups, multifactor authentication (MFA), and restriction of local administrator rights and privileges. Encourage, train, and periodically retrain users to never click on links or open attachments in unsolicited emails; to back up data on a regular basis, keep it on a separate device and store it offline; and to follow safe practices when browsing the internet, including good security habits.

It is also important to employ security tools that provide link filtering, domain name system (DNS) blocking/filtering, malware detection, and intrusion detection and prevention. Adopt zero trust/least privilege to restrict users’ ability to install and run software, and apply the principle of least privilege to all systems and services. Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.

Lastly, arrange for rapid access to new servers or endpoints in case the ransomware infects the BIOS of your current systems. And consider anti-encryption technologies such as endpoint detection and response (EDR) solutions that restrict a system’s ability to encrypt locally.

Step 2: Minimize the Impact

Take action to minimize the impact of a breach. This is critical, since any system can be breached if bad actors have sufficient time and resources to carry out their objectives. Measures include, but are not limited to, backing up files and periodically exercising the process of recovering and restoring them.

Security leaders should also establish a solid incident response (IR) program, and practice it periodically. Review your IR policies, engage in tabletop exercises, and use operational benchmarking to improve your ability to respond.

Lastly, implement microsegmentation and dynamic isolation. Microsegmentation partitions the network to prevent attacks from spreading east-west, significantly reducing the damage that can be done to your environment. Dynamic isolation, in turn, allows you to isolate a device or user at the first sign of compromise. For example, if a system begins scanning the environment, the device can be isolated immediately until the situation has been reviewed.
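
Below is an added example, not from the article or its authors, of the scanning trigger just described: a small detector reads connection events, flags a source that reaches many distinct hosts or many distinct ports on one host within a short window, and turns each detection into a quarantine request for review. The log lines, addresses and thresholds are constructed for the example; the EDR or NAC API that would actually apply the quarantine is assumed and is not called.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connection events (time src dst dport outcome).
# These lines are made up for this example and are not from the article.
# 10.0.1.20 sweeps SMB (445) across many hosts, 10.0.1.22 probes many ports on
# a single host, and 10.0.1.31 is ordinary traffic that must not be flagged.
SAMPLE_LOG = """
2021-06-01T09:00:00 10.0.1.31 10.0.2.5 443 ok
2021-06-01T09:00:01 10.0.1.20 10.0.2.1 445 refused
2021-06-01T09:00:01 10.0.1.20 10.0.2.2 445 refused
2021-06-01T09:00:01 10.0.1.20 10.0.2.3 445 refused
2021-06-01T09:00:02 10.0.1.20 10.0.2.4 445 refused
2021-06-01T09:00:02 10.0.1.20 10.0.2.5 445 ok
2021-06-01T09:00:02 10.0.1.20 10.0.2.6 445 refused
2021-06-01T09:00:03 10.0.1.20 10.0.2.7 445 refused
2021-06-01T09:00:03 10.0.1.20 10.0.2.8 445 refused
2021-06-01T09:00:03 10.0.1.20 10.0.2.9 445 refused
2021-06-01T09:00:04 10.0.1.20 10.0.2.10 445 refused
2021-06-01T09:00:04 10.0.1.20 10.0.2.11 445 refused
2021-06-01T09:00:05 10.0.1.22 10.0.2.9 21 refused
2021-06-01T09:00:05 10.0.1.22 10.0.2.9 22 ok
2021-06-01T09:00:05 10.0.1.22 10.0.2.9 23 refused
2021-06-01T09:00:06 10.0.1.22 10.0.2.9 25 refused
2021-06-01T09:00:06 10.0.1.22 10.0.2.9 80 ok
2021-06-01T09:00:06 10.0.1.22 10.0.2.9 110 refused
2021-06-01T09:00:07 10.0.1.22 10.0.2.9 135 refused
2021-06-01T09:00:07 10.0.1.22 10.0.2.9 139 refused
2021-06-01T09:00:07 10.0.1.22 10.0.2.9 443 ok
2021-06-01T09:00:08 10.0.1.22 10.0.2.9 3389 refused
2021-06-01T09:00:09 10.0.1.31 10.0.2.5 443 ok
2021-06-01T09:00:10 10.0.1.31 10.0.2.12 445 ok
"""


def parse_line(line):
    """One log line -> (timestamp, src, dst, dport, outcome)."""
    ts, src, dst, dport, outcome = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), outcome


def detect_scanners(log_text, window=timedelta(seconds=60),
                    host_threshold=10, port_threshold=10):
    """Return {src: reason} for every source that, inside a sliding time window,
    reaches host_threshold distinct hosts (horizontal sweep) or port_threshold
    distinct ports on one host (vertical scan). Refused connections count too:
    a scanner collects mostly refusals, which is what makes the burst visible.
    The source is flagged as soon as the threshold is crossed, not afterwards."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    secs = int(window.total_seconds())
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            hosts = {e[2] for e in win}
            if len(hosts) >= host_threshold:
                flagged[src] = f"{len(hosts)} distinct hosts in {secs}s"
                break
            ports_by_dst = defaultdict(set)
            for e in win:
                ports_by_dst[e[2]].add(e[3])
            dst, dports = max(ports_by_dst.items(), key=lambda kv: len(kv[1]))
            if len(dports) >= port_threshold:
                flagged[src] = f"{len(dports)} distinct ports on {dst} in {secs}s"
                break
    return flagged


def isolation_actions(flagged):
    """Turn detections into quarantine requests. The EDR/NAC API that would
    receive them is assumed (the article names none), so the records are
    returned for review instead of being sent anywhere."""
    return [{"host": src, "action": "quarantine", "reason": why,
             "release": "analyst review required"}
            for src, why in sorted(flagged.items())]


if __name__ == "__main__":
    for action in isolation_actions(detect_scanners(SAMPLE_LOG)):
        print(action)
```

The thresholds are deliberately conservative so that a workstation opening a handful of shares is not quarantined; tuning them against a baseline of normal east-west traffic is the part of dynamic isolation that takes the most care, because a false positive isolates a working user.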

Step 3: Break the Cyber Kill Chain

To better understand how to protect your enterprise, consider the Cyber Kill Chain, which outlines the steps a threat actor will take to infect a host and spread malware.

Attackers usually start with reconnaissance. Based on that information, they select the appropriate vehicle to weaponize with malware. Reconnaissance can also involve an attacker with access to the environment who is running network scanning and other tools to build an asset/vulnerability inventory. With this inventory, it is much easier to launch a pre-configured exploit against known vulnerabilities.

The attacker then decides how to distribute the payload. This is often done through phishing, spear phishing, or whaling emails because people are susceptible to deception. The attacker will send a user a cleverly crafted email with a link to click or a weaponized document to open.

You can break the Cyber Kill Chain with:

  • Link filtering
  • DNS blocking/filtering
  • Malware detection
  • Monitoring malicious behavior to block known malicious email addresses
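
As an added illustration (not part of the original article), the link-filtering control above can be shown as a simple message scanner: it pulls every link out of an HTML email, checks the host against a domain blocklist (including parent domains), and flags the usual lure patterns of a raw IP host, credentials embedded in the URL, and anchor text that displays a different host than the link actually visits. The blocklist entries, the sample message and the 203.0.113.7 address are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed blocklist and sample message, made up for this example (not from the article).
BLOCKED_DOMAINS = {"login-verify.example", "bad-cdn.example"}

SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Reset it here:
<a href="https://mail.login-verify.example/reset">https://mail.corp.example/reset</a></p>
<p>The invoice is at <a href="http://203.0.113.7/inv.zip">Invoice</a>.</p>
<p>Policy reminder: https://intranet.corp.example/policies/acceptable-use</p>
<p>Archive: https://bank.example@bad-cdn.example/login</p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def hostname_of(url):
    """Host part of a URL, lower-cased by urlsplit, or None if it cannot be parsed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def is_blocked(host, blocklist):
    """True if the host or any parent domain is on the blocklist, so that
    mail.login-verify.example is caught by an entry for login-verify.example."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, visible_text, blocklist):
    """Collect every reason to block one link; an empty list means allow."""
    host = hostname_of(href)
    reasons = []
    if host is None:
        reasons.append("unparseable URL")
    else:
        if is_blocked(host, blocklist):
            reasons.append("domain on blocklist")
        if is_ip_literal(host):
            reasons.append("raw IP address host")
        if urlsplit(href).username:
            reasons.append("credentials in URL")
        # Anchor text that is itself a URL must point at the same host as the href.
        shown = hostname_of(visible_text) if URL_RE.fullmatch(visible_text) else None
        if shown and shown != host:
            reasons.append("visible text points to a different host")
    return {"url": href, "host": host, "reasons": reasons,
            "action": "block" if reasons else "allow"}


def check_message(body, blocklist=BLOCKED_DOMAINS):
    """Evaluate every link in an HTML message body: anchors first (href plus
    visible text), then bare URLs in the text that remains once anchors are removed."""
    results = []
    for m in ANCHOR_RE.finditer(body):
        href, text = m.group(1), TAG_RE.sub("", m.group(2)).strip()
        results.append(check_link(href, text, blocklist))
    remainder = ANCHOR_RE.sub("", body)
    for url in URL_RE.findall(remainder):
        results.append(check_link(url, "", blocklist))
    return results


if __name__ == "__main__":
    for r in check_message(SAMPLE_EMAIL):
        print(r["action"], r["host"], r["reasons"])
```

A DNS-level filter applies the same parent-domain match to every name a host resolves, which is why the two controls complement each other: the mail filter stops the click, the resolver stops the connection if a link slips through by another channel.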

Once attackers penetrate the target, they don’t necessarily release the malware promptly. Instead, they dwell there to maximize their impact, roaming the network undetected, corrupting additional devices and discovering and perhaps exfiltrating data.

You can break the Cyber Kill Chain at this point by:

  • Educating users about phishing and other forms of social engineering
  • Providing a simple and effective process for employees to report suspicious emails
  • Using intrusion detection systems (IDS) and intrusion prevention systems (IPS), including EDR and anti-ransomware solutions
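
The anti-ransomware capability listed above depends on recognizing encryption in progress from endpoint telemetry. The following is an added example, not code from the article or its authors, of that heuristic: a process that within a short window both overwrites several files with near-random (high-entropy) content and renames them to a new extension is flagged at the moment the threshold is crossed, while there are still files it has not reached. The file events, the process name svc_update.exe and the paths are constructed; the sha256-chain generator only stands in for ciphertext so that the sample is deterministic.

```python
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes.
    Encrypted output sits near 8; documents and spreadsheets sit far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(seed, size):
    """Deterministic random-looking bytes (sha256 chain) standing in for
    ciphertext in the constructed sample, so every run gives the same answer."""
    out, h = b"", seed
    while len(out) < size:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:size]


def event(ts, proc, op, path, new_path=None, data=b""):
    """One file-activity record; entropy is computed once, at ingestion."""
    return {"ts": ts, "proc": proc, "op": op, "path": path,
            "new_path": new_path, "entropy": shannon_entropy(data)}


def constructed_events():
    """Sample endpoint telemetry made up for this example (not from the article).
    winword.exe saves two documents normally; svc_update.exe (a hypothetical name)
    overwrites eight files with random-looking bytes and renames each to a new extension."""
    t0 = datetime(2021, 6, 1, 14, 0, 0)
    evs = [
        event(t0, "winword.exe", "write", "/home/alice/Documents/budget.docx",
              data=b"Q3 budget summary. " * 200),
        event(t0 + timedelta(seconds=3), "winword.exe", "rename",
              "/home/alice/Documents/~tmp1.tmp", new_path="/home/alice/Documents/memo.docx"),
    ]
    targets = [f"/home/alice/Documents/report{i}.xlsx" for i in range(4)]
    targets += [f"/srv/share/finance/invoice{i}.pdf" for i in range(4)]
    for i, path in enumerate(targets):
        t = t0 + timedelta(seconds=10 + i)
        evs.append(event(t, "svc_update.exe", "write", path,
                         data=pseudo_random_bytes(path.encode(), 4096)))
        evs.append(event(t, "svc_update.exe", "rename", path, new_path=path + ".locked"))
    return evs


SAMPLE_EVENTS = constructed_events()


def detect_encryption_bursts(events, window=timedelta(seconds=30),
                             min_files=5, entropy_threshold=7.0):
    """Flag a process that, inside one sliding window, both writes high-entropy
    content to >= min_files files and changes the extension of >= min_files files.
    Details are captured at first detection, because that is the point at which an
    EDR must isolate the host to leave the remaining files untouched."""
    by_proc = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_proc[e["proc"]].append(e)

    flagged = {}
    for proc, evs in by_proc.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            high = {e["path"] for e in win
                    if e["op"] == "write" and e["entropy"] >= entropy_threshold}
            renamed = {e["path"] for e in win if e["op"] == "rename"
                       and PurePosixPath(e["path"]).suffix != PurePosixPath(e["new_path"]).suffix}
            if len(high) >= min_files and len(renamed) >= min_files:
                dirs = {str(PurePosixPath(p).parent) for p in high | renamed}
                flagged[proc] = {"detected_at": evs[end]["ts"],
                                 "high_entropy_writes": len(high),
                                 "extension_changes": len(renamed),
                                 "directories": sorted(dirs)}
                break
    return flagged


if __name__ == "__main__":
    for proc, details in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(proc, details)
```

Requiring both signals together is what keeps legitimate software quiet: an archiver or a backup agent also writes high-entropy output, and an editor also renames temporary files, but few benign processes do both to many files in the same half minute.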

Once the user downloads the malicious file and it is executed, the attacker gains control and takes action to achieve their objectives.

You can break the Cyber Kill Chain in these cases by isolating the machine through:

  • Sandboxing
  • Network-based isolation/microsegmentation
  • Host-based isolation, e.g., EDR
  • Physically unplugging affected devices

Step 4: Respond to an Attack

Hackers are increasingly sophisticated, so it is likely that a ransomware attack will breach your system(s) at some point. When that occurs, do the following to minimize the impact and recover your data.

Execute your ransomware plan. This will expedite your recovery from an attack, minimizing downtime. The plan should determine your company’s policy on paying a ransom. Experts recommend against paying a ransom because there is no guarantee that you will get your data back after paying; you might be in violation of a recent warning from the U.S. Treasury’s Office of Foreign Assets Control (OFAC) and subject to severe penalties; and paying only encourages more ransomware payment demands.

Identify the nature of the attack. By spending a few minutes figuring out what has happened, you can learn important information such as what variant of ransomware infected your network, what files it normally encrypts, and what options you have for decryption.

Then, isolate infected devices. Ensure that the infected devices are removed from the network. If they have a physical network connection, unplug it. If they are on a wireless network, turn off the wireless hub/router. Unplug any directly attached storage to try to save the data on those devices.

Now, recover and restore. In general, the easiest and safest method of recovery is to wipe the infected systems and rebuild them from a known good backup. Once rebuilt, ensure that no traces remain of the ransomware that led to the encryption. Determine if the ransomware has affected the BIOS on your current systems; if so, deploy your plan for accessing new servers or endpoints. Immediately ensure that any users impacted update their credentials. Finally, once ransomware has been remediated, restore the last known good backup files. 

Once you recover from the ransomware, review any gaps or inefficiencies encountered and develop a plan to ameliorate them. After your environment is rebuilt, the real work begins. Do a full environmental review to determine how the infection began and what steps you need to take to reduce the potential of another breach.

KEYWORDS: cyber security enterprise security phishing ransomware risk management

Sally Eaves is a senior policy advisor for Cyber Studies and Research, an independent, non-profit and non-partisan think tank that engages with global cybersecurity experts.

Mathew Newfield is senior vice president and Chief Security and Infrastructure Officer (CSIO) of Unisys. The CSIO organization comprises the former Unisys Information Technology (UIT) and Chief Information Security Office (CISO) organizations. It is responsible for delivering secure solutions that enable the company to serve its clients more effectively and for providing internal IT and security services across the enterprise.
