
Ransomware has hit epidemic levels — does your organization have a cyberattack response plan?

By Adam Belsher
November 3, 2021

If the Colonial Pipeline, Accenture and JBS attacks didn’t convince you of the severity of ransomware, perhaps the grim words of FBI Director Christopher Wray will. In an interview with the Wall Street Journal, Wray recently went as far as comparing the challenges posed by ransomware to 9/11, revealing the FBI is investigating 100 different ransomware variants.

As their ambitions grow, cybercriminals are becoming increasingly dangerous. In 2020, a new organization became a victim of ransomware every 10 seconds, according to Check Point. It’s never been easier to carry out a ransomware attack, especially when the Ransomware as a Service model opens the door for criminals without the technical knowledge to develop their own variants. Emsisoft recently estimated that the global damages in ransom costs alone have surpassed $18 billion, with $920 million of that sum attributed to the United States. By all accounts, those numbers are only projected to worsen.

In the face of this rising threat, it is crucial for organizations to plan for what may very well be inevitable. Leadership teams can no longer afford to deploy short-sighted cybersecurity strategies that focus solely on preventative measures. If ransomware breaches their first line of defense, it is essential for organizations to have a post-incident strategy in place that includes plans, procedures and responsibilities to mitigate the damage. Part of this strategy must leverage digital forensics to investigate the initial threat vector, assess the damage and ensure repeat attacks cannot occur.

Digital forensics may not have had a consistent role in some legacy cybersecurity suites, but it was being used for post-incident analysis as early as 2001. The National Institute of Standards and Technology (NIST) cybersecurity framework has also validated the role of digital forensics in cybersecurity strategies by identifying it as a key action that takes place during the “respond” phase. Over time, organizations have increasingly begun to seek out digital forensics technology to play a key role in how they handle a new generation of threats.

The organizations that have successfully implemented digital forensics will either keep digital forensic specialists on staff to lead investigations or have them pre-identified, or even on retainer, from a third party. In a ransomware attack, these forensic analysts will be alerted to a potential threat by their security teams and immediately begin to validate the initial threat vector and identify the first system that was corrupted. This is possible with the remote acquisition technology incorporated into digital forensic tools, which enables analysts to remotely connect to employee devices, image entire disk drives on Windows or Mac and recover data from cloud-based sources such as Microsoft Office 365, Slack or Amazon Web Services.

The most common ransomware attacks begin with an employee or contractor accidentally clicking on a malicious link. Many of those links are socially engineered to lure the employee in. In this case, performing remote data acquisitions would allow an analyst to quickly cycle through every employee’s email inbox, narrow their focus to recently opened emails and confirm that one of them contained malicious content, identifying their “patient zero.” Time is of the essence and analysts cannot afford to wait for an employee to admit to their mistake, if they’re even aware of it, when it takes ransomware an average of three seconds to begin file encryption.

By the time the initial threat vector has been identified, cybercriminals will have already wreaked havoc on the system and sent a ransom note. It now becomes the job of the analyst to use digital forensics to trace the attacker’s movements and try to contain the damage and prevent further spread across other network segments.

Analysts can build timelines of events using timestamps, event logs and other data that give them a step-by-step breakdown of what a cybercriminal did after gaining access to the system. Criminals deploying ransomware will often seek to transfer important documents onto their own devices, plant back doors, begin encrypting valuable data and find a jumping-off point to another system that may bring them one step closer to achieving domain access or entering the C-suite. If the attacker does successfully gain access to another system, an analyst can connect to that new endpoint and repeat their work.

This process isn’t just critical while a criminal is in the midst of encrypting files; it also directly influences how well an organization can recover from an attack. In their digital forensic analysis, analysts can seek to identify whether volume shadow copies, the point-in-time snapshots that Windows periodically takes of files, have also been tampered with. In some cases, attackers will look to delete shadow copies in advance of encrypting an organization’s files so that victims feel they have no recourse but to pay a ransom. Working to recover deleted files is a much better scenario for analysts than the encryption alternative because digital forensic tools have the ability to retrieve them. In fact, it’s one of the technology’s main uses for police agencies investigating cybercrime and cyber-enabled crime, such as terrorism and human trafficking. With volume shadow copies recovered, organizations can feel secure that they have enough data to fast-track recovery and potentially avoid paying a ransom.

Regardless of whether an organization chooses to pay a ransom or move on without their encrypted files, they’ll need to begin to build up their defenses once more in preparation for the next attack. A digital forensic analysis will allow organizations to learn from their mistakes and have a full understanding of how a phishing email, remote desktop protocol hack or more sophisticated method opened the door for cybercriminals. With this information in hand, organizations can patch their defenses and ensure a second breach does not occur through the same weakness.

Unfortunately, repeat attacks are common with ransomware. A 2021 Cybereason report found that 80 percent of organizations that pay ransoms were exposed to a repeat attack and, in 46 percent of the cases, the attack was carried out by the same culprit. These criminals are known to leave back doors in the systems they’ve breached so they can attack a second time or sell the access to another criminal. Shipping and technology company Pitney Bowes suffered two attacks within a single year, while Toll Group, an Australian logistics company, was attacked twice in the span of three months. A digital forensic analyst can identify any back doors or remnants of ransomware on an organization’s systems before they’re brought back online. 

The final goal of digital forensic analysis is to identify the attacker and bring them to justice. The chances of doing so in an external ransomware attack are limited because criminals are often protected by geographic and political barriers. However, the same cannot be said about insiders who unleash ransomware on their own systems. Cybercriminals are reaching out to employees and offering a cut of the rewards if they unleash ransomware on their own employers. Some groups, like LockBit, even leave a solicitation for employees as part of their ransomware notes.

Analysts can determine if a ransomware attack originated from inside their organizations by building out the timeline of events that occurred before an attack. They may find that a USB drive was connected to the system where the attack originated and that the files opened from it were malicious. This data will serve as critical digital evidence in both civil and criminal proceedings. Prosecutors can rest assured that the tools used to recover it have been deemed reliable multiple times in state and federal courts because they’re forensically sound and uphold the chain of custody.
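The timeline work described in the three passages above (ordering events across hosts to see where the intruder went, checking whether volume shadow copies were deleted before encryption began, and spotting a removable drive connected just before the first malicious execution) can be illustrated with a small script. The example below is added here and is not part of the article or of any Magnet Forensics product; the log format, hostnames, drive letters, file names and timestamps are all constructed for the illustration, and the two shadow-copy deletion command patterns it looks for are the commonly documented ones rather than a complete list.

```python
"""Added example (not part of the article): build one cross-host timeline from
constructed Windows-style log records and flag the indicators the article
describes.  Record format, hostnames and every value below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
import re


@dataclass(order=True)
class Event:
    ts: datetime   # UTC; ordering on ts first is what makes sorted() build the timeline
    host: str
    kind: str      # one of: usb, process, logon, file
    detail: str


# Constructed log export, one record per line: "<UTC timestamp> <host> <kind> <detail>".
# Records are deliberately out of order, as merged exports from several hosts usually are.
SAMPLE_LOG = """\
2021-10-04T13:06:15Z FS-01 process vssadmin.exe delete shadows /all /quiet
2021-10-04T13:02:11Z WS-17 usb removable disk mounted as E:
2021-10-04T13:03:40Z WS-17 process E:\\invoice.xlsm opened by excel.exe, spawned powershell.exe
2021-10-04T13:04:10Z DC-01 logon type3 from WS-17 as corp\\jdoe
2021-10-04T13:05:02Z FS-01 logon type10 from WS-17 as corp\\svc_backup
2021-10-04T13:06:30Z FS-01 process wmic shadowcopy delete
2021-10-04T13:07:00Z FS-01 file D:\\shares\\finance\\Q3.xlsx renamed to Q3.xlsx.locked
2021-10-04T13:07:01Z FS-01 file D:\\shares\\finance\\README_RESTORE.txt created
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(usb|process|logon|file)\s+(.*)$")

# Command lines that remove volume shadow copies (the two most commonly documented forms).
SHADOW_DELETE_PATTERNS = (
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic\s+shadowcopy\s+delete", re.I),
)


def parse_log(text):
    """Parse records, attach UTC, and return them sorted into a single timeline."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed records instead of aborting the whole export
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def host_order(events):
    """Hosts in order of first appearance: the path the intruder took from system to system."""
    seen = []
    for e in events:
        if e.host not in seen:
            seen.append(e.host)
    return seen


def shadow_copy_deletions(events):
    """Process events that removed shadow copies; if any precede encryption,
    the built-in snapshots cannot be relied on for recovery."""
    return [e for e in events if e.kind == "process"
            and any(p.search(e.detail) for p in SHADOW_DELETE_PATTERNS)]


def first_encryption(events):
    """Earliest file event that looks like ransomware output (a rename to a new extension)."""
    for e in events:
        if e.kind == "file" and "renamed to" in e.detail:
            return e
    return None


def removable_media_executions(events, window=timedelta(minutes=10)):
    """Pair a removable-drive mount with a process launched from that drive letter
    on the same host within `window`: the pre-attack pattern the article describes."""
    pairs = []
    for usb in (e for e in events if e.kind == "usb"):
        m = re.search(r"mounted as ([A-Z]):", usb.detail)
        if not m:
            continue
        drive = m.group(1) + ":\\"
        for proc in events:
            if (proc.kind == "process" and proc.host == usb.host
                    and usb.ts < proc.ts <= usb.ts + window
                    and proc.detail.startswith(drive)):
                pairs.append((usb, proc))
    return pairs


def patient_zero(events):
    """Host of the earliest suspicious event (removable-media execution or shadow-copy deletion)."""
    suspicious = [proc for _, proc in removable_media_executions(events)]
    suspicious += shadow_copy_deletions(events)
    return min(suspicious).host if suspicious else None


def render_timeline(events):
    return [f"{e.ts:%Y-%m-%d %H:%M:%S}Z {e.host:<6} {e.kind:<7} {e.detail}" for e in events]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("\n".join(render_timeline(evs)))
    print("hosts in order of appearance:", host_order(evs))
    print("patient zero:", patient_zero(evs))
    for e in shadow_copy_deletions(evs):
        print("shadow copies deleted on", e.host, "at", e.ts, "->", e.detail)
    enc = first_encryption(evs)
    print("first encryption observed:", enc.host if enc else None, enc.ts if enc else None)
```

On the constructed data the timeline runs WS-17 → DC-01 → FS-01, the removable-drive mount on WS-17 is paired with a macro document executed from it within two minutes, and both shadow-copy deletions on FS-01 land before the first renamed file, which is exactly the sequence that tells an analyst the snapshots on that server need to be recovered rather than trusted.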

Leadership teams can no longer afford to underestimate ransomware. Cybercriminals have more than proven that they are able to crack the defenses of some of the world’s largest organizations. With each passing day, they’re growing in number, experience and sophistication. It may be uncomfortable, but organizations have to plan for the day that their systems are breached, their files are encrypted and criminals extort them for millions of dollars. Within a diversified cybersecurity strategy, digital forensics can ensure, on that day, organizations have the means to react and, more importantly, recover. 

KEYWORDS: cyber attack, cyber criminal, cyber security leadership, data breach costs, employee training, hacking news, ransomware


Adam Belsher is CEO of Magnet Forensics, a developer of digital investigation solutions. After thirteen years in leadership roles at BlackBerry, Adam helped found Magnet Forensics in 2010. The company's tools have helped police and national security organizations recover, analyze and report on critical digital evidence related to cyber-enabled and cybercrime, while helping enterprises investigate data breaches, fraud, IP theft and human resources complaints.
