Best-in-class data backup and disaster recovery protocols are great, but once unencrypted sensitive data is stolen, extortion vulnerability remains.

A recent report on ransomware trends showed that manufacturing and production firms were the least likely (19%) to submit to a ransom demand to have encrypted files restored. The same group was also the most likely (68%) to be able to restore data from backups and so avoid paying a ransom.

This practice of backing up data could be a reason why the sector was also the most affected by extortion-based ransomware attacks, a pressure technique in which attackers do not encrypt files but instead threaten to leak stolen information online if the ransom demand is not paid.

According to Chester Wisniewski, principal research scientist at Sophos, which released the results of a survey of 438 IT decision makers in the sector conducted in January/February 2021: “The sector’s high ability to restore data from backups enables many companies to refuse attacker demands for payment in the case of traditional, encryption-based ransomware attacks. However, it also means that adversaries are forced to find other approaches to make money from victims, such as stealing data and threatening to leak company information if their financial demands aren’t met.”

Going beyond backup defense

According to Sophos, backups are vital, but they cannot protect against extortion risk. Organizations can extend their anti-ransomware defenses by combining disaster recovery technology with human-led threat hunting.

Once air-gapped disaster-recovery backup and restore practices are in place, the following holistic ransomware-defense best practices should be followed:

  1. Always assume the organization will be hit, and prioritize cyber defense strategies accordingly. No sector, country, or organization size is immune from the risk. It is better to be prepared and not be hit than the other way round.
  2. Deploy layered protection to block attackers at as many points as possible across an entire estate.
  3. Strong encryption and tight key-protection protocols ensure that even if sensitive data is stolen, cybercriminals cannot easily obtain the keys needed to decrypt it, so the stolen data cannot be used as an extortion threat.
  4. Combine human experts and anti-ransomware technology. The key to stopping ransomware is a defense-in-depth approach combining dedicated anti-ransomware technology and human-led threat hunting. The technology aspect provides the defensive scale and automation, while the human aspect brings in experts who are best able to detect the tell-tale tactics, techniques and procedures of break-in attempts. Engaging Security Operations Centers is now a realistic option for organizations of all sizes.
  5. Do not pay the ransom. Independent of any ethical considerations, paying the ransom is an ineffective way to get data back. Sophos research shows that after a ransom is paid, adversaries will restore, on average, only two-thirds of the encrypted files.
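Point 3 above, encryption at rest with the keys kept out of the attacker's reach, is what makes a copied file store worthless for extortion. The following is an added illustration in Go, not code from the report or from Sophos: each record is encrypted under its own data key, and that key is in turn wrapped with a key-encryption key (KEK) that is assumed to live in an HSM, KMS or offline vault rather than beside the data. The type and function names (`Envelope`, `Protect`, `Recover`) and the record ID used as associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Envelope is what an attacker who copies the file store obtains: the encrypted record
// and its data key, itself encrypted under a key-encryption key (KEK) held elsewhere.
type Envelope struct {
	WrappedDataKey []byte // data key encrypted with the KEK, nonce prepended
	Ciphertext     []byte // record encrypted with the data key, nonce prepended
}
// seal encrypts with AES-256-GCM, binding aad (here the record ID) to the result.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
// open reverses seal; a wrong key, wrong aad or modified ciphertext is an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}
// Protect encrypts one record under a fresh per-record data key, wraps that key with
// the KEK (assumed to be fetched from an HSM/KMS), and returns the Envelope for storage.
func Protect(kek, record []byte, recordID string) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil { return Envelope{}, err }
	ct, err := seal(dataKey, record, []byte(recordID))
	if err != nil { return Envelope{}, err }
	wrapped, err := seal(kek, dataKey, []byte(recordID))
	return Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, err
}
// Recover needs the KEK to unwrap the data key; without it the stolen Envelope yields no plaintext.
func Recover(kek []byte, env Envelope, recordID string) ([]byte, error) {
	dataKey, err := open(kek, env.WrappedDataKey, []byte(recordID))
	if err != nil { return nil, err }
	return open(dataKey, env.Ciphertext, []byte(recordID))
}
```

The point to take from it is operational rather than cryptographic: the KEK must never be stored or backed up alongside the envelopes, or the "tight key protection" in point 3 collapses and the stolen copy becomes readable.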

Finally, organizations should always keep an up-to-date cyberattack recovery plan for smooth incident response, reducing other risks such as regulatory penalties, brand damage and errors made during the response and post-breach phases.