Skip to main content

Preparing For Ransomware Attacks

State of Ransomware Attacks

Ransomware attacks are becoming more frequent and costly each year. Attackers target hospitals, technology firms, government agencies, schools, critical infrastructure, and even the National Basketball Association (NBA). However, we are no longer in a state where the effects of ransomware attacks are limited to large companies. Ransomware attacks are so prevalent that it is more common for the average person to be affected as a byproduct. 

Take the following ransomware attacks that occurred just within May 2021:

  • Colonial Pipeline: Six-day shutdown of pipeline operations, leading to a national gasoline shortage
  • City of Tulsa: Impacted online billing for residents
  • Waikato District Health Board: Surgeries and medical appointments were cancelled
  • Azusa Police Department:  Sensitive data was compromised possibly including Social Security Numbers, medical information, criminal contacts, crime scene photos, and other records
  • JBS Foods: Multi-day shutdown of food production facilities and other aspects of the supply chain at multiple sites throughout the US, Canada, and Australia

Understanding ransomware attacks, their repercussions, and how to prepare for them is critical to keeping your organization and others safe. 

Tip Of The Iceberg

A ransomware attack is not an isolated incident. There is more to the attack than just the encryption or blackmail of data. It is a sign of a greater compromise of your internal network. 

The ransomware itself is a standalone tool that encrypts data, hopefully, decrypts data, and sometimes leaves a “ransom note.” 

Ransomware is typically part of a greater toolset used by the attacker and in most cases, it cannot copy itself onto other computers without assistance from a different tool and/or a human operator.

To deploy enough ransomware that will affect business operations, an attacker will need to go through the required steps of the cyber kill chain to compromise your environment. 

The general steps an attacker will take are:

  • Gaining initial access to the environment
  • Bypassing security controls
  • Installing command and control
  • Escalating privileges
  • Performing discovery efforts
  • Laterally moving throughout the environment

It is important to note that the attack does not stop at the ransom note. It is likely that the attacker still has an active presence in your environment, has found methods to regain access through harvested credentials and persistence mechanisms, and has stolen sensitive data. 

Being a victim means that you are not only faced with figuring out how to resume business operations, but you have the additional worry of future attacks and unknown repercussions. 

No Guarantees

Victims have roughly three options of how to respond to ransomware attacks:

  1. Pay the ransom amount and attempt to recover
  2. Attempt to recover from backups without paying the ransom
  3. Start from scratch

While all of these are horrible options, there is an argument to make that paying the ransom should be a last resort.

Ransom payment does not guarantee data recovery. 

Sophos reported based on surveys that only “8% of organizations managed to get back all of their data after paying a ransom, with 29% getting back no more than half of their data.” As an example, Bloomberg reported that the decryption tool provided to Colonial Pipeline by the attackers after paying the ransom “was so slow that the company continued using its own backups to help restore the system.”

Ransom payments are expensive. 

Analysis of ransomware attacks by Palo Alto Networks and Crowdstrike found that the average paid ransom in 2020 was between $312,493 and $1.1 million USD, with outliers such as ExaGrid paying $2.6 million USD and Colonial Pipeline paying $4.4 million USD. 

Ransom payments are not the only cost incurred. 

On top of the ransom payment, the ransomware attack is already costing your organization hundreds of thousands of dollars for downtime, people time, incident response and forensic investigations, missed opportunity costs, etc.

Ransom payments encourage further ransomware attacks. 

Ransomware attacks for attackers are a high reward, moderate effort, and relatively low risk. Catching an attacker is challenging as it often requires a coordinated global effort between internal law enforcement agencies to perform an intensive forensic investigation. Attackers are further motivated by the fact that organizations keep paying ransoms regardless of the historical evidence that they will likely not be able to recover their data. Attackers almost have nothing to lose other than time spent (and the chance of prison).

Prepare For The Worst, Hope For The Best

The best course of action is to prepare and prevent. There is no guarantee a ransomware attack can fully be prevented, but there are ways to reduce the impact when the attack occurs. One approach is to break the concept of ransomware attacks into multiple parts and then address each part separately: 

Compromise of your environment. 

Assume that your environment can and will be compromised. Prepare your organization by removing attack vectors, improving monitoring and detection, and decreasing incident response times. All of that is obviously easier said than done, but you can work towards these goals by conducting regularly occurring Threat Emulation Exercises to identify and understand your security gaps, then using this knowledge to hopefully prevent or hinder future attacks.

Encryption of data. 

Assume that an attacker who gains access to your environment can affect business-critical data. Prepare your organization by having a rock-solid data recovery program through well-defined data recovery procedures, regular backups of data and systems critical to business operations, and properly trained staff to implement the defined data recovery procedures. Then verify each aspect of your data recovery program by conducting regularly occurring Ransomware Simulation Exercises to ensure that you are able to quickly restore business operations if needed.

The money and time invested into preparation efforts will likely cost less than the average $1.1 million USD ransom payment and additional damages. Preparation efforts will also increase the odds that your organization can recover and resume business operations in a timely manner.


White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion. 

Read more from White Oak Security’s pentesting team.