Ransomware — Still a Major Threat
High-profile attacks on well-known organizations are a reminder that ransomware crime has not gone away. What can organizations and law-enforcement agencies do to fight back?
The take-down of British retail giant Marks & Spencer’s online operations by hackers at the end of April was a reminder that ransomware has not disappeared. That same month, the FBI reported that fraudsters cost U.S. companies and citizens $16.6 billion last year, and noted that ransomware continues to pose the biggest threat to critical-infrastructure organizations.
It’s clear that ransomware continues to be a problem. It can cripple businesses, governments, medical networks, and more. Law-enforcement agencies have made progress in helping stricken organizations recover their data, but the onus remains on vulnerable organizations to beef up their cyber defenses.
Who can stop ransomware hackers?
Agencies like the FBI have had some success trying to help companies fight back.
Since 2022, federal law enforcement in the U.S. has reportedly seized thousands of decryption keys and made them available to ransomware victims. According to The Register, $68 million in ransom payments has been avoided this way. The seized material includes a decryption tool for the ransomware used by the notorious BlackCat (also known as AlphV) group.
In 2024, law enforcement identified the leader of the LockBit ransomware ring as Russia’s Dmitry Yuryevich Khoroshev, after seizing the group’s website. While charges and sanctions were issued, they don’t mean much in practice, given that Khoroshev lives in Russia. According to The Register, “Britain's cops as well as the Feds in the US described Khoroshev as an administrator, creator, and developer of the ransomware, which has hit thousands of targets and raked in more than $100 million in ransoms.”
How are the hackers getting in?
For all its recent success, ransomware isn’t really relying on new, innovative ways to infiltrate companies’ systems. Phishing attacks (a form of social engineering) remain the most common way for attackers to gain access. It takes only one employee being tricked into clicking a link to open a major hole, which is why deploying advanced email filtering to stop suspicious messages before they reach inboxes is an important first step.
It’s also important to provide regular security-awareness training for employees. Similarly, web filtering tools and user education are integral to preventing problems caused by employees visiting malicious websites.
Where are the weak points?
Remote Desktop Protocol (RDP) vulnerabilities, out-of-date software, and malicious websites all factor into the problem, as TechTarget's anti-ransomware guide makes clear. For instance, using strong, unique passwords for RDP accounts, together with multifactor authentication, can help reduce your risk. In addition, consider enabling network-level authentication (NLA) so users must authenticate before a session is created, and limit RDP connectivity to users connecting over a virtual private network (VPN). Implementing, and where possible automating, a patch-management program keeps your software up to date and makes it less vulnerable to attack.
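The RDP hardening points above can be checked on a Windows host with a short read-only audit. The script below is an added example, not code from the original article or from TechTarget's guide. It reads the standard Terminal Server registry values and the built-in "Remote Desktop" firewall rule group; it assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets) and an elevated prompt. The VPN subnet mentioned in the comments is a placeholder you would replace with your own.

```powershell
# Added example (not from the original article): read-only audit of the RDP
# hardening settings discussed above. Prints one finding per check.
# Assumes: Windows 8 / Server 2012+ (NetSecurity module), elevated prompt.

$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'
$findings = @()

# 1. Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is off.
$deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 1) {
    $findings += 'OK   : Remote Desktop is disabled on this host.'
} else {
    $findings += 'INFO : Remote Desktop is enabled; checking hardening settings.'

    # 2. Network Level Authentication: UserAuthentication = 1 makes the client
    #    authenticate before a session (and its logon screen) is created.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    if ($nla -eq 1) { $findings += 'OK   : NLA is required.' }
    else            { $findings += 'FAIL : NLA is not required (UserAuthentication is not 1).' }

    # 3. Security layer: 2 = TLS required, 1 = negotiate, 0 = legacy RDP encryption.
    $layer = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    if ($layer -eq 2) { $findings += 'OK   : TLS security layer is enforced.' }
    else              { $findings += "WARN : SecurityLayer is '$layer'; 2 (TLS) is recommended." }

    # 4. Firewall scope: inbound "Remote Desktop" rules should not accept
    #    connections from Any; scope them to the VPN subnet instead.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings += "WARN : Rule '$($rule.DisplayName)' accepts RDP from Any remote address."
        } else {
            $findings += "OK   : Rule '$($rule.DisplayName)' limited to: $($remote -join ', ')"
        }
    }
}

# 5. Account lockout threshold slows password guessing against RDP logons.
$lockout = (net accounts) | Select-String 'Lockout threshold'
if ($lockout) { $findings += "INFO : $($lockout.Line.Trim())" }

$findings | ForEach-Object { Write-Output $_ }
```

To act on a "WARN" for the firewall scope, the same rule group can be restricted with `Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress <your VPN subnet>` (placeholder), which is the practical form of "RDP only over the VPN". NLA and the TLS security layer can likewise be enforced centrally through Group Policy rather than by editing the registry on each host.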
Keeping it clean
The list of things you can do to prevent an attack doesn’t stop there. Limiting access and regularly cleaning up orphaned accounts, guest access, and other potentially vulnerable entry points is integral. Employing malware protection also helps; defense against ransomware is an ongoing, multi-pronged effort.
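Finding the orphaned and guest accounts the paragraph above tells you to clean up is the part that tends to be skipped. The script below is an added example, not code from the original article: it lists candidate accounts for review on a Windows host and, if the RSAT ActiveDirectory module is present, in the domain. The 90-day inactivity threshold is an assumed default, and the script only reports; disabling or deleting accounts stays a separate, reviewed step.

```powershell
# Added example (not from the original article): report local and domain
# accounts that look orphaned or stale so they can be reviewed and cleaned up.
# Assumes: Microsoft.PowerShell.LocalAccounts (built in) for the local part,
# RSAT ActiveDirectory module for the domain part. Read-only.

param(
    [int]$InactiveDays = 90   # assumed threshold; set to your own policy
)

$cutoff = (Get-Date).AddDays(-$InactiveDays)
$report = @()

# Local accounts: built-in Guest should stay disabled; flag enabled accounts
# that have never logged on or have not logged on within the window.
foreach ($u in Get-LocalUser) {
    $reason = $null
    if ($u.Name -eq 'Guest' -and $u.Enabled) {
        $reason = 'built-in Guest account is enabled'
    } elseif ($u.Enabled -and -not $u.LastLogon) {
        $reason = 'enabled but has never logged on'
    } elseif ($u.Enabled -and $u.LastLogon -lt $cutoff) {
        $reason = "enabled, last logon $($u.LastLogon.ToShortDateString())"
    }
    if ($reason) {
        $report += [pscustomobject]@{ Scope = 'Local'; Account = $u.Name; Reason = $reason }
    }
}

# Domain accounts: only if the ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory

    # Enabled users that have not authenticated since the cutoff date.
    Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            $report += [pscustomobject]@{
                Scope = 'Domain'; Account = $_.SamAccountName
                Reason = "inactive since $($_.LastLogonDate)"
            }
        }

    # Enabled users whose password never expires: typical of forgotten
    # service accounts, which are a common orphaned-access problem.
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } -Properties PasswordNeverExpires |
        ForEach-Object {
            $report += [pscustomobject]@{
                Scope = 'Domain'; Account = $_.SamAccountName
                Reason = 'password never expires'
            }
        }
}

$report | Sort-Object Scope, Account | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run: accounts that appear for the first time are the ones that need an owner or a disable date. Because the domain query reads `LastLogonDate` (the replicated `lastLogonTimestamp`), it can lag real logons by up to the replication interval, so treat the list as candidates rather than a deletion list.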
Backups are key
In the event that there is an incident, it’s critical to have a backup and data-recovery plan in place. That starts with regular backups kept in off-site storage. A response team that establishes procedures to protect and recover your data is equally valuable. Updating your cybersecurity plan at least every six months, and after any incident, is also essential to ensure you and your team are ready for the latest threats.
Is ransomware insurance the answer?
The ransomware problem is so widespread that there is now insurance to address it. It covers everything from paying the ransom to the cost of cyber forensics and business losses. Of course, the more lucrative payoffs become, the more incentive bad actors have to continue taking organizations’ digital operations hostage.
For many companies, insurance is not just a remedial measure, but can also serve as an incentive to get their digital security in order. As TechTarget suggests, “Expect an insurance provider to intensely scrutinize your security controls and capabilities. Document your program thoroughly, ideally following some type of framework, such as one from ISO or NIST. Also document any updates and items of note in your program over the past 12-18 months.”
The specter of having a claim denied may be just the push your organization needs to take cybersecurity seriously. Just as you might need a physical exam before getting life insurance, your company’s digital security will need a check-up before insurers are willing to risk their bottom line on covering you. It’s a good first step in the right direction.