Ransomware Defense Strategy

Three Keys to a Reliable Ransomware Defense Strategy

As we noted in a previous blog post, ransomware attacks are becoming more frequent and more costly. Reports reveal that there were 304 million ransomware attacks in 2020 – 62% more than the total number of ransomware attacks for 2019. The estimated cost of those incidents increased from $11.5 billion to $20 billion during that same time period. The average ransom cost rose from $5,900 up to $8,100 over the same period. Additionally, downtime losses increased from $141,000 to $283,000.

These trends show that organizations must not only respond to ransomware attacks but also ensure they are ready to stop them from succeeding. To that end, we suggest that organizations follow the three tips below to build a ransomware prevention strategy.


There are two types of ransomware, crypto-malware and lockers. The latter uses a screen-locking technique that prevents victims from accessing their data and/or using their computers; the former uses encryption to make a user's data inaccessible without the decryption keys. The two types operate differently, but both aim to prevent users from accessing their data until they pay. Organizations therefore need to be able to retrieve their data in the event of a ransomware infection. Data backups allow an organization to restore information onto a computer that has been infected with ransomware, or onto a new replacement device, without paying the ransom.

Users and organizations might want to follow the 3-2-1 rule when backing up data. As noted by Network World, this means keeping at least three copies of the data on at least two different media (for example a local hard drive and online storage), with at least one copy stored off-site so that the data can be recovered after a physical disaster such as a fire.

A data backup strategy is not a one-off task; it is an ongoing process. Users and organizations need to confirm that their backups actually work so that no information is lost to a ransomware attack or a similar incident, which means testing restores from backup on a regular schedule.
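As an added illustration of the 3-2-1 rule and of backup testing (example code written for this page, not from the original article or from any backup product), the following Python script audits a constructed backup inventory against the three rule conditions and then performs a restore test that compares SHA-256 hashes of restored files against a manifest recorded at backup time. The inventory entries, media names, file contents and the simulated corruption are all assumptions made for illustration.

```python
"""Audit a backup inventory against the 3-2-1 rule and run a restore test.

Added example, not code from the original article. The inventory below,
the media names and the file contents are constructed for illustration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed inventory: one entry per copy of the dataset.
# "media" is the storage type; "offsite" marks copies held outside the primary site.
BACKUP_INVENTORY = [
    {"name": "primary",     "media": "local-disk",     "offsite": False},
    {"name": "nas-mirror",  "media": "nas",            "offsite": False},
    {"name": "cloud-vault", "media": "object-storage", "offsite": True},
]


def check_3_2_1(inventory):
    """Return the three rule checks: >=3 copies, >=2 media types, >=1 off-site copy."""
    media_types = {copy["media"] for copy in inventory}
    offsite_copies = sum(1 for copy in inventory if copy["offsite"])
    return {
        "three_copies": len(inventory) >= 3,
        "two_media": len(media_types) >= 2,
        "one_offsite": offsite_copies >= 1,
    }


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest and return a manifest {relative path: sha256}.
    The manifest is what a later restore test is checked against."""
    manifest = {}
    for path in source.rglob("*"):
        if path.is_file():
            rel = path.relative_to(source)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            manifest[str(rel)] = sha256_of(path)
    return manifest


def restore_test(backup: Path, restore_to: Path, manifest: dict) -> list:
    """Restore every manifest entry to a scratch location and report files that are
    missing or whose restored hash differs from the manifest. An empty list means
    the backup restores cleanly."""
    problems = []
    for rel, expected in manifest.items():
        src, dst = backup / rel, restore_to / rel
        if not src.exists():
            problems.append((rel, "missing"))
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_of(dst) != expected:
            problems.append((rel, "hash mismatch"))
    return problems


def demo() -> list:
    """Back up two constructed files, silently corrupt one backup copy, then run the
    restore test. Returns [("b.txt", "hash mismatch")]."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, bak, rst = root / "src", root / "backup", root / "restore"
        src.mkdir()
        (src / "a.txt").write_text("payroll Q3\n")
        (src / "b.txt").write_text("customer list\n")
        manifest = make_backup(src, bak)
        (bak / "b.txt").write_bytes(b"\x00" * 16)  # simulated bit rot or tampering
        return restore_test(bak, rst, manifest)


if __name__ == "__main__":
    print(check_3_2_1(BACKUP_INVENTORY))
    print(demo())
```

A restore test that only checks that the backup files exist would have passed the corrupted copy; comparing each restored file's hash against the manifest is what turns "we have backups" into "we can restore".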

But organizations cannot simply rely on data backups alone, as ransomware operators are increasingly using “double extortion” schemes to ensure payment. Double extortion refers to a ransomware technique that first steals information from a victim’s computer before initiating the encryption routine.

The ransomware then encrypts the victim's data and asks for payment in return for a decryptor, and the threat actor demands an additional payment to refrain from publishing the stolen data online.

Attackers use double extortion to pressure organizations into paying even when they can recover their data from backups. Organizations should therefore still focus on preventing ransomware infections in the first place.


While data backups are vital for recovering from ransomware attacks, they do not prevent them, and the rise of double extortion makes that gap more costly. Organizations should therefore shift the conversation from detecting ransomware attacks to preventing them from ever happening.

Organizations can protect themselves from ransomware attacks by informing their employees about the most popular ransomware delivery vectors. Email is the most common delivery method. For example, one report notes that 54% of managed service providers (MSPs) reported that phishing scams were the most common cause of ransomware infections.

To help their employees become more familiar with phishing attacks, organizations can use phishing simulations. They can also use threat information to inform their employees about the latest phishing attacks discovered by security researchers.

It is also important to have a strong prevention solution on every endpoint. That solution should combine threat intelligence, behavioral analysis, machine learning algorithms, and deception techniques to convict both known and unknown malware.

It should be able to analyze executables both dynamically and statically. This multi-layered prevention approach is essential to keep ransomware attacks from damaging or disrupting critical business operations.


It is not possible to detect every ransomware or phishing attack in advance, and that is a problem for organizations: they cannot implement security measures against an attack for which they have no Indicators of Compromise (IOCs) or other threat intelligence.

Organizations therefore need to be able to spot an attack in progress regardless of whether it has been seen before. They can do this by investing in endpoint detection and response (EDR) solutions that do not depend on IOCs alone but also detect the more subtle Indicators of Behavior (IOBs).

A reliable EDR solution that uses IOBs can identify threats quickly and with high accuracy. It applies behavioral analysis to enriched data from every endpoint in real time, correlating activity across machines to deliver a complete picture of an attack as it unfolds.
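To make the IOC/IOB distinction concrete, here is an added example in Python (not code from the original article or from any EDR product): it runs a hash-based IOC check and a behavior-based check over constructed endpoint telemetry, then correlates the behavioral hits across hosts. The event format, host and process names, hash strings and the burst threshold are all assumptions made for illustration.

```python
"""IOC-based versus behavior-based (IOB) detection over constructed endpoint telemetry.

Added example, not code from the original article or from any EDR vendor. The event
format, hostnames, process names, hash strings and thresholds are all assumptions
made for illustration.
"""
from collections import defaultdict

# Constructed IOC feed: the hash of one previously seen ransomware sample.
KNOWN_BAD_HASHES = {"sha256-of-known-variant"}


def ev(t, host, pid, proc, sha256, action, path):
    """Build one telemetry record; t is seconds since the start of the capture."""
    return {"t": t, "host": host, "pid": pid, "proc": proc,
            "sha256": sha256, "action": action, "path": path}


EVENTS = []
# Benign baseline: a word processor saving a handful of documents over a few minutes.
EVENTS += [ev(60 * i, "ws-01", 100, "wordproc.exe", "sha256-benign-editor",
              "file_write", f"C:/Users/alice/doc{i}.docx") for i in range(5)]
# Known variant on ws-02: its hash is on the IOC feed, and it rewrites 40 files in 40 seconds.
EVENTS += [ev(300 + i, "ws-02", 200, "svc.exe", "sha256-of-known-variant",
              "file_rename", f"C:/Users/bob/file{i}.xlsx.locked") for i in range(40)]
# Repacked variant on ws-03 and ws-04: new hash (no IOC match), identical behavior.
for host, pid in (("ws-03", 300), ("ws-04", 301)):
    EVENTS += [ev(600 + i, host, pid, "svc.exe", "sha256-unknown-repack",
                  "file_rename", f"C:/Shares/finance/file{i}.docx.locked") for i in range(40)]


def ioc_detect(events, ioc_hashes):
    """Hash-based detection: a process is flagged only when its image hash is on the list."""
    return sorted({(e["host"], e["pid"], e["proc"]) for e in events if e["sha256"] in ioc_hashes})


def iob_detect(events, window=30, threshold=20):
    """Behavior-based detection: flag any process that writes or renames at least
    `threshold` files within any `window`-second span. This mass-modification burst
    is what encryption looks like on disk, whatever the binary's hash."""
    timeline = defaultdict(list)
    for e in events:
        if e["action"] in ("file_write", "file_rename"):
            timeline[(e["host"], e["pid"], e["proc"])].append(e["t"])
    flagged = []
    for key, times in timeline.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(key)
                break
    return sorted(flagged)


def correlate(flagged):
    """Cross-machine correlation: group flagged processes by image name so the analyst
    sees one campaign spanning several hosts instead of isolated per-host alerts."""
    campaign = defaultdict(list)
    for host, _pid, proc in flagged:
        campaign[proc].append(host)
    return {proc: sorted(hosts) for proc, hosts in campaign.items()}


if __name__ == "__main__":
    print("IOC hits:", ioc_detect(EVENTS, KNOWN_BAD_HASHES))   # only ws-02
    print("IOB hits:", iob_detect(EVENTS))                     # ws-02, ws-03, ws-04
    print("Campaign:", correlate(iob_detect(EVENTS)))
```

The IOC check catches only the sample whose hash was already known; the repacked copies on ws-03 and ws-04 slip past it but trip the same behavioral rule, and the correlation step presents the three hosts as one campaign. In production the threshold would be tuned against a baseline of legitimate bulk file activity (backup agents, build systems) to keep false positives down.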


Cybereason provides fearless ransomware protection, using multi-layered detection, prevention, and response to guard against ransomware infections and the associated risk of data exfiltration. Its protections include:

* Endpoint Controls: Cybereason protects endpoints from attacks by managing security policies and device controls, implementing personal firewalls, and enforcing whole-disk encryption across a variety of device types, both mobile and fixed.

* Intelligence-Based Antivirus: Cybereason blocks known ransomware variants by leveraging an ever-growing pool of threat intelligence built from previously detected attacks.

* NGAV: Cybereason’s NGAV uses machine learning to recognize malicious code and block ransomware variants before execution.

* Fileless Ransomware Protection: Cybereason disrupts fileless and MBR (master boot record) ransomware attacks that traditional antivirus software misses.

* Behavioral Document Protection: Cybereason blocks ransomware delivered through most business document formats, including documents that use malicious macros or other stealthy attack vectors.

* Anti-Ransomware and Deception: Cybereason employs a combination of behavioral detections and deception techniques to uncover the most sophisticated ransomware threats, stopping the attack before any critical data is encrypted.

Cybereason works with defenders to stop cyberattacks at all levels, from the endpoint to the enterprise to anywhere. Get more information about ransomware protection here. Or schedule a demo to see how your company can benefit from an operations-centric approach to security.