Stop following the herd to start fighting ransomware


While a surge in ransomware and data breaches is doing nothing for confidence in security technologies, the harsh reality today is that organizations cannot rely on isolated data resiliency and disaster recovery strategies to keep criminals out.

Ransomware and extortion incidents grew by 67% last year, according to NTT Security Holdings’ 2024 Global Threat Intelligence Report. These are record times for security software companies, and yet the threats do not go away. Unsurprisingly, research from Evanta shows that cybersecurity still dominates CIO priorities, despite considerable investment in cybersecurity strategies and technologies.

Most enterprises have a data resiliency strategy. Traditionally this takes the form of Business Continuity (BC) and Disaster Recovery (DR). However, the technology and processes designed for data resiliency do not provide the capability needed to achieve cyber resiliency in the age of destructive cyberattacks such as wipers and ransomware. Clearly, something is not working, and organizations need a shift in tactics to protect their data and infrastructure.

Almost all of the latest cybersecurity frameworks and regulations, such as the NIST Cybersecurity Framework 2.0, the EU’s second Network and Information Security Directive (NIS2) and the EU Digital Operational Resilience Act (DORA), are focused on building resilience: not just the ability to prevent and detect cyberattacks, but also the ability to withstand them through response and recovery, two functions that have traditionally seen underinvestment.

The average enterprise has over 130 different cybersecurity tools installed, according to Deloitte, and the vast majority have not been integrated and operationalized well enough to stop organizations from becoming victims of a cyberattack. Further investment in prevention and detection is only likely to produce a fractional decrease in residual cyber risk, while creating more friction for users, less agility for the organization, more alert fatigue, higher licensing costs and even more security infrastructure to manage.

James Blake

Global Head of Cyber Resiliency Strategy at Cohesity.

Cyber resiliency and stopping ‘double-tap’ attacks

Spending on response and recovery (as opposed to detection and prevention) delivers the cyber resiliency that these frameworks and regulations require: the ability to withstand modern cyberattacks with minimal impact. The challenge is how to achieve cyber resiliency in a world where so much has already been invested in cybersecurity tools.

To move to a posture of cyber resiliency, two things must be established as a foundation. Firstly, the ability to recover must be put beyond the reach of adversaries. Secondly, response planning must have provisions for the rapid recovery of not just production systems but also the security, authentication and communications platforms needed to effectively and efficiently respond to the incident.

This is a key difference between the traditional approach of data resiliency and that of cyber resiliency. Data resiliency focuses on a small number of root causes that have formed the basis of business continuity and disaster recovery scenarios for decades: flood, fire, power loss, equipment failure and misconfiguration. Cyber resiliency, by contrast, means dealing with an adversary who is actively trying to disrupt response and recovery efforts and who continually adapts their behavior.

It’s important to recognize here that the response needs of the security operations team are as important as the recovery needs of the IT operations team in reducing the impact of an attack. Approaches that rush to recover systems without understanding the nature of the attack will not close the gaps in controls that failed to prevent or detect it.

An ongoing attack will therefore reinfect recovered systems within minutes. Ransomware gangs are also increasing their use of ‘double-tap’ attacks, where they circle back and reattack organizations they previously hit but that refused to pay a ransom. If the entry points they used the first time have not been closed, these attackers will simply use them again. Organizations can also be attacked by other gangs using the same Ransomware-as-a-Service platform.

Cyber resiliency is key

This is why the cyber resiliency approach is so key. As destructive cyberattacks target an organization's ability to respond and recover, it makes sense to give organizations the ability to do both safely and quickly. That means recognizing how an attack can damage existing systems and even security functionality. Traditional security tools located on endpoints struggle to function once an organization has isolated systems in response to ransomware and wipers. Recovery without closing the vulnerabilities and bolstering the gaps in controls will leave an organization exposed to exactly the same attack again in the future. And over-relying on security tools that may not actually work, or that cannot be trusted even if they do, only exacerbates the problem.

In short, there are a few key reasons why most organizations fail on this front. The first is that disaster recovery and business continuity approaches tend not to be appropriate for dealing with cyberattacks. The organizations that incur the highest costs from a destructive cyberattack are those whose backups have been rendered unusable by the adversary, or that recover attacked systems without the remedial steps needed to remove the threats and vulnerabilities.

The second is that IT and security operations teams tend not to collaborate. The investigation of an attack does not inform mitigation, which means that security teams often find they do not know the best steps to take to prevent reinfection. A third reason is that security controls may not be available following an attack.

BC/DR priorities often focus on critical business applications first, because they have been drawn up by the IT operations team working with the business units in isolation from security. But it is critical to first recover a trusted Minimum Viable Response Capability (MiViRC), so that IT and security operations can work collaboratively with their internal and external stakeholders to manage the incident, using trusted tooling that the adversary cannot observe or disrupt.

While many data management vendors offer isolated environments focused on the recovery needs of the IT operations team, they often forget the intrinsic relationship between response and recovery that is needed to deliver cyber resilience. That should be a major focus if we are to counter the growing threat of ransomware. Organizations need to rethink their security strategies: not follow the herd, but look towards a more collaborative, platform-based approach to resiliency. It really is the only way to stop ransomware from winning.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

