It’s time again to talk about ransomware. We know it’s still happening, but as hard as we try, we can’t seem to stop it.
Here are just a few recent stats:
- Ransomware is the top concern of 62% of C-suite executives surveyed, up 44% from 2022
- Over one third (37%) of global organizations were victimized by ransomware in the last year, with 54% of those experiencing data encryption
- The healthcare sector saw a 123% increase in ransomware attacks in 2023
Perhaps even more concerning, the FBI recently revealed that only about 20% of ransomware incidents are actually reported.
This means ransomware is probably much more prevalent than we know.
And when you think about it, ransomware is a particularly heartless endeavor: criminals have targeted schools, vital infrastructure, hospitals, and even patient records at a psychiatric treatment facility. The US Department of Homeland Security still recognizes it as a top threat, and security professionals always put defensive ransomware strategies at the top of their to-do list. As it is for every other cybersecurity initiative, defense-in-depth is crucial for effective ransomware protection.
There’s a defense strategy we need to talk about that’s very much under the radar: building content awareness, which is a simple and accessible way to add another layer to your anti-ransomware strategies.
What is content awareness and how can it be your superpower?
In the context of data security, content awareness is about the ability to understand and manage the data within an organization by categorizing it, identifying its sensitivity, and monitoring how it is accessed and shared. Typically, it involves using advanced technologies like AI and natural language processing to scan documents, emails, and other data sources to gain insights into the content’s nature and relevance.
By knowing what type of data you have, where it’s located, and who has access to it, you can implement more effective security measures. For example, sensitive data can be more tightly controlled and monitored for unusual activity, making it harder for ransomware to encrypt or exfiltrate critical information.
Content awareness helps create a detailed map of your organization’s data landscape, allowing for better risk management and quicker responses to potential threats.
In other words, content awareness builds ransomware resiliency.
How content awareness boosts ransomware defenses
For the best ransomware defenses, it’s helpful to put yourself in the shoes (or behind the keyboard) of your opponent and think about how they plan, execute, and monetize the attack.
Armed with an understanding of the attack process and empowered with insights into your content, you’ll have what you need to minimize damage before, during, and after ransomware incidents.
Minimizing footholds
Let’s start where the attackers start: establishing a foothold. Attackers use encryption to make valuable data inaccessible. To do that, they need to take control of accounts. Ideally, from their perspective, compromised accounts will have access to a wide array of business-critical data. In reality, it’s a roll of the dice: the attacker’s social engineering and malicious email campaigns (which are only improving with the use of AI tools like ChatGPT) entrap random targets.
It’s like Forrest Gump’s box of chocolates. Once an account is compromised, the box is open, and you never know what you’re gonna get. Sometimes the account is full of goodies, with access to a wide range of files and data. Other accounts are nearly empty boxes, with far more limited access. If you’re on defense, your goal is to keep the box closed. And, just in case the attacker manages to pry it open, it’d be great if it didn’t have too many goodies inside.
Limiting exposure with least-privilege access
Most of today’s ransomware mitigation strategies focus on keeping the box closed, which makes sense. There’s been less attention paid to managing the chocolates in the box. Least-privilege data access models, aimed at granting accounts access to only the data they need, are a great way to limit exposure in the likely event of an account compromise. Least privilege isn’t a preventative strategy. It’s a damage-limitation strategy that assumes – as you should – that an attacker will eventually gain control of one or more of your accounts.
Which raises the question: if least privilege works, why isn’t the practice more pervasive? A typical organization manages north of 10 million files, ranging from picnic invitations to private financial documents. About a third of these documents are business-critical (therefore of interest to a ransomware perpetrator). That’s a daunting number of files — with an array of content that might be hard for even a skilled IT professional to evaluate, understand, and protect.
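To make the "chocolates in the box" idea concrete, the following added example (not from the original article) joins a content inventory with sensitivity labels to account permissions and reports how much business-critical data each account would expose if compromised. The paths, labels, group names, and access log are constructed sample data, and the function names are hypothetical.

```python
# Constructed inventory: path -> (sensitivity label, groups on the file's ACL).
INVENTORY = {
    "/hr/picnic-invite.docx":    ("public",   {"all-staff"}),
    "/finance/q3-forecast.xlsx": ("critical", {"finance", "all-staff"}),
    "/finance/payroll.csv":      ("critical", {"finance"}),
    "/legal/contract-acme.pdf":  ("critical", {"legal", "all-staff"}),
    "/eng/build-notes.txt":      ("internal", {"engineering"}),
}
# Constructed accounts: name -> group memberships.
ACCOUNTS = {
    "alice": {"finance", "all-staff"},
    "bob":   {"engineering", "all-staff"},
}
# Constructed access log: files each account actually opened in the review window.
USED = {
    "alice": {"/finance/q3-forecast.xlsx", "/finance/payroll.csv"},
    "bob":   {"/eng/build-notes.txt"},
}

def reachable(groups, inventory):
    """Files an account can touch: any file whose ACL shares a group with it."""
    return {p for p, (_, acl) in inventory.items() if acl & groups}

def exposure_report(accounts, inventory, used):
    """Per account: critical files in reach, and those it never actually used."""
    rows = []
    for name, groups in accounts.items():
        critical = {p for p in reachable(groups, inventory)
                    if inventory[p][0] == "critical"}
        unused = sorted(critical - used.get(name, set()))
        rows.append({"account": name,
                     "critical_reachable": len(critical),
                     "revoke_candidates": unused})
    # Largest blast radius first, so tightening starts where it matters most.
    return sorted(rows, key=lambda r: (-r["critical_reachable"], r["account"]))

REPORT = exposure_report(ACCOUNTS, INVENTORY, USED)
```

In this sample, the broad "all-staff" group is what puts critical finance and legal files within reach of accounts that never open them.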
Improving detection and response
Content awareness also helps when it comes to detecting attacks in progress.
Ransomware exploits differ from other cybercrime in one critical way: the criminals don’t need to take possession of data. Because the data doesn’t move, security measures at the perimeter aren’t in a great position to spot or stop in-progress attacks. That changes the detection picture: instead of a few perimeter control points, security professionals need to keep tabs on a staggering number of files located across the organization.
Consequently, ransomware attack detection strategies seek to monitor encryption activity and encryption artifacts at the file level. By establishing a baseline before the attack, differentiating between routine and nefarious activities is far more straightforward. And if the baseline includes insights into the business criticality of that content, you can both detect unwanted encryption and evaluate the threat to make more effective mitigation decisions.
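One way to implement the baseline comparison described above, as an added example that is not from the original article: it records per-file byte entropy and a sensitivity label before an incident, then flags files whose entropy has jumped to near-random and orders the alerts by business criticality. The thresholds, labels, paths, and sample file contents are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SEVERITY = {"critical": 3, "internal": 2, "public": 1}  # assumed label set

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for encrypted or compressed data, lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_baseline(files, labels):
    """Record per-file entropy and sensitivity label before any incident."""
    return {p: (shannon_entropy(d), labels[p]) for p, d in files.items()}

def detect(baseline, current, high=7.0, jump=2.0):
    """Flag files whose entropy is now high AND rose sharply from baseline."""
    alerts = []
    for path, data in current.items():
        if path not in baseline:
            continue
        before, label = baseline[path]
        now = shannon_entropy(data)
        if now >= high and now - before >= jump:
            alerts.append((path, label, round(now - before, 2)))
    # Most business-critical content first, to drive triage order.
    return sorted(alerts, key=lambda a: (-SEVERITY[a[1]], a[0]))

def noise(seed: bytes, blocks=128) -> bytes:
    """Constructed, deterministic stand-in for ciphertext or compressed bytes."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(blocks))

# Constructed sample data.
LABELS = {"/fin/payroll.csv": "critical", "/eng/notes.txt": "internal",
          "/hr/picnic.txt": "public", "/fin/archive.zip": "critical"}
BEFORE = {"/fin/payroll.csv": b"id,name,salary\n1,Ann,52000\n2,Raj,61000\n" * 100,
          "/eng/notes.txt": b"build ok; deploy friday; rotate keys\n" * 100,
          "/hr/picnic.txt": b"Picnic on Saturday, bring snacks\n" * 100,
          "/fin/archive.zip": noise(b"zip")}  # already high-entropy at baseline
AFTER = dict(BEFORE)
AFTER["/fin/payroll.csv"] = noise(b"a")  # overwritten with high-entropy bytes
AFTER["/eng/notes.txt"] = noise(b"b")    # overwritten with high-entropy bytes
AFTER["/hr/picnic.txt"] = b"Picnic moved to Sunday\n" * 100  # routine edit

ALERTS = detect(build_baseline(BEFORE, LABELS), AFTER)
```

The baseline is what keeps the already-compressed archive from raising a false alarm. It also means entropy alone cannot show that such a file was later encrypted, so a change in content hash or file type is a useful companion signal.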
Getting the upper hand with content awareness
Should you find yourself confronted with a ransom demand, content awareness is invaluable, and you’ll be glad you have a clear understanding of what data is at risk.
Deciding whether to pay to recover your data is a difficult decision under any circumstances. But making that decision with a complete understanding of precisely what data is at risk of loss is far better than having to make it not knowing what’s at stake. Your attacker often doesn’t know if what they have is critical or trivial.
Ransomware is, without a doubt, an escalation in the cybercrime arms race. Content awareness can give you the upper hand in the battle against it. By augmenting your anti-malware and anti-phishing efforts with least-privilege access control, you can minimize the damage should an attack occur. Content and activity awareness establishes a baseline that makes unwanted encryption easier to spot and mitigation activities faster and more effective.
Modern AI-based technologies autonomously scan all your content – whether it’s structured or unstructured, in the cloud or on-premises – so you can benefit from content awareness without adding staff or complicating your users’ workflow.
Content awareness adds depth to your existing defenses against account capture and unwanted encryption, helping you prepare for and respond to ransomware attacks.
Content awareness deserves a place in your anti-ransomware strategies.