A successful ransomware attack on your organization is a matter of when, not if. Skeptical? The numbers warn otherwise. Ransomware breaches grew 13 percent between 2021 and 2022, according to the Verizon Business 2022 Data Breach Investigations Report. That’s a bigger jump than the previous five years combined.
This trend highlights why it’s more important than ever to implement policies and best practices to thwart ransomware, such as training every employee how to identify the social engineering scams that frequently lead to infected downloads. But it’s even more important to implement technologies that can quickly minimize ransomware’s spread and impact once it inevitably gets in.
When assessing those technologies, focus on ones that feature artificial intelligence (AI) and machine learning (ML), which are far faster than humans — including IT staff — when it comes to recognizing that ransomware is active inside your organization. Speed is critical for limiting ransomware’s spread and, thus, the amount of encrypted data. The less data that’s encrypted, the less time and effort required to recover the data.
That saves a lot of money. The average downtime cost of a single ransomware attack totaled $4.62 million, including the cost of the remediation process (~$1.85 million). In ITIC’s 2021 Hourly Cost of Downtime Survey, 44% of companies cited hourly downtime costs ranging from $1 million to $5 million, plus any legal fees, fines or penalties. Ninety-one percent said a single hour of downtime costs over $300,000 on average.
Timing is Everything
An AI-powered anti-ransomware strategy is most effective when it’s paired with an immutable data architecture that resides in the cloud. This means mission-critical and other data is compressed and backed up to the cloud so frequently that when ransomware strikes, only a tiny portion is encrypted. For most organizations, that loss is too small to justify paying the ransom.
A global file system is another must-have safeguard. Even when ransomware manages to spread across all of your infrastructure in all of the cities and countries where you operate, the AI/ML can detect the initial activity and instantly begin containing it — before it spreads even further. Here are a few examples:
- ML can learn what good data looks like. Traditional antivirus technologies simply look for tags in a file that suggest it’s been altered by ransomware. ML is much more nuanced because it learns what normal activity looks like for that particular file type. So, if a single user suddenly starts writing a lot of files in very fast succession, odds are high that something anomalous is going on. Then the AI can go back to the cloud storage to start checking whether those files are still readable or have been encrypted.
- ML can learn that encryption is a process that file systems, not users, should conduct. If users suddenly start encrypting data, it’s a sign that ransomware has taken root.
- ML can learn when an organization alters its data. For example, ransomware often will sit quietly, undetected, until a slow time for most organizations, such as Friday at 10 p.m. Then, it springs into action and begins encrypting. By the time IT staff notice what’s going on, hours have passed, and gigabytes or terabytes of data have been locked up. But AI is always watching, 24/7/365, and is ready to spring into action as soon as the ML detection warrants it.
These are just a few examples of how AI/ML is superior to humans when it comes to identifying anomalous behavior on network file systems and then determining whether that activity is malicious. At this point, the AI can alert IT staff so they can begin containing the ransomware manually. In the future, the AI could be part of a closed-loop process that instantly begins containment on its own, thus saving even more precious time — and data.
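The first example above (one user suddenly writing many files in fast succession, followed by a check of whether the written data is still readable or has been encrypted) can be sketched as detection logic. This is an added example, not code from the article or from any vendor's product: fixed thresholds stand in for a learned baseline, and the event format, threshold values and sample events are all assumptions constructed for illustration.

```python
import math
import random
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 10.0     # assumed sliding window per user
BURST_THRESHOLD = 20      # assumed stand-in for a learned per-user write rate
ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted data approaches 8.0
ENCRYPTED_FRACTION = 0.8  # assumed share of burst writes that must look encrypted

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def detect_bursts(events):
    """events: time-ordered (timestamp, user, path, sample_bytes) tuples.
    Returns (user, timestamp, path, verdict) alerts, once per user and verdict."""
    recent = defaultdict(deque)  # user -> (timestamp, entropy) of recent writes
    alerts, alerted = [], set()
    for ts, user, path, sample in events:
        window = recent[user]
        window.append((ts, shannon_entropy(sample)))
        while ts - window[0][0] > WINDOW_SECONDS:  # drop writes outside the window
            window.popleft()
        if len(window) < BURST_THRESHOLD:
            continue
        high = sum(1 for _, h in window if h >= ENTROPY_THRESHOLD)
        verdict = ("likely-encryption" if high / len(window) >= ENCRYPTED_FRACTION
                   else "burst-only")
        if (user, verdict) not in alerted:
            alerted.add((user, verdict))
            alerts.append((user, ts, path, verdict))
    return alerts

def constructed_events():
    """Constructed sample input, not real telemetry."""
    rng = random.Random(1)
    text = b"quarterly report draft, revision notes\n" * 100
    ev = [(i * 15.0, "alice", f"/docs/a{i}.txt", text) for i in range(5)]
    ev += [(100 + i * 0.2, "build-svc", f"/out/o{i}.log", text) for i in range(25)]
    ev += [(200 + i * 0.2, "bob", f"/share/f{i}.docx",
            bytes(rng.getrandbits(8) for _ in range(4096))) for i in range(25)]
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    for alert in detect_bursts(constructed_events()):
        print(alert)
```

A fast but readable burst (the constructed build service) is reported separately from a burst of high-entropy writes, which is the case worth escalating to IT staff for containment.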
The bottom line is that timing is everything when it comes to mitigating the business and financial impact of ransomware. By leveraging AI/ML and architectures such as global file systems, enterprises, government agencies, schools and other organizations can stop ransomware before it escalates into a problem they have to pay to reverse.
About the author: Katie McCullough is Chief Information Security Officer at Panzura, a multi-cloud data management leader. She is responsible for security and compliance for the company and customers alike. Katie has more than 25 years of experience executing and leading security operations, compliance, managed services, and cloud solutions. During her time working for industry-leading companies OneNeck IT Solutions and CDW/Berbee, Katie has time and again proven her strategic leadership creating secure IT environments that enable businesses to run, grow, and transform.
Edited by Erik Linask