
Ransomware Readiness Assessment Guide
Is your organization doing everything it should to protect against ransomware?

Most security practitioners are all too familiar with ransomware. What you may not realize is that the vast majority of ransomware attacks (82%) are focused on small businesses. This should come as no surprise given that small to mid-sized businesses can't afford the same technologies, cybersecurity expertise, and staff training as larger enterprises. This makes smaller businesses easier targets because cybercriminals know they will have a higher chance of success.

Fortunately, smaller businesses can readily bolster their protections without breaking the bank.

Newer cybersecurity technologies and industry frameworks provide a means for even the smallest organization to strengthen protections and reduce their risk of a successful ransomware attack.

Ransomware protection is more than detection, more than data backup and recovery, and more than phishing protection.

So, how can you tell if your organization is ready for a ransomware attack?

This guide will help you see if your organization is taking all the appropriate steps to not only prevent ransomware, but also respond to a ransomware incident.

The assessment follows the NIST Cybersecurity Framework (CSF) to gauge your organization’s readiness to Identify, Protect, Detect, Respond, and Recover from ransomware attacks. We’ll walk you through each framework function so that you can assess your security gaps and provide insights for bolstering your ransomware security posture.

Ransomware Readiness Assessment Guide 2


Identify



My organization manages its critical hardware, software, and data assets.

Asset management is the process of ensuring you know what all your organization's critical assets are, where they’re located, who owns them, who takes care of them, and who has access to them.

Often people make the mistake of accepting accounting’s definition of assets, and count things like laptops, desktops, and servers as assets. The most important asset is the company’s data. Laptops, desktops, and servers are important only as locations for data.

Ransomware succeeds because it denies access to your data and the systems that use it by taking control of your data and systems using encryption. Many organizations are willing to pay a lot of money to get access to their data and the systems that use it restored. Strengthening data protections can help prevent ransomware from getting the access it needs to hold your organization hostage.

Organizations need to manage who has access – and what kind of access – to data. They need to retain that data for a defined period. Storing data that is not actively being used (in case it may be of use some day) is a common corporate problem that exposes an organization to an increased risk from data theft.

Data needs to be classified so that access may be governed, and the company benefits from ensuring the integrity of the data, as well as its availability. An organization only needs to protect the confidentiality of some of its data based on its classification.

The modern economy is data driven. The analysis of data has a real and tangible value to an organization's ability to grow and enter new markets. Controls that ensure the utility and authenticity of data bring an organization real value.


Protect



My organization manages the entire identity lifecycle.

An identity is a form of data – one that defines the relationship between a person and an organization.

Within many organizations, an individual could have many identities which provide a means to control access to different kinds of data. Some of those identities include a record in your organization's payroll system, Human Resource system, email system, and an electronic badge. Each of these is assigned to a person and holds different data about the person.

Because organizations use certain forms of identity to regulate the access to data, identity has become a valuable corporate asset. This form of identity – called a credential – has multiple attributes, often considered factors.

One of the most common ways that security events become incidents is through compromised credentials. This allows the criminal to install their ransomware onto your computers. Strengthening both the credentials and the systems that use them will go a long way to preventing ransomware success.


Authentication systems query the use of the identity to ensure that the person attempting to use the identity for access to data is authorized. The more factors the authentication system uses to validate the authenticity of the identity and the validity of the control of that identity, the stronger the authentication system.

Authorization systems pick up where authentication systems end and validate that the identity that has been validated is permitted access to the specific data on the systems in use from where they are located. The more factors that are used to validate the authorization of the identity to access and manipulate data, the stronger the authorization system.

Because identity defines a relationship between a person and a process within an organization, identities have a life cycle. They are created at the establishment of that relationship and must be renewed throughout the relationship through the rotation of factors such as a password, encryption key, or one time password. Identities must also be disabled as required by policy – often with their factors removed or irrevocably altered so they can’t be used – and may be destroyed, like any other form of data, after they’re no longer of utility.

It’s also important to have a required policy for disabling identities.
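The lifecycle rules above (rotate factors on a schedule, disable when the relationship ends, destroy after retention) can be checked mechanically against an identity inventory. The following is an added example, not code from this guide or from Cynet; the record fields, the policy values and the sample identities are constructed and hypothetical.

```python
"""
Added example, not code from the Cynet guide: evaluating identity records
against a lifecycle policy of the kind described above (rotate factors,
disable when the relationship ends, destroy after retention). The records,
field names and policy values are constructed and hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Identity:
    name: str
    status: str                       # "active" or "disabled"
    last_rotation: date               # last password / key / OTP-seed rotation
    relationship_end: Optional[date]  # e.g. termination date; None while ongoing
    disabled_on: Optional[date] = None


@dataclass(frozen=True)
class Policy:
    max_factor_age_days: int = 90   # factors must be rotated at least this often
    disable_grace_days: int = 0     # disable on the day the relationship ends
    destroy_after_days: int = 365   # destroy a disabled identity after retention


def required_action(identity, policy, today):
    """Return the lifecycle action the policy requires today:
    'destroy', 'disable', 'rotate' or 'none' (the most final one wins)."""
    if identity.status == "disabled":
        age = today - identity.disabled_on if identity.disabled_on else timedelta(0)
        return "destroy" if age >= timedelta(days=policy.destroy_after_days) else "none"
    if (identity.relationship_end is not None
            and today - identity.relationship_end >= timedelta(days=policy.disable_grace_days)):
        return "disable"  # an ended relationship is disabled before rotation is considered
    if today - identity.last_rotation > timedelta(days=policy.max_factor_age_days):
        return "rotate"
    return "none"


def lifecycle_report(identities, policy, today):
    """Map each identity needing work to its action; compliant ones are omitted.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    report = {}
    for ident in identities:
        action = required_action(ident, policy, today)
        if action != "none":
            report[ident.name] = action
    return report


# Constructed sample records, evaluated as of 2024-06-01.
SAMPLE_IDENTITIES = [
    Identity("alice", "active", date(2024, 5, 1), None),                # compliant
    Identity("bob", "active", date(2024, 1, 15), None),                 # factor 138 days old
    Identity("carol", "active", date(2024, 5, 25), date(2024, 5, 20)),  # left, still enabled
    Identity("dave", "disabled", date(2023, 1, 1), date(2023, 3, 31),
             disabled_on=date(2023, 4, 1)),                             # past retention
    Identity("erin", "disabled", date(2024, 1, 1), date(2024, 2, 28),
             disabled_on=date(2024, 3, 1)),                             # within retention
    Identity("frank", "active", date(2024, 4, 1), date(2024, 6, 10)),   # leaves next week
]


def sample_report():
    return lifecycle_report(SAMPLE_IDENTITIES, Policy(), "2024-06-01")


if __name__ == "__main__":
    for name, action in sample_report().items():
        print(f"{name}: {action}")
```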


My organization performs security awareness training.

Information security professionals know how to recognize most attempts to circumvent the controls an organization maintains, but this awareness didn’t come without a significant amount of training. Most people in your organization simply don’t have the time to learn everything that an information security professional knows.

The goal of awareness and training is to provide people with enough information so that they can make an informed decision on which emails to interact with, which phone calls to engage with, and how to spot attempts to defraud them and their organization.

Ransomware often succeeds because the criminals can trick an employee into downloading and opening software either through a corrupted attachment in an email or through a link on a website. Employees easily mistake these links and attachments as having a legitimate business purpose, and the criminal preys on the employee’s desire to be effective in their jobs.

Effective security awareness and training can help an employee recognize when a criminal is attempting to trick them so they don’t open the attachment or click on the link.

Some training approaches use simulations to teach. These simulations behave like real attacks but are instead sponsored by the organization. When done well, these can be quite effective. But if they’re done poorly, these trainings can erode the trust between an organization and its employees without teaching anything. Better solutions reward employees for making correct decisions instead of penalizing them for making mistakes.

A certain form of simulation, often called breach simulation or a cyber range, is used to educate executives and corporate boards on what an attack looks like.


My organization controls access to all of its data and the entire data life cycle.

Data is one of your organization's most important assets. Even money is stored as data in financial and banking systems.

Ensuring the authorized access and use of this data is among the most important things an information security professional must do, especially when that data becomes enriched by context to become information. While data in context is information, data about data is called metadata. Metadata, data, and information have tremendous value to all organizations.

Some data is owned by the organization. In other cases, the data is held by third parties. Regardless, it all needs to be protected, which is the charter of the information security department.

Good data security can both protect your data from ransomware and allow you to recover from ransomware.

One means to protect data is encryption. It uses a particular kind of data called an encryption key to alter the data as it is stored or transmitted across the network. This prevents it from being viewed by anyone who doesn’t have access to the means to decrypt the data.


While encryption is a powerful tool to restrict access and protect both data confidentiality and the privacy of its use, encryption is not the only tool needed to protect and manage data. Access control systems that authorize and validate an identity’s requests to view and use data are crucial tools because they permit unencrypted access.

As with identity, which is a specialized kind of data, data has a life cycle which needs to be managed. Not only is data created and destroyed, it can also be archived. A special form of data archive called a backup is useful to recover from certain kinds of disasters.

Data classification can facilitate the governance of both access to data as well as the administration of the data life cycle.


My organization actively patches applications and operating systems.

Patching is a technique used to update software either to fix a problem or to introduce new functionality.

While some of those problems may be software vulnerabilities, one of the ironies of software management is that patching may introduce as many or even more vulnerabilities than the patch resolved. Patching is a necessary process, but when used for changing applications, patches can introduce instability.

The application of patches should be a tightly controlled process which involves testing to ensure that the patch does not destabilize the system. For internally developed software, many organizations have turned to deploying small patches that address a single function using automated processes that can be automatically rolled back in the event of a problem. Every item of code is designed to do one thing well, as is each patch.

Patching a system with solid data protections and restrictions, either through rights or approved software lists, can prevent ransomware intended to exploit vulnerabilities that bypass these controls from installing and executing. This won’t succeed without the presence of other controls, but it helps ensure those controls are truly effective.

Patches used to remediate vulnerabilities can be prioritized using a combination of the severity of the exploit’s impact and the likelihood of that vulnerability being exploited. This is called risk-based patching and is at the root of a new vulnerability management standard called the Exploit Prediction Scoring System (EPSS). Cowritten by FIRST and other industry experts, it helps organizations prioritize patching the vulnerabilities that truly matter.

But, unfortunately, not all vulnerabilities can be patched.


My organization restricts the use of elevated privileges.

All computers have multiple levels of privilege, as do many applications. It's impossible to install software without a certain level of privilege, so restricting the use of that level can stop the accidental installation of ransomware by an individual without the right privilege.

The trouble with restricting employees to lower levels of privilege is that too many applications also require elevated privilege to operate properly on the computer. An organization must always provide the required level of access, or the employee won’t be able to do their job properly.

If you can’t install software, you can’t install ransomware unless that ransomware successfully exploits existing vulnerabilities which permit an elevation of privilege. Controlling privileges can readily prevent ransomware.

The other problem with using this control is it forces all application software and patches to be installed by the IT organization. While this is easy to do, coordinating installation with users and ensuring that patching never happens at critical moments is time consuming. But it’s essential.

Malicious software can also exploit vulnerabilities to elevate its permission temporarily and install itself regardless of the use of this control, meaning that this control can't exclusively be relied on.


My organization restricts software installation.

This control ensures that the organization retains control of all software installed on a computer. Much like restricting the use of elevated privileges, this can easily prevent ransomware.

To succeed, the organization needs to have the resources to centrally install all software onto each computer in the organization.

This is a resource intense control and requires sufficient staff to evaluate, approve, create remote installation packages, and deploy to only authorized endpoints.

Much like restricting the use of elevated privileges, this control can prevent the installation of ransomware, which is, by definition, unauthorized software.

There are a number of techniques that can be used to enforce this, like restricting installation to software signed by known and approved certificate authorities, or only allowing software that is on an allow list. Unfortunately, both of these techniques can be subverted.

The criminal can sign their code using an approved signing authority and name their software to match the names of software which will be on most organizations' allow lists. While this control can be effective, it should be implemented with other controls and not relied upon exclusively.


My organization employs URL filtering.

URL filtering is a technology that examines the entire URL. It ensures that the URL is safe to visit and meets the organization's policy requirements before the system allows the computer to open the page.

URL filtering often not only prevents access to the destination address without review, but also prevents the viewing of the target URL by hiding the true destination through one of several techniques. This may include masking the URL with one that does not show the destination, or simply rewriting the URL with a URL that will forward the browser first to a safe site which will evaluate the final destination and then either send the traffic on to that destination, or to a page that explains why access is denied.

The use of URL filtering can prevent the download and installation of ransomware onto a computer even if the employee falls for a criminal scam and clicks on the link. It helps your organization ensure that it won’t become a victim of your employees’ mistakes.

URL filtering that is informed by threat intelligence not only ensures that a URL is not trying to steal credentials, steal data, or install software such as ransomware, but also that the destination host is credible and won’t try to steal credentials or data, or install software, once the employee starts using it.


My organization filters email.

This control prevents emails sent by criminals designed to steal credentials, data, money, and/or install malware including ransomware from being delivered. Better SPAM filtering applications use artificial intelligence to analyze both the email and the reputation of the sender. It can then prevent the delivery of the message.

Good SPAM filtering will filter the URLs in all emails that are delivered, and good SPAM filtering will evaluate all attachments to ensure they don’t contain malware.

SPAM filtering can prevent emails that trick the trusting employee into opening an attachment or clicking on a URL – the most common means that ransomware is distributed.

It can also prevent more sophisticated attempts to steal from your organization, called spear phishing and whaling. These are well-constructed targeted attacks against specific persons, often the senior leadership of your organization and board of directors.

But remember – SPAM filters aren’t the only solution to preventing ransomware attacks. Ransomware can also be delivered through SMS messaging, which can’t be filtered through SPAM filtering tools.


My organization manages and enforces security policies.

This control allows an organization to enforce their policies regardless of where their employees are working, ensuring that a coffee shop network is as safe as the back-end network of a data center.

Centralized policy enforcement can prevent ransomware by ensuring that all the other controls designed to prevent ransomware are installed, properly configured, and always operational. It can also ensure that the employee can only use authorized software, go to authorized systems, save data on authorized locations, share data with only authorized persons, and that the system is vulnerability free and running all security tools.

Policy enforcement software can reduce the number of staff needed to implement controls like restricting use and installation to only authorized software, or restricting use of elevated privileges.


Detect



My organization uses machine learning and/or user behavior analytics.

Machine learning, more commonly known by the misleading label of artificial intelligence, and user behavior analytics are means to automate the analysis of events and systems to detect behavior that is not known or deemed to be risky.

Ransomware is easily detected by good machine learning or user behavior analytics because it does things that no good software does. That said, this technology can only detect ransomware – it can't prevent it nor stop it. Prevention requires other software, like phishing prevention, Security Continuous Monitoring, and EDR/XDR/MDR.

Machine learning is a great enhancement to human investigation but should be considered a complement (not a replacement) for human learning and analysis.


My organization is centrally monitoring all logs for security events.

This technology is often called a Security Information and Event Management (SIEM) system. When configured properly, all software should create an electronic ledger of the actions taken in the interaction with the software. This ledger is called a log and will track who did what, when, and with what result. Well done logs will be very explicit about the event, so that a clear record is created that can be played back by either human or software to recreate exactly what was done.

Centralized log management (CLM) is the combination of process and technology to collect logs from all the software run in an organization and place them into a single place where events across multiple systems can be tracked. Log management software will provide the means to query the logs regarding specific and related events, tracking them forward and backwards in time.

Logs are another kind of data and will need to be managed as data. Both the archiving and deletion of logs is an essential component of a good log management system.

Continuous monitoring looks at events across multiple platforms, in logs and in network flows, for evidence that an event is malicious in nature and evidence of a security incident. Alerts can then be sent to appropriate staff so that an appropriate response may be coordinated.

It can also detect and alert on ransomware being downloaded and installed before it executes and starts encrypting the system. It can also alert when files are being modified in bulk, allowing a fast response to ransomware that’s active on a system.

As the volume of logs and network flows is too much for humans to continuously monitor, both machine learning and user behavior analytics are often used to analyze events for anomalous behavior.

These centralized log management systems are also used to provide evidence of a crime. They're commonly integrated with other defensive technologies like ticketing systems, Intrusion Prevention Systems, Data Leakage Prevention Systems, and Security Orchestration, Automation, and Response to ensure effective incident management.

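The "files being modified in bulk" alert mentioned above is a simple correlation once file-audit logs are centralized: count one user's write and rename events inside a short window. The following is an added example, not code from this guide or from Cynet; the audit log format, the sample lines and the thresholds are constructed and hypothetical.

```python
"""
Added example, not code from the Cynet guide: a small detector for the
"files being modified in bulk" signal the guide says a SIEM/CLM can alert on.
It reads file-audit log lines in a constructed, hypothetical format
(timestamp, user, action, path [-> new path]) and raises one alert when a
single user's WRITE/RENAME events reach a threshold inside a sliding window.
"""
import os
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log. bob's burst of writes and renames to a new
# extension is the pattern an active encryptor leaves; alice's two saves
# and carol's read are normal activity and must not alert.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice WRITE  /share/finance/q1.xlsx
2024-03-01T09:00:05 alice WRITE  /share/finance/q1.xlsx
2024-03-01T09:01:10 carol READ   /share/hr/handbook.pdf
2024-03-01T09:02:00 bob   WRITE  /share/hr/handbook.pdf
2024-03-01T09:02:01 bob   RENAME /share/hr/handbook.pdf -> /share/hr/handbook.pdf.locked
2024-03-01T09:02:01 bob   WRITE  /share/hr/payroll.csv
2024-03-01T09:02:02 bob   RENAME /share/hr/payroll.csv -> /share/hr/payroll.csv.locked
2024-03-01T09:02:02 bob   WRITE  /share/hr/org.docx
2024-03-01T09:02:03 bob   RENAME /share/hr/org.docx -> /share/hr/org.docx.locked
2024-03-01T09:02:03 bob   WRITE  /share/hr/README.txt
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>READ|WRITE|RENAME)\s+(?P<path>\S+)"
    r"(?:\s+->\s+(?P<new_path>\S+))?\s*$"
)


@dataclass
class Alert:
    user: str
    first_seen: datetime
    last_seen: datetime
    count: int
    new_extensions: set = field(default_factory=set)


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bulk_modification(lines, window_seconds=60, threshold=5):
    """Return one Alert per burst of >= threshold modifications by one user
    inside window_seconds. READs are ignored; after an alert the user's window
    is cleared so a continuing burst does not re-alert on every line."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> deque of (timestamp, new extension or None)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] == "READ":
            continue
        ext = None
        if ev["action"] == "RENAME" and ev["new_path"]:
            ext = os.path.splitext(ev["new_path"])[1]  # e.g. ".locked"
        q = recent[ev["user"]]
        q.append((ev["ts"], ext))
        while q and ev["ts"] - q[0][0] > window:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append(Alert(
                user=ev["user"],
                first_seen=q[0][0],
                last_seen=ev["ts"],
                count=len(q),
                new_extensions={e for _, e in q if e},
            ))
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_modification(SAMPLE_LOG.splitlines()):
        print(f"ALERT user={a.user} {a.count} modifications between "
              f"{a.first_seen.time()} and {a.last_seen.time()}, "
              f"new extensions={sorted(a.new_extensions)}")
```

In a real SIEM the same logic would run as a correlation rule over the file-server or EDR audit feed, with the window and threshold tuned to the share's normal write rate.
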
My organization uses threat intelligence.

While most information security controls focus on the organization, threat intelligence involves looking outside of the organization at the entirety of the internet.

There are places on the internet not found using normal search engines, some of which require authentication to access, while others simply hide. This part of the internet is called the dark web. Threat intelligence aims to provide a view into what is happening on the Darknet, revealing places where stolen data is offered for sale and where stolen credentials are made available to help attack organizations.

Ransomware is often created by an organization that hosts their operations on the Darknet. Threat intelligence can find them and offer insight into how they operate. Threat intelligence will also provide information to help organizations analyze malware, including ransomware. Systems that consume threat intelligence, like a SIEM, SPAM Filtering, EDR/XDR/MDR, and other defensive technologies, can readily recognize the malware, generate an alert, and initiate a response.

Threat intelligence uses specialized technologies to communicate results, like STIX and TAXII. Contributors to threat intelligence systems will use the traffic light protocol to indicate the specifics of how data may be shared across threat intelligence platforms. Threat intelligence may provide signatures of malware, actual IP addresses and email addresses of known malicious actors, along with indicators of compromise (IOCs).

Threat intelligence makes other tools more effective.


My organization uses EDR/XDR/MDR.

The acronyms stand for endpoint detection and response, extended detection and response, and managed detection and response.

Essentially these technologies are the modern replacement for anti-malware, using either machine learning or user behavior analytics to detect when malware is downloaded, installed, or activated.

The EDR/XDR/MDR software does more than just alert on an incident in progress; it will sometimes initiate an automated response. This will work to shut down the malware, isolate it so that it can't execute again, roll back anything that was changed by the malware, and eliminate it from other machines where it may or may not have started to activate.

MDR has the added benefit of humans monitoring the system for malware that the automated response fails either partially or fully. The human agents can then step in and complete the response. These human agents can also roll back the activities of the MDR system if the machine learning or user behavior analytics mistakenly categorized unusual activities as malicious.

EDR/XDR/MDR systems are the most effective defense against ransomware because they act across all phases of the cyber security framework – acting to identify the malware, detect it, protect against it, respond to it, and automate the recovery from it.

EDR/XDR/MDR systems will write logs of their actions and interactions into a centralized logging and alerting system like a CLM or SIEM. This way an independent record of the systems’ activities can be maintained, retained, and archived as per the organization's data retention policy.


Respond



My organization has a security incident response plan.

Regardless of how good the organization's controls and tools may be, there will always be something that requires a human response. Having a prewritten plan for how to respond that is drilled by the response team allows your organization to effectively respond to any event that becomes an incident.

A security incident response (IR) plan is essential if ransomware bypasses your controls and becomes active in your environment. It will guide your staff on the steps to take to isolate the ransomware, reverse it, and communicate with appropriate internal stakeholders about the incident. It will guide difficult decisions made prior to the ransomware incident about whether to pay or not. This decision should be made in advance of the incident, because if you wish to pay, you will want to have the funds readily available.

If you choose not to fund the criminal’s activities, you’ll want to invest in ensuring the ability to recover from the most severe ransomware incidents.

A good IR plan will have guidance on how to triage an event to determine if it’s an incident, how to analyze an event to determine what happened when and how, provide a mechanism for fast response to a variety of event types, and include pre-written communication templates to ensure fast and effective communication.

The plan should have a framework for post event analysis of the response so that you can capture lessons learned and make improvements.


My organization's IR plan has predeveloped communications templates.

Regardless of the nature of the incident or disaster, few can communicate complex issues effectively during the stress of the investigation.

Creating communication templates ensures that the team knows what to communicate, how to communicate, and to whom.

As part of an IR plan, predeveloped communications provide a means to inform senior management, customers, and staff regarding the events your organization is managing and how you're coordinating the response.

You should also have prewritten communication to the press in case you need to respond to public disclosure of a data breach or ransomware attack.


My organization's security IR plan mandates event analysis.

While speed of response is a common success metric of an IR capability, the ability to effectively analyze an event is a crucial capacity.

Both machine learning and User Behavior Analytics are ways to automate parts of the analysis of an incident, but neither has the capacity to collect and review all relevant details of every kind of event. Being able to determine that the denial-of-service attack seen from a particular set of IP addresses was a smoke screen to hide data exfiltration to a different set of IP addresses is the kind of analysis that, for the moment, only humans can accomplish.

It’s essential to know how ransomware got into your environment. While an EDR/XDR/MDR system can show how the ransomware got onto a system, it may not be able to demonstrate the root cause of the incident. In-depth analysis of the incident to uncover the root cause is necessary to ensure that an organization knows what to fix to be resilient to future incidents and won’t suffer a second ransomware attack after the first one is resolved.


My organization automates an orchestrated response across disparate systems.

Security Orchestration, Automation, and Response (SOAR) is a technology that coordinates activities across disparate systems, ensuring that the changes on servers, networks, firewalls, applications, and web application firewalls that all result from a single event are made together.

Ransomware often gets onto multiple systems before it is caught and eliminated, using a variety of techniques to spread. SOAR can ensure that the root cause of the incident, and the method used to spread the problem, are dealt with in a fast, systematic and comprehensive way across disparate systems.

SOAR systems usually have complex workflows to automate parts of the incident response plan using inputs from both the EDR/XDR/MDR and the CLM/SIEM.


Recover



My organization leverages unattached data storage.

Unattached data storage devices are devices like tape backup systems or other removable storage where the connection to the data source is temporary and not periodic. A different tape is used every day to ensure that the contents of the data on a particular tape are available for restoration upon need.

Ransomware works by preventing access to data. If that data can be restored from a device not infected by the ransomware, then the path to recovery can be swift and relatively cost free. You will want to choose a point of restoration from before the incident began to ensure that you’re not restoring files that are already in the process of being encrypted or able to re-infect your environment with the malicious software.

It's common to take multiple kinds of backups, referred to as incremental and full. An incremental backup only backs up what changed since the last backup. A full backup backs up the entirety of the system. To get the most complete recovery, you may have to restore from multiple tapes.
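Choosing the tapes for a restore point before the incident, and walking the full-plus-incrementals chain, is mechanical enough to script against the tape catalogue. The following is an added example, not code from this guide or from Cynet; the catalogue, tape names and incident time are constructed and hypothetical, and it also covers the case the text implies but does not spell out: an unreadable or suspect tape in the middle of the chain moves the restore point back.

```python
"""
Added example, not code from the Cynet guide: choosing the tapes to restore
so that the restore point falls before the incident began, with the
full-plus-incrementals chain the guide describes. The tape catalogue and
its field names are constructed and hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Backup:
    tape: str
    taken_at: datetime
    kind: str  # "full" or "incremental"


# Constructed weekly rotation: a full every Sunday, incrementals Mon-Sat,
# plus the previous Sunday's full that is still on the shelf.
CATALOGUE = [
    Backup("T-SUN-PREV", datetime(2024, 2, 25, 2, 0), "full"),
    Backup("T-SUN", datetime(2024, 3, 3, 2, 0), "full"),
    Backup("T-MON", datetime(2024, 3, 4, 2, 0), "incremental"),
    Backup("T-TUE", datetime(2024, 3, 5, 2, 0), "incremental"),
    Backup("T-WED", datetime(2024, 3, 6, 2, 0), "incremental"),
    Backup("T-THU", datetime(2024, 3, 7, 2, 0), "incremental"),
    Backup("T-FRI", datetime(2024, 3, 8, 2, 0), "incremental"),
]


def restore_chain(catalogue, incident_start, unavailable=frozenset()):
    """Return the tapes to restore, in order, for the latest consistent
    restore point strictly before incident_start (a datetime or ISO string).

    Backups taken at or after incident_start are excluded: they may already
    hold encrypted files or the malware itself. Each incremental depends on
    every backup before it back to its full, so an unavailable tape (damaged,
    missing, or itself suspect) breaks the chain at that point and the
    restore point moves back to the last tape before the gap.
    """
    if isinstance(incident_start, str):
        incident_start = datetime.fromisoformat(incident_start)
    chain = []
    broken = False
    for b in sorted(catalogue, key=lambda b: b.taken_at):
        if b.taken_at >= incident_start:
            break
        if b.tape in unavailable:
            broken = True          # everything after this tape depends on it
            continue
        if b.kind == "full":
            chain = [b]            # a full starts a fresh chain
            broken = False
        elif chain and not broken:
            chain.append(b)
    if not chain:
        raise ValueError("no usable full backup exists before the incident")
    return chain


def restore_point(chain):
    """The time the restored data will reflect: the last tape in the chain."""
    return chain[-1].taken_at


if __name__ == "__main__":
    incident = "2024-03-07T11:30:00"  # ransomware first seen Thursday late morning
    chain = restore_chain(CATALOGUE, incident)
    print("restore", [b.tape for b in chain], "->", restore_point(chain))
    chain = restore_chain(CATALOGUE, incident, unavailable={"T-TUE"})
    print("with T-TUE unreadable", [b.tape for b in chain], "->", restore_point(chain))
```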


My organization uses cloud hosted data storage.

Cloud hosted data storage is essentially an external storage device hosted by a third party to which data can be written and read at the same speed and with the same flexibility as local drives. These systems are amazingly powerful, allowing for lots of storage and the ability to share data across organizational boundaries.

A key component of cloud hosted data storage is that it has the capability to roll back changes.

Cloud hosted data storage can detect the pattern of the sudden bulk change of files being encrypted by ransomware, alert you to the problem, and facilitate roll back to a known good state.

Be aware, however, that cloud hosted data storage can also be the mechanism through which ransomware is spread from system to system and organization to organization.

Cloud hosted storage can be both the means to recover swiftly from ransomware and the root cause of the infection. As a data repository, it needs proper management.


My organization has a recovery plan.

Ransomware can both shut down an organization and be the root cause of a data breach. Your organization's IR plan will allow you to stop the attack, identify root cause, and take steps to prevent recurrence.

Recovery from the consequences of the attack is a separate and complex process involving technical and managerial actions with coordinated decision making.

A recovery plan for ransomware must include the means to recover data that is encrypted by keys you don’t control, how to reestablish operational systems, and how to restore customer trust in the event of a data breach.

Recovery plans should be drilled by your organization so that, in the event that all its controls fail to stop a successful ransomware attack, it can return to normal as swiftly and smoothly as possible.


My organization has an incident communications plan.

You don’t want to figure out what to say to your management team, fellow employees, board of directors, customers, the press, law enforcement, government regulators, or even your staff in the heat of an ongoing incident. Having a good communications plan that defines who says what to whom, under what circumstances, using what mechanism is essential to the smooth operation of both incident and recovery plans. A well developed and executed communications plan is essential to restore trust regardless of the nature of the incident.

Good communications plans are honest and transparent. They reveal a blameless root cause of the problem, and lay out what has been done to stop the event, as well as prevent future occurrence.

Organizations that fail to do this suffer from bad press. Organizations that do it well often have less customer flight.


Want a personalized assessment?

Our MDR team – CyOps – monitors our client environments for critical events and incidents so that your security team can always have someone on-guard. The team can also provide threat analysis and remediation guidance so that responders instantly know what’s going on and what to do.

If you’re interested in learning how Cynet can help you protect your organization from ransomware, we’ll give you a personalized assessment when you sign up for a free trial.

Stay safe!
