
Blueprint for Ransomware Defense

Information Security
2 BLUEPRINT FOR RANSOMWARE DEFENSE

CONTENTS

4 Introduction
4 The Rise of Ransomware
6 / Ransomware Life Cycle
7 / Ransomware Incident Types
7 / Ransomware Threat Actors
7 / Current Observed Ransomware Trends
9 Preparedness and Readiness
9 / Governance
10 / Management
12 / Key Roles
12 / Processes and Objectives
15 Public Communication and Disclosure
17 Assurance
17 / Ransomware Readiness Assessment
18 / Ransomware Readiness Testing
19 / Ransomware Readiness Training
20 Conclusion
21 Acknowledgments

© 2023 ISACA. All Rights Reserved.



ABSTRACT
Ransomware attacks continue to increase in frequency, complexity and damaging
effects worldwide.1 Cybercriminals have operationalized ransomware into a
multibillion-dollar illegal enterprise with the capability to exploit and disrupt even the
largest and most sophisticated companies. However, both the probability and severity
of an attack can be mitigated when companies develop and maintain strategies
for both prevention and mitigation. This white paper offers insight into the current
ransomware landscape and outlines steps an organization can take to prepare for and
respond to ransomware attacks.

1 Dorfman, Max; “Cyberattacks Growing in Frequency, Severity, and Complexity,” The Triple-I Blog, Insurance Information Institute, 29 April 2022,
http://www.iii.org/insuranceindustryblog/cyberattacks-growingin-frequency-severity-and-complexity/


Introduction

Ransomware is malware that threatens to permanently restrict access to a system or publish compromised data if a ransom demand is not satisfied. Once a system is compromised, data are then encrypted, and access is blocked until payment is received in exchange for the promise of decryption keys.

Cybercriminals have operationalized ransomware into a multibillion-dollar criminal pursuit, with the capability to exploit and disrupt even the largest and most sophisticated companies. A ransomware attack can, at best, temporarily impact revenue generation, or at worst, cause a massive financial loss that triggers bankruptcy or liquidation.

Anecdotal evidence suggests that far too many organizations across both private and public sectors lack basic cybersecurity practices, thereby keeping the cost of doing business affordable for bad actors. This in turn has resulted in varied degrees of governmental response, often in the form of legislative action.

Given the reach of governmental mandates, public entities have less flexibility to address potential ransomware threats and responses (at least for the foreseeable future), while private enterprises still possess the ability to decide whether to pay ransom. Whether to pay ransom is heavily debated and outside the scope of this white paper.

Given the diverse and invasive nature of information technology, the variety of controls that must be implemented, and the varied level of integration of those controls into operations, an effective defense in one environment may not work in another. The control risk has a range of root causes, from the misinterpretation of a new business control requirement and its intent to improperly trained staff. In addition, each attack is unique because motivations and objectives often require the adversary to remain nimble and adapt, unhindered by enterprise defense.

Enterprise culture is also one of the strongest influences on an enterprise’s ability to prepare, defend and recover from an attack. Depending on the enterprise’s maturity, this can mean the difference between actual preparedness and a false sense of security.

This white paper provides information about ransomware attacks and presents detailed guidance on how to prepare for and respond to them. Cybersecurity, while challenging, is highly influenced by variables which include but are not limited to business size, sector and industry.

The Rise of Ransomware

Although ransomware attacks have been interrupting business operations since 1989, the number of such attacks is rapidly increasing. The Verizon 2022 Data Breach Investigations Report reveals a “13% increase in ransomware breaches—more than in the last 5 years combined.”2 Figure 1 shows the worldwide rise of ransomware from 2017 to 2022.

2 Verizon Business Resources, “2022 Data Breach Investigations Report,” 2022, http://www.verizon.com/business/resources/reports/dbir/


Cybercriminal groups continue to evolve their operations and grow their marketspace. Figure 2 shows a cost-benefit analysis of running a simple commodity ransomware campaign. The result shows the low barrier to entry into ransomware.

FIGURE 1: Global Ransomware Volume by Year

Year   Global ransomware volume
2017   183,600,000
2018   206,400,000
2019   187,909,053
2020   304,638,987
2021   623,254,877
2022   493,327,151

Source: SonicWall, Inc., “2023 SonicWall Cyberthreat Report,” 2023, https://www.sonicwall.com/2023-cyber-threat-report/

FIGURE 2: Cost-Benefit Analysis of Ransomware Campaign

It’s simple math!

Cost to develop ransomware
• 160 hours at $200/hour

Cost of disposable infrastructure
• 10 servers at $500 ($50/server)

Cost of launching ransomware attack
• Push “button” to start
• Monitor for 10 days (240 hours at $150/hour)

Attack 1,000,000 targets
• 1% pay the ransom at $300/system

Cost
Developer                 $32,000
Infrastructure            $500
Launch attack             $50
Help desk                 $36,000
Investments               $68,550
1% target market share    $3,000,000
Return on investment      $2,931,450

Source: Hinsch, Nicholas; “Louisville Metro ISSA Louisville, KY 2019–Ransomware Recovery,” 18 November 2019, http://www.therubiconadvisorygroup.com/2019/11/18/louisville-metro-issa-2019/


Ransomware Life Cycle

As cybersecurity practices evolve to keep up with the changing digital landscape, bad actors continue to change and adapt to overcome those practices. A simple web query will net countless variations of a ransomware attack life cycle. For instance, one prominent financial entity published insights visualized in figure 3. A more detailed life cycle from the New Zealand CERT is shown in figure 4.

FIGURE 3: Five Stages of a Ransomware Attack

1. Delivery
2. Command and control
3. Credential access
4. Canvassing
5. Extortion

Source: JPMorgan, “The Anatomy of a Ransomware Attack,” 7 September 2022, http://www.jpmorgan.com/commercial-banking/insights/the-anatomy-of-a-ransomware-attack

FIGURE 4: New Zealand CERT Life Cycle of a Ransomware Incident

Life cycle of a ransomware incident: the common attack paths of a human-operated ransomware incident (based on examples from CERT NZ)

Initial access (attacker looks for a way into the network)
• Phishing
• Malicious document / Email / Malware
• Valid credentials
• Password guessing
• Internet-exposed service
• Exploit vulnerability

Consolidation and preparation (attacker attempts to gain access to all devices)
• Command and control
• Lateral movement
• Privilege escalation

Impact on target (attacker steals and encrypts data, then demands ransom)
• Data exfiltration
• Destroy backups
• Encrypt data

Source: Government of New Zealand and CertNZ, “How Ransomware Happens and How to Stop it,” http://www.cert.govt.nz/it-specialists/guides/how-ransomware-happens-and-how-to-stop-it/ © Govt NZ 2023. Reprinted under https://creativecommons.org/licenses/by-nc/4.0/.


Understanding the life cycle of a ransomware attack can help business professionals identify threats, assess risks, and implement effective mitigation strategies. It also enables them to develop an incident-response plan and promote a culture of cybersecurity awareness.

Ransomware Incident Types

We have seen malicious software evolve from manual computer-to-computer transfer (e.g., floppy disk or USB drive) to virus replication to the development of remote access tools. Previously, organizations were attacked and their private information compromised with the intent that the stolen information would be sold within the criminal underground. Now, criminals weaponize cryptographic software or use system encryption functionality. They demand immediate payments via cryptocurrency. Our readiness and ultimate response to these threats must change. Ransomware is no longer for amusement but rather has become a highly lucrative business.

The three major ransomware incident types are:

• Mass Automated Infection of Isolated Systems—Threat actors cast very wide nets and are heavily reliant on automation to exploit and spread ransomware to targets of opportunity. Typically, these yield a lower return on investment to the threat actor. This attack type was common between 2015‒2019, before the emergence of enterprise ransomware.

• Enterprise Ransomware (aka "Big Game Hunter")—Threat actors focus on targeted intrusions for profit (extortion). The victims are usually enterprise networks of small to medium enterprises and large organizations. Enterprise ransomware constitutes the most common form of ransomware attack after 2019, and it is also responsible for most of the innovation around extortion tactics and the emergence of ransomware supply-chain ecosystems (i.e., access brokers, exchange and money mule services, bulletproof hosting, malware delivery networks, etc.).3

• Ransomware-as-a-Service (RaaS)—This is a novel delivery model designed to support enterprise ransomware operations in which ransomware developers lease/offer the malicious code to qualifying affiliates (aka "operators") who possess the hacking skills to execute targeted intrusions and deploy ransomware in enterprise networks. The model allows ransomware developers to reduce the skill level required to launch a ransomware attack and to scale up those attacks by offering up ransomware to multiple affiliates, while also transferring to those affiliates the risk of getting identified and arrested. Affiliates receive the largest percentage of the ransom (usually around 60‒70%) and don't have to manage the extortion activities (e.g., negotiations, cryptocurrency transfers, leak site management, ransomware development, etc.).

Ransomware Threat Actors

Three main types of threat actors generate ransomware attacks:

• Criminal Groups—The only objective of these threat actors is to make money. They view a ransomware attack as a business transaction in which currency is extorted from a target.

• State-Sponsored Threat Actors—These actors focus on disruption to further their geopolitical and sociopolitical goals and influence the direction of a target. State-sponsored actors are backed by their governments. Ransomware is often used in advance of a kinetic engagement, as seen with the Russo-Georgian War in 2008 and more recently with suspected Russian campaigns targeting Poland, disrupting transportation and logistics organizations and a key conduit supplying military aid to Ukraine.4

• Ransomware-as-a-Service (RaaS) Providers—Threat actors use a criminalized version of Software-as-a-Service, in which ransomware campaign risk (e.g., costs, resources and legal) is reduced and returns are shared between affiliate members and the RaaS provider.

Current Observed Ransomware Trends

Threat actors are refining their operations—Instead of investing resources to gain access, threat groups are leveraging their relationships with initial access brokers, allowing the threat groups to spend more time orchestrating targeted attacks instead of investing
3 theNET By CLOUDFLARE, “Ransomware attackers escalate extortion tactics,” http://www.cloudflare.com/learning/insights-ransomware-extortion/


4 Cybersecurity & Infrastructure Security Agency (CISA), “Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure.” Retrieved 2 March 2023. http://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a


resources to initially compromise a target. This also opens the market to less sophisticated attackers who may not have the experience, skill or capability to breach perimeter defenses, but can follow a runbook.

Changes in threat-group operations require enterprises to review their security awareness and training programs and ensure that their workforces are well aware of both the ransomware threat and their company’s ransomware policies. An employee’s policy awareness should include the official company stance and response, e.g., “Acme will never pay a ransom” vs. “Acme will approach ransomware on a case-by-case basis.”

Because enterprises must transform, adapt and innovate to maintain a dominant presence in the marketspace, criminal operators must do the same. Threat actors are investing in their products to adapt to the changing market landscape, i.e., the enterprise attack surface.

Threat groups are specializing and maturing their technical capabilities, often faster than enterprises can learn to adapt and defend against them. This rapid rate of innovation and adaptation requires enterprises to continuously monitor for threats and to enhance their incident-management and digital-forensics (reverse engineering) capabilities.

Ransomware barrier to entry is dropping—The landscape of cyberattacks has evolved significantly with the advent of Ransomware-as-a-Service (RaaS), which allows malicious actors to leverage pay-for-use malware to launch and sustain ransomware campaigns. Rather than having to develop their own ransomware code and execute a tailored set of operations, attackers can now avail themselves of a platform that offers the requisite ransomware code and operational infrastructure. The increase in as-a-Service providers (e.g., initial access brokers and tailored ransomware packages) is decreasing the cost to enter the ransomware marketplace. The barrier to entry is at an all-time low, and it continues to drop, allowing more threat actors to enter the market.

This drop in cost is another driver for enterprises to look objectively at their plans and preparations for threat attacks.

Threat actors are getting better at hiding their identity and actions—Threat actors obscure their identities, leveraging common anonymizing services not only when they interact with their criminal counterparts, but also to make it more difficult for enterprises to defend against attacks. Attackers also use ethically flexible VPN and cloud-service providers to further obfuscate their origin.

Better identity obfuscation reinforces the need for enterprises to upgrade their threat-hunting and incident-management capabilities.

Zero-day exploits are rising—In the past, phishing campaigns have been the most successful method for adversaries to gain their foothold. Today, zero-day exploits are more common, from highly publicized remote exploits like Log4j (CVE-2021-45046) to a variety of Microsoft Windows-based exploits,5 highlighting the need for inventory maintenance, configuration management, vulnerability management and patch management programs.

In addition to the data hygiene practices common to a business-centric security management program, these exploits show the need for additional protection, e.g., attack-surface management, threat hunting, patch management, network segmentation and baselining behavior (network and user).

The use of artificial intelligence to create ransomware is emerging—The accessibility and ease of use of artificial intelligence (AI) allow it to be weaponized, further lowering the barrier to entry for ransomware. Although current AI can create basic and rudimentary ransomware capabilities that may not be sophisticated enough to bypass available endpoint detection and response (EDR), extended detection and response (XDR) or managed detection and response (MDR) platforms, the global

5 MS Office Graphics Remote Code Execution (CVE-2022-47213), MS Edge Elevation of Privileges (CVE-2022-44708), MS SharePoint Server Remote Code Execution (CVE-2022-44690).


rate of adoption of such platforms warns us that many businesses may find themselves victims of this type of attack.

As AI capabilities increase, more bad actors will leverage it, requiring all enterprise professionals to maintain a higher level of vigilance.

Double Extortion—A tactic employed by threat actors who, after encrypting a target’s files, then exfiltrate and threaten to release those files. This was first employed in 2019 and has since increased the effectiveness of ransomware campaigns. While most ransomware attackers invest in breaching organizations (big game hunters), some threat actors using Ransomware-as-a-Service still leak data, even after the ransom for the data has been paid.

Triple Extortion—A tactic in which additional attacks (i.e., Distributed Denial of Service) are employed to apply additional pressure to targeted organizations.

Preparedness and Readiness

Ransomware, just like any other threat we face in business, requires a formalized preventative approach and protective stance. Just as organizations define and establish policies for ensuring the proper management of other business affairs, cybersecurity protocols need to be clear and concise, articulating the appropriate and expected response should your organization be attacked with ransomware.

The good news is that by getting back to the basics of systems and network hygiene, enterprises can address and mitigate many attacks. Implementation of egress filtering increases the likelihood of being able to interrupt communication with command and control (C2) nodes. Done correctly (and enforced), network segmentation actively reduces overprovisioned accounts. Lastly, backups must meet business needs and be tested for usability.

Governance

When a ransomware incident occurs, the response timer is counting down. Therefore, enterprises should have a plan for their approach to the threat. An official ransomware policy informs and directs enterprise practices and operations, and its response to a ransomware incident.

Senior management needs to define their official stance on extortion attacks. The ransomware policy provides the rationale and justification about why investments are made in one area over another or why certain changes to business operations are made.

Ransomware/extortion does not necessarily need to be its own policy. What matters most is that ransomware attacks are adequately covered in crisis management, business continuity, incident detection and response playbooks, etc.

Figure 5 shows enterprise ransomware/extortion policy levels and the consequences of not having a policy.


FIGURE 5: Ransomware/Extortion Policy Levels

Levels of Ransomware/Extortion Policy

We Will Not Pay
• Under no circumstances will we pay a ransom.
• This will require the Board and senior management to meet. This also will inform decisions and should be used to justify resource acquisition and investments.
• This requires an intimate knowledge and understanding of the operating environment and justification and traceability for the investments in the people, processes and technology in IT-related business programs. The infrastructure needed to satisfy this requirement must reach the entirety of the organization.
• This includes significant investments and dedication of resources into IT-related business programs.

Limited Basis
• Only business-critical systems or processes will warrant consideration for paying a ransom.
• Noncritical systems and processes where regulated or sensitive data have not been exposed will warrant no further action.
• This will require support from senior management to unilaterally prioritize and identify business-critical systems and processes (and their supporting subsystems) across the entirety of the enterprise; this will reduce the scope of what needs to be protected, allowing the organization to focus resource and financial investments for the purposes of risk optimization.
• Although investments will still need to be made for the common IT-related business programs and infrastructure, the scope can be reduced to focus only on those business-critical systems and processes, allowing the organization to make an informed decision.

No Defined Policy
• The enterprise will get caught off guard; react, not respond; and lose productivity, valuable time, stakeholder confidence and public trust.
• The enterprise incident-response costs will increase.
• Enterprise employees will experience burnout.
• The enterprise insurance carrier will most likely delay, deny and defer the claim because the enterprise was not adequately prepared.
• The enterprise has accepted 100 percent of the responsibility and accountability for something that it either did not fully understand or has mistakenly assumed would never happen to it.

Management

Management has the responsibility to set the strategy and dedicate the resources necessary to develop an effective ransomware defense. Figures 6–9 show the multitude of roles, programs, processes and technologies needed to implement and maintain the strategy.

FIGURE 6: Enterprise Roles Required to Support Operations and Strategy

People
• Application Architect
• Application Dev Team
• Chief Financial Officer
• Chief Information Officer
• Chief Information Security Officer
• Chief Operating Officer
• Chief Privacy Officer
• Chief Technology Officer
• Data Privacy Officer
• Enterprise Architect
• Forensic Analysts
• Human Resources
• Insurer
• Internal Audit
• IT Architect
• Legal Counsel
• Line of Business
• Network Engineer
• Ransomware Negotiator
• Reverse Engineer
• Risk Analyst
• Security Architect
• SOC Team
• Systems Administrator
• Threat Intelligence Analyst


FIGURE 7: Programs Required to Support Operations and Strategy

Management Programs
• Asset Management
• Business Continuity & Disaster Recovery Management
• Capacity & Performance Planning
• Change Management
• Cloud Security Management
• Compliance Management
• Configuration Management
• Continuous Monitoring
• Cryptography Management
• Data Classification & Handling Management
• Embedded/Smart/IoT Technology Management
• Endpoint Security Management
• Human Resources Security
• Identification & Authentication Management
• Incident Management
• Information Assurance
• Information/Cybersecurity Standards Management
• Maintenance
• Mobile Device Management
• Network Security Management
• Patch Management
• Physical & Environmental Security Management
• Privacy Engineering & Architecture
• Project & Resource Management
• Risk Management
• Secure Engineering & Architecture
• Security & Privacy Governance
• Security & Privacy Management
• Security Awareness & Training
• Security Operations
• Staff Skills Management
• Technology Development & Acquisition
• Third-Party Management
• Threat Management
• Vulnerability Management
• Web Security

FIGURE 8: Processes Required to Support Operations and Strategy

Processes
• Access Control
• Asset Inventory (inclusive of):
  • Accounts (Human & Nonhuman)
  • Applications
  • Cloud
  • Data, Information & Knowledge
  • Hardware
  • Supply Chain/Third-party
• Application Access Control
• Application Engineering
• Asset Management
• Business Impact Analysis
• Business Process Engineering
• Centralized Logging
• Change Management
• Configuration Management
• Continuous Monitoring
• Crisis Communication
• Data Backup & Recovery Testing
• Data Classification, Handling & Inventory
• Electronic/Cryptographic Key
• Enterprise Architecture
• Identity and Access Review
• Incident Management
• Incident Response
• Information Cybersecurity Policy Development
• Information/Cybersecurity Procedures
• Information/Cybersecurity Process Management
• Information/Cybersecurity Standards
• Patch Management
• Privacy Impact Assessment
• Privileged Account Review
• Ransomware Negotiations
• Ransomware Playbooks
• Risk Assessment (Ransomware specific)
• Risk Management
• Secure Software Development Life Cycle
• Security Awareness & Training Management
• Security Engineering
• Security Strategy Development & Alignment
• System Access Control
• Threat Intelligence Management
• Threat Modeling
• User Access Review
• Vulnerability Management


FIGURE 9: Technology Required to Support Operations and Strategy

Technology
• Access Controls
• Antivirus/Antimalware
• Asset Inventory System
• Baseline (User & Network) System
• Centralized Logging
• Configuration Management
• Data Analytics, Mining & Visualization
• Data Encryption
• Data Loss Prevention
• Detection & Response
• Directory Services
• Encryption At Rest
• Encryption In Transit
• End-Point Detection & Response
• End-User Controls
• File Integrity Management
• Full Packet Capture
• Honey Pots/Tokens
• Host Forensic Tools
• Information Sharing Platform
• Intrusion Detection/Prevention System
• Memory Forensic Tools
• Middleware Management
• Multi-Factor Authentication
• NetFlow Capture
• Network Access Controls
• Network Discovery Scanner
• Network Forensic Tools
• Network Monitoring System
• Network Segmentation
• Password Manager
• Patch Management
• Sandbox
• Security Incident & Event Management System
• System Hardening
• Threat Intelligence Platform
• Vulnerability Scanner
• Web Application Firewall
• Web Proxies

Key Roles

Preceding a successful ransomware attack, it is important to identify key roles in the enterprise business, processes and technologies (figures 6–9) that may typically be involved. These roles need to be clearly documented, understood and communicated, and staff adequately trained to ensure an effective and efficient response. The following are typical key roles:

• Incident-Response Team—The team is tasked with investigating the incident, determining the extent of the compromise, collecting evidence, and leading containment and eradication efforts. This team may include the internal or external staff responsible for incident response and digital forensics. It is highly advisable that all work is performed in consultation with legal counsel to attach attorney-client privilege to potentially sensitive communications.

• Legal Counsel—Internal and external counsel have the key role of coordinating with all teams in order to understand the details of the incident and provide legal advice on all aspects of resolution.

• Crisis Communication—Well-versed in handling crisis events, this individual or team works with counsel to develop and then communicate authorized information regarding the incident to internal and external stakeholders, as appropriate.

• Ransom Negotiator—Aligned to the official enterprise ransomware policy, this individual is the primary point of contact in communicating and negotiating the ransom. This individual can be internal to the enterprise or a retained negotiator.

• Insurance Provider—Upon notice, an insurance carrier will request information and assess the details of the incident in order to determine applicability of the policy.

Processes and Objectives

The ability of an enterprise to successfully navigate and manage a ransomware attack relies on its ability to quickly identify and respond. The faster it can identify an attack, the faster it can respond, reducing both long-term impacts to business operations and dwell time of the adversary. Well-defined processes and procedures help an enterprise to contain and remove threats sooner.

While the processes and objectives of recovery from a ransomware attack are generally similar to those in incident-management programs, specific attention must be given to the unique details of a ransomware


attack. The key phases of ransomware management are as follows:

• Planning and Preparation
• Detection/Identification
• Containment
• Eradication
• Recovery
• Postmortem/Assessment

Each phase should be defined and tailored to the organization, taking the following considerations into account:

• Visibility—The ability to detect indicators that could lead to ransomware incidents; visibility refers to the instrumentation, defined processes, documented procedures, and appropriately skilled and competent staff necessary to recognize the indicators of ransomware attacks and to identify whether the attack is a variant strain of known commodity ransomware or from a big game hunter moving within the environment.

The type of attack determines what indicators may be present, and whether they are hashes associated with first-stage file droppers and scans/probes of Internet-facing, business-critical systems, phishing attempts against privileged personnel or illicit activity against internal business-critical systems.

Visibility allows companies to quickly respond rather than react to a threat, and therefore typically requires an intimate understanding of both the business and technical aspects of an organization.

Having established baselines to determine good from bad is essential and requires that organizations have identified and are actively monitoring their environments.

• Initial Investigation and Analysis—The objective of initial investigation and analysis processes is two-fold: early detection and faster response to active and present threats to the organization, and preemptive defensive measures to reduce and manage the overall attack surface of the enterprise.

• Preventing Lateral Movement—This supports the containment phase activities and the ability to reduce and limit access of the threat actor within the environment by isolating infected devices

network. Network segmentation and zero-trust adoption can reduce the attack surface, but enterprises should be aware that, in most enterprise ransomware incidents, trusted relationships between users, devices and networks are leveraged by the ransomware operators, and in many cases internal domain controllers, DNS servers, or DHCP servers were used to deploy ransomware, bypassing most network segmentation measures.

• Impact Analysis—In the situation when detection and response measures failed to detect a ransomware deployment, assessing the impact on data and systems is an activity that needs to be balanced with the impulse to restore data and systems from backups (if backups were not destroyed in the attack). Enterprises should prioritize recovery and investigation activities based on their resilience plans and regulatory requirements. Organizations should be aware that restoring systems and data before collecting forensic artifacts for analysis will lead to the destruction of valuable evidence for the incident investigation and reduce the ability of the forensic investigators to understand how the attack unfolded. Organizations operating in regulated sectors should consider any reporting requirements (e.g., disclosure of data breaches that impact personal information, etc.) and determine how to balance the recovery and response/investigation activities.

• Determining What Data Were Accessed—Knowledge of the systems that process, store, transmit or have access to sensitive and regulated data is critical. This requires having current data flow diagrams, accurate asset inventory and a network architecture that demonstrates how data flows within the organization, and knowing the data owners and business process owners who are affected.

Controls and instrumentation, such as data loss prevention, data discovery systems, identity and access management systems, centralized logging and network and user behavior analytics, are often leveraged to determine what data may have been accessed or exposed, and what accounts were used, in order to determine the breadth and depth of the adversary’s time in the network.

Capabilities employed include incident response and digital forensic efforts; these need to be tailored to the environment and integrated with business operations. Defined processes, procedures and

and reducing the threat actor ability to laterally move within the training of associated staff should be documented. Additionally,

© 2023 ISACA. All Rights Reserved.


14 BLUEPRINT FOR RANSOMWARE DEFENSE

senior management (e.g., COO, CIO, CISO, CRO, CFO) should be included to make key decisions, remove roadblocks, and prioritize response efforts for the incident response and forensic team requests (CIO and CISO), assess potential business impact (CRO) and approve financial disbursements (CFO).

Staff involved should include the appropriate senior management members, legal counsel, incident response and forensic team members, and the affected data owners and business process owners; additional staff may be included on an as-needed basis.

• Were Data Exfiltrated?—Being able to know if data were exfiltrated from the environment often means the difference between declaring a data breach and mandatory notification, and not having to report. This determination is an important distinction because unauthorized access alone (system or data, interactive or programmatic) does not imply data were exfiltrated. To determine whether exfiltration occurred requires being able to recreate the steps a threat actor took while they were within the enterprise network, which requires sufficiently detailed and properly architected logging solutions to be in place. Additionally, common trace artifacts can exist on systems and within the network that indicate data exfiltration (e.g., recently created and then deleted compressed files, file transfers to unknown destinations, and memory-resident applications). Ensuring that incident response and digital forensic processes and procedures, and the team’s capabilities, meet organizational requirements is essential. They need to be able to demonstrate that information is being provided and conveyed to key decision makers.

Controls and instrumentation, such as NetFlow, directory services, IAM systems, full packet capture platforms, SIEMs and properly configured log settings, are often used to recreate the activities of an adversary on the network. System forensic tools can be used to identify the creation and deletion of files that were staged for exfiltration.

Capabilities employed include incident response and digital forensic efforts that are built on defined processes, procedures and training of associated staff. Staff involved should include the appropriate senior management members, incident response and forensic team members, network architects and engineers, system maintainers, and the affected data owners and business-process owners. Additional staff may be included on an as-needed basis.

• Business Resumption—Business recovery efforts should begin after containing the ransomware. This process is unique to each attack and the enterprise’s official policy on ransomware.

• Data Recovery—If the enterprise’s official policy on ransomware is to pay no ransom, after the threat actor is contained AND eradicated from the environment (and all access methods closed off to the attacker), the business can confidently recover data from immutable backups and resume operations.

• Negotiated Recovery—Enterprises need to ensure that they are ready to negotiate the potential recovery of their data (if their official ransomware policy is to pay). Be mindful that payment is no guarantee that any data will be recovered.

• Negotiations—Based on a threat actor’s skill, resources and level of sophistication, the enterprise may be able to negotiate a lower amount than what is being asked. An identified, trained and skilled negotiator can mean the difference between data loss and recovery. Some basic considerations prior to attempting negotiations include:
  • Do not open the ransomware email or click links; normally, the clock may only start after the first exchange occurs between the enterprise and threat actor.
  • Contemplate possible outcomes; determine the best-case and worst-case results. Then plan how the enterprise would respond to each outcome.
  • Establish an open communications channel (preferably outside of the primary channel because the enterprise network is now compromised). This communication team should include senior management and legal counsel.
  • Verify if the threat actor is listed on the sanctions list maintained by the Office of Foreign Assets Control6 to prevent introducing additional risk to the enterprise. This should be done by legal counsel.
  • Leverage the enterprise threat intelligence program, including threat intelligence data from established communication channels with law enforcement. For example, to understand the threat actor, get answers to the following questions:
    • How have they handled ransoms in the past?
    • Are they reliable in delivering decryption keys that will recover the data, or are they more akin to smash-and-grab criminals?

• Threat Actor Communications—Big game hunters tend to be financially motivated. They often make significant investments to gain access and spend weeks understanding an enterprise’s networks and business operations before launching an attack. They invest in supporting infrastructure (e.g., call centers) to walk an enterprise through the process of setting up crypto accounts to make payment. Negotiations may be quickly resolved. They may also be protracted, taking time for offers and counteroffers to be made before coming to an agreement. It is strongly advised that enterprises do not underestimate a threat actor who is holding their data for ransom, and do not attempt to intimidate or threaten them. Remember, every hour the enterprise is without its data is an hour of business interruption.

• Crypto Payment Transfer Obfuscation—Enterprises should not make ransom payments directly from their corporate account(s). There is the chance that the threat actor may not recognize the enterprise during the transaction (even though they have spent time in your environment). This may work in your favor, because they may not correlate that the enterprise is willing to pay and may not attempt to return in the future. A recent study7 reports that 80 percent of enterprises that paid a ransom were attacked with ransomware a second time, with 40 percent paying again. Seventy percent of these paid a higher amount for the second incident.

6 U.S. Department of the Treasury, “Office of Foreign Assets Control—Sanctions Programs and Information,” https://ofac.treasury.gov/
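The exfiltration trace artifacts named under "Were Data Exfiltrated?" above (a compressed file created on a host and soon deleted, with a large transfer to an unknown destination in between) can be correlated from host file-event and flow telemetry. The Python below is an added example, not code from the ISACA paper; its log formats, hostnames, addresses, allow-list and thresholds are all constructed for the demonstration.

```python
"""Added example, not from the ISACA paper: correlate host file events with flow
records to surface an archive that was created, uploaded to an unknown destination
and then deleted. Formats, hosts, addresses and the allow-list are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Tuple

ARCHIVE_EXTS = (".zip", ".7z", ".rar", ".tar.gz")
# Hypothetical allow-list: internal space plus one partner range (RFC 5737 doc addresses).
KNOWN_DESTINATIONS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
STAGING_WINDOW = timedelta(hours=6)  # create -> delete of the same archive counts as staging
MIN_SHARE_OF_ARCHIVE = 0.8           # outbound bytes must cover most of the archive size


@dataclass
class FileEvent:
    ts: datetime
    host: str
    action: str  # "create" or "delete"
    path: str
    size: int    # bytes reported by the host agent


@dataclass
class Flow:
    ts: datetime
    src_host: str
    dst_ip: str
    bytes_out: int


@dataclass
class Finding:
    host: str
    path: str
    archive_bytes: int
    dst_ip: str
    bytes_out: int
    minutes_on_disk: float


def parse_file_event(line: str) -> FileEvent:
    """Constructed host-agent format: ts|host|action|path|size."""
    ts, host, action, path, size = line.strip().split("|")
    return FileEvent(datetime.fromisoformat(ts), host, action, path, int(size))


def parse_flow(line: str) -> Flow:
    """Constructed flow-export format: ts|src_host|dst_ip|bytes_out."""
    ts, src, dst, nbytes = line.strip().split("|")
    return Flow(datetime.fromisoformat(ts), src, dst, int(nbytes))


def is_unknown_destination(ip: str) -> bool:
    """True when the destination lies outside every allow-listed network."""
    addr = ip_address(ip)
    return not any(addr in net for net in KNOWN_DESTINATIONS)


def staged_archives(events: List[FileEvent]) -> List[Tuple[FileEvent, FileEvent]]:
    """Pair each archive creation with the first deletion of the same file on the
    same host inside STAGING_WINDOW; archives that are never deleted are not staging."""
    pairs = []
    for c in events:
        if c.action != "create" or not c.path.lower().endswith(ARCHIVE_EXTS):
            continue
        for d in events:
            if (d.action == "delete" and d.host == c.host and d.path == c.path
                    and c.ts <= d.ts <= c.ts + STAGING_WINDOW):
                pairs.append((c, d))
                break
    return pairs


def correlate(events: List[FileEvent], flows: List[Flow]) -> List[Finding]:
    """Flag a staged archive when, while it existed on disk, the same host sent most
    of its size to a destination the business does not recognise."""
    findings = []
    for c, d in staged_archives(events):
        for f in flows:
            if (f.src_host == c.host and c.ts <= f.ts <= d.ts
                    and is_unknown_destination(f.dst_ip)
                    and f.bytes_out >= MIN_SHARE_OF_ARCHIVE * c.size):
                findings.append(Finding(c.host, c.path, c.size, f.dst_ip, f.bytes_out,
                                        (d.ts - c.ts).total_seconds() / 60))
    return findings


# Constructed telemetry: one stage-upload-delete sequence to an unknown host, a routine
# backup to an internal server (allow-listed), and a small archive that is never deleted.
FILE_EVENTS = """
2023-03-01T02:10:00|ws-finance-07|create|C:\\Users\\Public\\q4_export.zip|125829120
2023-03-01T02:40:00|ws-finance-07|delete|C:\\Users\\Public\\q4_export.zip|125829120
2023-03-01T01:00:00|srv-backup-01|create|/var/backups/nightly.tar.gz|5368709120
2023-03-01T01:30:00|srv-backup-01|delete|/var/backups/nightly.tar.gz|5368709120
2023-03-01T09:00:00|ws-hr-02|create|C:\\Temp\\notes.zip|2048
""".strip().splitlines()

FLOWS = """
2023-03-01T02:25:00|ws-finance-07|198.51.100.77|134217728
2023-03-01T02:26:00|ws-finance-07|203.0.113.10|140000000
2023-03-01T01:10:00|srv-backup-01|10.20.0.5|5400000000
""".strip().splitlines()


def run_demo() -> List[Finding]:
    """Parse the constructed telemetry and return the correlated findings."""
    return correlate([parse_file_event(ln) for ln in FILE_EVENTS],
                     [parse_flow(ln) for ln in FLOWS])
```

Call run_demo() to see which staged archive is paired with an outbound transfer; the allow-list, windows and byte threshold are the knobs to tune against an environment's own baseline.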

Public Communication and Disclosure

Critical to successfully navigating through the incident-response process in the wake of a ransomware attack is asking whether and how to communicate with internal and external stakeholders. This requires clear, intentional messaging tailored to the different audiences. This should be done by individuals (carefully selected and trained prior to the event) working in consultation with legal counsel to help ensure that messaging is delivered in a timely, context-appropriate manner that does not obfuscate, misrepresent or mislead.

Law Enforcement—Work with legal counsel to establish these relationships in advance of an incident. Get to know who will be working with the enterprise, when the enterprise is authorized to contact them, what their capabilities are to support the enterprise, and what level of detail the enterprise is permitted to share. This should be documented and kept current.

Regulatory Bodies—Work with legal counsel to identify any disclosure requirements under applicable law, including the timing, substance, and recipients of any disclosures. While notification is dependent upon the application of laws to the facts, this notification chart should be documented and maintained to align with evolving legal and regulatory developments.

Insurance Provider—Work with legal counsel to identify the enterprise’s points of contact, including what information must be disclosed under the policy (and when).

Public Inquiries and Public Media—Work with legal counsel, crisis management, corporate communications, the public relations firm, customer support services and the social media department to ensure that only approved messaging that accurately reflects the incident is shared. Legal counsel should review the message to prevent providing too much information and to ensure that information that needs to be safeguarded is not disclosed.

Media relations should always be handled delicately. Never assume that information disclosed is off the record. Ensure that only those individuals who have been trained and are authorized to speak with the public are sharing the messaging. This safeguard reduces the chance of accidentally revealing too much information, especially if the investigation involves law enforcement and is ongoing. Ensure that your social media department and customer support services are prepared and trained on how to respond to and handle public inquiries or statements being made on social media platforms. Playbooks, processes and procedures must be documented and maintained. Training needs to be conducted periodically to refresh knowledge, and responses tested to ensure that they are properly aligned.

A communication/disclosure strategy is important for both short-term and long-term impact, and leadership must:
• Demonstrate their resolve and commitment to corrective actions.
• Announce the incident.
• Be honest and act with accountability.

Case Study: Colonial Pipeline Ransomware Attack

In May 2021, Colonial Pipeline experienced a ransomware attack. Initial access was gained to the Colonial Pipeline network when criminals exploited a legacy virtual private network (VPN) that should not have been in use. In addition to impacting internal business operations, this incident had a far greater reach, impacting other industries (e.g., commercial air travel) and initiating panic buying in at least 17 states over a four-day period. Although there are questions about how a legacy VPN system without multifactor authentication (MFA) was still in use, Colonial Pipeline leadership did not attempt to dodge responsibility or deflect blame for the resulting incident. They identified the cause and worked to address the matter in a manner that they felt at the time was in the best interest of their stakeholders.8

Case Study: The Guardian Ransomware Attack

On 20 December 2022, The Guardian was hit by a cyberattack incident believed to be a ransomware attack. In January 2023, The Guardian confirmed that the attack was ransomware, and that UK staff-member personal data were accessed. News staff were able to continue producing a daily newspaper while working from home until the IT staff completed system restoration. The Guardian hired “external experts to gauge the extent of the attack and to recover its systems.”9 Management informed the public and staff of the disruption associated with the operations.10

Case Study: Rackspace Attack

On 2 December 2022, customers of the cloud computing giant Rackspace began experiencing outages relating to their Hosted Exchange Server. Very little information was shared regarding the outage impacting several thousand customers beyond stating it was “a security incident” after deciding to “power down and disconnect” the service.11 In its regulatory filing, Rackspace states, “The Hosted Exchange Email business represents approximately 1% of Rackspace's total annual revenue and is comprised of primarily small and medium businesses who solely use this product. No other Rackspace products, platforms, solutions, or businesses were affected or are experiencing downtime due to this incident.”12 While this can be viewed as good news for Rackspace and perhaps its larger clientele, it does little for smaller enterprises reliant upon solution providers in the first place. Rackspace’s public statements regarding corporate preparedness conflict with what reportedly enabled the attack to occur: failure to patch for CVE-2022-41080 and CVE-2022-41082.13, 14, 15 Worse, Rackspace has seemingly blamed its decision not to patch on characterization by Microsoft.16, 17 Regardless of the reason, customers were unhappy, resulting in at least two lawsuits.18

The Rackspace ransomware incident illustrates how the mishandling of an incident can influence public sentiment. Additionally, it highlights the importance of good crisis communications and empathy.

7 ContinuityCentral.com; “80 percent of organizations that paid a ransom demand were hit again,” 9 June 2022, http://www.continuitycentral.com/index.php/news/technology/7383-80-percent-of-organizations-that-paid-a-ransom-demand-were-hit-again
8 Sanger, David; Krauss, Clifford; Perlroth, Nicole; “Cyberattack Forces Shutdown of a Top U.S. Pipeline,” New York Times, 8 May 2021, https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html
9 Milmo, Dan; “Guardian Confirms it Was Hit by Ransomware Attack,” The Guardian, 11 January 2023, http://www.theguardian.com/media/2023/jan/11/guardian-confirms-it-was-hit-by-ransomware-attack
10 Waterson, Jim; “Guardian Hit by Serious IT Incident Believed to be Ransomware Attack,” The Guardian, 21 December 2022, http://www.theguardian.com/media/2022/dec/21/guardian-hit-by-serious-it-incident-believed-to-be-ransomware-attack
11 Beaumont, Kevin; “Rackspace Cloud Office suffers destructive security breach,” DoublePulsar, 2 December 2022, https://doublepulsar.com/rackspace-cloud-office-suffers-security-breach-958e6c755d7f
12 MarketScreener, US Securities and Exchange Commission, “Rackspace Technology: Regulation FD Disclosure – Form 8-K,” 9 December 2022, http://www.marketscreener.com/quote/stock/RACKSPACE-TECHNOLOGY-INC-110370321/news/Rackspace-Technology-Regulation-FD-Disclosure-Form-8-K-42514786/
13 Kovacs, Eduard; “Rackspace Completes Investigation Into Ransomware Attack,” Security Week, 6 January 2023, http://www.securityweek.com/rackspace-completes-investigation-ransomware-attack/
14 Culafi, Alexander; “Rackspace: Ransomware attack caused by zero-day exploit,” TechTarget, 4 January 2023, http://www.techtarget.com/searchsecurity/news/252528884/Rackspace-Ransomware-attack-caused-by-zero-day-exploit
15 Robichaux, Paul; “What We Can Learn from the Rackspace Breach,” Practical 365, 19 January 2023, https://practical365.com/what-we-can-learn-from-the-rackspace-breach/#:~:text=Rackspace%20didn’t%20install%20the,2022%2D41082%20was%20remotely%20exploitable
16 Op cit. Kovacs
17 “Rackspace blames Microsoft over ransomware attack,” The Stack, 6 January 2023, https://thestack.technology/rackspace-blames-microsoft-exchange-zero-day/
18 Kovacs, Eduard; “Rackspace Hit With Lawsuits Over Ransomware Attack,” Security Week, 12 December 2022, http://www.securityweek.com/rackspace-hit-lawsuits-over-ransomware-attack/

Assurance

Ransomware Readiness Assessment

This section aims to help organizations ensure adequate preparedness for a ransomware attack. The following guidance and steps can help organizations enhance their readiness and response capabilities.

1. Governance—To prepare for a ransomware attack, the organization’s governing body (e.g., board of directors or board of regents) needs to ensure that proactive steps are in place to determine not only the enterprise’s ability to respond to the incident, but also its level of readiness.

Historically, this has meant increasing cyberinsurance. However, more insurance providers are pulling coverage from ransomware incidents19 or instituting much stricter underwriting requirements20 (i.e., objectively demonstrable proof of sufficient, not merely adequate, programmatic management of information security and privacy efforts within the organization). Response readiness requires the enterprise to prioritize and potentially overhaul the management of staff, processes and technologies used to defend it.

To gain the desired level of assurance, enterprises can consider leveraging the Ransomware Readiness Audit Program,21 a vendor-agnostic approach to determining the overall readiness of an enterprise to address ransomware attacks. This program helps senior management and management teams increase their operational efficiencies and reduces the chance of insurance claims being denied, because they know where the enterprise should focus its ransomware protection resources.

2. Management—Management must understand which data assets the enterprise most needs and values (both on-premises and with third-party providers) and clearly account for the risk ransomware poses to those data. Managing an organization’s ability to effectively and efficiently respond to a ransomware attack requires viewing the risk across the spectrum of attack categories, re-evaluating its operational posture, and ensuring system and network hygiene.

19 Cohn, Carolyn; “Insurers Run From Ransomware Cover as Losses Mount,” Reuters, 19 November 2021, http://www.reuters.com/markets/europe/insurers-run-ransomware-cover-losses-mount-2021-11-19/
20 Violino, Bob; “Rising Premiums, More Restricted Cyber Insurance Coverage Poses big Risk for Companies,” CNBC, Technology Executive Council, October 2022, http://www.cnbc.com/2022/10/11/companies-are-finding-it-harder-to-get-cyber-insurance-.html
21 ISACA, Ransomware Readiness Audit Program, 2022, https://store.isaca.org/s/store#/store/browse/detail/a2S4w000005uz6vEAA

3. Information Protection Processes and Procedures—Organizations that prioritize and plan for a ransomware attack need to ensure that they have the appropriate processes and procedures in place.

Operationally, enterprises have relied heavily on undocumented knowledge to sustain business. Processes and procedures need to be written down and those records kept current to ensure that, in the event of an incident, response and recovery are done in the most effective and efficient manner feasible.

Enterprises must look objectively at their IT and security architectures and identify gaps to ensure that business continuity and disaster-recovery efforts consider and account for ransomware attacks.

4. Technology Controls—The problem with the acquisition and implementation of technology controls stems from the lack of full integration of those controls within enterprise business operations.

Although some technology controls may be easy to acquire, such as a new endpoint detection and response (EDR) or data loss prevention (DLP) solution, other technology controls require significant thought, consideration of execution and re-engineering of technology and business workflows (e.g., introducing segmentation of an existing network environment).

Ransomware attacks leverage an enterprise’s controls and control gaps against it. Attackers are successful because a gap exists. Not only must tools be properly attuned to the environment, but staff must be properly trained on tool capabilities and how to operate them.

5. Human Controls—The most difficult aspect of ransomware readiness is likely to be the human element, because organizational culture drives the success or failure of ransomware readiness plans and efforts.

In order for human controls to succeed, an enterprise must ensure that staff are aware of the various tactics, techniques and procedures (TTPs) of attackers, the potential impact of an attack and whom to contact. Enterprises must also ensure that all contacts are aware of the approved actions and steps to be taken and how to escalate such incidents.

Senior management needs to make human controls a priority and remind and train everyone on the parts they play in protecting the organization.

Ransomware Readiness Testing

1. Tabletop Exercises—Tabletop exercises are an essential part of an organization's cybersecurity preparedness program, particularly given the rapidly changing capabilities of attackers. These exercises simulate real-world cybersecurity incidents and allow different parts of the business to test their response capabilities and refine their incident-response procedures.

Key to a successful tabletop engagement is involving the right stakeholders. It is important to ensure the gaps are identified and addressed based on an internal risk-impact prioritization scale. It is recommended that these testing methods be performed periodically throughout the year. These exercises can help organizations understand the evolving threat landscape, practice incident-response procedures, foster a culture of cybersecurity awareness and demonstrate their preparedness to stakeholders.

2. Simulation—These testing methods are a bit more invasive in nature and are meant to test control efficacy and aid in identifying overall readiness strengths and potential gaps that may exist within the environment.

Simulations should be leveraged to verify and validate management assertions of business resiliency, continuity, incident-response and disaster-recovery capabilities. To provide the level of assurance required by the governing body and senior management, simulations must be conducted in the context of technical operations. It is recommended that simulations be conducted in the context of technical business operations and business impact analysis, identifying the impacted systems involved with the simulation. During the simulation, staff from business and IT should be able to quickly identify impacts.

Simulations could be planned or covert. Planned simulations should be well coordinated to minimize the impact to the business while meeting the goal to identify, document and assess in a controlled manner. Done properly, simulations will allow enterprises to develop appropriate corrective actions and mitigation steps not previously known or identified. The purpose of covert simulation is to test the organization’s response to real attacks.

Ransomware Readiness Training

1. End Users—It is important to ensure that everyone on staff knows what their responsibilities are, and when and how to perform them. Ransomware attacks may go unreported simply because the end user does not know whom to contact, thinks that IT is taking care of the issue or does not trust that the Help Desk staff will help them.

Ransomware attacks often begin by targeting end users. Attackers know that end users are the last line of defense. Senior management needs to ensure that end users are aware of threats, know the steps to take if they suspect illicit activity, and report it in a timely manner to reduce the impact and effects of a ransomware attack. End-user education and awareness must be of sufficient frequency to address organizational needs.

2. Information Technology—Given their increased privileges, access and reach within the environment, IT staff must be made aware and reminded that they are frequent targets of attackers. They need to be trained on how to engage with the respective incident response and cyber and information security teams if there is a suspected ransomware event.

IT staff fill multiple roles when addressing the threat of ransomware. They should have a solid understanding of supporting playbooks/standard operating procedures that define the activities and steps that management has already deemed permissible, the actions that require management approval, and escalation paths and associated timelines to reduce adversary dwell time on a system or within the network and diminish the spread and impact of an attack. They need to be intimately familiar with the operating environment to better support incident-response capabilities, specifically those relating to containment, eradication and recovery efforts.

3. Ransomware Incident Responders—Effective and efficient responses to ransomware require specific training, skills and competencies. They also require sufficient planning and preparation, based on the enterprise’s ransomware policy (i.e., the official stance on paying ransom).

Numerous attackers and a wide range of ransomware strains exist, and responders may not know what they are facing until they are actively engaged. Responders need to keep their skills and competencies relevant to current ransomware.

Figure 10 shows common skills and competencies associated with ransomware incident-response efforts.

FIGURE 10: Common Ransomware Incident-response Skills

Personal Skills:
• Ability to follow directions, policies and procedures
• Collaboration
• Communication (written and oral)
• Diplomacy
• Documentation
• Integrity
• Investigative
• IR life cycle
• Knowing one’s limits
• Leadership
• Maintenance of incident records
• Presentation
• Problem solving and persistence
• Self-awareness
• Stress management
• Time management

Technical Skills:
• Adversary tactics
• Identifying forensic artifacts
• Incident analysis
• Incident handling skills
• IT and security architecture
• IT and security engineering
• Malicious software
• Monitoring
• Network applications and services
• Network operating systems
• Network protocols
• Operating systems
• Programming
• Security issues (network and host)
• Security principles
• Security vulnerabilities/weaknesses

Conclusion

Having a defined strategy and roadmap to reduce the likelihood of a large-scale attack is the first step in exposing a ransomware attack for what it truly is—an avoidable disaster. This requires preparation. When enterprises have established a defined strategy for ransomware that is managed within the level of risk they are prepared to accept, well-informed decisions can be made. If a ransomware incident occurs, it will be managed within the risk appetite of the business and well-informed decisions will be made.

In the past, enterprises attempted to transfer ransomware risk to insurance carriers, but today providers are instituting much stricter underwriting requirements or pulling coverage altogether. A ransomware attack is just another risk an enterprise needs to consider and address.

A ransomware strategy ensures that the enterprise is ready for a ransomware attack and defines desired goals and objectives in the context of a potential attack. If one objective is to ensure quick recovery, it needs to invest in and validate (i.e., test, test, test) the ability to recover business-critical assets. If an enterprise is open to negotiating with an extortionist to get back its data, then it needs to have cryptocurrency ready so it does not lose precious time.

Knowledge Check: CPE Quiz
Test your knowledge on ransomware defense by taking this quiz: https://www.isaca.org/resources/white-papers/blueprint-for-ransomware-defense-cpe-quiz. ISACA members earn 1 CPE credit by passing with a score of 75%.

ISACA values your input: https://www.research.net/r/VPKKJN3.

Acknowledgments
ISACA would like to recognize:

Lead Developer Board of Directors


Edward McCabe
Pamela Nigro, Chair Brennan P. Baybeck
CISM, CGEIT, CRISC, CDPSE, COBIT, ISO/
CISA, CGEIT, CRISC, CDPSE, CRMA CISA, CISM, CRISC, CISSP
IEC 27K1 ISMS LI, SABSA
Vice President, Security, Medecision, USA

Founder/Principal, The Rubicon Advisory Group
USA

ISACA Board Chair, 2019-2020
Vice President and Chief Information Security Officer for Customer Services, Oracle Corporation, USA

John De Santis, Vice-Chair
Former Chairman and Chief Executive Officer, HyTrust, Inc., USA

Rob Clyde
CISM, NACD-DC
ISACA Board Chair, 2018-2019
Independent Director, Titus, Executive Chair, White Cloud Security, Managing Director, Clyde Consulting LLC, USA

Niel Harper
CISA, CRISC, CDPSE, CISSP
Chief Information Security Officer, Data Privacy Officer, Doodle GmbH, Germany

Gabriela Hernandez-Cardoso
Independent Board Member, Mexico

Maureen O'Connell
NACD-DC
Board Chair, Acacia Research (NASDAQ), Former Chief Financial Officer and Chief Administration Officer, Scholastic, Inc., USA

Veronica Rose
CISA, CDPSE
Senior Information Systems Auditor–Advisory Consulting, KPMG Uganda
Founder, Encrypt Africa, Kenya

Gerrard Schmid
Former President and Chief Executive Officer, Diebold Nixdorf, USA

Asaf Weisberg
CISA, CISM, CGEIT, CRISC, CDPSE, CSX-P
Chief Executive Officer, introSight Ltd., Israel

Gregory Touhill
CISM, CISSP
ISACA Board Chair, 2021-2022
Director, CERT Center, Carnegie Mellon University, USA

Tracey Dedrick
ISACA Board Chair, 2020-2021 and Interim Chief Executive Officer

Expert Reviewers

Joyce Chua
CISA, CISM, CDPSE, CIMP, CAEG (Professional), FIP, CIPP(E), (C)CISO, CIPM, CIPP(A), CFE, CIA, PMP, ITIL, MCP, IRCA ISMS Associate Auditor
First Vice President, UOB
Singapore

Sergiu Sechel, Ph.D.
CISA, CISM, CRISC, CFE, CEH, CBP, CSSLP, CDPSE, GICSP, GPEN, GWAPT, GCFA, GNFA, GASF, GCTI, GREM, PMP
Boston Consulting Group
UK

Ramona Ratiu
CISA, CISM, GSTRT, MS
Cyber Security Manager–Zurich Insurance
Adjunct Professor–DePaul University
USA

Manjunath A.T
CISA, CSA, CCSK
IT Compliance Auditor, Applied Materials
India

Julia Hermann
CISM, CDPSE, CISSP, CCSP
Head of Security Architecture and Cyber Defense, Giesecke+Devrient GmbH
Germany

Kevin Fumai
CDPSE, CIPP/US/E, CIPM, CIPT, FIP, PLS, CCSK, CEET
Assistant General Counsel, Oracle America, Inc.
USA

About ISACA

ISACA® (https://www.isaca.org/) is a global community advancing individuals and organizations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organizations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organization that leverages the expertise of its 170,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through its foundation One In Tech, ISACA supports IT education and career pathways for underresourced and underrepresented populations.

1700 E. Golf Road, Suite 400
Schaumburg, IL 60173, USA
Phone: +1.847.660.5505
Fax: +1.847.253.1755
Support: support.isaca.org
Website: www.isaca.org

Provide Feedback: https://www.research.net/r/VPKKJN3
Participate in the ISACA Online Forums: https://engage.isaca.org/onlineforums
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews/

DISCLAIMER

ISACA has designed and created Blueprint for Ransomware Defense (the "Work") primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS

© 2023 ISACA. All rights reserved.

Blueprint for Ransomware Defense
