How does cybersecurity prevent ransomware?

Recently, a company—we’ll call it Company A—that had data held for ransom via a cyberattack reached out to us for help. Although we were able to help them recover the data, they weren’t able to use their IT systems for over a week. Here’s a timeline of the events surrounding the attack and eventual service restoration:  

Tuesday: Company A receives and opens a OneNote document via email from a hacked email account of one of their suppliers.

Wednesday: The hacker receives a notification that their malware has been installed on one of Company A’s computers and moves laterally on the network to a server.

Thursday Morning: The hacker analyzes Company A’s systems and data sets and eventually finds personal, identifiable information about Company A’s employees and customers. After copying and uploading the information to his system, the hacker encrypts Company A’s main server hard drives, which also encrypts all drives on Company A’s virtual servers. 

Thursday Afternoon: The hacker demands almost $500,000 to provide the encryption key. Company A can no longer access its IT systems. Company A engages its cybersecurity insurance company and an incident response consultant that brings in a forensics expert. They then contacted our company to restore data and access and remediate the vulnerability that allowed the breach. 

Friday: Our engineers deployed cybersecurity software that allowed us to remove any “back doors” to the system and to monitor for additional suspect behavior. In addition, we collected forensics to determine which user opened the email and what data the hacker collected. This process helped Company A assess its position relative to the “ransom value” of the data while we began to help restore IT systems access.

Saturday: Negotiations begin with the hacker over their ransom demand and continue over the weekend.

Monday Afternoon: Company A can access its IT systems. Our engineers deploy endpoint detection and response (EDR) software to prevent future attacks of this type. 

Tuesday:  Company A successfully negotiates ransom payment to the hacker. 

If Company A had followed cybersecurity best practices and had EDR deployed before this attack, the EDR service would have detected the attack and isolated the compromised computer from the network. The hacker would have ceased further breach attempts on the first day. Instead, Company A couldn’t use its IT systems for over a week and unnecessarily spent thousands of dollars on recovery. The annual investment for EDR protection for Company A would be less than 1% of the loss sustained by this cyber attack.