How to Defend Against Ransomware

Chris Krebs, former CISA Director

At the RSA Conference in 2020, I gave a joint talk with Chris Krebs, CISA Director at the time, on the formal collaboration between the agency and the non-profit, ICS Village. One of our biggest concerns for the future was ransomware. And unfortunately, we were right.

Ransomware increased exponentially in 2020 and continues to increase in 2021. The incentive is there: ransomware attacks made $350M in 2020 (a 311% increase over 2019). And businesses are suffering the consequences: global ransomware attacks cost them $20B (up from $11.5B in 2019). Another report found that the total number of vulnerabilities associated with ransomware quadrupled from 57 in 2019 to 223 in 2020, while the number of ransomware families is up from 19 in 2019 to 125 in 2020.

While this blog was in the editing process, Kia announced that its US operations were impacted by a ransomware attack that also affected customers, with a $20M ransom demanded by the DoppelPaymer gang. Central Piedmont Community College, an institution with 50,000 students in Charlotte, North Carolina, tweeted this about a recent ransomware attack that has affected the school for a week so far:

@CPCC

“The malicious and unwarranted cyberattack against us on February 10, feels like a punch to the chest: It knocked us back some, but we are not out,” Deitemeyer wrote. And they’re not alone. Schools, hospitals, and local governments have been especially hard hit by ransomware attacks.

What can businesses do? 

Rather than waiting for an attack and hoping for the best, prepare now to defend against a ransomware attack and to minimize its impact. The recommendations below leverage the ADR methodology - attack, detect, and respond - as strong steps to build resiliency for your company.

Brandon Wales, Director (Acting) of CISA

Defensive Products and Situational Awareness.

Stopping ransomware from executing on a system, i.e. prevention, is clearly valuable. Rigorous patching and keeping your defensive solutions updated are the baseline defense. After that, establishing network visibility, host logging, event correlation, and alerting gives your team the ability to respond. We’ll cover more in future posts on Sysmon, Windows event logging, correlation, and SIEMs.
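As an added example (not from this post or from SCYTHE's own tooling), here is a small correlation rule in Python run over constructed host file-event log lines; the log format, field names and thresholds are assumptions chosen for this illustration. It flags a single process that renames many distinct files to one new extension within a short window, the host-side pattern an encryption run produces and the kind of alert the host logging and event correlation described above is meant to surface.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-event log: "<iso time> <host> <pid> <process> <action> <path>[ -> <new path>]"
SAMPLE_LOG = """\
2021-02-10T09:00:01 ws01 4120 outlook.exe WRITE C:\\Users\\a\\mail.pst
2021-02-10T09:04:30 ws01 4120 outlook.exe RENAME C:\\Users\\a\\tmp1 -> C:\\Users\\a\\draft.docx
2021-02-10T09:05:00 ws02 7788 svc.exe RENAME C:\\Users\\b\\q1.xlsx -> C:\\Users\\b\\q1.xlsx.locked
2021-02-10T09:05:01 ws02 7788 svc.exe RENAME C:\\Users\\b\\q2.docx -> C:\\Users\\b\\q2.docx.locked
2021-02-10T09:05:02 ws02 7788 svc.exe RENAME C:\\Users\\b\\q3.pdf -> C:\\Users\\b\\q3.pdf.locked
2021-02-10T09:05:03 ws02 7788 svc.exe RENAME C:\\Users\\b\\q4.pptx -> C:\\Users\\b\\q4.pptx.locked
2021-02-10T09:05:04 ws02 7788 svc.exe RENAME C:\\Users\\b\\q5.txt -> C:\\Users\\b\\q5.txt.locked
2021-02-10T09:30:00 ws03 2201 explorer.exe RENAME C:\\Users\\c\\old.txt -> C:\\Users\\c\\new.txt
"""

def parse_rename(line):
    ts, host, pid, proc, _action, rest = line.split(" ", 5)
    src, dst = rest.split(" -> ")
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "proc": proc, "src": src, "new_ext": ntpath.splitext(dst)[1].lower()}

def detect_mass_rename(log_text, threshold=5, window_seconds=60):
    """Alert once per (host, pid, new extension) when at least `threshold`
    distinct files are renamed to that extension inside a sliding window."""
    recent = defaultdict(deque)          # key -> deque of (timestamp, source path)
    alerts, fired = [], set()
    for line in log_text.splitlines():
        if " RENAME " not in line:
            continue                     # only renames feed this rule
        ev = parse_rename(line)
        key = (ev["host"], ev["pid"], ev["new_ext"])
        q = recent[key]
        q.append((ev["ts"], ev["src"]))
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:    # drop events that fell out of the window
            q.popleft()
        distinct = {src for _, src in q}
        if len(distinct) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"host": ev["host"], "pid": ev["pid"], "process": ev["proc"],
                           "extension": ev["new_ext"], "files": len(distinct),
                           "first_seen": q[0][0].isoformat()})
    return alerts
```

In a real pipeline the same rule would consume Sysmon or EDR file events from a SIEM rather than a string, and the threshold would be tuned against the normal rename rate of backup agents and installers to keep the false-positive rate down.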

Network Segmentation.

A flat network is especially vulnerable to widespread ransomware attacks. Combine this vulnerable architecture with previously identified weaknesses like outdated SMB versions (make sure SMB communications don’t leave your perimeter) or exposed/misconfigured network shares, and the potential for impact increases dramatically. A commonly overlooked element of segmentation is accounting for the remote workforce. Consider setting up a limited-access network for employees to VPN into, with Role-Based Access Controls for additional systems/services.

Table Top Exercises.

The quickest way to validate assumptions is to run a table-top exercise. Bring the stakeholders together and walk through a ransomware scenario as if it were a script. Every moment where an action or responsibility is in question highlights a gap in people, process, or technology. Regular table-top exercises also serve as training to bring new staff up to speed and reinforce consistency in your future response.

Test.

You’ve got the hot new EDR, a well-segmented network, and employees trained on proper cybersecurity hygiene… so now what? Validate your assumptions. Conduct real-world tests to see what actually happens, and tune your systems accordingly. At SCYTHE, we emphasize testing that begins with a post-breach scenario and focuses on identification and containment in the context of business risk (if it’s not your risk, then it’s academic), since complete prevention is impossible. Testing provides metrics on the ability and speed of detection, response, and remediation. In our Threat Thursdays we have covered multiple ransomware campaigns and will continue to provide you actionable data on the latest threats.

Backups.

Resilience is the final backstop. Ensure you’re backing up data and configurations. Keep in mind that ransomware operators know this too: backups with direct access to the network will be targets. Your strategy should account for this threat: have a local backup and a disconnected solution (off-site solutions also account for environmental/physical threats). As a final measure, test them! Avoid that terrible moment of going to the backup only to discover that it doesn’t work or doesn’t have the data you expected.
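As an added example, not from the post or from any backup vendor, the Python below tests a backup set the way the paragraph asks: every file in the manifest must be present with the expected SHA-256, and the copy must not be older than the allowed recovery point. The manifest format (a timestamp header followed by one digest and relative path per line) and the demo scenario are assumptions constructed for this illustration.

```python
import hashlib, os, tempfile
from datetime import datetime, timedelta

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir, manifest_path, taken_at):
    # Assumed format: "# taken_at <iso>" header, then "<sha256>  <relpath>" lines.
    with open(manifest_path, "w") as m:
        m.write(f"# taken_at {taken_at.isoformat()}\n")
        for root, _, files in os.walk(backup_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                m.write(f"{sha256_of(full)}  {os.path.relpath(full, backup_dir)}\n")

def verify_backup(backup_dir, manifest_path, now, max_age=timedelta(days=1)):
    """Check presence and digest of every manifest entry plus the backup's age;
    report['ok'] is True only when nothing is missing, corrupt or stale."""
    report = {"missing": [], "corrupt": [], "stale": False}
    with open(manifest_path) as m:
        taken_at = datetime.fromisoformat(m.readline().split()[2])
        for line in m:
            digest, rel = line.rstrip("\n").split("  ", 1)
            full = os.path.join(backup_dir, rel)
            if not os.path.isfile(full):
                report["missing"].append(rel)
            elif sha256_of(full) != digest:
                report["corrupt"].append(rel)
    report["stale"] = (now - taken_at) > max_age
    report["ok"] = not (report["missing"] or report["corrupt"] or report["stale"])
    return report

def demo():
    """Constructed scenario: verify a fresh two-file backup, then verify again
    after one file is silently corrupted, one is deleted and the copy has aged."""
    backup = tempfile.mkdtemp()
    for name, data in (("db.sql", b"CREATE TABLE t (id INT);"), ("cfg.ini", b"[app]\n")):
        with open(os.path.join(backup, name), "wb") as f:
            f.write(data)
    manifest = os.path.join(tempfile.mkdtemp(), "backup.manifest")
    taken = datetime(2021, 2, 10, 2, 0)           # constructed backup time
    write_manifest(backup, manifest, taken)
    clean = verify_backup(backup, manifest, taken + timedelta(hours=6))
    with open(os.path.join(backup, "db.sql"), "ab") as f:
        f.write(b"\x00")                           # simulate bit rot or tampering
    os.remove(os.path.join(backup, "cfg.ini"))    # simulate a dropped file
    damaged = verify_backup(backup, manifest, taken + timedelta(days=3))
    return clean, damaged
```

Keep the manifest with the disconnected copy rather than only on the live network, since a backup whose manifest an attacker can rewrite will always verify clean.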

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.