Type “ransomware” into your Google search bar.

You’ll be met with millions of hits, with each website claiming to offer the best news, data, or insights on ransomware.

Combing through that maze to find the right information can be… what’s the word? Herculean!

Whether you’re new to the cybersecurity industry or the go-to guy, understanding ransomware and its potential threats is a no-brainer.

We decided to take a different approach. Why not interview some of the world’s best cybersecurity experts and pick their brains on ransomware? And that’s just what we did.

Nenad Sibinovikj and I consulted award-winning cybersecurity practitioners and experts from top security companies. They include CEOs, award-winning practitioners, best-selling authors, and keynote speakers. Some have worked with tech behemoths, including Google and Microsoft. The result is a mix of insights and actionable tips, which we share with you below.

The Experts and the Questions

Here are the four questions we asked each expert:

  • What are the most common trends in ransomware attacks?
  • What’s the most effective way to shut out ransomware?
  • Why are businesses increasingly vulnerable to ransomware attacks?
  • What should a business do after a ransomware attack?

The Answers

Below are the answers our experts provided. We have summarized some of the answers into tables and bullet points to make them easier to read. Get a cup of coffee and enjoy!

Note:

The opinions of the cybersecurity experts are theirs and not those of the companies they work for.


1. Jane Frankland (UNESCO Trailblazing Woman in Tech and Bestselling Author)

Jane Frankland is an award-winning leader, best-selling author, speaker, and women’s activist. Having spent over two decades in cybersecurity, Jane has become one of the most celebrated female influencers in the world, and UNESCO has called her a trailblazing woman in tech. She built her own global hacking firm in the late 90s and has worked as an executive for world-renowned consultancies. She’s a popular keynote speaker, university guest lecturer, awards judge, and board adviser, and she regularly shares her thought leadership in the media, including the top broadsheets.

Frankland has enabled more than 352 women to receive her scholarships in the past 4 years, a value of half a million dollars. She believes if you’re short on women, you’re less safe, and it’s why she set up her latest venture, The Source.

According to Frankland, the following trends are present in ransomware attacks:

| Trend | Further details |
| --- | --- |
| Ransomware attacks are becoming more common | According to cybersecurity vendor Sophos, who surveyed 5,600 IT professionals globally in 2022, around 2 in 3 organizations suffered a ransomware incident in the previous 12 months, up 78% over the previous year. Ransomware is still good business for cybercriminals. Attacks deliver an extremely effective return on investment, especially considering Ransomware as a Service (RaaS) is now available as a subscription on the dark web for as little as $40/month. |
| Ransomware attacks are becoming more sophisticated | Ransomware attacks have become increasingly sophisticated in recent years, with attackers honing their techniques and becoming more and more target-specific. As attackers become more knowledgeable about the systems they target, they can develop more advanced techniques to penetrate those networks. These techniques include the use of phishing emails, malicious attachments, and exploiting unpatched vulnerabilities in software. These attacks can have a devastating effect on businesses, as they can render systems unusable and cause significant financial losses and brand damage. |
| Ransomware attacks are becoming more targeted | Today’s top ransomware targets include organizations in the media, leisure, entertainment, retail, energy distribution, and transport sectors. |
| Ransomware attacks are growing, with destructive attacks becoming more costly | According to a report by IBM, the share of breaches caused by ransomware grew 41% in the last year, and these breaches took 49 days longer than average to identify and contain, with destructive attacks increasing in cost by over USD 430,000. |
| Ransomware attacks are not as lucrative for cybercriminals as they once were | Although ransomware attacks are still rising, researchers believe ransomware revenue dropped by 40.3% in 2022. Possible reasons for this include fewer victims being willing to pay or report payments. Interestingly, Gartner predicts the percentage of countries passing legislation to regulate ransomware payments and fines will rise 30% by the end of 2025 from less than 1% in 2021. |

What’s the most effective way to shut out ransomware?

According to Frankland, there’s no definitive answer to this question, as there are a variety of ways to shut out ransomware that can be effective depending on the situation. Some common methods include backing up data regularly, keeping security software up to date, and avoiding clicking on links or opening attachments from unknown sources.

Additionally, she emphasized that it’s important to be aware of the signs of a ransomware attack so that you can act quickly if your system is compromised.

Why are businesses increasingly vulnerable to ransomware attacks?

Ransomware attacks have become increasingly common in recent years, Frankland said, and businesses are particularly vulnerable to them. This is due to several factors, all of which contribute to the risk businesses face when it comes to ransomware.

One factor is the increasing reliance on technology for communication and data storage and hybrid ways of working since the pandemic. With more people using their work computers and other digital devices for personal purposes or sharing them with family members, there is an increased risk of attack from malicious actors who can exploit vulnerabilities in these systems.

Jane Frankland, Award-Winning Cybersecurity Leader

Another factor is the rise in IoT devices such as CCTV, coffee machines, and so on in the workplace. These devices are hard to manage and, when connected to the network without the permission of the IT/security team, can introduce vulnerabilities.

What should a business do after a ransomware attack?

Frankland mentioned that security experts and law enforcement do not recommend paying the ransomware attacker as you have no guarantee they will decrypt your files upon payment. Instead, they advise you to stay calm and not panic. Then follow these instructions:

  • Take a photo of your ransomware message that’s on your hijacked computer screen.
  • Contact law enforcement and seek professional help to assess the situation and determine the best course of action. This is important to ensure that the attack is properly addressed and that the perpetrator is held accountable.
  • Disconnect your infected computer from the internet or any external storage devices.
  • Let your IT or security team know about the ransomware attack ASAP. They’ll need to ensure no one can access your computer remotely and reduce the infection spread.

Your IT team will be working on your ransomware strain. Sites such as No More Ransom may be able to help as they can match some ransomware with free tools to remove it. Alternatively, they may try your antivirus software or search online using a smartphone and cellular data. After this, they’ll be resetting all credentials, safely wiping the infected systems, and reinstalling the operating system.

It’s also important to take steps to prevent future attacks, such as improving security measures and training employees on cybersecurity. This includes:

  • Implementing strong passwords
  • Using multi-factor authentication
  • Whitelisting applications
  • Restricting admin privileges
  • Employing daily backups (offline and in the cloud)
  • Providing employees with security awareness training
  • Disabling Remote Desktop Protocol (RDP) or unpatched remote access devices
  • Regularly patching and updating systems and software

The Cybersecurity and Infrastructure Security Agency (CISA) also offers great guidance on ransomware response and recovery.


2. Morten Kjaersgaard (CEO at Heimdal Security)

Morten Kjaersgaard is the CEO of Heimdal Security, a leading European provider of cloud-based cybersecurity solutions based in Copenhagen, Denmark. Over the years, he has propelled the company to over 10,500 customers and 20M USD ARR globally. Kjaersgaard has a degree in Corporate Marketing and spent years at the top of the IT business as the CCO of BullGuard Ltd. and the CEO of a major Danish IT Reseller before joining Heimdal.

Kjaersgaard has previously been on several company boards and is a frequent event speaker and an Internet Security evangelist. He can be found online on LinkedIn and on Heimdal Security’s website, where he discusses the state of the cybersecurity market in light of key economic and social events.

Kjaersgaard believes these are the prevailing trends in ransomware.

| Trend | Further details |
| --- | --- |
| Businesses have become targets | The most common trend in the past few years is that attackers increasingly target businesses and organizations, rather than individual users. Naturally, this is because businesses and organizations often have much more valuable data that can be used to extort a higher ransom payment. |
| Sophisticated methods of spreading ransomware | Another common trend is that attackers are using more sophisticated methods to spread the ransomware (phishing, RDP, MSSP, network propagation, privilege escalation, unpatched vulnerabilities, and drive-by downloads, to name just a few) and encrypt data (intermittent encryption is a powerful recent technique), making it more difficult for victims to recover their data without paying the ransom. |
| Supply chain attacks | Distributing ransomware through supply chain attacks and leveraging IoT and OT devices’ insecurity by design, in many cases, are also rising movements. |
| Double and triple extortion approach | More recent trends also include double and triple extortion approaches, which have become cybercriminals’ new normal. |
| Targeting specific industries | Finally, attackers are increasingly targeting specific industries or sectors, such as healthcare or education, which may be more likely to pay a ransom to regain access to their critical data. |

What’s the most effective way to shut out ransomware?

According to Kjaersgaard, there’s no one-size-fits-all answer to preventing ransomware infections. The most effective approach will vary depending on the specific threat and organizations’ IT usage profile.

However, there are some basic steps that all businesses can take to reduce their exposure to this type of attack.

One of the most important things businesses can do is ensure that their systems and data are properly backed up. This way, even if their files are encrypted by ransomware, they’ll still have access to a clean copy to restore. It’s also crucial to update all software, as many ransomware strains exploit known vulnerabilities in outdated programs. By patching these gaps, companies will make it much harder for attackers to gain a foothold on their network.

Morten Kjaersgaard, CEO at Heimdal

Last but clearly not least, any company, regardless of size, must implement security measures, including:

  • Proper privileged access management
  • A zero-trust-based security architecture
  • Powerful ransomware encryption protection software

These tools can help stop ransomware before it has a chance to encrypt any data.

Any business should also have an incident response plan in place, so they know what to do if their systems are compromised.

Why are businesses increasingly vulnerable to ransomware attacks?

Ransomware attacks can have severe consequences for businesses, including financial losses, reputational damage, and operational disruption, Kjaersgaard stated.

The factors that make businesses vulnerable to cyberattacks are multiple and usually intertwined:

  • Outdated or legacy software
  • Overlooked patch management
  • No proper backup plans
  • Lack of a robust cybersecurity strategy
  • Lack of cybersecurity awareness training for employees

The need for an entry point for ransomware to attack a network is obvious; cybercriminals will always look for ways to exploit weaknesses and get their ransomware inside. It is the responsibility of cybersecurity solution providers to make this task as challenging as possible.

However, we share this responsibility with our clients, who must also know what to do and, most importantly, what not to do to keep their business safe.

What should a business do after a ransomware attack?

Kjaersgaard is emphatic with his answer: First of all — don’t pay the ransom! Ensure you notify the authorities in charge (CISA or the Internet Crime Complaint Center, for example) and then assess the damage.

This means determining what systems and data have been affected, and whether or not the ransomware has been successfully removed.

Once the damage has been assessed, businesses need to determine how they will recover their data. This may involve restoring from backups or using data recovery software. They will also need to take measures to prevent future attacks, such as increasing security protections and employee training on cybersecurity.

Developing a communications plan to keep stakeholders, partners, and clients informed of the situation and its resolution is also mandatory.


3. Vaishnav Vijayakumar (Building Security & Cyber Resilience Solutions at Google)

Vaishnav Vijayakumar is a security practitioner with over 14 years of expertise in the technology risk management and security industry. He is passionate about helping businesses build resilient operating environments to enable them to mitigate the impact of cyber disruptions. In the last six years, he has helped companies globally to tackle the threat of data integrity attacks such as ransomware across multiple industries (financial services, energy, and state governments).

Vijayakumar highlights the following as the trends to keep an eye on:

| Trends | Further details |
| --- | --- |
| Businesses under threat | Ransomware continues to be a major threat to businesses, impacting data integrity and availability. |
| RaaS models | The ecosystem around monetizing ransomware has evolved, giving rise to ransomware-as-a-service operating models. |
| Double extortion attacks | Double extortion attacks are being used to threaten organizations with the publication of organizational IP and with the deletion of their data, leaving businesses paralyzed. Businesses must establish a cyber resilience security program and operating model to ensure they can withstand and safely resume operations in the wake of any destructive cyber attacks. |

What’s the most effective way to shut out ransomware?

According to Vijayakumar, do the following to keep ransomware at bay:

  • The most effective way is to improve user awareness of phishing and spear phishing attacks, which are still the most common infiltration vector.
  • Ensure all external access is periodically authenticated and have multi-factor authentication enabled for on-premise and cloud infrastructure.
  • Patch systems periodically to ensure vulnerabilities are not exposed.
  • Constantly monitor external threat intelligence from industry-leading organizations such as the DHS and FBI for attack vectors used by nation-state ransomware groups.
  • Establish a relationship with incident responders (IR), have IR retainers in place, and have insurers ensure ransomware attacks are covered under your cyber insurance policies.

Why are businesses increasingly vulnerable to ransomware attacks?

Businesses are vulnerable because ransomware attacks are becoming easier to execute, with financial incentives and benefits for RaaS operators. All businesses are increasingly dependent on their data to conduct business operations. Ransomware impacts data integrity and availability and impedes the organization’s ability to effectively operate.

Vaishnav Vijayakumar, Building Security & Cyber Resilience Solutions at Google

In some extreme cases, it creates existential threats for organizations that can’t recover fully without access to their critical data repositories. Ransomware attacks the business at its core (i.e. data). Hence, there is a bigger incentive to either pay the ransomware groups to access data or get their insurance providers to provide payouts.

What should a business do after a ransomware attack?

Vijayakumar advises that businesses should execute their incident response and incident plans. They should involve authorities early, obtain external support from their IR team where necessary, and proactively communicate with their stakeholders.

This step is key to mitigating the reputational and brand risk associated with data leaking to the press through unofficial channels, thereby negatively impacting the brand.

Maersk is one of the organizations in the recent past that has demonstrated transparency in their incident response and recovery efforts. Even though the NotPetya ransomware attack crippled their business, their recovery efforts and transparency demonstrated their efforts toward building a cyber-resilient business for the future.


4. Dan Lohrmann (Award-winning CISO, Bestselling Author, Client Advisor, and Keynote Speaker)

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker, and author with 30 years of experience in the computer industry. He previously served with the National Security Agency, Michigan’s cybersecurity and infrastructure teams, Security Mentor, Inc., and Lockheed Martin. He is currently the public sector CISO for Presidio.

Lohrmann is the author of several books, including Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions and Virtual Integrity: Faithfully Navigating the Brave New Web. Over the years, he has received numerous national awards, including CSO of the Year, Public Official of the Year, and Computerworld Premier 100 IT Leader.

Below are Lohrmann’s responses about ransomware trends:

| Trend | Further details |
| --- | --- |
| Ransomware attacks increasing | There are numerous examples of schools, hospitals, financial institutions, and governments being victims around the world, and there is no end in sight to these cyberattacks. According to an FBI report, the top three sectors hit in 2022 were healthcare (and public health), critical manufacturing, and government facilities. |
| Ransomware payments are going up | The State of Ransomware 2022 Report from Sophos details that in 2021, 11% of businesses paid ransoms of $1 million or more, up from 4% in 2020. And the hackers aren’t letting you get off the hook for cheap either; the proportion of those paying less than $10,000 decreased to 21% from 34%. |
| Double and triple extortion are increasingly common | This means the bad actors may sell your data on the black market, in addition to demanding a ransom payment to decrypt your data. Also, they may return and try again if you don’t protect your environment. |

What’s the most effective way to shut out ransomware?

According to Lohrmann, here’s what you should do:

  • Patch your systems.
  • Train your employees well.
  • Use multi-factor authentication for all systems.
  • Securely build, deploy, and manage your systems with appropriate defenses to minimize the ability for ransomware gangs to get into your environment.
  • Monitor your systems for unauthorized access 24/7/365.
  • Deploy a zero-trust architecture.
  • Make sure your systems, and especially critical data, are backed up, and test those system backups. Have immutable backups.
  • Have an incident response plan that is tested, updated, and effective. Run a cyber tabletop exercise with senior management to ensure understanding and good communication 360 degrees.

Why are businesses increasingly vulnerable to ransomware attacks?

Here are Lohrmann’s insights:

  1. Global bad actors are well-resourced and getting better. They are also targeting their victims with extensive research.
  2. This is a moving technology target, with critical vulnerabilities constantly evolving. System environments are often complex, with tech/cyber teams losing sight of the most important tasks. Also, this is a people, process, and technology issue — and many just focus on the technology, at the expense of repeatable processes and people issues.
  3. Supply chains and partners are still not adequately monitored to ensure risks are remediated and reduced.
  4. The internet, which is now essential to global commerce and communications, was never adequately built or upgraded for the level of cyber risks we are now facing. Companies must think about end-to-end protections.

Many management teams still neglect cybersecurity or underfund protections. They don’t believe ransomware will really happen to them. They see this as the duty of a few cybersecurity pros and not a company culture where everyone has a role in protecting the organization.

Dan Lohrmann, Internationally recognized cybersecurity leader

What should a business do after a ransomware attack?

It depends, Lohrmann said, posing these questions:

  • Are you ready? (Do you have a tested incident response plan that includes the C-suite executives?)
  • Do you have cyber insurance?
  • Do you have visibility into what is actually down in the business?
  • Do you have good backups that are tested?
  • How long will it take for you to recover?

According to Lohrmann, some general recovery steps often include bringing the business, technology, finance, and legal teams together to deal with this, as in other emergencies. Also, include tech partners, cyber insurance POCs, law enforcement, communications teams, and other partners. You may also need to disconnect from the Internet, depending on your situation.

Communication and coordination are key, and there are entire books on this topic. Lohrmann wrote one himself, titled Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing, and Recovering from Inevitable Business Disruptions.


5. Nadeem de Vree (Global Chief Information Security Officer at PPG)

Nadeem de Vree is a security professional with over 20 years of experience in the cybersecurity and risk management industry. He is passionate about technology and about helping to create IT-resilient environments and high-performing teams.

In his journey, de Vree has worked with some of the world’s strongest and largest companies globally to tackle the threat of data integrity attacks such as ransomware across multiple industries by helping them achieve even higher levels of cybersecurity in their IT, OT, and physical environments.

According to de Vree, ransomware is a relatively simple form of cyberattack requiring very low skill levels. As such, one sees that most ransomware attacks are not targeted attacks but rather attacks of opportunity.

Ransomware attacks take advantage of the lack of cybersecurity maturity either within the whole organization or within certain departments of an organization. An interesting trend around ransomware is that those organizations that are performing ransomware attacks realize this is a business model and, as such, do release data once a ransom has been paid. They know that if they do not, their victim will have no incentive to pay.

Nadeem de Vree, Chief Information Security Officer at PPG

What’s the most effective way to shut out ransomware?

Here’s what de Vree thinks about stopping ransomware:

  • Psychological studies have shown that some departments are more susceptible to ransomware attacks than others. This is simply due to the nature of the work performed there and the types of people that are drawn to that type of work. While security awareness is critical to cyber defense, these parts of the organization should get additional attention.
  • Additionally, it is imperative that an organization is aware of what its crown jewels are and applies a layered defense approach to protect this part of your organization.
  • Finally, at the very least, an organization must have implemented MFA, patch management, version control, BCDR, and a strong security awareness campaign. Even then, organizations must recognize that ransomware attacks can, and probably will happen. I’m aware that many people will talk about the need for 24/7 real-time monitoring of one’s network. However, these sorts of services are very expensive, and the majority of the SME industry cannot maintain these sorts of services. And as such, they will remain the easiest targets for ransomware attacks.

Why are businesses increasingly vulnerable to ransomware attacks?

Below are de Vree’s observations:

| Reason | Explanation |
| --- | --- |
| COVID-19 | The number of endpoints outside an organization’s network has exploded because of remote work caused by COVID-19, and security is struggling to keep up with the changes. The fact that applications are being added to the network without security assessments, the increasing use of shadow IT, and the lack of security awareness of employees all bring increased risks to an organization. |
| Migration to the cloud | As organizations continue to migrate to a cloud environment (away from on-premise), we’re going to see a reduction in the vulnerabilities that are inherently built into the architecture. |

Note: This is only true if the cloud environments are set up correctly and securely. It is still an organization’s responsibility to use the functionality that is offered but not implemented by default.

What should a business do after a ransomware attack?

Right after an attack, de Vree believes businesses should do the following:

  • Locate and isolate the infected area to prevent the further spreading of the ransomware. Follow this with forensics to identify how the attack succeeded, and take steps to avoid a repeat. Finally, restore the latest backup from a secure place.
  • Once all systems are back up and running, an organization should work on the forensics report to identify whether this was an isolated incident or a structural flaw in the architecture, and work to address it. This would most likely be a combination of training and IT changes. An incident is never an isolated event; humans remain the weakest link.
  • Lastly, some organizations must recognize that if mission-critical processes are compromised, it may be in their best interest to pay the ransom and do the forensics later. The policy of “We do not pay ransoms” sounds great on paper, but the reality is that many organizations do, for good reason. If they didn’t, these attacks would not be so prolific.

Key Takeaways

From what the experts above have shared, here are our main takeaways:

  • Ransomware attacks are becoming more sophisticated, targeted, deadly and expensive.
  • You can prevent ransomware through multiple strategies, including having backups, patching your systems, training your employees and having an incident-response plan.
  • Businesses are increasingly vulnerable to ransomware because they depend much more on digital systems and remote working, lack robust cybersecurity and can pay large ransoms. Also, ransomware attackers are evolving and more complex these days.
  • If you suffer a ransomware attack, execute your incident response plan and involve the authorities.

Protect Yourself from Ransomware

According to cybersecurity experts, the best way to prevent ransomware is to stop various forms of cybercrime.

Also, use cybersecurity tools to protect your personal or business data. Want to hear more from experts in the field of cybersecurity? This blog listing some interesting cybersecurity books might be right up your alley.
