How to Outplay the Ransomware Playbook

Organizations across industries are increasingly concerned about their cybersecurity posture and overall ransomware preparedness – and rightfully so – with the 64% increase in attacks from 2019 to 2020 (304 million attacks worldwide in 2020). We have also seen a 2x increase in demand for ransomware preparedness assessments and exercises.

However, one of the biggest hurdles cybersecurity practitioners face in responding to ransomware is creating a response plan that covers the full life cycle of an attack. Such a plan should include the identify, protect, detect, respond and recover stages.

Security practitioners should work with the organization's C-level executives to answer key questions and develop a ransomware protection plan. Consider how ransomware is prevented and detected, in addition to how your organization would respond.

To develop a plan, organizations should ask themselves:

  • How do we contain the ransomware when an attack happens?
  • How can we identify what systems are being affected? What is our exposure?
  • Will we negotiate with the hackers? How can we respond?
  • What is our stance on the payment of ransom?
  • When would external response resources be leveraged?
  • Are there better solutions available to prevent ransomware from taking hold in the environment?

Today, ransomware attacks are more than an adversary dropping encryption software onto a system and letting it run across an environment. While cybersecurity experts have steadily improved their ability to respond to ransomware attacks and recover an encrypted environment, hackers have a far more sophisticated and calculated playbook, moving from encryption to extortion. Adversaries combine ransomware with malware tools that exfiltrate sensitive data, then threaten to release that information publicly if the ransom is not paid.

Security administrators need to be prepared on multiple fronts. It's not just about securing the endpoints; a strong data loss protection plan and a solid backup infrastructure must also be in place.

The majority of ransomware incidents result from one of two issues: either the organization's patching cadence is weak or slow, or endpoint protection has not been deployed across all systems. Without full coverage, machines without EDR are often the foothold hackers need to attack the rest of the environment. Organizations need to make sure every system is up to date and patched, with an EDR tool installed on every device.
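The coverage gap described above is easiest to find by reconciling the asset inventory against what the EDR console actually reports. The script below is an added example, not Trustwave's code: it assumes two exports (a CMDB list and an EDR agent list, both constructed sample data here with `.example` hostnames) and flags hosts with no agent, hosts whose agent has stopped checking in, and hosts overdue for patching.

```python
"""Added example (not Trustwave's code): reconcile an asset inventory against an
EDR console export to find hosts with no EDR agent or a stale one, and hosts
with patches overdue. Both inventories below are constructed sample data."""
from datetime import datetime, timedelta

# Constructed sample: what the CMDB says exists (hostname, OS, last patch date).
ASSET_INVENTORY = [
    {"host": "FS01.corp.example", "os": "Windows Server 2019", "last_patched": "2024-04-02"},
    {"host": "ws-finance-07", "os": "Windows 10", "last_patched": "2024-01-15"},
    {"host": "plc-gw-2.ot.example", "os": "Ubuntu 20.04", "last_patched": "2023-09-30"},
    {"host": "HR-LAPTOP-12", "os": "Windows 11", "last_patched": "2024-04-20"},
]
# Constructed sample: what the EDR console reports (hostname, last check-in).
EDR_AGENTS = [
    {"host": "fs01", "last_seen": "2024-04-28"},
    {"host": "ws-finance-07", "last_seen": "2024-03-01"},
    {"host": "hr-laptop-12.corp.example", "last_seen": "2024-04-28"},
]

def normalize(hostname):
    """Compare on the short, lower-cased name: CMDB and EDR rarely agree on FQDN vs NetBIOS."""
    return hostname.split(".")[0].lower()

def coverage_report(assets, agents, as_of, stale_days=7, patch_days=30):
    """Return hosts missing EDR, hosts whose agent has gone quiet, and hosts overdue for patching.
    Thresholds (7 days for a silent agent, 30 days since last patch) are assumed policy values."""
    now = datetime.fromisoformat(as_of)
    seen = {normalize(a["host"]): datetime.fromisoformat(a["last_seen"]) for a in agents}
    report = {"no_edr": [], "stale_edr": [], "patch_overdue": []}
    for asset in assets:
        key = normalize(asset["host"])
        if key not in seen:
            report["no_edr"].append(asset["host"])          # never enrolled: the classic foothold
        elif now - seen[key] > timedelta(days=stale_days):
            report["stale_edr"].append(asset["host"])       # enrolled but silent: treat as uncovered
        if now - datetime.fromisoformat(asset["last_patched"]) > timedelta(days=patch_days):
            report["patch_overdue"].append(asset["host"])
    return report

if __name__ == "__main__":
    for category, hosts in coverage_report(ASSET_INVENTORY, EDR_AGENTS, "2024-04-29").items():
        print(f"{category}: {hosts or 'none'}")
```

A host that appears in the EDR console but not in the CMDB is the mirror problem (shadow IT) and is worth reporting with the same join run the other way.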

Ransomware Preparedness Service

Ransomware attacks have continued to rise year on year, and Cybersecurity Ventures estimates that an attack now occurs every 11 seconds. The threat of a ransomware attack is a high-priority concern for both business and security leaders, who are seeking assurance that their organizations have the appropriate controls to detect, respond to and recover from a ransomware incident.

Unfortunately, many organizations are not approaching this holistically. Instead, they should run tabletop preparedness exercises that cover three common ransomware scenarios:

The most common is a ransomware incident resulting from a phishing attack. Organizations should reduce their risk of email-originated threats with organization-wide security awareness training. People still click on links in suspicious emails; it's human nature. That one click can let the attacker install a remote access tool or pre-staged ransomware on a work machine. The hacker can then run automated discovery so the malware can start propagating itself and encrypting any data it can reach. This activity also opens the door to further lateral movement across the network.

The second scenario applies to organizations with separate networks, such as manufacturers or medical facilities. Security practitioners should consider what happens if a system on the operational network is compromised and what effect this could have on the entire environment. This becomes a hostage scenario: the attackers are not holding data, but rather the availability of a system, which can significantly disrupt business operations.

The third scenario is related to the supply chain. Consider: if a key supplier or section of the supply chain has been affected, could that supplier propagate the infection into the organization's network through the connections it has with them? The impact of this type of attack can be two-fold: the breach could propagate into the organization's network, or it could render the supplier's systems inoperable, raising business continuity concerns.

For robust ransomware protection, organizations need to consider their overall security strategy, including data segmentation. Even with a segmentation strategy in place, organizations need to understand every path an attacker could take to breach a system across the environment. If you believe there is a risk of attack, consider how to minimize the impact of that breach across the environment. First, identify where you house critical data for everyday operations and administration. Then, segment your operational components from administrative components to prevent the spread of malware. Be sure also to consider the different access controls or permissions each segment needs.

Organizations need security professionals and C-level executives on board to get ahead of ransomware attacks. Keep in mind the possible scenarios and where your environment might be vulnerable to attack and be prepared with a plan. The more prepared organizations are to detect and respond, the better.
