September 2, 2021 By Davor Karafiloski

Ransomware attacks 2.0: How to protect your data with SOAR

The COVID-19 crisis prompted a spike in ransomware attacks, which was expected, to say the least.

In fact, Check Point research shows that in Q3 2020 there was a 50% increase in ransomware attacks compared to earlier periods of the year. And while this wave of ransomware attacks was anticipated, not all organizations had the resources and technologies in place to repel it.

The new trend in the world of cyber crime is ransomware 2.0, a dangerous evolution of malware that, in addition to encrypting data, has adopted new extortion techniques: victims are pressured to pay by the threat of having their confidential data published.

Given the speed at which ransomware attacks go from alert to incident to breach, organizations are in dire need of instant cybersecurity reinforcement, and this is an area where Security Orchestration, Automation and Response (SOAR) is particularly influential.

Read on to find out how SOAR plays an integral role in elevating the much-needed efficiency of SOCs in their battle against ransomware attacks.

The rise of ransomware attacks in 2020

According to Cybersecurity Ventures, merely five years ago, the cost of ransomware attacks was around $325 million. That number rose drastically in 2017, to a whopping $5 billion. And in 2019, the cost of ransomware attacks skyrocketed to a jaw-dropping $11.5 billion.

Today, it is estimated that a ransomware attack happens every 14 seconds.

To put that in perspective, the average cost of a ransomware attack is $133,000.

But why the sudden spike in ransomware attacks?

The ongoing pandemic has forced organizations to make drastic changes to their business structure, which has opened many IT gaps, giving attackers the opportunity to exploit those security vulnerabilities and launch a ransomware attack.

Unfortunately, as ransomware attacks become more frequent, they also become more complex. Usually, by the time organizations are alerted to a potential ransomware attack, it is already too late: their response time to alerts is below par, and the ransomware is allowed to spread through their systems, causing havoc across the entire organization.

What is a ransomware attack?

For those unfamiliar with the characteristics of a typical ransomware attack, the following definitions explain what this particular type of cyber attack is all about:

  • What is a ransomware attack: Ransomware is a form of malware, and its goal is to encrypt the files of a targeted system in order to stop users from accessing their systems or certain data. The attacker then demands a ransom in exchange for restoring access to the victims.

  • How ransomware works: There are a number of ways a ransomware attack can be initiated, the most common being phishing scams. Ransomware criminals trick people into clicking infected links, and once the victim clicks, the attacker takes control of the victim’s computer and uses it to infect the organization.

In other, more aggressive cases, a ransomware attack can occur without anyone clicking a specific link.

These more aggressive forms of ransomware seek out security gaps in insufficiently protected organizations and exploit those vulnerabilities to infiltrate systems directly, without needing to trick anyone into clicking a link.

Why are healthcare institutions among the most targeted industries for ransomware attacks?

Some industries are more targeted than others, with the healthcare industry getting the short end of the stick. In recent years, hospitals have been the number one target for ransomware attacks, as their security systems are particularly vulnerable to ransomware.

Ransomware criminals usually target organizations that protect highly valuable, sensitive data. And given that medical facilities require immediate access to their files, they are more likely to pay the ransom quickly.

The same applies to other organizations that hold highly sensitive data, such as:

  • Universities

  • Law firms

  • Governments

  • Manufacturing

  • Financial institutions

Such organizations are more likely to give in to a ransomware attack and pay the ransom in order to regain access to their data and keep the distressing news of the attack quiet. They’d be willing to “just be done with it” and pay the attackers instead of having their reputation tarnished by a leak of sensitive data.

This is why these types of organizations are often deemed lucrative targets for ransomware attacks.

Should organizations pay the ransom or deal with recovering their IT systems?

As we mentioned above, some organizations that manage sensitive data can’t afford to risk exposing that data and having news of a ransomware attack go public and ruin their reputation. That is why the types of organizations listed above are considered the most lucrative targets: they tend to pay the ransom without putting up much resistance.

It’s understandable that healthcare institutions, universities, governments, and similar organizations would be willing to pay the price because doing the opposite could have far greater ramifications:

  • Damage and destruction of data

  • Exposing sensitive data publicly

  • Reputational harm

  • Lost productivity

  • Downtime

  • Post-attack disruption of the natural order of business

This is why saying no to ransom demands can lead to far greater consequences than actually paying the price. But here’s the catch.

Will the ransomware attack disperse if I pay the ransom?

Not necessarily. After all, you’re negotiating with criminals who are under no obligation to negotiate in good faith.

In fact, it’s very possible that even after you pay the ransom your systems will still be infected, and there is no guarantee that you’ll regain access to your data.

Keep in mind that the criminals who infected your systems have leverage over you and will probably threaten to publicly expose your data. And the cruel reality is that even if you pay up, you are likely to be targeted again in the future.

So, given that paying the ransom is not always a sure-fire way to get rid of a ransomware attack, organizations should instead make efforts to prevent ransomware from getting in in the first place. The best way to do that is to reinforce their cyber security posture with the most contemporary security technologies for the job, and the one that best fits the bill is, without a doubt, SOAR.

How to prevent ransomware attacks with SOAR

Training employees to recognize spear-phishing emails and follow security best practices is essential, but most organizations can’t rely on cybersecurity awareness alone; they also need to invest in cybersecurity tools if they want to prevent ransomware attacks.

This is where SOAR steps in.

Organizations are on the lookout for next-generation cybersecurity tools that make SOC teams more efficient in the battle against ransomware attacks, and this is exactly what SOAR does.

It is becoming increasingly difficult for organizations to protect their systems against the growing number of attacks. And given that ransomware criminals can bombard an organization with thousands of malicious emails on a daily basis, employing a small team of security professionals won’t cut it.

Responding to this sheer volume of potential attacks isn’t possible without implementing technologies like Cloud SOAR. Why? It’s simple:

  • Notifying analysts only in case of real threats: SOAR can orchestrate and automate the investigation of every suspicious email without human intervention; analysts are notified only when potentially dangerous activity is found, and get involved in the process in a timely manner.

  • Automated investigation of every alert: SOAR reduces the need to assess cyber threats manually, as SOAR playbooks take care of repetitive, menial tasks such as investigating emails, attachments, URLs, and other potentially hazardous activity. While SOAR handles these repetitive tasks, analysts can focus on more important investigations.

  • Improved incident response time: Sometimes, mere seconds can be decisive in stopping a ransomware attack. By aggregating alert data into a unified platform, SOAR allows the entire SOC team to take timely and appropriate measures to neutralize ransomware attacks, greatly improving incident response time.

  • Gartner-recommended solution: Gartner points out that over 90% of ransomware attacks happen via phishing emails, and recommends SOAR as an ideal solution for preventing phishing attacks from materializing, thus preventing ransomware attacks in the process.
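A toy SOAR-style triage playbook illustrating the automated, analyst-free investigation and alert aggregation described in the list above (an added example, not Sumo Logic or Cloud SOAR code): every email alert is scored against constructed threat intelligence, repeats of one phishing campaign are collapsed into a single case, and only alerts over a threshold are escalated to a human. The alert fields, indicator lists, scores and threshold are assumptions made for the example.

```python
import re
from collections import Counter, namedtuple

# Each alert as the playbook would receive it from a mail gateway (field names are an assumption).
EmailAlert = namedtuple("EmailAlert", "alert_id sender subject urls attachment_sha256")

# Constructed threat intelligence for the example: hypothetical values, not real indicators.
KNOWN_BAD_DOMAINS = {"invoice-portal-login.example", "secure-update.example"}
KNOWN_BAD_HASHES = {"0" * 64}  # placeholder SHA-256
TRUSTED_SENDER_DOMAINS = {"corp.example"}
ESCALATE_AT = 50  # score at which a human analyst is paged

def score_alert(alert):
    """Automated enrichment of one alert; returns (score, reasons) with no analyst input."""
    score, reasons = 0, []
    for url in alert.urls:
        m = re.match(r"https?://([^/:?#]+)", url, re.IGNORECASE)
        if m and m.group(1).lower() in KNOWN_BAD_DOMAINS:
            score, reasons = score + 50, reasons + [f"link domain on blocklist: {m.group(1).lower()}"]
    if any(h.lower() in KNOWN_BAD_HASHES for h in alert.attachment_sha256):
        score, reasons = score + 60, reasons + ["attachment hash on blocklist"]
    if alert.urls and alert.sender.rsplit("@", 1)[-1].lower() not in TRUSTED_SENDER_DOMAINS:
        score, reasons = score + 10, reasons + ["external sender with links"]
    return score, reasons

def run_playbook(alerts):
    """Triage every alert, collapse repeats of one campaign, page analysts only for real threats."""
    seen, verdicts, escalations = set(), Counter(), []
    for a in alerts:
        campaign = (a.sender.lower(), a.subject.strip().lower())
        if campaign in seen:  # same sender and subject already triaged: one case, not a new alert
            verdicts["duplicate"] += 1
            continue
        seen.add(campaign)
        score, reasons = score_alert(a)
        verdict = "escalate" if score >= ESCALATE_AT else ("monitor" if score else "close")
        verdicts[verdict] += 1
        if verdict == "escalate":
            escalations.append((a.alert_id, score, reasons))
    return dict(verdicts), escalations

# Constructed sample alerts: one phishing campaign seen twice, internal mail, an external newsletter, a bad attachment.
SAMPLE_ALERTS = [
    EmailAlert("A1", "billing@invoice-portal-login.example", "Invoice overdue", ("https://invoice-portal-login.example/pay",), ()),
    EmailAlert("A2", "billing@invoice-portal-login.example", "Invoice overdue", ("https://invoice-portal-login.example/pay",), ()),
    EmailAlert("A3", "hr@corp.example", "Holiday schedule", ("https://intranet.corp.example/holidays",), ()),
    EmailAlert("A4", "news@partner.example", "Weekly digest", ("https://partner.example/digest",), ()),
    EmailAlert("A5", "it@corp.example", "Printer driver update", (), ("0" * 64,)),
]
```

Running `run_playbook(SAMPLE_ALERTS)` yields two escalations (A1 and A5), one duplicate, one closed and one monitored alert, so analysts see two cases instead of five raw alerts.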

It’s been clear for a long time that some of the major problems SOC teams are dealing with are connected to the growing number of daily alerts. Attackers know that analysts assess alerts manually, which is why one of their main strategies is to bombard SOC teams with a flood of alerts, effectively drowning them in alert investigation.

This is why implementing a sophisticated technology that uses automation to replace human investigation of alerts is of the essence.

Why SOAR? Why not another advanced technology against ransomware attacks?

Unlike other sophisticated security technologies, SOAR is equipped with security orchestration and automation, which gives it the upper hand in detecting complex threats, including ransomware attacks.

The best thing to do in case of a ransomware attack is to catch it early, before it spreads. This is exactly why SOAR is best suited for the job, as its capabilities are well known to enhance threat hunting and provide a much faster incident response.

In fact, Cloud SOAR improves the incident response time of SOCs by 80%.

Whenever a ransomware attack infects a machine, Cloud SOAR detects the infiltration and quickly isolates the infection in the early stages of the attack, preventing further damage and keeping the business impact to a minimum.

Cloud SOAR relies on pre-defined incident response playbooks for faster execution, and once the ransomware attack is contained, Cloud SOAR guides security professionals through remediation, using its machine learning engine to provide applicable recovery recommendations.

The number and complexity of ransomware attacks will keep on growing, whether we like it or not. It is now a matter of WHEN, not IF, a ransomware attack occurs, so the best way to be prepared is to implement a force-multiplying security solution such as SOAR.

Needless to say, with SOAR, companies can keep ransomware attack costs to a minimum: SOAR not only allows SOC teams to be better at preventing ransomware attacks, it also ensures minimal impact and cost when an attack does occur, and increases their efficiency at detecting and remediating other sophisticated threats as well.

Learn more about how SOAR increases the efficiency and collaboration of SOC teams while enhancing their incident response time and threat hunting capabilities at the same time.
