Thursday, February 27, 2025

Critical infrastructure: The rising ransomware victim

Ferhat Dikbiyik, the chief research and intelligence officer at Black Kite, explains how critical infrastructure providers can better protect their systems.

Organizations providing critical infrastructure are the lifelines that keep society functioning. Unfortunately, due to their importance, they have become prime targets for ransomware attacks. In fact, of the ransomware attacks that occurred in the past year, a staggering 88% were attacks on organizations in critical sectors.

The infiltration of ransomware into America’s essential industries is a pressing concern because these systems can’t afford to be offline for prolonged periods. As a result, ransomware groups know they will likely be successful in getting paid a ransom if they attack these industries. Recent trends indicate a shift toward sectors essential to daily life and national stability, with government functions, health care and critical manufacturing leading the list.

Critical sector agencies must adopt proactive security strategies to adequately protect themselves and their stakeholders. While they can’t control whether they are a target, organizations can be proactive in preventing an attack from being successful and minimizing its impact.

Here’s how organizations in critical sectors can protect themselves.

Proactive strategies for ransomware defense

Building resilience against ransomware attacks starts with awareness, proactive measures and preparation.

  • Monitor ransomware indicators: Organizations should routinely check for indicators like open critical ports, leaked credentials, phishing domains and email security weaknesses. Early detection of these signs provides an opportunity to close gaps before attackers can exploit them.
  • Prioritize patch management: Outdated software with known vulnerabilities is an open door for ransomware. Keeping systems, applications and firmware up to date is critical, especially for vulnerabilities that allow remote code execution. Regular audits and timely patching ensure that known weaknesses are addressed promptly, reducing the attack surface.
  • Strengthen endpoint and email security: Effective endpoint security, including antivirus and anti-malware solutions, helps block potential entry points. Advanced tools, like micro virtual machines, can prevent malware from spreading. Email security is equally important. Implementing Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) significantly reduces phishing risks. Coupled with employee training, these measures create a robust defense against email-borne threats.
  • Fortify network security: Securing networks involves closing unnecessary ports, restricting remote access, and enforcing multi-factor authentication for critical systems. Virtual private networks (VPNs) add another layer of protection for remote connections. Combining these measures makes it more difficult for attackers to find entry points into critical systems.
  • Implement reliable backup systems: Regular backups of critical data ensure a quicker recovery after an attack. For added safety, use a combination of on-site and off-site storage with air-gapped systems. Routine testing of backup and recovery processes is essential to confirm their reliability during a crisis.
  • Develop and regularly update your incident response plan: A well-documented and tested incident response plan is crucial for managing ransomware attacks. The plan should outline roles, communication protocols, and recovery steps. Regular simulations ensure the team is prepared to act quickly when needed, minimizing confusion during an actual incident. Regular updates are also critical to address changes to systems and technology as well as emerging regulatory requirements.
  • Evaluate third-party vendors: Ransomware frequently targets vulnerabilities in an organization’s third-party vendors. Regularly evaluating vendors’ cybersecurity measures and ensuring compliance with industry standards helps mitigate this risk. Transparency and open communication strengthen the ability to manage shared risks effectively.
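The first and third items above both come down to checking the domain's published email authentication records for weak settings. The script below is an added example, not code from the article or from Black Kite: it parses SPF and DMARC TXT records and reports the weaknesses a ransomware-focused review would flag (a missing record, a soft-fail or neutral `all` mechanism, too many DNS lookups, a monitor-only `p=none` policy, a partial `pct`, no aggregate-report address). The records and domain names are constructed placeholders embedded inline so the check runs offline; in a real assessment they would be fetched from DNS (the domain's TXT records and `_dmarc.<domain>`).

```python
"""Assess SPF and DMARC TXT records for common weaknesses.

Added example, not part of the original article. The records below are
constructed sample strings for placeholder domains; in practice they would
be fetched with a DNS TXT lookup of <domain> and _dmarc.<domain>.
"""

# Constructed sample records (placeholder domains, not real deployments).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@hardened.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

# SPF mechanisms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(record):
    """Return a list of weakness descriptions for one SPF record (empty = fine)."""
    if record is None:
        return ["SPF: no record published; the envelope sender can be spoofed freely"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    mechanisms = [t.lower() for t in terms[1:]]
    findings = []
    # The terminal 'all' mechanism decides what happens to unlisted senders.
    if "+all" in mechanisms or "all" in mechanisms:
        findings.append("SPF: '+all' authorizes every sender")
    elif "~all" in mechanisms:
        findings.append("SPF: '~all' softfail only flags spoofed mail; prefer '-all'")
    elif "?all" in mechanisms:
        findings.append("SPF: '?all' neutral gives no protection")
    elif "-all" not in mechanisms:
        findings.append("SPF: no terminal 'all' mechanism; unlisted senders are neutral")
    # Too many lookups make receivers return permerror, which also disables SPF.
    lookups = sum(
        1 for m in mechanisms
        if m.split(":", 1)[0].lstrip("+-~?") in LOOKUP_MECHANISMS
        or m.startswith("redirect=")
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def evaluate_dmarc(record):
    """Return a list of weakness descriptions for one DMARC record (empty = fine)."""
    if record is None:
        return ["DMARC: no record at _dmarc; receivers cannot enforce alignment"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    elif policy != "reject":
        findings.append(f"DMARC: unrecognised or missing policy '{policy}'")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"DMARC: pct={tags.get('pct')} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address; aggregate reports are not collected")
    return findings


def assess_domain(records):
    """Combined SPF + DMARC findings for one domain; an empty list means no weakness found."""
    return evaluate_spf(records.get("spf")) + evaluate_dmarc(records.get("dmarc"))


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        issues = assess_domain(recs)
        print(f"{domain}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Run against the constructed samples, `hardened.example` reports nothing, `weak.example` is flagged for its `~all` softfail and `p=none` policy, and `missing.example` for having no records at all. The same functions can be fed records pulled from a vendor's domain as part of the third-party review in the last item above.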

Steps to recover from an attack

Even with robust defenses, breaches can happen. A swift and strategic response minimizes damage. The following actions are essential in effectively managing a ransomware attack and mitigating its impact:

  • Isolate affected systems: Disconnect compromised systems to stop the ransomware from spreading.
  • Notify authorities and stakeholders: Inform law enforcement, regulatory bodies and key stakeholders to ensure compliance and coordinated action.
  • Engage cybersecurity experts: Professionals can assess the situation, contain the threat and guide recovery efforts.
  • Preserve evidence: Documenting the incident supports legal actions and insurance claims.

Post-attack recovery

After an attack, organizations must take steps to analyze the incident to identify the root causes and vulnerabilities that allowed the attack to occur. Implementing recommended security measures based on these findings can help prevent similar attacks in the future. Updating the organization’s incident response plan to incorporate lessons learned can improve preparedness for future incidents, while sharing information about the attack with relevant parties and collaborating with industry peers can help improve overall cybersecurity across the sector.

Building a resilient future

As ransomware groups focus more on critical infrastructure, these organizations must take note. Learning from past attacks and taking proactive measures to maintain excellent security hygiene will go a long way toward prevention. Staying informed and prepared is the key to managing security effectively and avoiding the crippling ripple effects of a ransomware attack.

Ferhat Dikbiyik is the chief research and intelligence officer at Black Kite.

© 2025 Federal News Network. All rights reserved.