Save Yourself: The Case for Resilience

Jul 15, 2025

Introduction

From the moment it emerged, ransomware has been a thorn in the side of organizations. But with the rise of ransomware-as-a-service and the growing convergence between IT and OT, that thorn has evolved into something far more dangerous—sharper, faster, and backed by a thriving criminal business model. Now that governments are moving to ban ransom payments in an effort to choke off profits, targeted organizations like yours are being painted into a corner. What makes your organization a target? As we’ve previously covered, organizations in the food and beverage industry are especially attractive—despite how critical uptime is, OT systems are often inadequately defended. But any company that relies heavily on automation and operates in a critical infrastructure sector can also be a target.

So, in a world where payment is becoming impossible, should you rely on intervention to take down the bad guys or build resilience? Intervention is reactive. It depends on outside forces, such as law enforcement and political turnover, and too often hinges on the attacker making a mistake. Passivity is not a luxury you can afford. Resilience is proactive, and it is the only path that doesn’t depend on luck, timing, or politics. We argue that resilience is the only reliable strategy. It gives you the power to take meaningful action in the areas you do have control over. In this piece, we’ll make that case and offer you tools to help you defend your organization rather than wait for a cavalry that may never come.

Payment Refusal: Starving the Ransomware Economy

The simplest response to ransomware seems to be to pay the ransom. However, this thinking is exactly the reason both ransomware and its successor, ransomware-as-a-service groups, became so lucrative. The profitability of these models is also fueled by technological advancements and increasingly sophisticated hacking techniques from hungry and ambitious threat actors. The promise of a huge payoff with minimal drawbacks has put critical infrastructure, and therefore public safety, in the crosshairs of many cyber criminals. Paying the ransom feeds back into this ecosystem.

There’s also no guarantee that the ransomware actor will hand over the correct decryption key after being paid, an outcome that many LockBit victims faced in 2024. Other victims found that even after they paid the ransom, their stolen data remained exposed on the Internet instead of being deleted as promised. In fact, broken promises are common across ransomware groups: some attackers continue to leak or sell data after payment, others never provide a decryption key at all, and still others double-dip, as when ALPHV re-extorted Change Healthcare. Even with the correct key, the organization has already been seriously disrupted and compromised, and systems altered by the encryption still have to be repaired. Thus, paying a ransom does not guarantee data restoration or privacy protection, but it does encourage ransomware groups to keep using the same tactics to get their payout.

This reason, among others, is why public advisories from the FBI and CISA repeatedly urge victims not to pay ransoms. Internationally, the official position is also against ransom payments. Countries are beginning to write this into law, such as Australia, which now requires “victims of ransomware attacks to declare to the government any extortion payments made on their behalf to cybercriminals.” These mandatory declarations increase visibility into ransomware activity while also serving the psychological purpose of casting shame on the organizations that have paid. Although it may seem cruel to add the salt of reputational harm to the wound of financial loss, paying the ransom also hurts the collective efforts of those organizations that refuse to pay. This lack of coordination means that those taking a stand against ransomware are punished for their response because others are undermining their efforts by paying out. It’s like one unit surrendering during a siege: it puts everyone else at greater risk, no matter how well-fortified they are.

In January of this year, the UK proposed that hospitals and schools be banned from making ransom payments, an expansion of the ban on ransom payments by government departments that is already in effect. In addition, all victims would be required to report incidents. These proposals are meant to establish the UK’s non-payment position, broadcasting a message to potential attackers that targeting a UK organization would be a financial dead end for them. The consultation ended on April 8, but the decision on whether to write these proposals into law has not yet been made or revealed. Even so, the proposals show how seriously governments are taking ransomware and cybersecurity. If this trend continues, an organization that chooses to pay will itself be breaking the law.

These proposals also reflect the broader goals of the Counter Ransomware Initiative, a coalition of more than 50 countries working to starve ransomware of its financial lifeline through coordinated policies and public refusal to pay. Globally, it is now widely recognized that the linchpin of ransomware deterrence is payment refusal. So, we can see that in an ecosystem where the motive of profit reigns supreme, the only way to eliminate this potent strain of cybercrime is to starve it to death. But, if paying the ransom is no longer an option, what can a ransomware target do instead? You can count on one of two strategies: resilience, or intervention.

You Can’t Depend on Intervention

Resilience entails an organization having a cybersecurity posture strong enough to withstand a ransomware attack without paying and also recover quickly enough from that attack so that their reputation and stakeholders’ data are kept intact. Governments have been bolstering their regulations and creating committees, all in the hopes of giving organizations the guidance needed for them to stand on their own. When it comes down to it, resilience is the only path that allows you to have control over your organization’s destiny. By weaving cybersecurity measures, solutions, and awareness into the fabric of your operations, you will have the ability to shape your future rather than waiting for the next disaster. Let’s take a look at the other option—intervention.

Intervention is the use of law enforcement to investigate and take down ransomware groups. A significant moment of hope came when BlackCat (aka ALPHV) appeared to have been taken down in December 2023. In time, however, it became widely believed that this was ALPHV performing an exit scam, faking its own death and running off with the money. This was a double blow: not only was there no confirmed law enforcement involvement in this major takedown, but right after ALPHV went dark, its last victim, Change Healthcare, was re-extorted by RansomHub, which quickly rose to take ALPHV’s place. Here are further details on the rise of RansomHub and how it revived the ransomware cybercrime space.

According to Veeam, 2024 was a year of law enforcement success, with various agencies carrying out arrests and takedowns of major cybercriminal groups. Most notably, the FBI carried out Operation Cronos in October, crippling the major ransomware gang LockBit (but not eliminating it). In November, multiple members of Scattered Spider, another notorious ransomware gang, were indicted. Wazakawa, a ransomware actor tied to multiple gangs, was arrested, along with other ransomware actors from various countries. It seemed that the dismantling of ransomware, and an internationally coordinated crackdown on cybercrime, was well on its way.

Unfortunately, despite the progress law enforcement seemed to be making in the past two years, ransomware gangs are still bouncing back. Soon after the takedown, LockBit was revived, though it has diminished in power and reach. What’s more, other ransomware gangs have also taken lessons from LockBit’s downfall. For example, it’s been widely observed that dwell times, the amount of time between initial access and attack execution, have decreased. Others have skipped dropping the ransomware payload and gone directly for extortion, since they tend to get caught at the phase of dropping ransomware. In addition, there are threat actors who haven’t joined new groups but instead became lone actors.

At the end of the day, external intervention is unpredictable and therefore inconsistent. It is admittedly tempting to leave it up to the law and concentrate on business only, trying to ignore the burdensome question of cybersecurity. But this is a passive response, like an ostrich burying its head in the sand, only emerging to react to an attack that could have been prevented if you had been clear-eyed and strategic in the first place. The main issue with this passive approach is that external factors remain outside of your control. All the progress made against cybercrime can be undone by circumstances such as a change of government administration. Recent events show how much difference an administration change can make, as Trump’s presidency has come with major cuts to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

In May of this year, a discretionary budget request was submitted to the U.S. Senate that proposed cutting $491 million from CISA, claiming that its funds had previously been used more for censorship and misinformation than for “protecting the Nation’s critical systems.” Thankfully, the House committee did not cut that full amount, but they did cut $135 million, an amount that severely undermines ongoing cybersecurity defenses. Depending on law enforcement leads to moments like these—in the end, these types of decisions are out of your hands.

This is how intervention falls through as a strategy: there are many moving parts, and most of them are circumstances outside of your control. Let’s focus now on what is within your scope of influence. Inside your own organization, you do have control over how your cybersecurity budget is spent. Using what you have, you can invest directly in your company’s resilience and secure a stance of self-sufficiency.

Let’s Talk About Resilience

What you can control includes your own OT cybersecurity budget. According to our annual report, 87% of the 150 organizations surveyed are increasing their OT cybersecurity budget. This shows that most businesses already understand that security is a top priority. So, it’s not funding that stands in the way of resilience for you; it’s how you use that funding. Investing in resilience is the only way to ensure your organization can stay afloat, no matter how the tides may change. That means focusing on the real-world tactics attackers use and countering them with targeted protections. Scanning and cleaning assets, regular patching, network segmentation, and continuous monitoring for abnormal behavior are not theoretical best practices; they’re crucial to the continuity of your business. Below, we’ll walk through how you can address these priorities:

  1. Increase Asset Onboarding Hygiene
    USB devices and removable storage are primary vectors for introducing malware. Inspecting assets before they reach your shop floor stops threats before they enter, and that brings enormous peace of mind. Safe Port is a touchscreen device that provides real-time media inspection, cleaning removable media of malware and providing secure file transfer in both connected and air-gapped environments. It’s complemented by Portable Inspector, a USB-stick tool that can be plugged into assets to quickly scan them for malware. With this duo, you can ensure that malware doesn’t piggyback into critical environments.
  2. Fix Known Weaknesses
    Ransomware gangs heavily abuse known software vulnerabilities to carry out their attacks. Patch management can address these vulnerabilities before they are leveraged against you, and regularly updating your software can close security gaps as well. But in OT environments, patching can be complicated. A combination of flexible patch management configurations and virtual patching as a stopgap measure can address this issue.
  3. Segment Your Network
    Once ransomware invades a network through one vulnerable device, it doesn’t stay put. Instead, it spreads laterally, taking advantage of flat, interconnected OT networks to move freely. By segmenting your network, you can contain the blast radius of any cyberattack, so that if one system is compromised, the entire operation isn’t taken down. EdgeIPS supports this segmentation at the zone level. Its AI-powered auto-rule learning helps generate communication policies based on observed network behavior. Once you approve them, these policies are enforced, controlling which traffic is allowed without requiring you to rebuild your OT architecture from scratch. This greatly limits the opportunities for threats to move laterally or exploit unseen gaps.
  4. Protect Endpoints from Ransomware
    Endpoints such as compromised engineering workstations are commonly used by ransomware gangs to enter a network. Once inside, attackers move fast to encrypt files or steal data. You can move beyond passive monitoring to active prevention with Stellar, TXOne’s OT-native endpoint security solution. Designed to catch ransomware in action before it can do damage, Stellar continuously monitors your endpoints in real time for suspicious activity using behavior-based detection, not just known malware signatures. It watches for unexpected behavior and stops it in its tracks before it can execute. Because the response is automated, it does not spend time analyzing the unexpected change to decide whether it is malicious; it stops the behavior and sets it aside so your operation can continue running. The incident can be analyzed later, and if the behavior or process is determined to be benign, it can be manually granted permission. This prevents threats from even gaining a foothold in your organization’s systems. With this solution, you can protect your assets and maintain market competitiveness without disruption.
  5. Have a Disaster Recovery Plan
    Chances are you already have something along these lines, but it’s a good idea to update your plan to make sure that it is well-defined and detailed. A good disaster recovery plan (DRP) should give specific guidance on how to quarantine infected systems, how to disclose and distribute information about the incident to relevant stakeholders, and how to restore operations as quickly and completely as possible. It’s highly recommended to conduct simulations and drills, just like a fire drill, so that your organization is prepared to handle a cyberattack before it happens.
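The learn-then-approve-then-enforce segmentation workflow described in item 3 can be illustrated with a small allowlist model. This is an added example written for this post, not EdgeIPS code or TXOne data: the zone addresses, the baseline flows, and the rejected rule are all constructed, and it generalizes the idea slightly by reducing observed host-to-host flows to zone-level rules before an operator approves them.

```python
import ipaddress

# Constructed zone map for the example (hypothetical addresses, not from the post).
ZONES = {
    "control": ipaddress.ip_network("10.10.1.0/24"),   # PLCs, HMIs
    "scada":   ipaddress.ip_network("10.10.2.0/24"),   # SCADA servers
    "it":      ipaddress.ip_network("10.20.0.0/16"),   # corporate IT
}

def zone_of(ip):
    """Map an address to its zone; anything outside the known zones is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def learn_rules(flows):
    """Learning phase: reduce observed flows to zone-level (src, dst, proto, port) rules."""
    return {(zone_of(s), zone_of(d), proto, port) for s, d, proto, port in flows}

def approve(candidates, rejected):
    """Review phase: an operator drops learned rules that should not become policy."""
    return candidates - set(rejected)

def enforce(policy, flow):
    """Enforcement phase: only zone pairs present in the approved policy are allowed."""
    s, d, proto, port = flow
    return "allow" if (zone_of(s), zone_of(d), proto, port) in policy else "block"

# Constructed baseline traffic captured during the learning window.
BASELINE = [
    ("10.10.2.5", "10.10.1.10", "tcp", 502),   # SCADA polls a PLC over Modbus/TCP
    ("10.10.2.5", "10.10.1.11", "tcp", 502),
    ("10.20.3.7", "10.10.2.5",  "tcp", 443),   # IT client to the SCADA web UI
    ("10.20.9.9", "10.10.1.10", "tcp", 445),   # SMB from IT straight into the control zone
]

# Learned during the window, but not something the operator wants to permanently allow.
REJECTED = [("it", "control", "tcp", 445)]

POLICY = approve(learn_rules(BASELINE), REJECTED)

if __name__ == "__main__":
    for flow in [("10.10.2.6", "10.10.1.12", "tcp", 502),
                 ("10.20.1.1", "10.10.1.10", "tcp", 445),
                 ("10.10.1.10", "10.10.2.5", "tcp", 3389)]:
        print(flow, "->", enforce(POLICY, flow))
```

Unseen hosts inside an approved zone pair (the second SCADA server polling a new PLC) are allowed, while IT-to-control SMB and control-to-SCADA RDP are blocked without any per-host rules.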

You don’t need to start from scratch to build ransomware resilience. You just need the right tools for the job. Intervention depends on forces outside of your control. Resilience gives you agency over your organization and its future.

To gain that agency, you need to invest in resilience. TXOne Networks offers solutions to fortify the cyber defenses of companies like yours. If you’re done suffocating with your head in the sand and ready to take action, reach out to us. Let’s talk about what resilience looks like for you.

TXOne Networks