March 31, 2023 By John Le 6 min read

The 2023 Threat Intelligence Index reveals ransomware attacks are getting faster. IBM Security can help organizations protect and defend against them.

As organizations increasingly migrate higher volumes of data to the cloud, more of their sensitive data is at risk of being compromised. The IBM Security X-Force Threat Intelligence Index 2023 found that 17% of attacks involved ransomware. Even though the amount of ransomware attacks declined slightly over the year, these attacks have become much faster for threat actors to deploy. In fact, an X-Force study found that the time to execute attacks dropped 94% over two years. In 2019, the average ransomware deployment time was over 60 days; in 2021, the average ransomware deployment time was only 3.85 days. Clearly, with attackers moving faster, organizations must take a proactive, threat-driven approach to cybersecurity. They need modern solutions that detect real threats, secure their data and quickly respond to attacks.

How does ransomware work?

Ransomware attacks occur when hackers try to gain access to a computer or a device and then restrict users from accessing their own files until a ransom is paid. Sending a ransom note however, is the final stage of the attack. A ransomware attack can be summarized in four main steps:

  • Step 1: An attacker first tries to gain the access to the network—this could be months or even years before the attack takes place.
  • Step 2: Once they have the initial access, the attackers move laterally throughout the infrastructure to increase access privileges, say on an administrator level.
  • Step 3: Upon succeeding, they install the ransomware, encrypting files and sensitive data.
  • Step 4: It is only after this deployment that the ransomware is revealed to the victim.

How companies can handle a ransomware attack

Mitigating the damage of a cyberattack or a data breach and avoiding reputational damage are the top priorities for organizations. IBM Security recommends three ways to handle ransomware attacks:

  1. Early ransomware detection with powerful endpoint security for faster responses
  2. Leverage an encryption solution to help protect your sensitive data.
  3. Use AI-powered threat intel and analysis to generate high-fidelity alerts.

1. Early ransomware detection with powerful endpoint security for faster responses

Amplifying your cybersecurity with a strong endpoint detection and response (EDR) solution should be one of the top things to include in your incident response plan. Why? Because an EDR platform ensures that threats are contained before the devices get encrypted by ransomware. An AI-driven EDR solution can help detect and remediate known and unknown threats within seconds. Unlike antivirus software, EDR tools don’t rely on known signatures and can detect unknown threats.

An AI-driven EDR solution like IBM Security QRadar EDR relies on behavior detection, identifying anomalous activities like ransomware behavior in near real-time. This could be an unusual backup deletion or an unexpected encryption process that starts without warning and automatically terminates upon detection.

As new and sophisticated threats of ransomware variants emerge, IBM Security QRadar EDR uses data mining to hunt for threats that share behavior and functional similarities and responds as needed. This helps security teams quickly identify if new threats have entered an environment and understand “early warning signs” of an attack so weak spots or vulnerabilities can be effectively patched.

This post further details four ways IBM Security QRadar EDR can help you prevent ransomware, including detecting and responding to phishing attacks. Request a live product demo to see IBM Security QRadar EDR in action.

2. Leverage an encryption solution to help protect your sensitive data

The threat from ransomware has grown exponentially as the tools and capabilities available to threat actors have become more sophisticated. To help protect against such threats, organizations have started to deploy protection along every layer of the chain. Encryption of corporate data is one such defensive mechanism against ransomware. Encrypting data renders it useless to the threat actor looking to exfiltrate the information.

If the threat actor further encrypts encrypted data, the organizations can restore business operations by replacing it with a secured backup. Along with deploying encryption technologies, sophisticated organizations may also deploy security solutions that detect suspicious user behavior on their sensitive data spread across multiple clouds.

IBM Security Guardium Data Encryption is a robust encryption solution that combines standard encryption methods with dependable and adaptable capabilities, such as application allowlisting and intelligent access policies. Through application allowlisting, the solution permits only authorized users to perform encryption and decryption of critical business data wherever it may reside. Any unknown processes will be detected at the guard point and denied access before it can read or encrypt the data. In this way, application allowlisting serves to neutralize the malware because even if the malware can identify that the sensitive data exists, it will be blocked from being able to encrypt the underlying data. If the encrypted data is then stolen, it no longer holds value to the intruder since it cannot be used to expose confidential information. 

Guardium Data Encryption also incorporates fine-grained, policy-based access controls that define which users have access to specific protected files, applications and the corresponding activity the user can perform. Applying these policies across the network helps ensure that malware cannot exploit inconsistent privileges.

Enforcing granularity also comes with an improvement in governance capabilities due to role-based access controls making separation of duties more clearly defined and simpler to audit. Guardium Data Encryption’s granular access controls go beyond just user identity and the activity they are requesting to perform. As any strong encryption tool should, Guardium Data Encryption creates policies based on a wide collection of criteria, such as processes, time restraints, the type of data source being accessed and level of sensitivity.

The combined competencies of Guardium Data Encryption create a protective “checks and balances” system so the defense mechanics can react when other controls may fail. Managing all these activities may cause concern for the amount of overhead and resources an organization must dedicate to keep them on task. However, tools like Guardium Data Encryption are ideal for executing several defense activities simultaneously, such as deploying encryption methods, governing granular access controls and managing encryption keys from one central management console.

Administrators can create policies and quickly apply them across the enterprise, which helps to avoid security gaps and inconsistencies. With a strong focus on access controls at a granular level, our solution helps reduce the number of resources needed by being very particular about which users have access to what data and the associated processes, limiting the opportunities for unauthorized access or accidental changes.

Given that cybercriminals have access to advanced decryption tools now, it is imperative for organizations to implement a modern data encryption and key management tool. IBM Security Guardium Data Encryption is a highly scalable solution that offers organizations the capabilities needed to help protect their data and business from threats, such as ransomware attacks.  

3. Use AI-powered threat intel and analysis to generate high-fidelity alerts

When suspicious behavior triggers an alert, security analysts need to know whether it’s a random event or tied to known cyber-adversary tactics, techniques and procedures (TTPs). This means that security operations center (SOC) teams need to correlate analytics, threat intelligence and network and user behavior anomalies in real-time. SOC teams need a solution that can enrich security alerts with threat intelligence details and integrate threat intelligence with security controls to immediately block malicious domains, files, IP addresses, emails, etc. Operationalizing threat intelligence in this way acts as a backbone for a modern SOC.

Threat intelligence using TTP analysis enables teams to quickly determine if anomalous behavior within their environment is a part of a recognized cyber-adversary attack like ransomware. SOC teams need a solution that can enrich security alerts with threat intelligence details like malicious indicators of compromise (IOCs) or related attack patterns. Threat intelligence enrichment can also help organizations align individual alerts and events to malicious intent by mapping to the MITRE ATT&CK framework.

These are the capabilities that a leading SIEM solution like IBM Security QRadar SIEM can provide. QRadar SIEM includes over 500 correlation use cases, including several related to ransomware. When threat actors trigger multiple detection analytics, move across the network or change their behaviors, it can track each tactic and technique being used. More importantly, it correlates, tracks and identifies related activities throughout a kill chain, with a single high-fidelity alert automatically prioritized for the team so that they can respond seamlessly with their SOAR solution, such as IBM Security QRadar SOAR. Another IBM blog post covers much of what a leading SIEM solution can do.


As one of the most common and devastating attack threat action objectives today, ransomware continues to pose a major security risk for organizations to protect against. Given the average speed at which a ransomware attack is deployed today, SOC teams must rely on a host of solutions to prevent and minimize the many different attack techniques, actions and impacts that can lead to or result in ransomware. Some of the most important solutions include the following:

  1. Endpoint protection: Help prevent ransomware with early detection and minimize business disruptions with faster remediation.
  2. Data encryption: Better protect your sensitive data from being compromised.
  3. Threat intel and analysis: Help security analysts stay focused on investigating and remediating the right threats using AI-powered threat intel and analysis.

Get started with IBM Security solutions

Read the full IBM Security X-Force Threat Intelligence Index 2023.

Was this article helpful?

More from Security

Enhance your data security posture with a no-code approach to application-level encryption

4 min read - Data is the lifeblood of every organization. As your organization’s data footprint expands across the clouds and between your own business lines to drive value, it is essential to secure data at all stages of the cloud adoption and throughout the data lifecycle. While there are different mechanisms available to encrypt data throughout its lifecycle (in transit, at rest and in use), application-level encryption (ALE) provides an additional layer of protection by encrypting data at its source. ALE can enhance…

Enhancing data security and compliance in the XaaS Era 

2 min read - Recent research from IDC found that 85% of CEOs who were surveyed cited digital capabilities as strategic differentiators that are crucial to accelerating revenue growth. However, IT decision makers remain concerned about the risks associated with their digital infrastructure and the impact they might have on business outcomes, with data breaches and security concerns being the biggest threats.   With the rapid growth of XaaS consumption models and the integration of AI and data at the forefront of every business plan,…

IBM named a Leader in Gartner Magic Quadrant for SIEM, for the 14th consecutive time

3 min read - Security operations is getting more complex and inefficient with too many tools, too much data and simply too much to do. According to a study done by IBM, SOC team members are only able to handle half of the alerts that they should be reviewing in a typical workday. This potentially leads to missing the important alerts that are critical to an organization's security. Thus, choosing the right SIEM solution can be transformative for security teams, helping them manage alerts…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters