Ransomware: Preventing an Attack and Responding to and Recovering From an Attack
Ransomware attacks have been around for many years. In the past, cyber-threat actors would penetrate a company’s computer and network systems and obtain data with the objective of returning it upon payment. The demanded payments were usually smaller than the ransoms requested in recent incidents. Most of these incidents weren’t financially material, nor were they reported publicly.
By contrast, today’s ransomware perpetrators execute well-orchestrated attacks accompanied by more significant financial demands. These incidents don’t focus on simple “theft” of data; instead, their intent is to disrupt the business. During a ransomware event, cyber attackers may contact and converse directly with their victims, offering a well-articulated list of demands along with clear threats of further business disruption if demands aren’t met. The attackers may bargain over the amount of payment, promoting quick resolution to the attack, with guarantees of full recovery when their demands are satisfied.
The impacts on businesses affected by a ransomware attack can take many forms. Several recent attacks have targeted businesses in industries where the level of cybersecurity investment is generally lower than in businesses with higher security profiles, such as those operating critical infrastructure or subject to regulations that prompt increased investment in cybersecurity.
Companies become ransomware victims when a perpetrator finds a security weakness that enables access to the organisation’s systems. Aggressive ransomware gangs use various techniques to gain that access. Common strategies include:
- Using stolen credentials to access systems where ransomware can be installed.
- Tricking a user into installing ransomware onto their device.
- Exploiting failure to remediate or “patch” a known cybersecurity vulnerability.
The human perimeter may be just as important as the technical perimeter. The cybersecurity mindset of a company’s employees may be one of its most important ransomware defense mechanisms. Their awareness of the risks and vigilance as data defenders make it more difficult for cybercriminals to obtain sensitive information or deceive unsuspecting users into downloading an infected file. Training, constantly reinforced through simulated phishing email testing, can transform employees into a resilient line of defense against unusual email messages, attachments from unfamiliar parties and unrecognised apps downloaded from the internet.
Anti-malware software, kept up to date, offers protections from phishing and malware attacks by detecting and blocking malicious files and warning users when they’re visiting suspicious websites. Secure email gateways filter inbound and outbound email communications to identify threats and prevent their delivery, stopping ransomware files in their tracks. Post-delivery protection solutions powered by machine learning systems or artificial intelligence algorithms can stop advanced email threats that penetrate the email network. Organisations can also use web filtering solutions to restrict user access to certain websites.
Ransomware attacks now unfold much faster than they once did. The current generation of ransomware attacks is orchestrated through preplanned, strategic campaigns: reconnaissance, penetration of the organisation’s attack surface, and rapid exfiltration of data. The campaign then continues with the extortion demand, outlining the actions required of the victim.
If a business finds itself under attack, it’s critically important to follow all established cyber-incident response plans and operational resilience protocols to manage the incident. Due to the holistic impact associated with modern-day ransomware attacks, managing the actual incident requires a larger-scale crisis management approach. Such an approach enables organisations to effectively address the broader list of business processes these attacks impact, including the initiation of full recovery and data verification post-attack.
An in-process ransomware situation requires many new procedures, processes and skills to combat the attack. Examples include:
- Interacting with cyber insurance companies
- Engaging outside legal counsel with ransomware experience to help negotiate any ransom payment
- Engaging law enforcement, the decision for which is a policy matter
Obviously, an important consideration is whether to pay the ransom. If the company has backed up the encrypted systems and data, management is in a much stronger position to negotiate. Otherwise, the business must weigh the value of the encrypted data it stands to lose against the requested ransom. Another important consideration: paying the ransom doesn’t guarantee that the cybercriminals will restore access to the encrypted data or refrain from leaking what they stole. Furthermore, the malware remains in the system, requiring a thorough cleansing of the environment after the attack.
In the aftermath of a ransomware attack, it’s first things first: conduct a postmortem on why and how it happened and take corrective action to prevent and detect future attacks more effectively. This assessment entails understanding how the attacker obtained the access needed to encrypt and lock down company data. To that end, endpoint detection and response solutions, which continuously monitor activity on endpoints and the traffic they send and receive for potential threats, can provide visibility into where the attack started and how it progressed. The business can use this insight to help prevent similar incidents from happening again.
Erasing ransomware from company systems is a priority in the aftermath of an attack. This task is very difficult to accomplish with confidence if the criminals don’t provide the keys to decrypt the affected files. And, even if they do, how can management be confident that the systems are fully cleansed without wiping all files and storage devices and starting anew?
Using prior data backups can reduce the severity of an attack’s impact on the business. Daily data backups should include processes to store copies off-site, with no connection to the organisation’s IT systems, so that an intruder who reaches the production network cannot encrypt or delete the backups as well. Backups should also be verified regularly, since a backup that has itself been tampered with or cannot be restored offers no protection.
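The following is an added example, not code from the article or from any vendor it describes. It shows one concrete way to make an offline backup verifiable: a manifest of SHA-256 hashes is recorded when the backup is taken and kept with the offline copy, and the manifest is checked again before any restore so that files that were silently encrypted, deleted or added (for example a dropped ransom note) are flagged rather than restored into a clean environment. The directory layout, file names and the simulated tampering in `demo()` are all constructed for illustration.

```python
"""Record and verify an integrity manifest for an offline backup set (illustrative example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root) -> dict:
    """Map every file under backup_root (relative path) to its size and SHA-256.

    The manifest is written at backup time and must be stored with the offline
    copy (or on write-once media), never only on the production network, or an
    intruder could rewrite it along with the data it protects.
    """
    root = Path(backup_root)
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root, manifest: dict) -> dict:
    """Compare the backup set on disk against the manifest recorded at backup time.

    Returns a report with four lists: files that match, files whose contents
    changed (a typical sign of encryption in place), files that are missing,
    and files the manifest never knew about (e.g. a ransom note).
    """
    current = build_manifest(backup_root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name]["sha256"] != expected["sha256"]:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    for name in current:
        if name not in manifest:
            report["unexpected"].append(name)
    return report


def is_restorable(report: dict) -> bool:
    """A backup set is safe to restore only if nothing changed, vanished or appeared."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo():
    """Constructed scenario: take a manifest, then simulate tampering with the backup copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("2024-01-01,invoice,1200\n")
        (backup / "notes.txt").write_text("quarterly planning notes\n")

        manifest = build_manifest(backup)          # recorded at backup time
        clean_report = verify_backup(backup, manifest)

        # Simulated compromise of the backup copy: one file overwritten with
        # ciphertext-like bytes, and a ransom note dropped alongside it.
        (backup / "finance" / "ledger.csv").write_bytes(b"\x9f\x00\xe3encrypted-blob")
        (backup / "README_RESTORE.txt").write_text("constructed ransom note\n")
        tampered_report = verify_backup(backup, manifest)

        return clean_report, tampered_report


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup restorable:", is_restorable(clean))
    print("tampered backup restorable:", is_restorable(tampered))
    print("modified:", tampered["modified"], "unexpected:", tampered["unexpected"])
```

In practice the manifest check would run on an isolated recovery host against the offline media before restoring, and the same routine doubles as a periodic restore test: if `is_restorable` ever returns false for a backup that has not been touched, the backup process itself is broken and should be fixed before it is needed.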
Prevention, response and recovery are all about operational resilience: the organisation’s ability to detect, prevent, respond to, recover from and learn from cyberattacks and other operational disruptions that may affect delivery of important business and economic functions or the underlying business services. There are six components to achieving resiliency:
- Evolve governance and culture.
- Identify important business services and processes.
- Establish front-to-back mapping of important business services and processes.
- Define “intolerable harm” and establish impact tolerances.
- Scenario test and improve.
Resilience is a market expectation of mature organisations, and that expectation extends to a ransomware attack. A solid understanding of how to minimise the impact of a ransomware disruption, knowledge of where the organisation’s vulnerabilities lie, and a deliberate programme of cyber resilience will help the business respond to and recover from an attack more quickly and minimise customer harm. Questions for management to consider include:
- Do we have effective security controls in place that are designed to prevent or limit the impact of ransomware? How often are these controls tested?
- Do we know where our critical data resides? Do we have the processes and components in place for operational resilience?
- Can we effectively quantify the impact of a ransomware event?
- Do we have 24x7 defense and monitoring against a ransomware event?
- Are cyber controls in place to protect our privileged access accounts?
- What is our backup strategy to mitigate ransomware? Do we have a consistent backup cadence and are our backups stored in off-site locations?
- What is our incident response plan if we’re the target of a ransomware attack? How broadly is the plan shared within our organisation?
- What are our incident response capabilities? Do we have a provider on retainer?