How to Survive a Ransomware Attack – Before, During, and After
September 8, 2020
It’s a fact that ransomware is dominating the cybersecurity landscape. Did you know that a company is hit with ransomware every 40 seconds? New tactics, new variants and more sophisticated cyber criminals are resulting in an increase in these attacks, not just against individuals, but against businesses.
If your company suffered an attack, it was more likely to be a business email compromise resulting in a ransom demand than anything else. It is the cyber criminal’s attack vector of choice.
What is Ransomware and How Does it Impact Organizations?
Ransomware cripples businesses and wreaks havoc by penetrating companies with malicious software designed to restrict users from accessing their computers, or the files stored on them, until they pay a ransom to cybercriminals. Cybercriminals use ransomware to lock files containing crucial information so that they cannot be used, and users are compelled to pay the ransom in order to regain access. Business impact can include:
- Loss and damage to business reputation
- Destruction of mission-critical or crucial information
- Damage to hostage systems, data and files
- Significant business downtime and significant loss of revenue
No Industry or Company is Immune
Small companies, medium-sized businesses and large enterprises across industries are under attack. When it comes to ransomware, company size or industry is not a factor. Cyber criminals don’t discriminate. While some industries continue to be bigger targets than others, data shows that no sector is immune to ransomware attacks. Healthcare organizations continue to be high-profile targets, but organizations in the Education, IT/Telecoms, Entertainment/Media, and Financial Services sectors have recently been hit as well.
One would likely ask the question: how do I protect my company from these malicious attacks? What are the necessary steps? I’m glad you asked.
How to Prevent Ransomware
The first line of defense against malware is prevention. It is often said that the best defense is a good offense. So, organizations must take the necessary prevention, detection and preparation measures.
- Train, test and re-train employees – employees should know how to identify malicious emails, how to avoid being hacked, and how to report suspicious emails.
- Beware of email – install antimalware scanners and advanced threat prevention
- Conduct regular network risk assessments
- Keep software and systems up-to-date with all patches and updates
- Back up, back up, back up: regularly back up data
- Limit privileged admin accounts and review quarterly
- Implement Multifactor Authentication (MFA) for remote access and privileged admin access
- Prohibit local storage of data
Preparation goes hand-in-glove with prevention. Proactive preparation involves everything from identifying where sensitive data resides to ensuring that your company has cyber insurance and a written incident response plan. To prepare for ransomware attacks, companies must:
- Develop an incident response plan
- Identify where sensitive data resides
- Identify systems that are critical to operations
- Determine the recovery point objective (RPO) for the sensitive data and the critical systems identified in the two points above.
- Obtain guidelines from your cyber insurance carrier on how to forensically handle incidents.
- Back up, and test restores of, the data and systems identified above, based upon the required recovery point objective.
- Determine criteria for ransomware payment and decision process
- Establish local physical security, police and FBI relationships.
- Develop and update the Incident Plans frequently specifically for ransomware attacks.
- Test all Incident Plans via tabletop exercises.
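The backup and restore-test step above is one that can be scripted and run on a schedule. The following Python example is added here as an illustration and is not the article's own tooling. It assumes a constructed inventory of systems with their RPO in hours and the time of their last successful backup, and a directory-to-tar archive as the backup mechanism; both are assumptions, not details from the article. It flags systems whose last backup is older than their RPO, then performs a restore test by extracting the archive to scratch space and comparing every file hash against the source.

```python
"""Backup-currency and restore-test check (added illustration, not the article's own tooling).

Assumptions (not from the article): an inventory of critical systems with a
recovery point objective (RPO) in hours and the timestamp of the last successful
backup, and a directory-to-tar archive as the backup mechanism.
"""
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: system name -> (RPO in hours, last successful backup, UTC).
NOW = datetime(2020, 9, 8, 12, 0, tzinfo=timezone.utc)
INVENTORY = {
    "file-server-01": (24, NOW - timedelta(hours=6)),   # within RPO
    "erp-db-01": (4, NOW - timedelta(hours=9)),         # out of RPO
    "hr-share": (24, NOW - timedelta(days=3)),          # out of RPO
}


def rpo_violations(inventory, now=NOW):
    """Return {system: hours_since_backup} for systems whose last backup is older than their RPO."""
    out = {}
    for system, (rpo_hours, last_backup) in inventory.items():
        age = now - last_backup
        if age > timedelta(hours=rpo_hours):
            out[system] = round(age.total_seconds() / 3600, 1)
    return out


def _tree_hashes(root):
    """Map each relative file path under root to its SHA-256 digest."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def backup_directory(src_dir, archive_path):
    """Write a gzip-compressed tar archive of src_dir (paths stored relative to the directory)."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")


def _safe_extract(tar, dest):
    # Python 3.12+ supports the 'data' filter, which refuses absolute paths and
    # '..' traversal inside the archive; older versions lack the keyword.
    try:
        tar.extractall(dest, filter="data")
    except TypeError:
        tar.extractall(dest)


def restore_test(src_dir, archive_path):
    """Restore the archive to scratch space and compare file hashes with the source.

    Returns (ok, mismatched_paths). A restore that silently drops or alters a
    file is exactly what this catches before an incident forces a real restore.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            _safe_extract(tar, scratch)
        expected = _tree_hashes(src_dir)
        restored = _tree_hashes(scratch)
    mismatched = sorted(p for p in set(expected) | set(restored)
                        if expected.get(p) != restored.get(p))
    return (not mismatched, mismatched)


def demo():
    """Build a constructed sample tree, back it up, and run the restore test."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as fh:
            fh.write("constructed,sample,data\n")
        archive = os.path.join(work, "data.tar.gz")
        backup_directory(src, archive)
        return restore_test(src, archive)


if __name__ == "__main__":
    print("RPO violations:", rpo_violations(INVENTORY))
    print("Restore test:", demo())
```

Running the script prints the two systems that are out of RPO and the result of the restore test; in a real deployment the inventory would come from the system list built in the preparation steps, and a non-empty violation list or a failed restore test should page whoever owns backups.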
We’ve Had a Ransomware Attack, Now What?
1. Disconnect from the Network and determine the scope of the attack
2. Involve Your Legal Team and Cyber Insurance Provider, Immediately
- Involve the legal department in the incident from the onset, and make sure they are in the incident plan.
- Work with Legal in advance to properly identify what needs to be labelled and how it needs to be labelled so that attorney-client privilege criteria are met. Update the Incident Plan.
- Involve Compliance/Privacy in the incident from the onset, and make sure this is in the plan.
3. Communicate, Communicate, Communicate
a. Before an event occurs, develop a written communication plan that all relevant departments have approved, especially for internal and external communications.
- Identify a primary decision-maker.
- Publish the plan to the appropriately restricted audience.
- Create a RACI chart, so everyone is aware of their responsibilities.
- Include your Managed Services Provider (if applicable) and any other third parties in the plan development.
b. In the case of an event, contact your local authorities and the FBI through the proper channels in your enterprise if you determine that a criminal act has occurred.
4. Execute your Incident Response Plan and prepare a response.
After the Breach: It’s Time to Recover and Restore
- Ensure that all malware has been detected before restoring servers and storage.
- Understand that scoping the extent of the infection properly takes time, and that taking that time is better than restoring too early.
- Make a forensic clone before restoring, so that root cause analysis can be done later.
- Conduct risk assessment and vulnerability reviews
- Document, document, document all meetings, decisions, and actions.
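The forensic clone and the documentation points above go together: an image is only useful for later root cause analysis if you can show it is a faithful copy. The following Python script is an added example, not the article's own procedure. It assumes a file-level copy of an evidence file (a disk or volume image would be handled the same way through its device or image file), hashes the source while copying, re-hashes the copy, and writes a JSON custody record beside the clone that can be re-verified before the image is relied on. The examiner name and case ID are placeholders.

```python
"""Verified forensic copy with a custody record (added illustration, not the article's own procedure).

Assumptions (not from the article): file-level imaging, SHA-256 as the integrity
digest, and a JSON record written next to the clone. Examiner and case ID values
are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read/write in 1 MiB pieces so large images never sit in memory


def copy_and_hash(src, dst):
    """Copy src to dst in chunks, returning the SHA-256 of the bytes read from src."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            h.update(chunk)
            fout.write(chunk)
    return h.hexdigest()


def hash_file(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def forensic_clone(src, dst, examiner, case_id):
    """Clone src to dst, verify the clone against the source digest, and write dst + '.custody.json'.

    Returns the custody record; raises if the clone does not match, so a bad
    image is never silently handed on for analysis.
    """
    started = datetime.now(timezone.utc).isoformat()
    source_digest = copy_and_hash(src, dst)
    clone_digest = hash_file(dst)  # independent re-read of what actually landed on disk
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "source": os.path.abspath(src),
        "clone": os.path.abspath(dst),
        "source_sha256": source_digest,
        "clone_sha256": clone_digest,
        "size_bytes": os.path.getsize(dst),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "verified": source_digest == clone_digest,
    }
    with open(dst + ".custody.json", "w") as fh:
        json.dump(record, fh, indent=2)
    if not record["verified"]:
        raise RuntimeError("clone hash mismatch; do not use this image")
    return record


def verify_clone(record_path):
    """Re-hash the clone named in a custody record; True only if it still matches the recorded source digest."""
    with open(record_path) as fh:
        record = json.load(fh)
    return hash_file(record["clone"]) == record["source_sha256"]


def demo():
    """Clone a constructed sample 'image', verify it, then show that altering one byte is detected."""
    with tempfile.TemporaryDirectory() as work:
        evidence = os.path.join(work, "evidence.bin")
        with open(evidence, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))  # constructed sample data, not real evidence
        clone = os.path.join(work, "evidence.img")
        record = forensic_clone(evidence, clone, "examiner-placeholder", "CASE-PLACEHOLDER")
        intact = verify_clone(clone + ".custody.json")
        with open(clone, "r+b") as fh:  # simulate a corrupted or altered image
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0xFF]))
        after_tamper = verify_clone(clone + ".custody.json")
        return record["verified"], intact, after_tamper, record["size_bytes"]


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the second, independent read of the clone: hashing only the stream you wrote proves what you intended to write, not what the storage actually holds. Keeping the custody record next to the image, and re-running verify_clone before analysis, is what makes the later root cause work defensible.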
Take some time to assess your cybersecurity landscape and ensure that you are backing up your data regularly. In the end, you’ll be glad you did: it will definitely pay off in the event of an attack.
During and after the incident, keep an auditable record of the incident handling and lessons learned. Then, create an action plan for improvement to prevent and prepare for the next incident if it comes.
Traditional security solutions don’t provide sufficient protection against threat propagation. Contact our security specialists to find out more about our security / ransomware solutions.