It’s a given that ransomware is here to stay for the foreseeable future. It’s not new, so organizations should be well-versed in how to stave off an attack, as well as how to remediate one should it successfully encrypt the organization’s data and/or systems. However, attacks have changed in recent years, so these are the best prevention steps to take in 2021:
Basic Cybersecurity Hygiene. Improving basic cybersecurity hygiene is the most important defense against any type of attack, including ransomware. Cybersecurity hygiene can mean a lot of different things, but a good place to start is by making sure you have strong vulnerability management practices in place and that all devices have the latest security patches. Other basic security precautions can include running up-to-date antivirus software, restricting access to systems that can't be made compliant and other actions you would already take for regulatory compliance.
Penetration Testing. Once basic cybersecurity hygiene is covered, a further step is engaging penetration testers to confirm that everything Internet-facing in your organization is actually protected. By finding the routes an attacker could take into applications or internal systems, such as exploitable vulnerabilities, weak or brute-forceable credentials, or exposed services that sidestep protections like firewalls, you can fix those weaknesses before bad actors find them.
Board Discussions. Cybersecurity is increasingly becoming a board-level issue, because an attack can have a significant impact on an organization's revenue, brand, reputation, and ongoing operations. It's therefore worth having a specific board-level conversation about ransomware to ensure the board understands the risks it poses to the business, and that budget is made available to prevent or limit the damage of an attack. That discussion will prove critical if the company wants to implement added protections, such as improved cyber hygiene, or put in place automated reactive technologies to limit the spread of an attack.
Tailored Training. There is one vulnerability that has proven effective again and again as an entry point for attack: people. You can buy all the latest and greatest cybersecurity technology, but if you aren't training your employees, then you're leaving yourself vulnerable. Training to prevent ransomware starts by teaching employees to recognize phishing attacks and what to do if they suspect one. This is important because — even though many users have gotten better — phishing and social engineering remain two of the most effective ways for an attacker to breach your organization. Teaching users to validate URLs or avoid clicking on links or attachments altogether can go a long way toward protecting against all types of attacks.
In addition to preventing an attack, security leaders can also think about adding specific training for ransomware response. It is usually obvious to an employee when they have been hit with ransomware: their desktop may change or disappear, and a pop-up may direct them to a URL to pay the ransom (likely in bitcoin). Training users in what steps to take, above all to report it immediately rather than try to fix it themselves, and giving them an emergency point of contact on the security team, can make them feel more in control in the panic of an attack.
Limit the Scope of an Attack. Ransomware protection should include not only preventing an attack but also taking steps to minimize the damage of a successful one. That starts with having tools in place, such as EDR and SIEM/SOAR systems, that can recognize the behavior patterns of an attack (for example, a single host renaming or rewriting thousands of files in minutes) and automatically isolate the affected systems when those indicators fire. It also means network segmentation, which limits the lateral movement of an attack across the network.
What's a good Ransomware incident response plan?
STEP 1: Disconnect Everything - Unplug the infected computer(s) from the network and turn off any wireless functionality (Wi-Fi, Bluetooth, NFC). Isolate rather than power off where you can: memory can hold evidence, and sometimes encryption keys, that a shutdown destroys.
STEP 2: Determine the Scope of the Infection.
Check the following for signs of encryption (ransom notes, files renamed with an unfamiliar extension, files that no longer open):
a. Mapped or shared drives
b. Mapped or shared folders from other computers
c. Network storage devices of any kind
d. External Hard Drives
e. USB storage devices of any kind (USB sticks, memory sticks, attached phones/cameras)
f. Cloud-based storage: DropBox, Google Drive, OneDrive etc.
STEP 3: Determine if data or credentials have been stolen - Check logs and DLP software for any signs of data leaks, including large outbound transfers to hosts your organization does not normally talk to. Look for unexpected large archive files (e.g., zip, arc, etc.) containing confidential data that could have been used as staging files. Look for malware, tools, and scripts which could have been used to find and copy data. One unambiguous sign of ransomware data theft is a notice from the ransomware gang involved announcing that your data and/or credentials have been stolen.
STEP 4: Determine Ransomware Strain - Which strain/type of ransomware is it (for example Ryuk, Dharma, SamSam)? The wording of the ransom note and the extension appended to encrypted files usually identify the family, and the family determines whether a working decryptor exists and how the group is known to behave.
STEP 5: Determine Response - Now that you know the scope of the damage as well as the strain of ransomware you are dealing with, you can make a more informed decision as to what your next action will be. There are many response types; here is a summary of potential responses:
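A triage scanner covering steps 2 to 4, added here as an illustration and not part of the original plan or any vendor tool. Run against a share or image mounted read-only (never write to the infected disk), it reports three things: files whose contents look encrypted, grouped by extension, which shows both the blast radius and the appended extension that fingerprints the strain; ransom-note files, whose wording identifies the family; and large, recently written archives that may be exfiltration staging files. The entropy threshold, the note-name pattern, the archive size and age limits, and the sample directory tree are all assumptions chosen for the example.

```python
"""Ransomware triage scanner (added example; thresholds are assumptions)."""
import math
import os
import re
import tempfile
import time
from collections import Counter

# Shannon entropy in bits per byte: English text scores roughly 4 to 5,
# compressed or encrypted data close to 8. The threshold is an assumption.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 4096   # only the head of each file is read
MIN_SAMPLE = 256      # fewer bytes give a meaningless entropy estimate
# Formats that are legitimately high-entropy and so are not, on their own,
# evidence of encryption. Extend with what your environment stores.
KNOWN_COMPRESSED = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".docx", ".xlsx",
                    ".pptx", ".mp3", ".mp4", ".zip", ".7z", ".rar", ".gz", ".tar"}
ARCHIVE_EXT = {".zip", ".7z", ".rar", ".gz", ".tar", ".arc"}
# Ransom notes are commonly dropped under names like these (assumed pattern).
NOTE_NAME_RE = re.compile(
    r"(readme|decrypt|restore|recover|how_to|help).*\.(txt|html|hta)$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, archive_min_bytes: int = 50 * 1024 * 1024,
              archive_max_age_s: int = 7 * 24 * 3600, now: float = None) -> dict:
    """Walk `root` and return triage findings for steps 2 to 4."""
    now = time.time() if now is None else now
    encrypted_by_ext = Counter()
    notes, staging = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: keep walking, record it elsewhere
            if NOTE_NAME_RE.search(name):
                notes.append(path)            # step 4: note text names the strain
                continue
            if ext in ARCHIVE_EXT:
                # Step 3: a big archive written inside the incident window is a
                # candidate staging file for data theft.
                if (st.st_size >= archive_min_bytes
                        and now - st.st_mtime <= archive_max_age_s):
                    staging.append((path, st.st_size))
                continue
            if len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                encrypted_by_ext[ext or "(none)"] += 1   # step 2: looks encrypted
    # An unfamiliar extension dominating the high-entropy files is both the
    # blast-radius indicator (step 2) and a fingerprint of the strain (step 4).
    suspect = sorted(e for e in encrypted_by_ext if e not in KNOWN_COMPRESSED)
    return {"encrypted_by_ext": dict(encrypted_by_ext),
            "suspect_extensions": suspect,
            "ransom_notes": sorted(notes),
            "staging_candidates": sorted(staging)}


def build_sample_tree(root: str) -> None:
    """Constructed sample share: synthetic data, not from any real incident."""
    fin = os.path.join(root, "finance")
    os.makedirs(fin, exist_ok=True)
    for name in ("budget.xlsx.locked", "forecast.docx.locked"):
        with open(os.path.join(fin, name), "wb") as fh:
            fh.write(os.urandom(8192))            # stands in for ciphertext
    with open(os.path.join(fin, "minutes.txt"), "w") as fh:
        fh.write("Quarterly planning notes, untouched by the attacker. " * 100)
    with open(os.path.join(root, "README_DECRYPT.txt"), "w") as fh:
        fh.write("Your files have been encrypted. Visit the link below to pay.\n")
    with open(os.path.join(root, "export.zip"), "wb") as fh:
        fh.write(os.urandom(4096))                # stands in for a staging archive


def run_demo() -> dict:
    """Build the sample tree in a temp dir and scan it; the archive threshold is
    lowered so the 4 KiB sample archive is flagged."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    build_sample_tree(root)
    findings = scan_tree(root, archive_min_bytes=1024)
    for key, value in findings.items():
        print(f"{key}: {value}")
    return findings


if __name__ == "__main__":
    run_demo()
```

Treat the output as leads, not verdicts: high-entropy files under an extension the business actually uses (images, Office files) are expected, so the useful signal is an extension nobody recognizes appearing across many directories, and an archive that is large relative to what that share normally holds.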