Ransomware Prevention to Incident Response

A ransomware attack can be a debilitating event for an unprepared person or organization. Depending on the type and value of the data stored on an infected computer, the impact of an incident can range from a minor hiccup in operations to the death of the company.

According to a recent report, ransomware demand costs could exceed $1.4 billion in the U.S. in 2020. This expense, combined with the price of the resulting 16-day downtime caused by a ransomware infection, could propel the overall cost of these ransomware attacks to a high of $9.3 billion in the U.S. alone.

The good news is that ransomware attack protection is possible and can be accomplished through a few easy steps. But in the event that your organization is hit with a ransomware attack when unprepared, the incident response process is also straightforward. This article covers ransomware prevention to incident response

Related Reading: Why Pen Tests are Key to a Robust Incident Response Plan

How to Protect From Ransomware Attacks

Ransomware has shown to be profitable to hackers and will probably continue to exist until the potential for gain goes away. Your organization can protect against ransomware attacks through these steps.

Fighting Ransomware with Backups

If ransomware manages to install and execute on a machine, a recent, comprehensive, and segregated backup is your best friend. Rather than attempting to remove the malware and attempt (probably unsuccessfully) to decrypt affected files, the infected machine can be wiped and restored from the clean backup with minimal impact on operations.

Backups should be performed regularly and stored on media that is not directly connected to the machine.  For example, a network drive accessible to the machine or an external hard drive that is constantly attached to the machine are poor backup solutions since many ransomware variants will search for and infect other drives or shared folders.  Cloud-based backup solutions are a popular and efficient choice when choosing solutions that are resilient to ransomware attacks.

Frequent backups minimize the impact of a ransomware attack as only hours or days of data is lost as opposed to weeks, months, or even years.

Using a Golden Image to Protect Against Ransomware

Without a backup of an infected machine, the best way to recover from a ransomware attack is to completely wipe the affected machine. This can still involve a significant investment in time and resources, but it is favorable compared to paying a ransom that may or may not be honored by the attacker. Depending on the number of types of programs installed and used on the machine, this could mean that the user spends hours reinstalling and reconfiguring programs on the machine after a ransomware incident. 

If all data is stored in the cloud or on servers, keeping frequent backups of user machines may be unnecessary. 

However, to avoid the time spent reconfiguring machines after an incident, it’s advisable to have a secure clean image, sometimes referred to as a “golden image”, with all important programs installed, latest security patches applied, and configured so that users can get back up and running in the minimum time possible.

Security Awareness Training for Employees

Taking strides to prevent a ransomware attack is, of course, always the best strategy. Ransomware is just another form of malware, and one of the most common methods for spreading malware is by exploiting an organization’s weakest link: its humans. This is often done through social engineering means like phishing and watering hole attacks.

In fact, Verizon’s 2019 Data Breach Investigations Report revealed that phishing was the number one type of social engineering attack, accounting for 80 percent of the thousands of incidents the company investigated, and 94 percent of malware cyberattacks began with a phishing email.

By training users to identify suspicious emails and websites, the probability of a ransomware infection is greatly reduced and the chance you will avoid ransomware attacks altogether is increased.

Related Reading: Social Engineering Q&A: How to Strengthen Your Weakest Link

Responding to a Ransomware Incident

First and foremost, having an incident response plan and user-friendly incident response playbooks directing employees on what to do if they come face to face with ransomware can exponentially increase an organization’s resilience to ransomware attacks.

Unfortunately, taking preventative measures to avoid ransomware attacks is not foolproof and you may have to turn your strategy from ransomware prevention to incident response.

If you’ve prepared for a ransomware attack using the steps described, incident response is easier; wipe the infected computer, restore from a recent, clean backup, and continue operations. 

On the other hand, if you’ve been hit when unprepared, follow the steps outlined below to minimize the damage and get systems back up and running with minimal downtime.

Related Webcast: 5 Essential Steps to Creating a Relevant Incident Response Plan

Isolate the Ransomware Infection

After ransomware has been identified on a computer, the first step is to make sure that the infection doesn’t spread further.  The methods by which ransomware spreads can be broken into two main categories: exploitation of loopholes in program security and taking advantage of human behavior.

To isolate ransomware that spreads through the first method, the infected machine should be disconnected from the network.  This can be accomplished by removing the network cable or disabling the wireless network that the machine is connected to.  Do not power off the machine at this stage as this may negatively impact future steps.

If malware takes advantage of human error via phishing emails or similar tactics, disconnecting the infected machine from the network will not prevent infection via emails that have already been sent.  Immediately notify potentially affected parties both internal and external to the organization and instruct them not to open any emails from the infected account until further notice.

Related e-Book: Everything You Need to Know to Create An Effective Incident Response Plan

Remediate the Ransomware Damage

After the threat of the ransomware spreading to the rest of the network has been eliminated, the next logical step is to take action on the infected machine.  If a recent backup has been performed and securely stored, the simplest way to accomplish this is the restoration of the machine from the backup after the backup has been scanned for signs of infection.

If a backup does not exist, the first step in the remediation process is the identification of the specific type of ransomware that has infected the machine.  Often the malware name will be provided in the ransomware’s “instruction screen”; however, if this is not the case, examination of the extension of infected files can give a clue.

Before continuing in the remediation process, it is advisable to create a backup copy of the infected machine using removable media.  Currently, many ransomware variants are unbreakable, and any encrypted data should be considered permanently lost.  However, there is the potential that this may change in the future, so maintaining a copy of the encrypted data leaves open the possibility of retrieving it in the future if a solution is discovered.

Recovering Data After a Ransomware Attack

In most cases, data encrypted by ransomware is not recoverable.  Most ransomware variants use unbreakable encryption algorithms and are well-implemented. However, some variants include logical or programming errors that have allowed experts to develop solutions that may enable decryption of some or all of the encrypted files. A good resource for this is the No More Ransom Project (https://www.nomoreransom.org), which provides a list of decryption keys and tools for ransomware variants for which a solution has been discovered.

If a solution does not exist for the ransomware variant that infected a machine, it may be tempting to cave in and pay the ransom. However, this is not a good choice for a couple of reasons.

What happens if you pay the ransom and the hackers don’t provide you with a decryption key or software?  This happens in half of the cases where ransomware victims pay the ransom, and now you’re out both your data and the ransom payment.

There are also longer-term considerations.  Paying ransoms makes ransomware profitable and increases the probability that it will continue to be a threat in the future.  Being known as an organization that is willing to make ransom payments may have negative reputational impacts on customers and increase the probability that you will be targeted in the future since a ransomware attack against you in the past was successful.

Eradicate the Malware

The simplest method for guaranteeing that a computer is no longer infected with ransomware is wiping it completely and restoring it from a known clean image. If for some reason this is not possible, more research is required.

Most ransomware variants are well-researched. Often information on how to eradicate the threat from an infected machine is available online. However, this approach is riskier as it leaves open the possibility that the malware will persist on the infected machine and resume infection of the network once operations resume. For this reason, if wiping the machine is not an option, it is advisable to have an expert perform a forensics inspection and sanitize the machine before reconnecting it to any network.

Rebuild and Resume Operations Following a Ransomware Attack

At the end of the day, work must go on. Once the cause of the breach has been identified and eradicated, ensure all systems have been hardened, patched, replaced, and tested before you consider re-introducing the previously compromised systems back into your production environment.

Determine a time frame for when systems can be returned to production and how long you should monitor affected systems as well as what to monitor them for. Based on the type of breach, assess tools, such as file integrity monitoring and intrusion detection and protection, to help you ensure similar attacks will not reoccur.

As a final step, verify normal operations through communication with stakeholders. Once you’ve implemented all steps to restore normal operations and prevent a future incident, you should communicate with stakeholders. This will help you verify that all systems are stable and functional. Monitor closely for validation of normal operations and be prepared to act quickly in the event of a problem.

For help with all aspects of malware from ransomware prevention to incident response, rely on the experts at Avertium. Reach out to start the conversation.

Trending Phishing Techniques and Tips for Detection

With high stakes like data loss, credential compromise, ransomware infection or other types of malware infections, and financial loss, organizations must learn how to prevent phishing attacks.  

Download Now

 

 

HOW YOU CAN MOBILIZE FASTER WITH AVERTIUM'S DFIR RETAINER

Get a team that minimizes the impact faster because they know you, your systems, your business, and the threats you face. Our Cyber Response Units (CRU) stand at a ready to mobilize at a moment's notice to join you in the trenches if and when crisis strikes.

• Support for the entire incident response lifecycle
• Dedicated crisis response unit
• Rapid response in < 2 hours
• More cost-effective than emergency DFIR services
• Built-in escalation to minimize downtime
• Ability to reallocate unused hours to preventative services (for Flex and Protect plans only)

 

 

 

 

 

 

 

 

---

 

 

 

 

 

 

Learn more about Avertium's DFIR Retainer.