A recent State of the Incident Response report by Kroll, Red Canary and VMware states that about 49 percent of organizations lack adequate tools to detect and respond to cyber threats. While a business is unable to fully protect itself from these unpredictable attacks, there are a few steps business owners can take to prepare for a possible ransomware attack. The Cybersecurity and Infrastructure Security Agency (CISA) recommends the following prevention measures:
Maintain offline, encrypted backups of data and regularly test those backups. It is important to maintain at least one offline copy of your backups because many ransomware variants will try to find and delete your backups if they are digital. If you ensure you have an offline copy of your backups, it will not be necessary to pay a ransom because you will still have access to your data. A cloud provider is another good option to store backup data. With this option, ensure that the credentials you use to access your cloud provider are completely different from those used on your local network.
Create, maintain, and exercise a cyber incident response plan and communications plan. Having prepared an incident response plan and having worked through it to ensure it is functional – and informing the key stakeholders of the plan – will put your organization in a position to respond to such system invasions promptly and in a well-rehearsed, well thought out manner.
Conduct regular vulnerability scanning to identify and address vulnerabilities.
Regularly patch and update software and operating systems to the latest versions.
Ensure devices are properly configured and that security features are enabled.
Employ best practices for use of Remote Desktop Protocol and other remote desktop services.
Disable or block outbound Server Message Block (SMB) protocol traffic; SMB is what threat actors use to propagate malware across organizations.
Increase employee awareness of phishing, a tactic where attackers send an email to a user either trying to get the user to provide confidential information or carrying a link. If such a link is clicked, it deploys malicious software on the user’s computer, which can then spread to the rest of a business’s network. Emails that purport to come from the CEO, when the CEO rarely ever communicates with you directly, are a huge red flag. Repeatedly remind your employees to check the “address behind the address” if a suspicious email comes through. While the email may say it is from their immediate supervisor, the underlying email address of the sender can be viewed simply by hovering over the “from” area of the email.
Ensure antivirus and anti-malware software and signatures are up to date.
Use “application directory allow listing” in all assets to ensure that only authorized software can run and unauthorized software is blocked.
Consider implementing an intrusion detection system to detect command and control activity and other malicious network activity that occurs prior to ransomware deployment.
Take into consideration the risk management and cyber hygiene practices of third parties with whom you perform work.
Employ multifactor authentication and create strong passwords that you do not reuse.
Allow users to only have access to the systems and services they need to perform their job.
Enable security settings in association with cloud environments.
Develop a comprehensive network diagram that describes systems and data flows within your organization’s network to help incident responders understand where to focus their efforts.
If your business has cyber insurance, be sure to take that into account in your incident response plan. Incorporate the required processes and controls into your plan, along with key contacts should such an event occur. Not following the insurance company’s protocol can jeopardize the potential for coverage in such an event.
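The “address behind the address” check from the phishing item above, as an added example that is not part of the original article or of CISA's guidance: it parses a message's From and Reply-To headers and flags a visible display name that does not match the real sending address. The internal directory, the domain names and both sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed for this example: lowercase display name -> the colleague's real address.
INTERNAL_DIRECTORY = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAIN = "example.com"


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw_message: str) -> list[str]:
    """Return red flags from the From / Reply-To headers; [] means name and address agree."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr, key = addr.lower(), name.strip().lower()
    flags = []
    # 1. The visible name is a known colleague, but the underlying address is not theirs.
    expected = INTERNAL_DIRECTORY.get(key)
    if expected and addr != expected:
        flags.append(f"display name {name!r} but real address is {addr}")
    # 2. The display name is itself an internal-looking address hiding an external sender.
    if "@" in key and _domain(key) == INTERNAL_DOMAIN and _domain(addr) != INTERNAL_DOMAIN:
        flags.append(f"internal address shown as name, real sender domain is {_domain(addr)}")
    # 3. Replies would go to a different domain than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(addr):
        flags.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {_domain(addr)}")
    return flags


# Constructed samples: a genuine internal message and a lookalike-domain impersonation.
LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Q3 numbers

Bob, see attached.
"""
SPOOF = """From: Jane Doe <jane.doe@example-mail.invalid>
Reply-To: ceo.urgent@webmail.invalid
Subject: Urgent wire transfer

Bob, please handle this today.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, check_sender(sample) or "no red flags")
```

The same logic can be run by a mail gateway or a SOC triage script over reported messages, with the directory populated from the organization's real address book.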
Creating a Ransomware Response Plan
If the unfortunate does happen and your business or organization is the victim of a ransomware attack, the following checklist from CISA provides an example of a ransomware response plan. Here is what to do if your business or organization becomes a ransomware victim:
Determine which systems are impacted and immediately isolate them.
If you cannot temporarily shut down your network to preserve potential malware evidence, power down your devices to prevent the further spread of the ransomware infection.
Prioritize which systems need to be restored first and determine the nature of the data on each system.
Meet with your team to develop and document an understanding of what has occurred based on an initial analysis.
Engage your internal and external teams and stakeholders with an understanding of what they can provide to help you mitigate and respond to the ransomware attack.
If no initial mitigation appears possible, take a system and memory capture of a sample of affected devices, and collect any relevant activity logs and samples of any precursor malware binaries and associated observables.
Consult with federal law enforcement regarding possible decryptors available. Researchers have already broken the encryption algorithms for some ransomware variants.
Identify the systems and accounts that were involved in the initial breach. This can be an email account.
Contain any associated systems that may be used for further or continued unauthorized access. This could include disabling virtual private networks, remote access servers, single sign-on resources, and any cloud-based or public-facing assets.
Conduct an examination of existing organizational detection or prevention systems (antivirus, Intrusion Prevention System, etc.) and logs. Doing so can highlight evidence of additional systems or malware involved in earlier stages of the attack.
Conduct an extended analysis to identify outside-in and inside-out persistence mechanisms.
Rebuild systems based on a prioritization of critical services using pre-configured standard images, if possible.
Once the environment has been fully cleaned and rebuilt, issue password resets for all affected systems and address any associated vulnerabilities and gaps in security.
Declare the incident over.
Reconnect systems and restore data from offline, encrypted backups based on a prioritization of critical services.
In this third and final installment of this ransomware series, we'll discuss whether or not you should pay the ransom and if cyber insurance is worth it.