Ransomware is a major business risk. You need a plan to know what to do when this happens to your company. This guide to ransomware preparedness will help you create a solid response plan.
Ransomware is a huge problem, and there are many guides online for how to protect your company. Such guides often have a long list of things you can do to reduce the probability of a ransomware infection. But what if you are infected anyway?
What is ransomware?
Ransomware is computer malware that criminals use in digital extortion schemes. Criminals will infect computers in your company with a virus. Then they steal your most important documents and data. They will try to turn off your backup system. Then they will use encryption to make your data and systems unusable. After doing all this, they demand money to give you the secret key that can fix the situation. If you don’t pay, not only is your data destroyed, but they will release your most important documents online, or sell them to your competitors.
How do we stop ransomware attacks?
If we can stop ransomware attacks completely, that is the best solution! A good ransomware preparedness plan starts with answering the question: “how can we make the extortion scheme more difficult or risky for the attacker?”
What you can do depends on the people in your organization. This means that you need to prepare a plan that fits the competence in your company.
In the following table we go through a well-known model of a cyber-attack known as the “cyber kill-chain”. At each stage of this phased model we suggest actions you can take to stop the attack. We separate the actions into two categories, one called “basic” and one called “advanced”. The basic actions are easy to take in any organization, even if you don’t have a dedicated IT team. In contrast, the advanced actions would typically require IT professionals to help set up and maintain them.
| Phase | Basic | Advanced |
|---|---|---|
| Reconnaissance | Don’t overshare about your IT systems; avoid exposing systems on the internet if not necessary | Be careful with subdomain names that reveal the types of technologies and incident response capabilities you possess |
| Weaponization | Collect threat intelligence on typosquatting domains; collect and analyze strategic threat intelligence on the threat landscape | |
| Delivery | Provide role-based cybersecurity awareness training for everyone; run a modern antivirus solution on all computers | Disable Microsoft Office macros if you can |
| Exploitation | Turn on automated updates on all operating systems and applications | Establish a patch management program; reduce execution possibilities through system hardening |
| Installation | Modern antivirus solutions that try to detect common malware behaviors | Log forwarding and alerting based on event correlation |
| Command and Control | Modern antivirus solutions that try to detect common malware behaviors | Anomaly detection using machine learning to detect beaconing and unusual network traffic; use threat intelligence feeds for malware domains |
| Actions on Objectives | Avoid being logged on as an administrator; if you don’t need an internal network, don’t create one; block remote execution pathways on the endpoints | |
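One way to implement the “detect beaconing” control from the Command and Control row, as an added example that is not part of the original guide: it groups constructed firewall connection records by source and destination and flags pairs whose connection intervals are too regular for human browsing. The log format, host name and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log: "<timestamp> <src host> -> <dst ip:port>".
# ws-17 checks in with 203.0.113.10 about once a minute (a beacon) and
# browses 198.51.100.7 in irregular bursts (normal user traffic).
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 -> 203.0.113.10:443
2024-03-01T09:00:59 ws-17 -> 203.0.113.10:443
2024-03-01T09:02:01 ws-17 -> 203.0.113.10:443
2024-03-01T09:03:00 ws-17 -> 203.0.113.10:443
2024-03-01T09:04:00 ws-17 -> 203.0.113.10:443
2024-03-01T09:00:03 ws-17 -> 198.51.100.7:443
2024-03-01T09:00:04 ws-17 -> 198.51.100.7:443
2024-03-01T09:07:40 ws-17 -> 198.51.100.7:443
2024-03-01T09:08:10 ws-17 -> 198.51.100.7:443
2024-03-01T09:31:55 ws-17 -> 198.51.100.7:443
"""

def parse_connections(text):
    """Yield (src, dst, datetime) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, src, _, dst = line.split()
        yield src, dst, datetime.fromisoformat(ts)

def find_beacons(text, min_connections=4, max_cv=0.2):
    """Return {(src, dst): (mean_gap_seconds, cv)} for pairs whose
    connection intervals are suspiciously regular. cv = stdev/mean of the
    gaps: bursty browsing has a high cv, a fixed-sleep check-in is near 0."""
    stamps = defaultdict(list)
    for src, dst, ts in parse_connections(text):
        stamps[(src, dst)].append(ts)
    beacons = {}
    for pair, times in stamps.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")  # identical stamps: skip
        if cv <= max_cv:
            beacons[pair] = (round(avg, 1), round(cv, 3))
    return beacons

if __name__ == "__main__":
    for (src, dst), (avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"ALERT possible beacon: {src} -> {dst} every ~{avg}s (cv={cv})")
```

Real malware often adds random jitter to its sleep, so in production the threshold is tuned on your own traffic and combined with the threat intelligence feeds mentioned in the same row.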
How do we plan a response to a ransomware attack?
Ransomware attacks can be so costly that businesses go bankrupt. The criminals achieve their goals through extortion. To better cope with this, we need to take away some of their leverage.
- Identify the most important documents that you would not like them to share online or give to your competitors. Guard those documents closely by reducing who has access to them (need-to-know basis) and by using encryption.
- Identify the data and systems that are critical for your business. Make backups a priority, and store backups in a way that hackers cannot reach.
- Set up a business continuity plan. We need a plan for how we can continue delivering the most important services to our customers even during a crisis.
- Plan your communications. What will you tell your customers, owners, suppliers? What about the media? Owning the message reduces damage. Openness and transparency are the expected norm today.
Incident response plan for ransomware attacks
Just like we can look at several phases in a cyber-attack, we can look at phases in incident response too. For example, a common model for cyber incident response uses 6 phases. These phases are: preparation, detection and analysis, containment, clean-up, recovery and lessons learned. The most important phase of all these is preparation.
“An ounce of preparation is worth a pound of cure.” (Benjamin Franklin)
The following table shows recommended actions you can take to improve your ability to respond to cyber-attacks.
| Phase | Basic | Advanced |
|---|---|---|
| Prepare | Assign the responsibility for making decisions; focus on backups and protecting key assets | Set up log collection and create alerts; create procedures for analysis |
| Detect & analyze | React to alerts created by antivirus software | Triage the events and decide whether it is a false positive or not; create “indicators of compromise” and determine the blast radius |
| Contain | Disconnect machines with detections from the Internet | Follow the incident response plan; secure forensic images for evidence if needed |
| Clean up | Format and reinstall | Format and reinstall |
| Recover | Restore data from backup; observe closely in case of reinfection | Restore data from backup; observe in a safe test environment before bringing back to production |
| Lessons learned | How did we get infected? Why did it happen? How do we stop it from happening again? | Describe the infection chain; understand why security controls did not stop the attack earlier |
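As an added example that is not from the guide, the “create indicators of compromise and determine the blast radius” step of the Detect & analyze row and the “describe the infection chain” step of Lessons learned, worked on constructed events: hosts that touched a known indicator count as directly compromised, internal sessions they opened after that moment mark the hosts they may have reached, and the matched evidence comes back in time order. All hosts, indicators, timestamps and the event format are constructed placeholders.

```python
from datetime import datetime

# Constructed indicators of compromise from triage of the first alert
# (placeholders, not real indicators), keyed by the event type they match.
IOCS = {"dns": {"update-check.invalid"}, "ip": {"203.0.113.10"},
        "file": {"invoice.docm"}}

# Constructed endpoint and network events: "<timestamp> <host> <type> <value>".
# dns = lookup, ip = outbound connection, file = executable written,
# smb = authenticated session opened to another internal host.
SAMPLE_EVENTS = """\
2024-03-01T07:00:00 ws-22 smb fs-03
2024-03-01T08:55:10 ws-17 dns update-check.invalid
2024-03-01T08:55:12 ws-17 file invoice.docm
2024-03-01T09:00:00 ws-17 ip 203.0.113.10
2024-03-01T09:05:00 ws-03 dns mail.example.com
2024-03-01T09:20:30 ws-17 smb fs-01
2024-03-01T09:21:00 fs-01 file enc.exe
2024-03-01T09:30:00 ws-22 dns update-check.invalid
2024-03-01T09:31:00 ws-22 smb fs-02
"""

def parse_events(text):
    """Return events sorted by time as (datetime, host, type, value)."""
    rows = (line.split() for line in text.splitlines())
    return sorted((datetime.fromisoformat(ts), h, k, v) for ts, h, k, v in rows)

def blast_radius(text, iocs):
    """direct: {host: first IoC hit}; lateral: {host: (from_host, session time)}
    for internal sessions a compromised host opened AFTER its first hit (the
    07:00 ws-22 -> fs-03 session predates its compromise and is ignored);
    chain: the matched evidence in time order, for the lessons-learned write-up."""
    events = parse_events(text)
    direct, lateral, chain = {}, {}, []
    for ts, host, kind, value in events:
        if value in iocs.get(kind, ()):
            direct.setdefault(host, ts)
            chain.append((ts, host, f"{kind} {value}"))
    for ts, host, kind, value in events:
        if kind == "smb" and host in direct and ts >= direct[host] and value not in direct:
            lateral.setdefault(value, (host, ts))
            chain.append((ts, host, f"session to {value}"))
    return direct, lateral, sorted(chain)

if __name__ == "__main__":
    direct, lateral, chain = blast_radius(SAMPLE_EVENTS, IOCS)
    print("Blast radius:", sorted(direct) + sorted(lateral))
    for ts, host, what in chain:
        print(ts.isoformat(), host, what)
```

Hosts in the lateral set (here fs-01, which had an unknown executable written right after the session) are the ones to image and inspect next, and anything found there becomes a new indicator fed back into IOCS.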
Get our free guide for ransomware preparedness
We have prepared a 10-page ransomware preparedness guideline that will help you set up your plan.
Make sure you tick the box for marketing communications if you want us to e-mail you the link to the Whitepaper!