Ransomware is a major business risk. You need a plan to know what to do when this happens to your company. This guide to ransomware preparedness will help you create a solid response plan.

Ransomware is a huge problem, and there are many guides online for how to protect your company. Such guides often have a long list of things you can do to reduce the probability of a ransomware infection. But what if you are infected anyway?

What is ransomware?

Ransomware is computer malware that criminals use in digital extortion schemes. Criminals will infect computers in your company with a virus. Then they steal your most important documents and data. They will try to turn off your backup system. Then they will use encryption to make your data and systems unusable. After doing all this, they demand money to give you the secret key that can fix the situation. If you don’t pay, not only is your data destroyed, but they will release your most important documents online, or sell them to your competitors.

Ransomware preparedness means preparing for extortion from gangsters
Ransomware is the modern digital equivalent of the 1930s gangster running an extortion racket. The gangster says: “pay us money or we destroy your business”.

How do we stop ransomware attacks?

If we can stop ransomware attacks completely, that is the best solution! A good ransomware preparedness plan starts with answering the question: “how can we make the extortion scheme more difficult or risky for the attacker?”.

What you can do depends on the people in your organization. This means that you need to prepare a plan that fits the competence in your company.

In the following table we go through a well-known model of a cyber-attack known as the “cyber kill-chain”. At each stage of this phased model we suggest actions you can take to stop the attack. We separate the actions into two categories, one called “basic”, and one called “advanced”. The basic actions are easy to take in any organization, even if you don’t have a dedicated IT team. In contrast, the advanced actions would typically require IT professionals to help set up and maintain them.

Attack phase: Reconnaissance
  Basic: Don’t over-share about your IT systems. Avoid exposing systems on the internet if not necessary.
  Advanced: Be careful with subdomain names that reveal the types of technologies and incident response capabilities you possess.

Attack phase: Weaponization
  Basic: (none listed)
  Advanced: Collect threat intelligence on typosquatting domains. Collect and analyze strategic threat intelligence on the threat landscape.

Attack phase: Delivery
  Basic: Provide role-based cybersecurity awareness training for everyone. Run a modern antivirus solution on all computers.
  Advanced: Disable Microsoft Office macros if you can.

Attack phase: Exploitation
  Basic: Turn on automated updates on all operating systems and applications.
  Advanced: Establish a patch management program. Reduce execution possibilities through system hardening.

Attack phase: Installation
  Basic: Modern antivirus solutions that try to detect common malware behaviors.
  Advanced: Log forwarding and alerting based on event correlation.

Attack phase: Command and Control
  Basic: Modern antivirus solutions that try to detect common malware behaviors.
  Advanced: Anomaly detection using machine learning to detect beaconing and unusual network traffic. Use threat intelligence feeds for malware domains.

Attack phase: Actions on Objectives
  Basic: Avoid being logged on as an administrator. If you don’t need an internal network, don’t create one.
  Advanced: Network segmentation. Block remote execution pathways on the endpoints.

Table: Recommended mitigations to help stop ransomware attacks.
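The “Command and Control” row recommends detecting beaconing. The script below is an added example (not code from the original article) of the simplest form of that detection without machine learning: it groups outbound connections per (source host, destination) pair and flags pairs whose connections recur at a near-constant interval. The log lines, host names and addresses are constructed; a real deployment would read firewall or proxy logs, and the thresholds (five connections, 10 % jitter) are assumptions to tune per environment.

```python
"""Beaconing detector over constructed connection-log records.

Flags (source, destination) pairs whose outbound connections recur at a
near-constant interval, the timing pattern typical of malware
command-and-control check-ins. Everything below is constructed for
illustration; it is not code from the original article.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall log lines: timestamp, source host, destination, bytes.
# 203.0.113.10 is contacted roughly every 60 s; 198.51.100.5 is irregular.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 203.0.113.10:443 512
2024-03-01T09:00:12 ws-17 198.51.100.5:443 40211
2024-03-01T09:01:00 ws-17 203.0.113.10:443 520
2024-03-01T09:02:01 ws-17 203.0.113.10:443 498
2024-03-01T09:03:00 ws-17 203.0.113.10:443 515
2024-03-01T09:03:40 ws-17 198.51.100.5:443 120
2024-03-01T09:04:00 ws-17 203.0.113.10:443 502
2024-03-01T09:05:01 ws-17 203.0.113.10:443 511
2024-03-01T09:07:15 ws-17 198.51.100.5:443 9000
2024-03-01T09:30:00 ws-17 198.51.100.5:443 300
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return [(src, dst, mean_interval_seconds, jitter)] for periodic pairs.

    jitter = stdev(interval) / mean(interval). A low value means the
    connections are evenly spaced, which interactive users and most
    legitimate software rarely produce over many samples. Thresholds are
    assumed starting points, not validated constants.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append((src, dst, round(avg, 1), round(jitter, 3)))
    return findings


if __name__ == "__main__":
    for src, dst, avg, jitter in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{avg}s (jitter {jitter})")
```

Legitimate software (update checks, monitoring agents) also beacons, so in practice the output is a candidate list to be cross-checked against the threat intelligence feeds mentioned in the same table row, not an alert on its own.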

How do we plan a response to a ransomware attack?

Ransomware attacks can be so costly that businesses go bankrupt. The criminals achieve their goals through extortion. To better cope with this, we need to take away some of their leverage.

  1. Identify the most important documents that you would not like them to share online or give to your competitors. Guard those documents closely by reducing who has access to them (need-to-know basis) and by using encryption.
  2. Identify the data and systems that are critical for your business. Make backups a priority, and store backups in a way that hackers cannot reach.
  3. Set up a business continuity plan. We need a plan for how we can continue delivering the most important services to our customers even during a crisis.
  4. Plan your communications. What will you tell your customers, owners, suppliers? What about the media? Owning the message reduces damage. Openness and transparency are the expected norm today.
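Step 2 says to store backups where attackers cannot reach them; a backup you cannot trust is no better than one you cannot reach. The script below is an added example (not from the original article) of a manifest check: record a SHA-256 digest of every file in the backup set, keep that manifest separately (offline or on write-once storage), and verify the set before restoring. The files, directory layout and the simulated tampering are constructed inside a temporary directory.

```python
"""Backup manifest: record and verify file digests so a backup set can be
checked for tampering, encryption or deletion before it is trusted for a
restore. Added example; the files and scenario are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large backups do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root, manifest):
    """Compare the current contents of root with a previously saved manifest.

    Returns sorted lists of modified, missing and unexpected paths. The
    manifest must live somewhere the backup location's credentials cannot
    write to; otherwise an attacker who reaches the backup can rewrite it.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: take a manifest, then simulate an attacker
    overwriting one file, deleting another and dropping a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("acct,amount\n1,100\n")
        (root / "contracts.txt").write_text("master services agreement\n")
        manifest = build_manifest(root)  # would be stored offline in practice

        (root / "finance" / "ledger.csv").write_bytes(os.urandom(64))  # "encrypted"
        (root / "contracts.txt").unlink()
        (root / "README_DECRYPT.txt").write_text("constructed placeholder note\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the verification as part of a periodic restore test, not only after an incident: a backup job that has silently stopped writing shows up as a growing "missing" list long before you need it.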

Incident response plan for ransomware attacks

Just like we can look at several phases in a cyber-attack, we can look at phases in incident response too. For example, a common model for cyber incident response uses 6 phases: preparation, detection and analysis, containment, clean-up, recovery and lessons learned. The most important of all these phases is preparation.

An ounce of preparation is worth a pound of cure

Benjamin Franklin

The following table shows recommended actions you can take to improve your ability to respond to cyber-attacks.

Phase: Prepare
  Basic: Assign the responsibility for making decisions. Focus on backups and protecting key assets.
  Advanced: Set up log collection and create alerts. Create procedures for analysis.

Phase: Detect & analyze
  Basic: React to alerts created by antivirus software.
  Advanced: Triage the events and decide whether each is a false positive or not. Create “indicators of compromise” and determine the blast radius.

Phase: Contain
  Basic: Disconnect machines with detections from the Internet.
  Advanced: Follow the incident response plan. Secure forensic images for evidence if needed.

Phase: Clean up
  Basic: Format and reinstall.
  Advanced: Format and reinstall.

Phase: Recover
  Basic: Restore data from backup. Observe closely in case of reinfection.
  Advanced: Restore data from backup. Observe in a safe test environment before bringing back to production.

Phase: Lessons learned
  Basic: How did we get infected? Why did it happen? How do we stop it from happening again?
  Advanced: Describe the infection chain. Understand why security controls did not stop the attack earlier. Identify improvements.

Table: Phases in your incident response plan.
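The advanced “Detect & analyze” actions are to create indicators of compromise and determine the blast radius. The script below is an added example (not from the original article) of that step: a small IoC set (a file hash, a domain, an IP address) is swept across endpoint log lines, and the result lists which hosts showed which indicator and when, which is what the “Contain” phase needs to decide which machines to disconnect. The IoCs, the hash value, the host names and the log format (timestamp followed by key=value fields) are all constructed.

```python
"""Indicator-of-compromise sweep over constructed endpoint log lines.

Given a set of IoCs, returns per-host hits and a blast-radius summary
(first sighting and hit count per host). Added example; all indicators,
hosts and log lines are constructed and the key=value log format is an
assumption, not a real product's schema.
"""
import re
from collections import defaultdict

BAD_HASH = "deadbeef" * 8  # constructed 64-hex-digit SHA-256 placeholder

# Constructed IoC set; in practice these come from the triaged alert or a
# threat intelligence feed.
IOCS = {
    "sha256": {BAD_HASH},
    "domain": {"update-check.example.net"},
    "ip": {"203.0.113.77"},
}

# Constructed endpoint telemetry. ws-17 ran the file, resolved the domain and
# connected out; srv-files only connected to the IP; ws-03 is clean.
SAMPLE_LOG = rf"""
2024-03-01T08:55:10 host=ws-17 event=process_create image=C:\Users\a\Downloads\invoice.exe sha256={BAD_HASH}
2024-03-01T08:55:12 host=ws-17 event=dns query=update-check.example.net
2024-03-01T08:55:13 host=ws-17 event=net_connect dst=203.0.113.77 port=443
2024-03-01T09:10:02 host=srv-files event=net_connect dst=203.0.113.77 port=443
2024-03-01T09:12:44 host=ws-03 event=dns query=mail.example.com
2024-03-01T09:20:00 host=ws-03 event=process_create image=C:\Windows\notepad.exe sha256={"1" * 64}
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp key=value key=value ...' into (timestamp, fields)."""
    ts, rest = line.split(" ", 1)
    return ts, dict(KV.findall(rest))


def match_iocs(fields, iocs):
    """Return [(ioc_type, value)] for every indicator present in one event."""
    hits = []
    digest = fields.get("sha256")
    if digest and digest.lower() in iocs["sha256"]:
        hits.append(("sha256", digest.lower()))
    query = fields.get("query")
    if query and query.lower().rstrip(".") in iocs["domain"]:
        hits.append(("domain", query.lower().rstrip(".")))
    dst = fields.get("dst")
    if dst and dst in iocs["ip"]:
        hits.append(("ip", dst))
    return hits


def sweep(text, iocs):
    """Map host -> [(timestamp, ioc_type, value)] for all matching events."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, fields = parse_line(line)
        for kind, value in match_iocs(fields, iocs):
            by_host[fields.get("host", "unknown")].append((ts, kind, value))
    return dict(by_host)


def blast_radius(by_host):
    """Summarise affected hosts: earliest sighting and number of hits each."""
    return {
        host: {"first_seen": min(ts for ts, _, _ in hits), "hits": len(hits)}
        for host, hits in by_host.items()
    }


if __name__ == "__main__":
    for host, summary in sorted(blast_radius(sweep(SAMPLE_LOG, IOCS)).items()):
        print(f"{host}: first seen {summary['first_seen']}, {summary['hits']} hit(s)")
```

The earliest timestamp per host also gives the lessons-learned phase its starting point for describing the infection chain: the host with the first sighting is where the delivery-stage question “how did we get infected?” should be asked.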

Get our free guide for ransomware preparedness

We have prepared a 10-page ransomware preparedness guideline that will help you set up your plan.

Make sure you tick the box for marketing communications if you want us to e-mail you the link to the Whitepaper!
