How to deal with Ransomware
Ransomware Incident Response
When your network is breached by malicious behavior, the extent of the damage you sustain will depend on your immediate detection and response. To optimize the protection of your data, your reputation, and your company, you should establish a set of policies and procedures for malicious breaches like ransomware. These policies and procedures are known as an incident response plan (IRP).
What is ransomware?
Ransomware is malware that is used to ransom data. Malicious software is used to access data and hold it hostage. The cybercriminals will then demand payment in exchange for a decryption key or password or they will offer the data to competitors for a price. In some cases, attackers will threaten to release the data to the public if they don’t receive payment.
How can you prevent ransomware?
Cybercrime is making technological leaps as fast as or faster than many legitimate businesses. There are steps you can take to reduce the risk of a malware incident in your network, but it’s equally as important to create an IRP because there are no 100% guarantees against cybercrime. By taking proactive measures and creating an IRP, you can minimize the damage done by breach incidents.
Backup Your Data
The easiest defense against a standard ransomware attack is to keep updated backups that will allow you to access your data. Your backup strategy should be carefully planned with consideration to your budget and storage space, speed of data accumulation or changes, and the advanced nature of ransomware viruses.
How often should you backup your data?
Backing up your data too frequently will increase the cost and storage requirements, but not updating frequently enough will leave you with outdated and somewhat useless data in the event of a ransomware attack.
How long should you keep backups?
Some ransomware viruses are programmed to lay dormant for extended periods. The goal is to be copied into a data backup and remain undetected until your clean backups have been deleted. If this happens, your data and your backups will be corrupted. Backups should be kept for a minimum of two months and longer if storage space will allow.
Annual Test Restoration
Practice restoring your data from a backup at least once a year. This practice will allow you to identify any issues in your data backup and restoration procedures and verify that everything will work as expected in the event of a real malware incident.
User Permission Audit
Access to files is provided by user permissions. By regularly auditing and limiting permissions as much as possible, you can minimize the impact of ransomware attacks. When malware gains control of a user in your network, the databases that can be corrupted will be based on that user’s user permissions to read and write on other databases.
Active monitoring will alert you to cybersecurity incidents in real-time, allowing you to react and limit the blast radius. You can set alerts for certain behaviors like more than 30 files being opened and edited in less than a minute. Behaviors like this will require investigation, which can begin as soon as you are made aware by your monitoring solution, which should be connected to the security control agents like antivirus, anomaly detection, internet gateway, and firewalls.
Incident Response Procedures and Practices
An incident response plan accelerates the response time of your IT team and reduces the impact of breach events. During a cybersecurity incident, there will be no delay in assigning tasks and leadership. Defense and reparation can be executed immediately based on established guidelines.
Dealing with Hackers
Paying a ransom does not guarantee access to your data. In some cases when access is restored, hackers have been known to discreetly retain control of a network to repeat the attack in the future, now that it’s marked as a paying customer. When attackers utilize more than one of the following extortion options, it’s known as “double extortion”.
- Encrypting all files
- Retaining network control
- Creating a backdoor
- Releasing/selling data
Your board may decide to negotiate with the attackers. For this course of action, it is recommended to use an experienced and professional service provider that specializes in negotiation with cybercriminals. By negotiating with attackers, you can:
- Identify your security vulnerabilities
- Reduce ransom demands
- Extend the deadline for payment
- Profile the attacker to learn their probably next steps
- Discover the full extent of the breach
- Make a deal for essential data
Dealing with Ransomware
Your first move should be to contact the incident response team. Your in-house IT team may or may not have the necessary skills. In some countries, the government offers these services in cooperation with service providers to the best of their ability. Until the incident response team takes over, there are steps you can take to reduce the damage and stop the spread of malware.
Identify the Point of Infection
For any action to run on a computer, it needs a PC, process, and user. Find out which computer is running the malware and then identify the user and the infected process. This information can help the incident response team solve the issue faster.
Start with the breach notification. Identify the source and review the changes that were made to files in that location, as well as the permissions given to that user. To make this step easier, your monitoring system should log the date, IP, user, action, and parameters of:
- Read file
- Write file
- Delete file
Isolate the Infected Computer
Use firewall rules to restrict outgoing and incoming access to the infected computer. Deny all traffic to and from the infected computer until it is verified as virus-free. Keep in mind that any login information, including IT login, could be captured and the credentials could be used to attack other networks.
Apply the same restrictions to the user and the process. Disable the user and manually mark the process hash signature as suspicious on the corporate AV so it will be blocked on any other corporate network. Malware often names the infected process as a legitimate operating system process, so blocking it by name can cause workflow disruption.
Monitor for Similar Activity
Focused monitoring flags specific security events that are typical to the malware, such as opening certain files or heavy loads of communication. Monitoring for similar activities can help detect lateral movement and malicious activity running on other machines.
Document the Event
Keep a detailed log of the event, the team’s response, and tasks completed. This will help to inform the incident response team, formalize a report, and prove due diligence to authorities.
Consider the Health of Your Backups
During a crisis, do not delete any backups. Keep in mind that the most recent backups could be infected. Identify your most recent clean backup before taking any action to restore your data from a backup.
Practice Your Incident Response Plan
Test and practice your IRP at least once a year to identify any gaps that could cause a delay during a real ransomware event. Annual practice improves your posture against malware by ensuring your procedures, response teams, backups, and monitoring are practical and functional when you need them.
Critical Data Breach Notifications
Some data breaches require that you notify authorities and customers within a specified period. Not reporting could cause increased fines and sanctions on your organization. There should also be a plan to notify employees who can provide any relevant information to help with defense and response. Prepare contact information for applicable parties ahead of time and define the criteria that would require notification. Regulations that require notifications include:
Business Continuation Plan (BCP)
A BCP will enable your organization to return to regular operations more quickly and minimize the impact of a data breach. If you don’t have a BCP, make one that can be implemented concurrently with your IRP.
How to Follow Up a Ransomware Incident
When the breach is contained and operations have been restored, review your security posture and identify opportunities for improvement that could prevent future incidents. Some appropriate actions include:
- Revise IRP
- Risk Assessment
- Design Review
- Penetration Testing
- Phishing Simulation
- Vulnerability Assessment