Ransomware was first thrust into the spotlight when the WannaCry attack crippled the NHS in 2017. Since then, ransomware has continued to hit businesses and has only seemed to have gotten worse. Since 2013 infections have increased steadily to the point that a company is hit with a ransomware attack once every forty seconds – New tactics, variants and sophisticated methods are resulting in a huge increase in these types of attacks.
Unfortunately, with these new tools and processes, we are also seeing these attacks become more targeted. Instead of seeking mass infections through relatively blunt means, threat actors are now using more precise infection vectors to achieve initial compromise. Unfortunately, we have seen that no business or industry is immune regardless of size or vertical.
This begs the question – What is the best way to protect myself from ransomware attacks? And what should I do in the event that my company is breached?
Protecting yourself from ransomware
Ultimately, the first line of defense against most cyberattacks is through proper prevention and preparation. With this in mind, organizations must take the necessary prevention, detection and preparation measures to keep themselves protected. These include:
- Employee Security Awareness Training – Employees are the first line of defense against malware as they are the ones who are actually being targeted during an attack. Proper training ensures that employees can identify malicious emails, avoid being hacked, and understand how to report suspicious emails.
- Implementing Multi-Factor Authentication (MFA) – provides an additional layer of security by requiring an extra token of authentication before access is provided. This helps to ensure that stolen credentials are not readily usable in the case that an attacker obtains them.
- Develop an incident response plan – This should identify where sensitive data resides and which systems are critical to operations. These should be reviewed and updated regularly.
- Backup and Test Restores for your Data
Should I pay the Ransom?
In the event that your company is breached, the question of whether or not to pay the ransom demand will inevitably come up. The answer should almost always be no. You should never pay a ransom because there is no guarantee that you will get your data back. Similarly there is no guarantee that your data is even usable or undamaged. All paying the ransom does is encourage further cybercriminal activity while also providing the funding for future attacks.
So What do I do if I am breached?
1. Isolate Infected Machines
When it comes to ransomware, speed is always king. The longer an infected system goes by unnoticed, the longer an attacker has to move laterally in the network and escalate their privileges. With this in mind, the first thing you should do if you suspect that a machine has been infected is immediately disconnect it from the rest of the network.
2. Notify your IT Security Team
Immediately notify your IT team so that they can contain the spread of ransomware and put in place the correct procedures to deal with the attack. This is where your incident response plan should come into play.
3. Identify the type of ransomware
There are two main types of ransomware – The kind that locks your screen, and the type that encrypts your files. The first kind – the screen locking variant – is easiest to resolve, and files will usually be safe until the payment is made. However, the variants that encrypt your files are usually more difficult and will require significantly more effort to deal with.
4. Inform Employees
In the event of a breach, you should immediately inform your employees that there has been a breach. Explain what it means for the company and outline the steps you will be taking to mitigate the incident. Employees deserve to know what is going on and should be fully briefed on the evolving situation.
5. Change Login Credentials
If hackers compromise admin credentials, they will be able to move laterally around networks, crypt files, and wipe out entire backups. If you suspect that your admin credentials have been compromised, you should change them immediately after a breach.
6. Take a photo of the ransom note
This will serve as evidence and will be helpful for providing further information on attack methods and investigations.
7. Partner with an trusted Managed Security Services Provider like Stratejm
A reputable cybersecurity company like Stratejm can put the full weight of their expertise and resources towards the recovery of your systems and data. MSSPs benefit from vast expertise managing cybersecurity threats across various different verticals, and will often have the tools and incident response capabilities needed to provide the most complete recovery of your data.