Ransomware - Defence and Response

What Ransomware is, how to defend from being attacked and how to respond effectively.

Ransomware is currently the worst nightmare for many IT departments and business owners. The impact of a ransomware attack is instant, identification and containment activities have to be swift and the recovery is incredibly difficult. Within hours, a thriving business can be completely locked out of its sensitive data. In some cases, the consequences can be severe.

Imagine a hospital being locked out of patient services, for example.


Targets of cybercriminals range from small companies to entire countries and beyond, across the globe. You will have seen on the news recently that in the US the major meat processor JBS was hit and subsequently paid $11 million in ransom to hackers; more recently, Fujifilm was also compromised but refused to pay the ransom demand, instead restoring its network from backups.

So how can you mitigate ransomware attacks for your organisation?

In this guide, we take a deep dive into understanding ransomware, covering:

  • What is a Ransomware Attack?

  • How Ransomware is Distributed?

  • How to Mitigate Ransomware Attacks?

  • How to Recover from a Ransomware Attack?

What is a Ransomware Attack?

Ransomware attacks abuse encryption to lock legitimate users out of their own sensitive data. Typically, a user downloads a file, runs a file from a USB drive, or falls victim to a phishing email. Once the malicious code is executed, the infection begins: the ransomware systematically encrypts the hard drive of the computer it was installed on. As you might imagine, this can have dramatic consequences for users.
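The encryption phase described above leaves a recognisable trail: one host renaming or rewriting many files to a new, unusual extension within seconds. The following is an added example (not part of the original article or any Forint tooling) showing a simple behavioural detector for that pattern, run over a small constructed file-activity log. The log format, host names, users, paths and the ".crypt" extension are all assumptions made for the example; the point is the sliding-window count per host and new extension, which is how a monitoring rule can flag the encryption phase without knowing a particular strain in advance.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample file-activity log (not real telemetry). Fields are key=value pairs;
# WS-014 shows the mass-rename pattern, WS-020 shows ordinary user activity.
SAMPLE_LOG = """\
2021-06-10T09:15:01 host=WS-014 user=jdoe op=rename src=/share/q1.docx dst=/share/q1.docx.crypt
2021-06-10T09:15:03 host=WS-014 user=jdoe op=rename src=/share/q2.docx dst=/share/q2.docx.crypt
2021-06-10T09:15:04 host=WS-014 user=jdoe op=rename src=/share/budget.xlsx dst=/share/budget.xlsx.crypt
2021-06-10T09:15:05 host=WS-020 user=asmith op=rename src=/home/asmith/report.docx dst=/home/asmith/report.pdf
2021-06-10T09:15:06 host=WS-014 user=jdoe op=rename src=/share/hr/plan.pptx dst=/share/hr/plan.pptx.crypt
2021-06-10T09:15:07 host=WS-020 user=asmith op=copy src=/home/asmith/report.pdf dst=/share/report.pdf
this line is malformed and must be skipped
2021-06-10T09:15:08 host=WS-014 user=jdoe op=rename src=/share/hr/roster.csv dst=/share/hr/roster.csv.crypt
2021-06-10T09:15:10 host=WS-014 user=jdoe op=rename src=/share/hr/notes.txt dst=/share/hr/notes.txt.crypt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"src=(?P<src>\S+)(?: dst=(?P<dst>\S+))?$"
)


def parse_event(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def extension(path: str) -> str:
    """Return the final extension of a path (including the dot), or '' if none."""
    dot = path.rfind(".")
    return path[dot:] if dot > path.rfind("/") else ""


def detect_mass_rename(lines, window_s: int = 60, threshold: int = 5):
    """Raise one alert per (host, new extension) once `threshold` extension-changing
    renames from that host land inside a sliding window of `window_s` seconds."""
    recent = defaultdict(deque)   # (host, new_ext) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["op"] != "rename" or not ev["dst"]:
            continue
        new_ext = extension(ev["dst"])
        if not new_ext or new_ext == extension(ev["src"]):
            continue                          # same extension: not the pattern we want
        key = (ev["host"], new_ext)
        q = recent[key]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                       # drop events that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": ev["host"], "user": ev["user"], "extension": new_ext,
                "count": len(q), "first": q[0].isoformat(), "last": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_LOG.splitlines()):
        print("ALERT: possible encryption in progress:", alert)
```

In production the event source would be an EDR or file-server audit log rather than a string constant, and the threshold and window should be tuned against a baseline of normal rename activity so that a user converting a batch of documents does not trigger an alert; the single docx-to-pdf rename for WS-020 in the sample stays well below the threshold.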

How is Ransomware Distributed by Cybercriminals

So how exactly do malicious actors distribute ransomware? Below are four primary methods of distribution used by attackers to infiltrate your networks:

  • Phishing Emails - Phishing emails account for the vast majority of successful cyberattacks. They employ social engineering tactics to scam unsuspecting users and coerce them to click on malicious links. Phishing emails come in many forms and are used by malicious actors to install keyloggers, scam people to wire money, buy gift cards, or download malicious files. Seemingly benign email attachments could result in a cyberattack. Phishing attacks also are the primary way in which ransomware is distributed. Typically, users are enticed to download a file containing ransomware, which then auto-executes.

  • Spear-Phishing - Spear-phishing is essentially a highly targeted phishing campaign. Most phishing emails are mass emailed to hundreds of thousands or even millions of victims. Spear-phishers take the time to investigate the organisation they are attacking, which enables them to impersonate key individuals. These attacks can be substantially harder to detect and can range from fairly basic to extremely sophisticated.

  • Typo-Squatting - Typo-squatting attacks occur when malicious individuals register domains that are incredibly similar to commonly frequented ones. Unsuspecting users then visit these domains and accidentally enter sensitive information or download malicious files. In many cases, these downloads take the form of “drive-by downloads”, where the malicious code is downloaded without the user’s knowledge and subsequently auto-executes on their computer. While typo-squatting is less common than phishing, it remains a common vector for ransomware.

  • Physical Attacks - Due to the prevalence of cyber-threats, many people overlook the physical aspect of information security. Malware attacks and ransomware can easily be distributed via physical media devices such as USB drives. Several high-profile ransomware infections have occurred through this method. In one instance, attackers sent USB sticks in the post to random households hoping that people would be curious enough to plug them in and see what was on them.

Hopefully, you should now have a reasonable understanding of what ransomware is and how it is distributed, so let us move on to how you can prevent yourself from becoming a victim.


How to Mitigate the Risk of a Ransomware Attack

Ransomware is surprisingly easy to prevent if you are willing to practice basic cyber-hygiene. Here are some easy steps you can take that will substantially lower your risk of being hit with an attack.

  • Create and Manage an Effective Incident Response Plan - Forint can assist your organisation in the crafting of an Incident Response Plan that fits your business. We can help identify areas where your organisation has weak security and also offer security services, including network monitoring, intrusion prevention systems, simulated phishing attacks, and other tools and techniques to lower your risk profile.

  • Perform End User Security Training - Security awareness training is one of the most cost-effective ways to reduce your chance of suffering a ransomware attack. By training your users to avoid phishing and typo-squatting, you can often prevent an attack before it even happens.

  • Conduct Dark Web Scanning - Stolen user credentials (emails and passwords) found on the Dark Web can indicate that your company or a 3rd party application or website that your employees use has been compromised, so you can take immediate action. Cybercriminals traffic and buy stolen credentials so they can infiltrate your networks to steal your data. By monitoring the Dark Web for threat intelligence about stolen user data associated with your company’s domains, you can be alerted when a compromise is detected, then respond to stop a potentially costly and widespread data breach.

  • Keep your Devices Patched - Ransomware has been around for a while (since the early 2000s in fact). However, for many it came to prominence with the advent of WannaCry Ransomware. Hundreds of thousands of computers were infected within hours of the attack, and losses totaled over a billion dollars. WannaCry abused an exploit in Windows that was already patched. Unfortunately, many individuals and companies had never downloaded and installed the patch, which left them vulnerable to attack. Ensure that you are keeping all IT systems and servers up to date with the latest patches. Here are some resources you can use to check for the latest updates:

Windows Latest Updates - Follow the link to gain access to the latest Windows OS Updates and Patches

Apple Latest Updates - Follow the link to gain access to the latest Apple OS Updates and Patches

  • Have Data Backups and Disaster Recovery in Place - Backup and disaster recovery doesn’t prevent ransomware or malicious software. But what it can do, is turn what would be a devastating cyber incident into a minor inconvenience. Work with your MSSP or MSP to create a backup and disaster recovery plan customised to your organisation and ransomware protection plan. Backups and plans should be regularly tested to ensure that you could quickly recover from a potential incident with minimal loss of productivity or data and even encrypted files. It isn’t enough just to have a backup/disaster recovery strategy. For backups to remain effective, the capability and associated processes have to be continuously monitored and tested to ensure that the solution works at the time of attack.

  • Use Endpoint Security - Antivirus software is not perfect at preventing malicious software. If you have not already, you should strongly consider switching to an advanced endpoint security solution. Advanced endpoint security uses Machine Learning and Artificial Intelligence to catch attacks that traditional anti-virus software can miss. We highly recommend investing in next-generation endpoint protection and continuous monitoring.

  • Ensure Your Email Server Has Content Filtering - Most email providers filter content by default. Gmail and other email providers have invested millions of dollars in automatically sorting spam and phishing emails out of users’ primary inboxes. However, depending on the email provider, you may want to add additional layers of protection by using content filter software.

  • Use Two-Factor/Multi-Factor Authentication - Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) can reduce the risk that an employee’s email account or work-related mobile devices are hacked and used to access personal information and distribute ransomware throughout the organisation. Enabling 2FA/MFA on email accounts and mobile devices is free, easy, and can save you thousands of dollars in lost revenue. Using an effective 2FA/MFA solution is one of the easiest and most cost-effective ways to mitigate the chances of a ransomware attack.

  • Utilise Regular Penetration Testing - Penetration testing involves having an outside party attempt to breach your network to check for any vulnerabilities. By engaging a third party to conduct a regular pen-test, you can identify weaknesses before a malicious actor does. Regular pen-tests also provide valuable lessons on where your organisational cybersecurity needs to improve.

  • Implement Security Policies and Procedures - Many organisations see policies and procedures as wasted paperwork. However, when security policies and procedures are both used and enforced, they can make all the difference. Plans should include preventing employees from engaging in personal business on laptops and desktops, a list of approved software vendors, and requiring the reporting of any real or suspected incident. Establishing clear guidelines and expectations for cybersecurity early on makes a huge difference.

  • Encourage Incident Reporting - Many employees may be afraid to report potential security incidents, fearing that they may lose their jobs. You need to make it clear that you encourage a policy of openly reporting any potential incidents. Employees should feel comfortable alerting their managers that there may be an issue. This simple step can save hours, or even days, allowing you to isolate the ransomware infection and prevent it from spreading to other servers and computers.


  • Get Cyber Insurance - No matter how good your cybersecurity program is you can still be compromised. Purchasing a high-quality cyber insurance plan that includes coverage for instances of ransomware can save you vast amounts of money later. The quality of cyber insurance varies dramatically so ask around and get some quotes, make sure to read the fine print of what is covered and how much is covered, as this could make the difference between a pay out and getting no support.
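The backup bullet above stresses that a backup is only useful if a restore is tested regularly and proven to produce intact data. The following is an added example, not code from the original article or from Forint, of the kind of restore check that can be scripted into that routine: a manifest of file hashes is recorded at backup time, a restore is performed, and the restored tree is compared against the manifest so that missing, corrupted and unexpected files are reported rather than discovered during a real incident. The directory layout and file contents are constructed inside a temporary directory purely for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupted.append(rel)
    present = {p.relative_to(restored_root).as_posix()
               for p in restored_root.rglob("*") if p.is_file()}
    extra = sorted(present - manifest.keys())
    return {"ok": not missing and not corrupted,
            "missing": missing, "corrupted": corrupted, "extra": extra}


def demo_restore_check(damage: bool = True) -> dict:
    """Constructed scenario: a tiny backup set and a restore of it.
    With damage=True the restore has one altered file, one missing file and one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "backup"
        dst = Path(tmp) / "restore"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2021-06-01,100\n")
        (src / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(src)          # recorded when the backup is taken
        if damage:
            (dst / "finance").mkdir(parents=True)
            (dst / "finance" / "ledger.csv").write_text("date,amount\n2021-06-01,999\n")  # altered
            (dst / "finance" / "stray.tmp").write_text("left over\n")                     # unexpected
            # notes.txt deliberately not restored
        else:
            shutil.copytree(src, dst)           # a clean, complete restore
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print("damaged restore:", demo_restore_check(damage=True))
    print("clean restore:  ", demo_restore_check(damage=False))
```

The manifest should be stored separately from the backup media (and ideally signed or kept offline), since a backup that an attacker can alter together with its checksums proves nothing; the check then runs against a restore into an isolated location on a fixed schedule, with a non-zero "missing" or "corrupted" list treated as an incident in its own right.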

Forint offers a free basic Cyber Risk Assessment to ascertain the level of risk your company faces. This assessment allows you to accurately gauge what you need to decrease organisational risk and improve your security.

How Do You Recover From Ransomware?

Unfortunately, you can do everything possible to mitigate the risk of a ransomware attack and still suffer one. Perhaps a third-party contractor accidentally exposed you, an employee missed their training, or your IT department forgot to push out a Microsoft security update to every end client within your estate. In any case, you have been compromised, so what should you do now?

  • Isolate Infected Systems Quickly - The first and most important thing you need to do is isolate the infected systems from your network. Immediately disconnect any devices (servers or endpoints) identified as compromised from the network, using physical and electronic means. Do not power them off at this stage, as that may destroy vital evidence. The last thing you want is for the ransomware, or any other malware, to spread to other devices, causing more damage and chaos.

  • Contact Incident Response Professionals - Ransomware grows more sophisticated every year. If you become the victim of a ransomware attack, even if you isolate the affected systems, you are still at risk. We highly encourage you to contact cybersecurity incident response professionals who can help remove the malware from your IT infrastructure and ensure that all IT systems are safe to use again. You do not want to run the risk of only partially removing the malware, which could result in even more data loss. Forint can assist you if you have been the victim of a ransomware attack. Please click the contact us button at the bottom of the page to get in touch if you have experienced an attack so we can get you in touch with our security experts. We have experience responding to incidents with various types of malware strains.

In many cases it is a good idea to identify a competent ransomware recovery provider before you are attacked.

Incorporate the Lessons Learned

After any cyberattack or security incident has been resolved, you must incorporate the lessons learned identified in the after-action review, so that you can respond even more effectively to the next ransomware attack. Sit down with your internal team and any external agencies and companies who assisted with the response to the incident.


You must then look at working together to develop a plan of action to prevent future malware incidents. When the next security event occurs, you will be that much more prepared to deal with it. If you are looking to improve your cybersecurity presence, find out more about our services.


Still unsure about ransomware? Then call us or visit www.forint.co.uk for a free Risk Assessment to find out how vulnerable you may be. We will work with you to test your systems and ensure that you are adequately protected.
