Locked Out: Ransomware Prevention and Incident Response
A ransomware attack can be a debilitating event for an unprepared person or organization. Depending on the type and value of the data stored on an infected computer, the impact of an incident can range from a minor hiccup in operations to the death of the company.
The impact of ransomware on small to medium size businesses (SMBs) can be particularly devastating. In its Second Annual State of Ransomware Report, Malwarebytes reported that among SMBs that experienced a ransomware attack, roughly one in six suffered 25 or more hours of downtime, with some organizations reporting to be down for more than 100 hours. Further, 22 percent reported they had to cease business operations immediately.
The good news is, protecting against a ransomware attack is fairly simple and can be accomplished through a few easy steps. In the event that your organization is hit with a ransomware attack when unprepared, the incident response process is also simple and straightforward.
Protecting Against Ransomware Attacks
In an ideal world, ransomware would not exist and no-one would need to protect against it. However, ransomware can be profitable to hackers and will probably continue to exist until the potential for profit goes away. Protecting yourself or your organization against ransomware attacks can be accomplished through a few easy steps.
If ransomware manages to install and execute on a machine, a recent, comprehensive backup is your best friend. Rather than attempting to remove the malware and attempt (probably unsuccessfully) to decrypt affected files, the infected machine can be wiped and restored from the clean backup with minimal impact on operations.
Backups should be performed regularly and stored on media that is not connected to the machine. For example, a network drive accessible to the machine or an external hard drive that is constantly attached to the machine are poor backup solutions since many ransomware variants will search for and infect other drives or shared folders. Frequent backups minimize the impact of a ransomware attack as only hours or days of data is lost as opposed to weeks, months, or even years.
Without a backup of an infected machine, the best way to clean up after a ransomware attack is to completely wipe the affected machine. Depending on the number of types of programs that are installed and used on the machine, this could mean that the user spends hours reinstalling and reconfiguring programs on the machine after a ransomware incident. If all data is stored in the cloud or on servers, keeping frequent backups of user machines may be unnecessary. However, to avoid the time spent reconfiguring machines after an incident, it’s advisable to have a clean image sometimes referred to as a “golden image” with all important programs installed and configured so that users can get back up and running in the minimum time possible.
Security Awareness Training
Preventing a ransomware attack is, of course, always the best solution.
Ransomware is just another form of malware, and one of the most common methods for spreading malware is by exploiting an organization’s weakest link: its humans. This is often done through social engineering means like phishing and watering hole attacks. In fact, the Enterprise Phishing Susceptibility and Resiliency Report reveals that 91% of cyberattacks and the resulting data breach begin with a spear phishing email.
By training users to identify suspicious emails and websites, the probability of a ransomware infection is greatly reduced.
Responding to a Ransomware Incident
If you’ve prepared for a ransomware attack using the steps described previously, incident response is easy: wipe the infected computer, restore from a recent, clean backup, and continue operations. If, on the other hand, you’ve been hit when unprepared, follow the steps outlined below to minimize the damage and get systems back up and running with minimal downtime.
After ransomware has been identified on a computer, the first step is to make sure that the infection doesn’t spread further. The methods by which ransomware spreads can be broken into two main categories: exploitation of loopholes in program security and taking advantage of human behavior.
To isolate ransomware that spreads through the first method, the infected machine should be disconnected from the network. This can be accomplished by removing the network cable or disabling the wireless network that the machine is connected to. Do not power off the machine at this stage as this may negatively impact future steps.
If malware takes advantage of human error via phishing emails or similar tactics, disconnecting the infected machine from the network will not prevent infection via emails that have already been sent. Immediately notify potentially affected parties both internal and external to the organization and instruct them not to open any emails from the infected account until further notice.
After the threat of the ransomware spreading to the rest of the network has been eliminated, the next logical step is to take action on the infected machine. If a recent backup has been performed and securely stored, the simplest way to accomplish this is restoration of the machine from the backup after the backup has been scanned for signs of infection.
If a backup does not exist, the first step in the remediation process is identification of the specific type of ransomware that has infected the machine. Often the malware name will be provided in the ransomware’s “instruction screen”; however, if this is not the case, examination of the extension of infected files can give a clue.
Before continuing in the remediation process, it is advisable to create a backup copy of the infected machine using removable media. Currently, many ransomware variants are unbreakable, and any encrypted data should be considered permanently lost. However, there is the potential that this may change in the future, so maintaining a copy of the encrypted data leaves open the possibility of retrieving it in the future if a solution is discovered.
In most cases, data encrypted by ransomware is not recoverable. Most ransomware variants use unbreakable encryption algorithms and are well-implemented. However, some variants include logical or programming errors that have allowed experts to develop solutions that may enable decryption of some or all of the encrypted files. A good resource for this is the No More Ransom Project (https://www.nomoreransom.org), which provides a list of decryption keys and tools for ransomware variants for which a solution has been discovered.
If a solution does not exist for the ransomware variant that infected a machine, it may be tempting to cave in and pay the ransom. However, this is not a good choice for a couple of reasons.
What happens if you pay the ransom and the hackers don’t provide you with a decryption key or software? This happens in half of the cases where ransomware victims pay the ransom, and now you’re out both your data and the ransom payment.
There are also longer-term considerations. Paying ransoms makes ransomware profitable and increases the probability that it will continue to be a threat in the future. Being known as an organization that is willing to make ransom payments may have negative reputational impacts with customers and increase the probability that you will be targeted in the future since a ransomware attack against you in the past was successful.
The simplest method for guaranteeing that a computer is no longer infected with ransomware is wiping it completely and restoring it from a known clean image. If for some reason this is not possible, more research is required. Most ransomware variants are well-researched, and information is available online on how to eradicate it from an infected machine. However, this approach is riskier as it leaves open the possibility that the malware will persist on the infected machine and resume infection of the network once operations resume. For this reason, if wiping the machine is not an option, it is advisable to have an expert perform a forensics inspection and sanitization of the machine before reconnecting it to any network.
At the end of the day, work must go on. Once the infected machine has been cleaned and the latest backups have been applied, the machine is ready to be reconnected to the network.
Getting Assistance with Ransomware Protection
Sword & Shield offers several services to help with ransomware prevention and incident response. For instance, our Ransomware Defense Assessment service identifies and explains your current ransomware vulnerabilities, and provides recommendations of how to close those gaps through proper remediation and targeted security awareness training. Our Phishing Services assist you in both understanding your employees’ knowledge in relation to cyberthreats and training those employees to improve their cyber awareness. Our Incident Response Program Development service provides you with peace of mind in knowing you have a plan to deal with unexpected security incidents.
Contact us for a free consultation to learn more about ransomware prevention and incident response tailored to your organization.