In 2021, high-profile ransomware attacks, such as the Colonial Pipeline and Kaseya hacks, caused significant disruptions to supply chains and companies’ operations.
In addition to these high-profile hacks, ransomware attacks have grown more common in general. With the rise of Ransomware as a Service (RaaS), many cybercrime groups have access to high-quality malware. The widespread success and profitability of ransomware mean that any organization can be a target. According to Check Point research, ransomware attacks grew 93% between June 2020 and 2021.
The Risks Of Ransomware
Ransomware is designed to cause disruption and damage to an organization. Modern ransomware exfiltrates and encrypts a company’s sensitive data, providing cybercriminals with multiple levers to extort a ransom. In some cases, ransomware groups expand their operations to target a company’s customers as well.
A ransomware attack poses significant risks to an organization. In addition to the costs of lost productivity and remediating the incident, a company may face reputational damage, lose customers, and face legal and regulatory penalties for failing to protect sensitive data.
How Should a Company Handle Ransomware?
A ransomware attack can cause disruption to operations and significant cost and damage to a company. When faced with a ransomware infection, responding appropriately is essential to minimizing the damage.
#1. Protection and Prevention
Once ransomware has started encrypting files, damage has already been done. Unless a company can restore all files from backups, some data will be lost even if a ransom is paid. Also, modern ransomware commonly steals and exfiltrates data before encrypting it, meaning that the company has likely already suffered a data breach.
Prevention is the best way to manage the threat of ransomware. Some of the ways in which a company can protect itself against ransomware include:
- Patch Management: Some ransomware variants spread by exploiting vulnerabilities for which patches are available. Promptly installing updates and security patches can help to close these infection vectors.
- Phishing Prevention: Phishing is one of the most common delivery mechanisms for ransomware. Companies should train employees to identify and properly respond to phishing campaigns and deploy anti-phishing solutions to block malicious messages from reaching the inbox.
- Access Management: With the rise of remote work, cybercriminals are increasingly leveraging compromised credentials and secure remote access solutions to plant and execute their malware. Deploying multi-factor authentication (MFA) and restricting access based on the principle of least privilege can help to prevent and reduce the efficacy of these types of attacks.
- Anti-Ransomware: If ransomware reaches enterprise systems, detecting and eradicating it as soon as possible limits the damage that it can do. All corporate devices should have anti-ransomware solutions deployed to identify and delete ransomware before it can exfiltrate and encrypt sensitive data.
Closing these potential attack vectors can help to reduce the probability of a ransomware attack. However, bolstering these protections with a strong backup policy can help to reduce the impact of a ransomware attack if one occurs.
#2. Incident Response
Rapid response to a ransomware infection can help to reduce the impact and cost of a successful attack. A quick, effective response requires an organization to have an incident response team (IRT) and strategy in place before it is needed. When responding to a ransomware infection, incident responders should:
- Remain Calm: Ransomware infections can be stressful, but it’s important not to panic. Keep a cool head, follow the incident response plan, and save a picture of the ransom note to ensure that it is available in the future for law enforcement and further investigation.
- Contain the Infection: Some ransomware strains attempt to spread through enterprise networks, so disconnect infected systems from the network as soon as possible. Also, trace back the attack chain to ensure that the attacker does not have a presence on other systems.
- Maintain System Status: Ransomware may leave a system in an unstable state, and changes to the system may cause loss of data. Don’t reboot infected machines, install updates, or perform any other system maintenance.
- Don’t Touch Backups: Ransomware commonly attempts to infect backups to force organizations to pay the ransom. Don’t connect backups to infected machines until the ransomware infection has been eradicated and the integrity of backups has been verified.
- Coordinate with Stakeholders: Collaboration is vital to the fight against ransomware. Don’t be afraid to contact law enforcement or reach out to a reputable incident response provider for help in remediating the incident.
#3. Removal and Recovery
After halting the spread of the ransomware and investigating the incident, recovery is the next step in the process. After removing the ransomware, the crucial decision to make here is whether to pay the ransom or attempt to recover from backups.
While paying the ransom may seem like the easiest and cheapest way to address the issue, it should be a last resort. Paying the ransom provides no guarantee that data will be recovered and helps to fund future campaigns by the attackers. Explore whether data can be recovered from backups or if a decryptor exists for the ransomware before deciding to pay a ransom that could be in the hundreds of thousands or even millions of dollars.