Ransomware continues to be one of the most disruptive cyber threats facing organizations today and has been further underscored by the COVID-19 pandemic. Our Hackbusters™ were recently asked to respond to a ransomware attack. Their speed to the scene and expertise helped our client avoid a million-dollar incident.
In this latest blog, we’ve invited Jack Brooks, Head of BOXX Hackbusters™ to share some insights.
1. What immediate steps should a firm take if they were victim to a ransomware attack?
“Who you going to call…?”
If you have access to I.T. security experts, call them immediately. They are the experts and will give you the best chance to respond and recover from the attack. I’ve heard Vishal say before that “it’s not the incident that may kill your business but how you respond to it,” and he’s quite right.
Gather the team and scope the incident
Gather the incident response team and make sure they are ready to tackle their roles in the response efforts. Identify which applications, networks and systems were affected, and determine how actively the malware is spreading.
Contain the incident
First, disconnect (wired and WIFI) the infected system(s) from the network to ensure the attack does not spread to other computers and devices. Then, ensure backups are secured and free of malware. Every incident will generate some evidence, such as log files. Document this evidence as soon as possible and check it regularly. In some cases, if the incident is detected quickly enough, the encryption can be stopped. Some ransomware varieties use weak encryption that has a publicly available decryption mechanism provided by a security vendor or researcher.
Eradicate malware and recover from the incident
This involves wiping infected systems and restoring lost data from backups. Be sure to change all account, network and system passwords after removing a device or system from the network. Change passwords again once the malware is removed completely from the network.
Perform post-incident activities
Engage specialist data privacy lawyers to assess possible regulatory and breach notification requirements, if applicable.
2. What vital steps do some firms miss out?
We unfortunately see a number of firms face a second ransom attack soon after their first one. It’s vital that firms invest the time and resources to analyze how the attack happened and apply appropriate actions to ensure the same vulnerability is not compromised in the future and the systems are thoroughly checked for residual malware.
Employee education is also vital. For example, if the ransomware was the result of an employee clicking on a malicious link, the company should perform additional security awareness training.
Also, revise security policies if necessary. I.T. teams should also analyze how the ransomware incident response plan performed. If certain steps did not go as planned, review the plan, and update where needed to improve efficiency.
3. What simple measures can firms take to reduce their risk of being ransomed?
There are three key things that every size of business can take to keep themselves safe:
• Invest in good quality Malware Protection that does more than just virus scanning. Ensure that the software is maintained with all up to date patches. Make sure it also protects your cloud services; they are just as vulnerable as your computers.
• Ensure your operating system is patched with all security and high priority patches on at least a monthly basis, weekly would be best.
• Educate your employees how to recognize threats. Keep up with that training as the threats get more sophisticated every day. Knowing how to spot yesterday’s threats is no guarantee you will be able to spot today’s new threat. You cannot always expect your software to catch the latest threats coming out from cyber criminals. We, the user, must also play an important role.