Ransomware Mitigation: Here’s How
Ransomware attacks have been on the rise, and they’re not going away anytime soon.
What is Ransomware, and what does it look like?
- Ransomware is a type of malware that infects computers or other devices and locks their contents with strong encryption until the user pays a ransom to decrypt them; once infected, your data can no longer be accessed because every file is encrypted by a powerful algorithm – even if you know what password was used to encrypt them in the first place.
- Ransomware typically arrives as spam links or attachments disguised as email messages from people you may know (e.g., “firstname.lastname@example.org”). You might also pick up ransomware through fake websites or apps that use familiar logos or the names of trusted organizations like banks or government agencies to trick users into thinking they are legitimate.
- Ransomware can also be transmitted via infected downloads, which are often fake versions of popular programs like Adobe Flash Player or Microsoft Office that have been altered to include the ransomware code.
How to prevent ransomware attacks?
The best way to avoid being trapped by this cybercrime phenomenon is to keep up with good cybersecurity habits:
- Use antivirus software on your devices and desktop computers (and keep it updated so that new threats are recognized). You should enable Windows Defender on your computer(s) as well.
- Store your sensitive data and files in a secure cloud storage service.
- Train employees to avoid clicking on links in emails or opening attachments from unknown sources.
- Encrypt all devices, not just computers – smartphones and tablets should be encrypted as well!
- Consider investing in cyber liability insurance (for those at risk of being targeted by ransomware attacks).
- Routinely check for suspicious events with log monitoring software that alerts companies of unauthorized activity through logs generated by computers’ operating systems and applications.
- Regularly back up data, files, and system configurations.
- Keep backups offline on disconnected media (e.g., external hard drives), if possible, so that a ransomware infection cannot spread from the production network to the backup media.
Ransomware attacks are rising!
In the last few months, we’ve seen a major U.S. oil pipeline shut down due to an attack, and one of the world’s largest meat processing companies had its data taken hostage in a hacking incident in which the attackers demanded a “ransom” to restore access to its internal systems.
In his recent talks with the Russian President, Joe Biden urged Vladimir Putin to take more decisive action against ransomware campaigns to avoid “unnecessary” conflicts.
Cybercriminals usually target large businesses and governments, hoping they’ll pay a ransom to have their files released or to avoid a public relations disaster. But even regular computer users are often targeted for extortion if the opportunity arises.
Ransomware can be very disruptive and costly for victims of all sizes – from individual users whose personal data is stolen and held hostage by hackers demanding payment for its release, to large corporations with thousands or tens of thousands of employees whose networks are crippled when ransomware lands on the corporate network.
What can you do about it?
On September 30, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint report on ransomware prevention.
The report includes a guide along with a checklist to reduce the risk of being hacked and prevent damages if your company becomes infected with malware from an external source.
We believe that the ransomware response checklist is an invaluable addition to organizations’ incident response plans.
With more and more organizations hit by ransomware attacks, crippling their day-to-day operations, cybersecurity has become an absolute priority.
Ransomware Response Checklist
So, let’s take a look at the checklist step-by-step, focusing specifically on the very first things you should do:
- Determine which systems have been impacted and isolate them as quickly as possible.
When multiple systems or subnets appear to be impacted, take the network offline at the switch level. Disconnecting systems individually during an incident usually isn’t as effective as network take-downs at the switch level. When it comes to ransomware, it’s always better to nip the problem in the bud.
If you can’t take the network offline immediately, find any cables that may be plugged into a device to which the malware is spreading and unplug them or remove those devices from Wi-Fi.
If the ransomware has infected just one or two computers, you may be able to disconnect these PCs and deal with them individually. However, keep in mind that time is of the essence, and your response must be swift and precise to mitigate the damage effectively.
Determining how serious a problem is as soon as possible can help you strategize your way to a solution more quickly and efficiently.
It’s also important to recognize that malicious actors may monitor an organization’s activity or communications after their initial compromise to see if they have been detected. Do not let them know that you are aware, and avoid using traditional electronic communication channels that could tip them off to your mitigation actions.
In some cases, organizations use personally-held email accounts or instant messaging services like WhatsApp to communicate if they fear attackers are monitoring corporate communications systems.
Response teams should carefully verify the legitimacy of any out-of-band communications they receive, to confirm that the message really comes from a colleague.
Otherwise, malicious actors who learn of the planned takedown could move laterally to preserve their access before the network is disconnected.
But what can you do if your organization cannot afford to shut down the network?
In such a case, the response guide offers the following advice:
- If you cannot disconnect the affected devices from your network, immediately turn them off instead to prevent the ransomware infection from spreading.
Doing this, however, may also result in losing any potential evidence about the attack that would be helpful to law enforcement.
In addition to collecting identifying information and evidence, law enforcement agencies and CISA will want other relevant data. This includes, but is not limited to, the following:
Relevant Information for Law Enforcement
- Recovered executable file
- Copies of any readme file (Do not remove these as they often assist in decryption)
- Live memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
- Images of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity, additional files found locally)
- Malware samples
- Names of any other malware identified on systems
- Encrypted file samples
- Log files (Windows Event Logs from compromised systems, Firewall logs, etc.)
- Any PowerShell scripts found to have been executed on the systems
- Any user accounts created in Active Directory or machines added to the network during the exploitation
- Email addresses used by the attackers and any associated phishing emails
- A copy of the ransom note itself
- Ransom amount
- Whether or not you’ve paid the ransom
- Bitcoin wallets used by the attackers
- Bitcoin wallets used to pay the ransom (if applicable)
- Copies of any communications with attackers
Although the probability of identifying and catching an attacker is very low, sharing details like those shown above with other companies could help them avoid being the next victim of ransomware.
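To show how the log-related items above (new AD accounts, machines added to the domain, executed PowerShell scripts, RDP activity) could be pulled out of Windows Event Log data for the evidence package, here is an added Python example; it is not code from the CISA/MS-ISAC guide or from this post, and the event records are constructed samples in a simplified dictionary form (a real collector would read the exported Security and PowerShell/Operational logs).

```python
# Added example (not from the CISA/MS-ISAC guide or this post): group Windows
# event records into the evidence categories the response checklist lists.
from collections import defaultdict

# Standard Windows event IDs that map onto the checklist's evidence items.
EVENT_MEANING = {
    4720: "user_accounts_created",      # Security: a user account was created
    4741: "computer_accounts_created",  # Security: a computer account was created
    4104: "powershell_scripts",         # PowerShell/Operational: script block logged
    4624: "rdp_logons",                 # Security: logon; only LogonType 10 (RDP) kept
}

# Constructed sample events in a simplified form, not captured from any real incident.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "FS01", "user": "jdoe", "LogonType": 2},
    {"id": 4624, "host": "FS01", "user": "svc_backup", "LogonType": 10, "src": "10.0.5.17"},
    {"id": 4720, "host": "DC01", "user": "admin", "target": "support_tmp"},
    {"id": 4104, "host": "FS01", "user": "svc_backup",
     "script": "Get-Process | Out-File C:\\Temp\\procs.txt"},
    {"id": 4741, "host": "DC01", "user": "admin", "target": "WKS-NEW$"},
    {"id": 4104, "host": "FS01", "user": "jdoe", "script": "Get-ChildItem C:\\Reports"},
    {"id": 4625, "host": "FS01", "user": "guest"},  # failed logon: not a checklist item
]


def triage_events(events):
    """Return {evidence_category: [events]} for the records worth collecting."""
    evidence = defaultdict(list)
    for ev in events:
        category = EVENT_MEANING.get(ev["id"])
        if category is None:
            continue  # event type not on the checklist
        if ev["id"] == 4624 and ev.get("LogonType") != 10:
            continue  # keep only RemoteInteractive (RDP) logons
        evidence[category].append(ev)
    return dict(evidence)


def hosts_with_evidence(evidence):
    """Hosts that appear in any collected category (candidates for imaging/RAM capture)."""
    return sorted({ev["host"] for records in evidence.values() for ev in records})


if __name__ == "__main__":
    found = triage_events(SAMPLE_EVENTS)
    for category, records in found.items():
        print(f"{category}: {len(records)} record(s)")
    print("hosts to image:", hosts_with_evidence(found))
```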
The guide recommends that victims only attempt to restore critical systems after the first two steps.
- Triage impacted systems for restoration and recovery.
Determine which essential systems need to be restored after the ransomware attack, and determine the nature of the data on those systems.
Prioritize data restoration and recovery based on a predefined critical asset list. Priority should be given to those assets that are needed for health and safety, revenue generation, or other critical services, as well as any systems they depend upon.
Track the systems and devices that are not perceived to be impacted so they can be deprioritized for recovery and restoration. This will enable your organization to get back up to speed more quickly and efficiently.
It’s important to consider the aforementioned steps in order, but additional work can be done in parallel.
- After an initial analysis, consult with your team to determine what took place and document it.
Update this document as you discover more details of the attack, including the type of ransomware, the systems that have been compromised, and the nature of the data stored on affected systems. This document may also include the information relevant for Law Enforcement and any other details regarding the data breach.
- Engage with stakeholders and internal and external teams to get a better perspective on your situation and better mitigate, respond to, and recover from the incident.
The guide provides contact information for CISA, the MS-ISAC, the FBI, and the US Secret Service. These organizations can help provide valuable insights into your situation and help guide you throughout the mitigation and recovery process.
Keep management and senior leaders informed of any updates to the situation as it develops. Relevant stakeholders include IT departments, managed security service providers, cyber insurance companies, and departmental or elected leaders.
The guide also mentions the “Public Power Cyber Incident Response Playbook.” This playbook is targeted at power utilities, but it applies to any organization that needs step-by-step guidance on engaging teams and coordinating messaging.
The complete MS-ISAC Ransomware Guide is much more comprehensive, so we urge all individuals on the front lines of data protection to read it.
Ransomware attacks are on the rise, and it pays to be proactive. We’ve already provided you with a quick checklist for ransomware response along with a more comprehensive guide. Still, you should also have an emergency strategy in place before this type of cyberattack happens to your business.
What does your company do when it’s dealing with an attack? What steps have you taken to protect against these types of threats? Your company does have a cyber incident response plan, right? If not, feel free to contact us, and we’ll help you formulate a comprehensive cybersecurity plan for your business.
At Mpire Solutions, we offer services that can make handling any kind of data breach easier for businesses like yours. Talk to us today about how we can help!