Aftermath Of A Ransomware Attack

Detection, Prevention, Negotiation, And Recovering Your Information Assets Safely

Malicious actors infiltrate information systems and networks having vulnerabilities, lurk in the dark, and attack when these vulnerabilities can be exploited the most. It may cause massive damage to organizational information infrastructure. With incidents like ransomware attacks, organizations must be well-informed about what to do in the aftermath when it fails to prevent an attack by all means.

Ransomware attacks keep making headlines repeatedly, proving that despite implementing all control measures, ransomware is not going to go away and will keep causing massive financial and reputational losses. Ransomware is an evolving malware primarily designed to encrypt existing data on the targeted victim's device, render it inaccessible, and infect other devices on the same network. The attackers hold the data hostage, and they may or may not keep their word of reinstating it even after paying the ransom. Ransomware attacks take advantage of any network, information system, or software vulnerabilities to infect the potential victim's devices. Therefore, ransomware attacks can be detected by continuously monitoring the information system for suspicious activities and scanning these for vulnerabilities.

Ransomware: Understanding The Modus Operandi

The modern cybercrime scene has evolved enormously over the past years. The most commonly reported cybercrime in the year 2020 was phishing. Phishing, again, is the most common delivery method of infections in ransomware attacks. The services industry is the most affected by ransomware attacks, and this pattern has also been apparent in the recent history of such attacks.

Furthermore, the RaaS (Ransomware-as-a-Service) business boom has been evident in one of the most notable ransomware instances of the year. Entities lend their tools and expertise to carry out ransomware attacks. The massive success of these attacks encourages other cyber adversaries to enter the criminal marketplace. The remote work model has increased the enterprise’s attack surface, which acts as green pasture land for such malicious actors. It results in a further increase in ransomware attacks, for threat actors continue to adapt by exploiting organizations' negligence to not provide adequate training and resources to employees working from home.

How Can Enterprises Prevent A Ransomware Attack?

As ransomware attacks are anticipated to be the primary risks in 2021, organizations need to be educated on preventing them at any cost. Prevention is always better than becoming a victim and landing in a situation necessitating recovery. The following controls can help organizations in detecting and preventing a potential ransomware attack on the organizational information infrastructure:

● Performing And Testing Regular Data Backups: The data is what malicious actors use to meet their criminal intentions, data is what organizations should strive to protect! One way to keep information secure is to perform regular and secure data backups to avoid giving malicious actors undue control over any crucial data. Most importantly, do you have a process in place to regularly test the backup that it works?

● Keeping The Information Systems Updated: Keeping the applications, Operating Systems, Servers, networks, etc., up-to-date is one of the most crucial steps to protecting an organization from any cyber threats. Cyber threats and attack landscapes are regularly evolving, and updating the IT systems helps in preventing adversaries from advancing further.

● Employees Awareness, Training, And Education: According to a survey, only 31% of organizations invest in training their employees on cyberattacks and potential threats. Educating employees and stakeholders eliminates threats arising from human factors such as ignorant behavior and negligence. It also builds a culture of security awareness and creates a human firewall to fix the vulnerabilities from within an organization.

How To Recover From A Ransomware Attack?

An organization must be well-informed of the steps to recover from a ransomware attack once it has tightened its grip. Below are a few actions that can help in swift recovery after the attack.

● Identify and isolate infected information systems from the network to prevent the ransomware from communicating laterally to other areas.

● Report the incident to authorities immediately to allow them to act promptly and prevent further ransomware attacks.

● Consult a ransomware expert before moving on with other actions on how to recover rapidly without further downtime.

● Ensure a cyber-incident response strategy in force that has been well-practiced, taking help from the legal and management teams.

● Conduct an impact assessment to identify the attack surface and take appropriate steps.

● Maintain a system recovery strategy that would include getting rid of the infection or conduct a complete wipe of the system.

● Comply with the local cybersecurity regulations to avoid any legal complications for the organization.

How To Negotiate In Case Of A Ransomware Attack?

Malicious actors often demand ransom in exchange for reinstating the encrypted data. Negotiations to pay the malicious actor should be treated as the last resort, and here's how organizations should negotiate with them if there ever arises such a need.

● Engage Without Any Delay: The earlier one engages with the attackers, the more time one gets, which means gaining more insight into the scope of the attack, the authenticity of the attack, and the attackers themselves. It is advised not to reveal too much while engaging with the attackers to avoid any further targeting.

● Verify The Authenticity Of The Ransomware Attack: Before one moves into negotiating with the attacker, it is essential to ascertain whether the attacker has the data with them, as they claim. It would not be much to ask them for a sample of the data to verify the claims and even gain more information from them. This sample will also allow one to understand what data is captive and could even provide information about the attacker.

● Establish Strategies, And Communicate: Once the authenticity of the attack is verified, a technical and collaborative negotiation strategy should be established by the organization. At the same time, a business continuity plan will help navigate the initial actions around business and compliance. A strong communication strategy will help the organization come clean to stakeholders (including regulators), and instill confidence in them.

Final Words

There is no one-time all-powerful tool to defend an organization against ransomware attacks. Organizations must adapt to a defense-in-depth or layered approach to security, in order to protect their valuable information assets at multiple levels to mitigate ransomware attacks. Conducting regular security assessments or audits to find and fix the vulnerabilities from within and outside the organizational network periphery is a good practice to protect it from potential cyber-attacks. Organizations need to secure their information infrastructure by using a combination of secure firewall configuration, antivirus or antimalware solutions, IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) for an active threat-hunting framework. A comprehensive cybersecurity solution or approach can go a long way in protecting organizations from cyber calamities and help them spring back without excessive downtime or loss of assets, in case of an unfortunate event of a ransomware attack.

References

1. Tidy, J. (May 10). Colonial Hack: How Did Cyber-attackers Shut Off The Pipeline? BBC News.
   https://www.bbc.com/news/technology-57063636
2. Cybersecurity And Infrastructure Security Agency. (2021, January 05). Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA).
   https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure
3. Mandia, K. (2020, December 08). FireEye Shares Details Of Recent Cyber Attack, Actions To Protect Community. FireEye.
   https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
4. Sophos. (2021, April). The State Of Ransomware 2021.
   https://secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf
5. Johnson, J. (2021, March 18). Most Commonly Reported Types Of Cyber Crime 2020. Statista.
   https://www.statista.com/statistics/184083/commonly-reported-types-of-cyber-crime/
6. Johnson, J. (2021, February 16). Leading Cause Of Ransomware Infection 2020. Statista.
   https://www.statista.com/statistics/700965/leading-cause-of-ransomware-infection/
7. Brewster, T. (2021, May 14). The Ransomware Group Behind The Colonial Pipeline Hack Says It Is Disbanding. Forbes.
   https://www.forbes.com/sites/thomasbrewster/2021/05/14/the-ransomware-group-behind-the-colonial-pipeline-hack-says-it-is-disbanding/?sh=632632bf7775
8. Lemos, R. (2021, February 25). Ransomware, Phishing Will Remain Primary Risks In 2021. DarkReading.
   https://www.darkreading.com/threat-intelligence/ransomware-phishing-will-remain-primary-risks-in-2021/d/d-id/1340256
9. Chubb. Chubb Cyber Risk Survey 2019 Executive Summary.
   https://www.chubb.com/content/dam/aem-chubb-global/static-pages/online-you-protected-default/pdf/Chubb_Cyber_Survey.pdf

(Cover Image Source - Pixabay.com)