Ransomware Attacks: How to Prepare, Prevent, and Respond

Ransomware attacks are increasing in volume and complexity and are mutating in the scope of the attacks. Recently we have seen many highly publicized and disruptive attacks against corporations and government entities. In our work responding to these types of incidents, we have found a direct correlation between the time it takes to respond to a Ransomware attack and the cost associated with recovering from one. Are you prepared to respond quickly to one of these attacks?

Ransomware is an immediate threat to the continued operation of an organizational entity through the actions of a bad actor to seize and encrypt a company’s data, rendering the data unusable by the company until a ransom has been paid or another action has been performed as demanded by the perpetrator. The Department of Homeland Security (DHS) has issued a warning about the increasing frequency of these attacks and a more diverse group of targets ranging from individuals to small businesses to large organizations and government entities.  

Ransomware Attacks typically occur in two forms:

1. The bad actor has demanded a ransom in return for decrypting or returning your data.
2. The bad actor has demanded a ransom in return for not releasing your confidential data to the public.

Ransomware exploits the path of least resistance and relies on taking advantage of individuals within an organization to perform certain actions like clicking on a link, opening up an email attachment, or adding a rogue program. Or through an exposure resulting from maintenance actions like patching or upgrades not being performed.   

While some organizations have robust Incident Response programs that address Ransomware and are better prepared to recover and sustain business operations, many companies do not. A documented and thorough Incident Response program covering Ransomware helps organizations respond and rebound quickly from these events. In fact, many organizations we see are preparing specific plans which focus exclusively on ransomware response.

A well-documented plan should cover how to prepare for, prevent, respond to and recover from these events. A comprehensive plan can also serve as the foundation for building Business Continuity and Disaster Recovery programs (BCDR). Organizations should focus on having a program in place and vendors selected with contracts in place before a ransomware event occurs.

Some common defenses to prevent or mitigate Ransomware incidents include:

1. Mitigate social engineering. Develop social engineering awareness. 
2. Patch software or operating systems frequently.
3. Harden system configurations and security settings. 
4. Use Multi-Factor Authentication and strong passwords for any internet-facing authentication. 
5. Recognize rogue URLs by naming structure or spelling errors.
6. Use least permissive permissions. Systems should be configured to “Deny ALL or Protect ALL”.
7. Implement Anti-Phishing Measures (e.g., spam filters).
8. Get Cyber Security Insurance (Note what is being covered) 
9. Test backups and data restoration processes before you actually need them.
10. Implement good endpoint protection (AV Software).
11. Implement Data Loss Prevention Controls.
12. Implement Whitelisting of programs vs. Blacklisting.
13. Perform an annual risk assessment, or more frequently, depending on change in environment or actual incident occurrence.  

The best protection against Ransomware is preventing it from occurring in the first place by utilizing the incident prevention measures covered above. If you become the victim of a successful Ransomware attack, the options are more limited and require some difficult decisions but can succeed. CompliancePoint is frequently involved in helping our customers respond to Ransomware incidents, and we have staff standing by. If you have questions or need assistance, please email us at connect@compliancepoint.com