(November 2020) When it comes to ransomware attacks, Benjamin Franklin’s old adage that an ounce of prevention is worth a pound of cure is remarkably precise. According to a Ponemon Institute study, ransomware preventive measures cost an average of $125 per employee per year. In contrast, the cost of recovery after a ransomware attack can be 16 times that amount or more per employee.
Although preventive measures are critical for enhancing network defenses and reducing exposure to ransomware, the unfortunate reality is that highly sophisticated and extremely persistent attacks can occasionally slip past baseline safeguards. With ransomware campaigns up seven-fold in 2020, organizations must take steps to ensure they can remain operational in the event of such an attack.
A detailed incident response plan is essential for providing guidance once an attack is in progress. The plan should outline the processes and procedures your team will follow to detect, investigate, mitigate, and recover from an attack. Such a plan ensures you can act quickly and decisively to minimize the attack’s impact.
The Cybersecurity and Infrastructure Security Agency (CISA) and other industry analysts say a robust incident response plan should include these steps:
Be Prepared
· Perform frequent backups and verify they are working properly to ensure data and applications can be reliably accessed in the event of an attack that encrypts your files. Make sure at least one copy of your backup is isolated or immutable so that it can’t be compromised. This can be done with an “air-gapped” environment, cloud backups, or by physically storing backup data offline.
· Keep an updated inventory of the hardware and software assets connected to your network. Prioritize systems and resources to facilitate restoration processes.
· Create an incident response team. This should include technical specialists who can collect and analyze evidence, determine the root cause and implement recovery processes, as well as operational specialists who can document all aspects of the investigation and communicate with the rest of the organization.
Identify and Isolate
· Early detection is critical. Once a computer or another endpoint is infected, ransomware can propagate itself throughout the network very quickly. Unusual CPU, file system, and disk activity are common signs of an attack, indicating that ransomware is accessing, encrypting, or relocating files. Intrusion detection and prevention systems can identify and record suspicious activity.
· Disable Internet connections in the early stages of an attack. This can help prevent ransomware from establishing a connection with command and control (C&C) servers and potentially mitigate further damage.
· Isolate infected computers or endpoints as soon as possible to protect networked and shared resources. Change all network passwords and online account passwords as soon as possible. Work with a forensics expert to learn as much as possible about the source of the infection before wiping and reimaging the machine.
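As an added example (not code from the article or from Mainstream Technologies), here is the kind of file-system activity check the detection step above describes: a small Python script that reads constructed audit-log lines and flags any process that modifies many distinct files within a short window, reporting the extension its renames converge on. The log format, the 10-second window and the 5-file threshold are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-system audit log (sample data, not from the article).
# Format: ISO timestamp | pid | process image | action | path
SAMPLE_LOG = """\
2020-11-02T09:00:01|4410|winword.exe|WRITE|C:\\Users\\ann\\report.docx
2020-11-02T09:00:03|4410|winword.exe|WRITE|C:\\Users\\ann\\report.docx
2020-11-02T09:00:10|7821|update.exe|WRITE|C:\\Users\\ann\\budget.xlsx
2020-11-02T09:00:10|7821|update.exe|RENAME|C:\\Users\\ann\\budget.xlsx.locked
2020-11-02T09:00:11|7821|update.exe|WRITE|C:\\Users\\ann\\photo1.jpg
2020-11-02T09:00:11|7821|update.exe|RENAME|C:\\Users\\ann\\photo1.jpg.locked
2020-11-02T09:00:11|7821|update.exe|WRITE|C:\\Users\\ann\\notes.txt
2020-11-02T09:00:11|7821|update.exe|RENAME|C:\\Users\\ann\\notes.txt.locked
2020-11-02T09:00:12|7821|update.exe|WRITE|C:\\Users\\ann\\plan.pptx
2020-11-02T09:00:12|7821|update.exe|RENAME|C:\\Users\\ann\\plan.pptx.locked
2020-11-02T09:00:30|5120|explorer.exe|RENAME|C:\\Users\\ann\\old.txt
"""

WINDOW = timedelta(seconds=10)   # assumed sliding-window length
THRESHOLD = 5                    # assumed distinct-file count that triggers an alert

def parse(log):
    for line in log.splitlines():
        ts, pid, image, action, path = line.split("|", 4)
        yield datetime.fromisoformat(ts), int(pid), image, action, path

def find_mass_modifiers(log, window=WINDOW, threshold=THRESHOLD):
    """Return {pid: alert} for processes that touch >= threshold distinct
    files within any window-long interval (first crossing is recorded)."""
    recent = defaultdict(deque)      # pid -> deque of (timestamp, path)
    suffixes = defaultdict(Counter)  # pid -> count of new extensions after RENAME
    alerts = {}
    for ts, pid, image, action, path in parse(log):
        if action not in ("WRITE", "RENAME"):
            continue
        if action == "RENAME":
            suffixes[pid][path.rsplit(".", 1)[-1].lower()] += 1
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        touched = {p for _, p in q}
        if len(touched) >= threshold and pid not in alerts:
            ext = suffixes[pid].most_common(1)[0][0] if suffixes[pid] else ""
            alerts[pid] = {"image": image, "files": len(touched),
                           "top_new_ext": ext, "at": ts.isoformat()}
    return alerts
```

A real deployment would feed this from the endpoint's audit or EDR telemetry and tune the window and threshold against normal activity for backup agents and indexers, which legitimately touch many files.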
Investigate and Eradicate
· Conduct a memory dump that saves all contents of system memory. This can help you create a full record of any malicious processes that are running. The memory dump may also contain key material that was used to encrypt the files.
· Quarantine the malware so that forensics experts can analyze it and identify which strain of ransomware was used.
· You may be able to remove ransomware with antivirus and endpoint detection and response (EDR) software. However, sometimes this process will only remove pieces of the malware. If newer, more sophisticated malware was used, the better approach may be to rebuild or reimage the compromised system and restore data from a known good backup.
Ransomware attacks are on the rise as cybercriminals seek to exploit anxiety about the ongoing pandemic. Mainstream Technologies can help you protect your company and your users with our Managed Services and Managed Cybersecurity offerings. Call us to learn more about how we can help support and enhance the cybersecurity posture of your business and workforce.
Jeff Pracht
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile