Building a Threat-Ready Ransomware Response Plan

Across the globe, ransomware continues to be one of the top threats facing modern organisations. This evolving high-risk threat uses malicious software to restrict access to an individual’s or company’s vital information, and then demands some form of payment to lift the restriction.

Ransomware attacks are rapidly growing in popularity as more organisations rely on digital infrastructure to run their networks.

In the early days of ransomware, attacks were largely opportunistic, affecting individual users’ or small businesses’ computers. Today, criminals are setting their sights on larger organisations with more frequent attacks. According to Statista, organisations have been hit with a staggering 236.1 million global ransomware attacks in the first half of 2022.

Consequently, this is leading to bigger losses for organisations, with the damage from an attack costing more than ever before. The ramifications of a successful attack are far more extensive than just the cost of the ransom -  lost productivity, loss of business, reputational damage, inconvenience to customers and potentially the permanent loss of data can all result from a ransomware attack.

To overcome the challenges associated with ransomware attacks, organisations need to ensure they have an end-to-end plan in place to get their services up and running in the quickest time possible to avoid large scale disruption.

A Proactive Response

Ransomware attacks are increasing in sophistication and seriousness. Despite this, research from UpCity has revealed that only 50% of small and medium-sized businesses (SMBs) have a cybersecurity plan in place to combat attacks.

Organisations of all sizes need to take proactive action to protect their businesses from the potential of a devastating attack. There are 5 crucial steps they can take to ensure future business continuity and tackle the risk of ransomware.

1.    Preparation

As ransomware grows in sophistication, organisations need to be prepared for the very real risk of falling victim to a targeted attack.

The malware often enters systems through known vulnerabilities, the best step organisations can take to strengthen defences is to aggressively patch their systems. 

At the same time, they need to ensure they are frequently backing up all documents in a secure location that can’t be affected by an attack, whilst educating users on how to recognise signs of a potential attack.  

2.    Detection

In the unfortunate event of an attack, organisations need to ensure they have the measures in place to quickly identify the threat, and therefore minimise the damage to their network.

Rapid threat detection involves having the right security tools, such as Network Detection and Response (NDR) solutions, in place to identify any suspicious activity and bring this to the attention of an organisation’s security operations centre (SOC).  

3.    Containment

Once the ransomware has already infected one device, there are several measures an organisation can take to contain it locally so the attack doesn’t spread to the rest of its network.

The successful containment of a threat involves disabling network connectivity to stop ransomware from encrypting files on the network. To truly contain the threat, organisations need to consider rebuilding their systems.

There can be latent tools the attackers have put in place that you may not catch if you try to clean the system. By rebuilding, organisations have a much better chance of starting fresh and completely remediating the attack.

4.    Eradication

After a ransomware incident has occurred, and it has been contained, the threat needs to be successfully eradicated from the network.

As with any type of malware, it’s difficult to know if residual files are hidden on the system and able to re-infect devices. Due to this, the most effective way to remove the threat is to replace the compromised devices rather than clean the network.

However, for network locations such as mailboxes or file shares, sometimes it is more relevant to clean those locations, remove the malicious email message from the mailbox, or remove the ransomware instructions from the file share.

5.    Recovery

For recovery, the number one task is restoring from backup. Organisations that have comprehensive, verified backups can quickly bounce back from any ransomware event by simply replacing or cleaning infected systems and recovering from backups.

For a complete ransomware investigation, organisations should complete their recovery phase by doing a full investigation into what specific infection source was used against the system, for example whether the threat originated from a phishing email, or a web-based attack kit etc. 

Fighting Future Threats

No organisation is safe from the imminent threat of ransomware, with attacks on an organisation now being a matter of ‘when’ rather than ‘if’.

An organisation’s success in defending against a ransomware attack relies on their level of preparation and the tools used to monitor their systems. With the right measures in place, they can effectively detect, investigate and neutralise the emerging risks to their networks.

Kev Eley is VP of Sales, UK and Europe at LogRhythm

You Might Also Read: 

Negotiating Ransom: To Pay Or Not?:

 

« Update: British NHS Confirms A Damaging Software Attack
Mercenary Cyber Spies For Hire »

Quartz Conference
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Information Technology Association of Canada (ITAC)

Information Technology Association of Canada (ITAC)

ITAC is the voice of the Canadian ICT industry and are dedicated to making Canada a world class, cutting-edge digital society.

Defence IQ

Defence IQ

Defence IQ is an authoritative news source for commentary and analysis on global defence and military-related topics including cyber security.

Copper Horse Solutions

Copper Horse Solutions

Copper Horse specialises in mobile and IoT security, engineering solutions throughout the product lifecycle from requirements to product security investigations.

Zerocopter

Zerocopter

Zerocopter enables you to confidently leverage the skills of the world's most knowledgable ethical hackers to secure your applications.

Cyber Craft

Cyber Craft

CyberCraft is an innovative and dynamic software development, outsourcing and consulting company. Services offered include penetration testing.

Linksoft Integrated Services

Linksoft Integrated Services

Linksoft provides consulting and customized solutions and services to help our clients make informed decisions for their Cyber Security and Managed Services needs.

Greenetics Solutions

Greenetics Solutions

Greenetics Solutions is a company focused on providing solutions for information security.

Matrix42

Matrix42

Matrix42 software for digital workspace experience manages devices, applications, processes and services simple, secure and compliant.

OutThink

OutThink

OutThink is a web-based platform (SaaS) that has been developed specifically to identify and reduce risky workforce behaviours and build a risk aware culture.

Forum of Incident Response & Security Teams (FIRST)

Forum of Incident Response & Security Teams (FIRST)

FIRST is the global Forum of Incident Response and Security Teams.

CyberASAP

CyberASAP

CyberASAP provides expertise, knowledge and support to convert academic ideas into commercial products in the cyber security space.

Infosec Cloud

Infosec Cloud

Infosec Cloud is a specialist Cyber Security company offering fully managed Training & Testing Services in addition to market leading Cyber Security technology and accredited professional services.

BOXX Insurance

BOXX Insurance

BOXX Insurance Inc. is a new type of insurance company for a new type of risk. Cyberboxx is the first fully-integrated cybersecurity and insurance solution for small-to-medium-sized businesses.

Sevco Security

Sevco Security

Sevco Delivers Real-time Asset Intelligence to Identify and Close Unknown Security Gaps.

LBMC

LBMC

LBMC is a professional services solutions provider in accounting and finance, human resources, technology, risk and information security, and wealth advisory services.

BaXian Group

BaXian Group

BaXian AG is an international consulting company specializing in IT security, data analytics, risk management and compliance.