Building a Threat-Ready Ransomware Response Plan

Across the globe, ransomware continues to be one of the top threats facing modern organisations. This evolving high-risk threat uses malicious software to restrict access to an individual’s or company’s vital information, and then demands some form of payment to lift the restriction.

Ransomware attacks are rapidly growing in popularity as more organisations rely on digital infrastructure to run their networks.

In the early days of ransomware, attacks were largely opportunistic, affecting individual users’ or small businesses’ computers. Today, criminals are setting their sights on larger organisations with more frequent attacks. According to Statista, organisations have been hit with a staggering 236.1 million global ransomware attacks in the first half of 2022.

Consequently, this is leading to bigger losses for organisations, with the damage from an attack costing more than ever before. The ramifications of a successful attack are far more extensive than just the cost of the ransom -  lost productivity, loss of business, reputational damage, inconvenience to customers and potentially the permanent loss of data can all result from a ransomware attack.

To overcome the challenges associated with ransomware attacks, organisations need to ensure they have an end-to-end plan in place to get their services up and running in the quickest time possible to avoid large scale disruption.

A Proactive Response

Ransomware attacks are increasing in sophistication and seriousness. Despite this, research from UpCity has revealed that only 50% of small and medium-sized businesses (SMBs) have a cybersecurity plan in place to combat attacks.

Organisations of all sizes need to take proactive action to protect their businesses from the potential of a devastating attack. There are 5 crucial steps they can take to ensure future business continuity and tackle the risk of ransomware.

1.    Preparation

As ransomware grows in sophistication, organisations need to be prepared for the very real risk of falling victim to a targeted attack.

The malware often enters systems through known vulnerabilities, the best step organisations can take to strengthen defences is to aggressively patch their systems. 

At the same time, they need to ensure they are frequently backing up all documents in a secure location that can’t be affected by an attack, whilst educating users on how to recognise signs of a potential attack.  

2.    Detection

In the unfortunate event of an attack, organisations need to ensure they have the measures in place to quickly identify the threat, and therefore minimise the damage to their network.

Rapid threat detection involves having the right security tools, such as Network Detection and Response (NDR) solutions, in place to identify any suspicious activity and bring this to the attention of an organisation’s security operations centre (SOC).  

3.    Containment

Once the ransomware has already infected one device, there are several measures an organisation can take to contain it locally so the attack doesn’t spread to the rest of its network.

The successful containment of a threat involves disabling network connectivity to stop ransomware from encrypting files on the network. To truly contain the threat, organisations need to consider rebuilding their systems.

There can be latent tools the attackers have put in place that you may not catch if you try to clean the system. By rebuilding, organisations have a much better chance of starting fresh and completely remediating the attack.

4.    Eradication

After a ransomware incident has occurred, and it has been contained, the threat needs to be successfully eradicated from the network.

As with any type of malware, it’s difficult to know if residual files are hidden on the system and able to re-infect devices. Due to this, the most effective way to remove the threat is to replace the compromised devices rather than clean the network.

However, for network locations such as mailboxes or file shares, sometimes it is more relevant to clean those locations, remove the malicious email message from the mailbox, or remove the ransomware instructions from the file share.

5.    Recovery

For recovery, the number one task is restoring from backup. Organisations that have comprehensive, verified backups can quickly bounce back from any ransomware event by simply replacing or cleaning infected systems and recovering from backups.

For a complete ransomware investigation, organisations should complete their recovery phase by doing a full investigation into what specific infection source was used against the system, for example whether the threat originated from a phishing email, or a web-based attack kit etc. 

Fighting Future Threats

No organisation is safe from the imminent threat of ransomware, with attacks on an organisation now being a matter of ‘when’ rather than ‘if’.

An organisation’s success in defending against a ransomware attack relies on their level of preparation and the tools used to monitor their systems. With the right measures in place, they can effectively detect, investigate and neutralise the emerging risks to their networks.

Kev Eley is VP of Sales, UK and Europe at LogRhythm

You Might Also Read: 

Negotiating Ransom: To Pay Or Not?:

 

« Update: British NHS Confirms A Damaging Software Attack
Mercenary Cyber Spies For Hire »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Radware

Radware

Radware is a global leader of application delivery and cyber security solutions for virtual, cloud and software defined data centers.

Illumio

Illumio

Illumio delivers adaptive security for every computing environment, protecting the 80% of data center and cloud traffic missed by the perimeter.

DG Technology

DG Technology

DG Technology is a customer-centric technology expert and business consultant that delivers services and products to minimize your information security, compliance, and business risks.

Managed Security Solutions (MSS)

Managed Security Solutions (MSS)

MSS deliver consultancy services and managed security services for IT departments who may lack the time, resources, or expertise themselves.

ERNW

ERNW

ERNW is an independent IT Security service provider with a focus on consulting and testing in all areas of IT security.

Cybertech

Cybertech

Cybertech Conference & Exhibition presents commercial problem solving strategies and solutions for the global cyber threat that meet the diverse challenges for a wide range of sectors.

GreyCortex

GreyCortex

GreyCortex uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

Clari5

Clari5

Clari5 redefines real-time, cross channel banking Enterprise Fraud Management using a central nervous system approach to fight financial crime.

Maven Technologies

Maven Technologies

Maven Technologies specialize in secure data destruction, electronics recycling, asset management, and highly detailed reporting.

Infosec Train

Infosec Train

Infosec Train provide professional training, certifications & professional services related to all spheres of Information Technology and Cyber Security.

Rule4

Rule4

Rule4 is a global professional services firm that provides practical, real-world knowledge and solutions in areas including cybersecurity, AI, Machine Learning and industrial control systems.

Electric Power Research Institute (EPRI)

Electric Power Research Institute (EPRI)

The Electric Power Research Institute’s Cyber Security Research Laboratory (CSRL) addresses the security issues of critical functions of electric utilities.

Focal Point

Focal Point

We aspire to be the focal point for Medium and Small size companies providing 24/7 cyber security advice, services and solutions.

QuantiCor Security

QuantiCor Security

QuantiCor Security is one of the world’s leading developers and manufacturers of quantum computer resistant security solutions for IT infrastructures and the Internet of Things (IoT).

Navisite

Navisite

Navisite is a combination of eight respected IT consulting and managed service providers that were brought together under the Navisite brand.

The Hacking Games

The Hacking Games

The Hacking Games' Mission is to inspire, educate and mobilise a generation of ethical hackers to make the world a safer place.