Ransomware Preparedness and Recovery - Before, During and After

According to IDC’s 2021 Ransomware Study, approximately 37% of global organizations said they were victims of a ransomware attack in 2021. Responding to ransomware requires a combination of people-process-technology that includes the vigilance of trained staff, a structured incident response, and up-to-date security products. In this blog post, we will look at some best practices before, during and after a ransomware attack.

Before the attack:

• Backup and restore: The importance of backup and restore can’t be stressed enough. In the Ponemon State of SMB Cybersecurity Report, 73% of companies hit by ransomware that did NOT pay the ransom attributed their decision to have a full backup. Most companies do backups but surprisingly, only a few run regular backup and restore drills.  Restore drills are the only way to know whether your backup plan is working ahead of time. 

• Patching: Most ransomware targets are known vulnerabilities, which are well documented. Therefore, keeping operating systems, security software, applications, and network hardware patched and up to date is the most effective way to minimize the threat of ransomware.

• Employee Security Awareness Training: Ransomware is a people issue, from phishing, social engineering, insider threats to configuration errors that create security gaps. In a recent Webroot study, it was found that 67% of employees received at least one phishing email at work; and 49% of employees admitted they clicked links in messages from unknown senders. By providing interactive and ongoing training programs to your employees, they will have the knowledge to spot phishing emails and avoid risks online, and eventually will become your first layer of protection to reduce the number of security incidents.

During the attack:

• Assess the current situation: When you’re hit by ransomware, the first thing to do is to disconnect the infected machine from the network. Your IT team should determine the scope of the problem using threat intelligence and plan for remediation tasks.  They should investigate the following areas:

  • What type of attack is it? Did it come from a downloaded file, remote access Trojans, or other malware?

  • Which user accounts were compromised? How widespread are the infections?

  • Which devices are affected? Which applications are affected?

• Containment: Containment involves quick decision making and actions that include but are not limited to immediately shutting down a system, disconnecting it from a network or disabling certain functions. Ransomware never happens at a convenient time; it is good practice to build predetermined strategies and containment procedures.

  After containment, further eradication efforts are often required to remove any underlying components and mitigate any identified vulnerabilities exposed during the incident.

• Get systems back online - In the recovery process, any compromised hosts, applications, or networks are returned to normal operations. This may involve actions such as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords.

After the attack:

After the ransomware attack, a debrief meeting to review and document the entire incident, perform a root cause analysis, and identify lessons learned to better respond to future security events and incidents, are extremely helpful and yet often overlooked. Some best practices and recommendations include:

• Provide Security Awareness Training to your employees to strengthen the weakest link in your cybersecurity chain

• Perform periodic risk assessments as reducing the identified risks to an acceptable level is essential in reducing the number of incidents

• Adopt a Zero Trust security model to help prevent unauthorized access to sensitive data

• Invest in security monitoring and automation tools which may help improve detection and response times

• Profile networks and systems to understand the normal behaviours of networks, systems, and applications

• Stress test your incident response plan to increase cyber resilience

Blair Technology Solutions is at the forefront of this security-first digital transformation movement. With over 25 years of experience, Blair can help you identify existing security threats, how to mitigate them and work with you to build a proactive IT security strategy. Contact us to schedule a discovery call!