Over the last few years, news headlines have been rife with announcements of ransomware attacks. While not new, ransomware has become the dark specter hovering over security teams as the rise of Ransomware-as-a-Service (RaaS) makes deploying attacks easier. In addition, cybercriminals launching these attacks no longer simply encrypt data; they now engage in double-extortion attacks where they steal sensitive information and hold it hostage.
According to the 5,600 IT professionals interviewed in The State of Ransomware Report 2022:
- 90% replied that a ransomware attack impacted their ability to operate
- 86% replied that a ransomware attack caused loss of business/revenue
- 72% replied that they put faith in approaches that don’t prevent an attack
With the increased number and severity of ransomware attacks, companies should put processes in place for how to respond in the event of a successful ransomware attack.
How does ransomware work?
Today, most organizations have robust business continuity and disaster recovery programs that include regular data backups. These backup practices mitigated the impact of encryption-only ransomware attacks. In response, cybercriminals incorporated additional steps into their attacks so they could ensure persistence and steal data.
Ransomware, like most malware, starts by compromising a network-connected device. Often, cybercriminals start with a phishing attack, hoping that someone will click a malicious link or download a malicious file.
Most ransomware attacks follow a similar pattern:
- A network-connected device is infected with the malware
- That device spreads the ransomware to other devices connected to the same network
- Malware creates a point of entry called a “backdoor”
- Attackers steal credentials with privileged access
- Attackers use those credentials to gain access to additional resources so they can steal sensitive data
- Attackers download the data
What do you do in the event of a ransomware attack?
Cybercriminals continue to evolve ransomware, with one article noting that 34 different ransomware variants were detected between October and December 2021. To protect themselves, organizations need an incident response plan that incorporates ransomware attacks. Understanding the best practices can help assign the right people to the right roles.
Before doing anything else, organizations need to investigate the attack quickly so that they can determine what systems were impacted. The faster they investigate the attack, the less damage the ransomware can do.
Isolate affected systems
To prevent the attack from spreading, organizations need to power down the affected system or disable the system’s network connectivity. This prevents the ransomware from spreading to additional devices since malware uses networks to propagate the infection.
Employees need to know the ransomware attack has occurred. If a phishing attack was involved, cybercriminals will send the same message to as many employees as possible. By contacting employees, the organization can limit the number of devices the cybercriminals are able to compromise.
Cybercriminals will try to target backups because organizations can limit a ransomware attack’s impact if they can rapidly restore their systems using a recent image.
Turn off automated maintenance
Digital forensics is part of tracing the attack and documenting the recovery process. Turning off automated maintenance helps protect important information that may be needed during the investigation and after the organization recovers from the incident.
For example, many companies automate their log rotation, but the log data records all the activity within the system, and rotation can overwrite or delete exactly the entries an investigation needs.
Backup the affected systems
While it might seem counterintuitive to back up a system infected with malware, this is another important step, as long as the backup has no network connectivity.
Organizations need to back up these systems for two reasons:
- Mitigate data loss that can happen during the decryption process
- Ensure forensic data integrity
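The two steps above, stopping log rotation and keeping an integrity-checked copy of the affected system's data, can be combined in a small evidence-preservation routine. The following is an added example, not code from the original post or from Alert Logic: it copies log files into an evidence directory, writes a SHA-256 manifest, and later reports any copy that is missing or has changed. The log lines and paths are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample log lines standing in for a host's /var/log during an incident
SAMPLE_LOGS = {
    "auth.log": "Mar 03 02:14:07 web01 sshd[4412]: Accepted password for svc_backup from 10.0.8.23\n",
    "syslog": "Mar 03 02:15:40 web01 cron[519]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)\n",
}

def sha256_file(path: Path) -> str:
    # Whole-file read is fine for log-sized evidence; stream in chunks for disk images.
    return hashlib.sha256(path.read_bytes()).hexdigest()

def preserve_evidence(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest and record a SHA-256 manifest."""
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps timestamps, useful for the timeline
        manifest[str(rel)] = sha256_file(target)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def verify_evidence(dest: Path) -> list:
    """Return paths whose copies are missing or no longer match the manifest."""
    manifest = json.loads((dest / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).exists() or sha256_file(dest / rel) != digest]

def demo() -> tuple:
    """Constructed scenario: preserve logs, verify, then detect a later modification."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "var_log", Path(tmp) / "evidence"
        src.mkdir()
        for name, text in SAMPLE_LOGS.items():
            (src / name).write_text(text)
        manifest = preserve_evidence(src, dest)
        clean = verify_evidence(dest)
        # Simulate the copy being truncated, e.g. by a rotation job that was not stopped
        (dest / "syslog").write_text("")
        return sorted(manifest), clean, verify_evidence(dest)
```

In a real response the evidence directory would sit on offline media, with the manifest stored separately so that a later verification can show the copies were not altered.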
Investigate the ransomware variant
Cybercriminals use different ransomware variants. By investigating the ransomware variant, organizations can more rapidly recover from the attack.
Identify the ransomware variant
In some cases, an organization may be able to use a tool that helps identify the variant or cybercriminal by uploading the ransom note, sharing a sample file, or providing attacker contact information.
Quarantine the malware
While it might be tempting to remove, delete, reformat, or reimage impacted systems, this can compromise the integrity of digital forensic data. Quarantining the malware ensures that a ransomware specialist can properly collect and maintain forensic data’s integrity if the organization needs to provide it to law enforcement or in court.
Organizations need to find the initial point of entry, the user or device infected first. This is fundamental to complete recovery and important for addressing vulnerabilities that led to the attack.
Newer ransomware variants use credentials in two ways. First, they use them during the attack’s lateral movement phase so that they can gain persistence within the system. Second, cybercriminals may steal credentials and hold them hostage until the organization pays the ransom.
Contact law enforcement
Organizations need to contact law enforcement as part of their compliance programs. Additionally, attackers are engaging in illegal behavior when they deploy ransomware attacks. Organizations should have processes for contacting law enforcement that meet regulation-mandated timeframes.
Modern ransomware attacks include data theft, which means they also constitute a data breach. If the attack compromised sensitive information covered by a privacy law, the organization needs to notify all potentially impacted customers within the required time frame.
Ransomware Response and Prevention with Alert Logic
Even organizations with the most robust security programs can fall victim to ransomware. The increased sophistication and severity of ransomware attacks means that organizations need to have a holistic approach to security that includes protection both pre- and post-breach.
Alert Logic’s Managed Detection and Response (MDR) solution gives customers the visibility needed to detect and respond to threats, coupled with the experienced professionals to ensure timely incident response. Our team of security experts works with customers to gain an intimate understanding of their business and security needs, providing them the tools, knowledge, and expertise to establish an effective risk mitigation strategy.
With our Security Operations Center (SOC) as a service, customers gain access to on-demand experts. With an assigned SOC analyst, customers have someone who gets in the “trenches” with them to help respond to incidents so they can reduce the time it takes to investigate, contain, remediate, and respond to a ransomware attack.