For the uninitiated, ransomware is an online cyber threat built on extortion. As the name suggests, malicious online actors demand a ransom to release their hold on data they have taken from businesses or companies. It is one of the most damaging and most prevalent cybersecurity threats today.
Contrary to popular belief, ransomware attacks aren’t exclusive to big corporations. No industry or business scale is immune to these kinds of activities. SEC cybersecurity needs to be taken seriously to avoid damage to finance and assets.
Over the years, criminals have become more demanding. Every year, their ransom requests have grown larger, with some demands reaching eight figures.
6-Step Ransomware Response Plan
As with most cybersecurity threats, the sooner the attack is discovered, the less damage a company incurs. Every second counts, because uninterrupted time is the attacker's greatest ally. Every minute that passes means more data and files can be encrypted and more devices infected, which ultimately drives more damage.
To truly protect your business, it is vital to understand SEC cybersecurity disclosure requirements and SEC cybersecurity disclosure rules. Different rules and regulations apply to different geographic areas.
More than making sense of the regulations, preparing a ransomware response plan is your company’s best bet for limiting the damage of a successful ransomware attack. When it comes to attack protocols, there is no one size fits all. Every business is different. Nevertheless, there are best practices that you would be wise to follow.
Below are six steps that you can take whenever your business or company is hit by ransomware to help you and your security teams contain and mitigate the threat:
1. Disconnect the Network
First things first, check for infected computers and instantly isolate them from any network they are connected to. Do not unplug storage devices if they have already been encrypted. Likewise, avoid erasing anything or cleaning up files, as that might worsen the situation. Disabling the network is the best option: it prevents the spread of the attack and does not require a physical visit to every affected device. Check the properties of encrypted files to identify the computer that was infected first, usually called “patient zero”.
2. Identify the Scope of the Attack
The next step is to measure the scope of the attack that has taken place. Review how many of your files are compromised and make sure that “patient zero” no longer has any access to network or cloud storage, external hard drives, or USB devices. You can easily create a list of which files are encrypted and which are not.
Keep in mind that ransomware can penetrate other computers on your network even if they have not been directly shared. If “patient zero” is connected to a shared folder, network or drive, ransomware can easily replicate and install itself on other machines.
It is important to monitor the shared network very closely after you take the infected host offline in case there are other infected hosts. In this way, you will be able to prevent the continuation of the encryption process.
3. Verify if Credentials were Stolen
Determine whether your data or login credentials have been compromised and identify how much of the data was encrypted. You can check your logs and data leakage prevention (DLP) software to find out what data were stolen. Look for large unauthorized archives (e.g., .zip, .arc) containing your data that might have been used as staging files.
Moreover, thoroughly check system records along with any malware and scripts to determine whether the data were copied. Most ransomware infections display a notification if data have been successfully copied.
Keep a list, or use a monitoring tool, to record copied or encrypted data so that you can check each item again once it is recovered.
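The triage work in steps 1 to 3 (finding encrypted files, ordering them by modification time to point toward patient zero, and spotting large archives that may be staging files) can be started with a short script. This is an added example, not code from the original post: it flags files by byte entropy, which also catches files whose extension was left unchanged, and it assumes a 7.5 bits-per-byte threshold and a 1 MiB archive cut-off, both of which are tuning choices rather than fixed rules.

```python
"""Added triage helper for steps 1-3: flag encrypted-looking files by byte entropy, order them
by modification time to hint at where encryption began, and flag large archives as staging."""
import math, os, tempfile, time
from collections import Counter

ENTROPY_THRESHOLD = 7.5          # bits per byte; encrypted or random data sits close to 8
ARCHIVE_EXTS = {".zip", ".7z", ".rar", ".arc", ".tar", ".gz"}
STAGING_MIN_BYTES = 1024 * 1024  # assumed cut-off for a "large" archive worth a second look

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text is typically 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str, sample_bytes: int = 65536) -> dict:
    encrypted, staging = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if os.path.splitext(name)[1].lower() in ARCHIVE_EXTS:
                # Archives are compressed, so high entropy is normal; judge them by size instead.
                if st.st_size >= STAGING_MIN_BYTES:
                    staging.append((path, st.st_size))
                continue
            with open(path, "rb") as f:
                head = f.read(sample_bytes)  # a prefix is enough to separate text from ciphertext
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                encrypted.append((st.st_mtime, path))
    encrypted.sort()  # earliest modification time first: the starting point for finding patient zero
    return {"encrypted": [p for _, p in encrypted],
            "first_encrypted": encrypted[0][1] if encrypted else None,
            "staging": staging}

def build_sample_share() -> str:
    """Constructed sample share (not real incident data): one plain file, two encrypted, one big zip."""
    root, now = tempfile.mkdtemp(prefix="share_"), time.time()
    samples = [("budget.xlsx", b"quarterly figures, plain text placeholder\n" * 200, now - 3600),
               ("report.docx.locked", os.urandom(4096), now - 1800),  # touched earliest
               ("notes.txt.locked", os.urandom(4096), now - 600),
               ("staging.zip", os.urandom(2 * STAGING_MIN_BYTES), now - 900)]
    for name, data, mtime in samples:
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return root
```

Compressed media (images, video, office documents that are zip containers) also score high on entropy, so treat the output as a worklist to verify against file owners and event logs, not as proof of encryption.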
4. Identify the Ransomware Version
There are many different ransomware strains out there. Knowing your opponent is a critical step in creating an effective response plan.
Each ransomware version has a typical pattern of encryption. Once you have identified which version penetrated your network, it will be easier to take action. Some strains are costlier to recover from than others, and some exfiltrate data while others don’t.
You can consult a security professional for help, or spend some time going through system files to identify the ransomware version.
5. Consider and Evaluate Options
Once the ransomware has been contained and its root cause has been identified, there are several options to consider when beginning the recovery phase. Let’s take a look at them:
a.) Patch Vulnerabilities
If the ransomware attack was made possible by vulnerable systems, those need to be patched to avoid re-exploitation in the future. If patching is not possible, put compensating controls in place and make sure the exposure to risk is reduced.
b.) Restoring from a Recent Backup
This option requires an existing backup process for the affected data. Backups should be analyzed regularly to ensure they are complete.
It is vital to verify the state of the backups at the time recovery is needed. In incidents where attackers have been in the network for some time and the backup files are also encrypted, this might not be a viable option.
c.) Third-Party Decryptor
Some older ransomware strains have a decryptor available online that you can easily download. Despite the advantage, make sure to verify that it comes from a reputable source. It is always a wise choice to check with a professional before using anything.
6. Beware of Future Attacks
Protecting your business or company from attacks requires sustained effort and a defense strategy. It is also important to learn and understand the SEC cybersecurity disclosure guidance and the SEC cybersecurity disclosure rules.
Tackling any cybersecurity measure can be daunting, especially if you intend to do it on your own. Partnering with cybersecurity experts can ease the burden of ensuring your company’s data is protected from malicious threats.
If you are in the market for supplementary cybersecurity tools, we at SecureBrain offer a wide array of security solutions that fit every need. Reach out to us today to learn more about what we have to offer.