How to be Ransomware Ready in Four Steps
2021 was a breakthrough year for ransomware, with growth of 105% and more than 623.3 million attacks, according to SonicWall’s 2022 Cyber Threat Report. Additional research by Sophos showed that ransom payments increased to an average of $812,360 in 2021, while the average cost to remediate an attack was $1.4 million. Nearly all (90%) of the organizations affected by a ransomware attack said it impaired their ability to operate, and 86% of victims reported a loss of business or revenue.
With attacks coming from both experienced attackers and script kiddies hitting random targets, preparation and response will become increasingly important – and complicated – as ransomware tactics continue to evolve rapidly. Historically, ransomware primarily encrypted data; double-ransomware attacks both encrypt the data and steal it by exfiltrating a copy. Cyber criminals use this copy as a second way to extort money from victims or to increase the pressure to pay the ransom.
Unfortunately, even organizations that paid the ransom can still see their data publicly leaked. Triple-ransom attacks also occur; in this scenario, the attackers demand payment not only from the original victim but also from anyone who might be affected by the leak, such as partners, patients, and customers.
To be prepared for this type of ransomware attack, we need to be prepared for every aspect of it. Here are four key steps companies can take before a ransomware attack occurs:
1. Collect and store relevant forensic data
Forensic data is essential for investigating a cyberattack, which is why it is essential for responding to both aspects of a dual ransomware attack:
● Data recovery – Forensic data allows you to understand how the attacker gained access and what malicious activities they performed. This is crucial so that you can secure the system before restoring your data.
● Data theft/leak – Forensic data helps you understand what data was (or was not) leaked. Attackers sometimes claim to have data they do not have, and investigation can prove it. Even if the attackers do hold sensitive data, knowing exactly what they have and how they obtained it informs ransom negotiations, legal notifications, and the identification and implementation of other compensating controls, and can help your organization weather the crisis.
To investigate and respond to ransomware incidents, you need to collect and store relevant forensic data. Start with an analysis that identifies the digital assets whose compromise would have a significant negative impact on your business. Next, find the pathways and digital assets that an attacker is likely to compromise on the way to those assets. You can validate this by simulating a critical incident and using your analysis to verify that you are collecting the right data.
2. Test and maintain data recovery and incident response plans
Tested backups combined with an efficient, rehearsed recovery plan completely negate the first aspect of ransomware (data encryption), making it easier to recover lost data and allowing you to focus on the second aspect (potential data leaks). Sometimes this focus allows you to avoid a ransomware payment entirely or to reduce it significantly.
An Incident Response Plan (IRP) establishes the tools you can use and the processes you can follow if a ransomware attack occurs. Many organizations do not regularly review their response plan to ensure it aligns with their business, compliance, and regulatory requirements. Testing and maintaining an IRP will help you prepare for some of the most stressful aspects of ransomware, such as:
● How will you negotiate with an attacker? Do you need an experienced ransomware negotiator?
● How do you pay a ransom? Do you have the funds? Do you know how to complete the payment (often required in Bitcoin)?
● Which external stakeholders need to be involved in decision-making? Common stakeholders in ransomware attacks include ransomware negotiators, internal and external legal and communications teams, regulatory compliance agencies, and cyber insurance providers.
3. Conduct preparedness drills and functional drills
It’s important to make sure your on-call activities actually work. You have to run drills and exercises that test the overall response, the investigative phase, the recovery process, and so on. To do this, have both your technical and senior stakeholders take part in preparedness drills and functional drills. When these teams are well trained and practiced in running through attack scenarios, a real ransomware attack is less stressful and decisions can be made calmly and with better information. This, in turn, will help you get back to business as usual faster.
Remember that attack groups, technologies, teams and requirements are constantly changing. Regular drills will help ensure your organization is prepared for ransomware and other cyberattacks, regardless of these changes.
4. Conduct proactive threat hunts
The previous steps all increase your ransomware preparedness, but threat hunts can help you avoid a ransomware attack entirely by identifying it before the payload is triggered. Proactive threat hunting finds initial access or dormant threats before the actual encryption takes place. Hunts also exercise the forensic data collection and response processes described above, providing another level of readiness. Regularly conduct hunts based on new ransomware tactics and technologies, then update your hypotheses. This also helps you adapt to changing threats and to changes in your own environment.
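As an added illustration of a hypothesis-driven hunt (example code, not from the original article), the script below checks two ransomware hypotheses against constructed endpoint and network telemetry: a single process writing an unusual number of files in a short window (the encryption stage) and a host pushing a large volume of data to one external destination (the exfiltration that precedes a double-extortion demand). The hostnames, addresses, event format and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data).
# File events: (timestamp, host, process, path written)
FILE_EVENTS = (
    # benign office activity: a few edits spread over 50 minutes
    [(f"2024-03-01T09:{m:02d}:00", "fs01", "WINWORD.EXE",
      f"D:\\share\\report{m}.docx") for m in range(0, 50, 10)]
    # suspicious: one process writing 30 renamed files inside one minute
    + [(f"2024-03-01T02:15:{s:02d}", "fs01", "update.exe",
        f"D:\\share\\doc{s}.docx.locked") for s in range(30)]
)
# Flow records: (timestamp, host, destination, bytes out)
NET_FLOWS = [
    ("2024-03-01T01:40:00", "fs01", "203.0.113.50", 4_800_000_000),  # ~4.8 GB
    ("2024-03-01T09:05:00", "ws17", "198.51.100.20", 12_000_000),    # ~12 MB
]


def hunt_mass_writes(events, window=timedelta(seconds=60), threshold=20):
    """H1 (encryption stage): flag (host, process) pairs that write at least
    `threshold` files inside any sliding `window`. Bulk rewrites by a single
    process are characteristic of file encryption, not of normal users."""
    per_proc = defaultdict(list)
    for ts, host, proc, _path in events:
        per_proc[(host, proc)].append(datetime.fromisoformat(ts))
    hits = set()
    for key, times in per_proc.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(key)
                break
    return hits


def hunt_bulk_egress(flows, threshold_bytes=1_000_000_000):
    """H2 (exfiltration stage): flag (host, destination) pairs whose total
    outbound volume reaches `threshold_bytes` (assumed 1 GB here)."""
    totals = defaultdict(int)
    for _ts, host, dest, nbytes in flows:
        totals[(host, dest)] += nbytes
    return {k for k, v in totals.items() if v >= threshold_bytes}


def run_hunt():
    """Evaluate both hypotheses; each hit is a lead for the IR team to triage."""
    return {"encryption_stage": hunt_mass_writes(FILE_EVENTS),
            "exfiltration_stage": hunt_bulk_egress(NET_FLOWS)}
```

When a hypothesis stops producing useful leads, or a new ransomware tactic is published, replace or retune it rather than letting the hunt go stale.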
Building ransomware readiness
Ransomware attacks are likely to continue because they are simple, the risk to attackers is low, and the reward is high. Securing increasingly complex on-premises, hybrid and cloud environments is an ongoing challenge, and attackers only need one entry point. Keeping them all out is virtually impossible, even for the best security team with the best technology.
A proactive approach that builds ransomware readiness through these steps can help your organization manage risk and quickly get back to business as usual, even after a critical ransomware incident.