In the article below, Check Point Software shares a guide for enterprises on how to prevent and deal with ransomware attacks in seven steps, followed by seven tips to minimise the risk of being the next victim of ransomware.
Ransomware attacks are growing in number. Why? Because hackers are getting paid. And the increasing uptake of cyber risk insurance is only making the problem worse.
The average weekly number of ransomware attacks has increased 93% over the past 12 months, according to Check Point Research. More than 1,200 organisations worldwide are attacked a week.
The increase in attacks is also related to the availability of threats. Many hacker groups offer ransomware as a service, so anyone can rent this type of threat, including infrastructure, negotiating with victims or extortion websites where stolen information can be posted. The ransom is then split between the “partners”.
Yet, a ransomware attack often does not start with ransomware. It often starts with a “simple” phishing email. In addition, hacker groups often work together. For example, in the Ryuk ransomware attacks, the Emotet malware was used to infiltrate the network, then the network was infected with Trickbot, and finally the ransomware encrypted the data.
How can enterprises even know if they have fallen victim to a ransomware attack and how should they react? If not caught in time, it's relatively easy to find out, as organisations will get a message asking for a ransom and won’t be able to access the company’s data.
In addition, cybercriminals are constantly refining their techniques to increase the pressure to pay. Originally, ransomware "just" encrypted data and demanded a ransom to unlock it. The attackers soon added a second phase and stole valuable information before encryption, threatening to make it public if the ransom was not paid. About 40% of all new ransomware families use data theft in some way in addition to encryption. In addition, we have recently seen a third phase where the attacked companies’ partners or customers are also contacted for a ransom, this is a new technique called triple extortion.
Check Point Software’s Incident Response Team, which has dealt with countless ransomware cases worldwide, recommends following these steps when a ransomware attack occurs:
- Keep a cool head: If your organisation falls victim to a ransomware attack, do not panic. Contact your security team immediately and take a photo of the ransom note for law enforcement and further investigation.
- Isolate the compromised systems: Disconnect infected systems from the rest of the network immediately to prevent further damage. At the same time, identify the source of the infection. Of course, as mentioned, a ransomware attack usually starts with another threat, and hackers may have been in the system for a long time, gradually covering their tracks, so detecting "patient zero" may not be something most companies can handle without outside help.
- Beware of backups: Attackers know that organisations will try to recover their data from backups to avoid paying the ransom. That's why one of the phases of the attack is often an attempt to locate and encrypt or delete backups. Also, never connect external devices to infected devices. Recovering encrypted data may cause corruption, for example, due to a faulty key. Therefore, it may be useful to make copies of the encrypted data. Decryption tools are also gradually being developed that can help to crack previously unknown code. If you did have backups that haven’t been encrypted, check the integrity of the data before fully restoring.
- No reboots or system maintenance: Turn off automatic updates and other maintenance tasks on infected systems. Deleting temporary files or making other changes could unnecessarily complicate investigations and remediation. At the same time, do not reboot systems, as some threats may then start deleting files.
- Cooperate: In the fight against cybercrime, and ransomware in particular, collaboration is key. So contact law enforcement and national cyber authorities, and don't hesitate to contact the dedicated incident response team of a reputable cybersecurity company. Inform employees of the incident, including instructions on how to proceed in the event of any suspicious behaviour.
- Identify the type of ransomware: If the message from the attackers does not directly state what type of ransomware it is, then you can use one of the free tools and visit the No More Ransom Project website, you may find a decryption tool just for your ransomware there.
- To pay or not to pay?: If the ransomware attack is successful, the organisation is faced with the choice of whether to pay the ransom or not. Either way, companies must go back to the beginning and find out why the incident occurred. Whether it was human factors or technology that failed, go through all the processes again and rethink the entire strategy to ensure that a similar incident never happens again. Taking this step is necessary regardless of whether an organisation pays the ransom or not. One can never take comfort in the fact that somehow data recovery has occurred and consider the incident resolved.
So to pay or not to pay? The answer is not as simple as it first appears.
While the ransom amounts are sometimes in the hundreds of thousands or millions of dollars, outages of critical systems often surpass these amounts. However, enterprises must remember that even if the ransom is paid, it does not mean that the data, or even part of it, will actually be decrypted. There are even known cases where attackers have bugs in the codes so that the organisation cannot recover the data even if they wanted to.
Don't rush into a decision and consider all your options carefully. Paying the ransom should really be the last resort.
How can you minimise the risk of being the next victim of ransomware?
- Be extra vigilant on weekends and holidays: Most ransomware attacks over the past year have taken place on weekends or holidays, when organisations are more likely to be slower to respond to a threat.
- Install updates and patches regularly: WannaCry hit organisations around the world hard in May 2017, infecting more than 200,000 computers in three days. Yet a patch for the exploited EternalBlue vulnerability had been available for a month before the attack. Updates and patches need to be installed immediately and have an automatic setting.
- Install anti-ransomware: Anti-ransomware protection watches for any unusual activity, such as opening and encrypting large numbers of files, and if any suspicious behaviour is detected it can react immediately and prevent massive damage.
- Education is an essential part of protection: Many cyberattacks start with a targeted email that does not contain malware, but uses social engineering to try to lure the user into clicking on a dangerous link. User education is therefore one of the most important parts of protection.
- Ransomware attacks do not start with ransomware, so beware of other malicious codes, such as Trickbot or Dridex that infiltrate organisations and set the stage for a subsequent ransomware attack.
- Backing up and archiving data is essential: If something goes wrong, your data should be easily and quickly recoverable. It is imperative to back up consistently, including automatically on employee devices, and not rely on them to remember to turn on the backup themselves.
- Limit access to only necessary information and segment access: If you want to minimise the impact of a potentially successful attack, then it is important to ensure that users only have access to the information and resources they absolutely need to do their jobs. Segmentation minimises the risk of ransomware spreading uncontrollably across the network. Dealing with the aftermath of a ransomware attack on one system can be difficult but repairing the damage after a network-wide attack is much more challenging.