By Stuart Davis, Director of Incident Response Services, CrowdStrike
It’s happened. Intruders have broken through your defences into your organization’s cyber environment. The dreaded ransomware note is glaring at your IT manager. Panic ensues. The note is not only demanding a large crypto payment, but it is also threatening to leak your sensitive customer information and destroy your organization’s reputation. This is your short window to rescue your company. A well-formulated ransomware recovery plan can save enterprises time and money and help them prepare for and respond to the next attempt.
When ransomware strikes, every detail matters for protecting the business’ reputation and preserving customers’ trust. The window to react during a breach is small, and using it well requires coordinated internal response efforts and swift decision making.
After a ransomware attack, every instinct in an IT manager’s body may say to pull the plug, but the classic IT ‘fix’ of switching it off and on again is counterproductive here. Powering off a host destroys the volatile evidence an investigation depends on: running processes, open network connections and memory contents, which can include the malware itself and, for some families, encryption keys that never touched disk. Abruptly taking the network down also tells the threat actor they have been detected, and an actor who still has access will respond by compromising additional systems and planting new persistence that may go undetected, or fall back on backdoors already staged for exactly this situation, turning the response into a game of “whack-a-mole”. Best practice is therefore to keep systems powered on and contain them in a controlled way, capturing evidence as you go, rather than shutting everything down.
Many targeted intrusions begin months before the threat actor demands any payment. This is why log data is often crucial in determining how the incident started. Without establishing how the intrusion happened, the organization risks paying twice. For example, one organization that did not identify the root cause of its previous attack suffered a ransomware re-deployment and paid a second ransom just two weeks later. So it is vital that logs are preserved, before retention windows roll over or the attacker clears them, and that backups of critical servers are available for inspection.
In a cyber crisis it is even more important that internal communications are well established. IT, security, legal, management and public relations must be kept informed of the status of the breach so that a response can be formulated and regulators and customers can be informed. But note that an intruder with privileged access can typically read the organization’s email and chat and will be watching for signs that the response has begun, so assume internal communication channels are compromised and establish additional out-of-band channels for the response team.
Call in forensics
Sophisticated threats require next-generation responses; the days of relying on legacy signature-based antivirus are long gone. Deploying a cloud-based endpoint detection and response (EDR) solution gives security staff the ability to detect and prevent malicious activity, record and search endpoint telemetry in real time, and contain hosts at the network level without powering them off, all of which shortens ransomware recovery time.
Businesses need to treat a ransomware incident like a crime scene. Endpoint forensic investigation can establish the key facts: how many systems were accessed or compromised, what data may have been accessed, how long the intruder has been present (dwell time), the initial attack vector, the persistence mechanisms left in your environment and what data was exfiltrated.
This data is imperative to preventing another attack. It also gives businesses the opportunity to re-evaluate their security infrastructure and policies, identify weak points and determine which data most needs protection going forward.
Remediate the attack
The key goal of remediation is to completely remove the threat actor’s presence from the environment and limit their ability to return another way. Remediation techniques include isolating critical systems from the broader network, blocking access to the adversary’s command and control infrastructure, removing and completely rebuilding infected hosts and performing credential resets. Order matters: credential resets only hold if they come after the adversary’s access paths have been closed, otherwise they simply harvest the new passwords.
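The forensic questions listed under “Call in forensics” and the inputs remediation needs (what to block, rebuild and reset) can be drawn from preserved log data. The following is an added example, not code from the original article or from CrowdStrike: it fixes a chain-of-custody hash on a raw log, reconstructs the timeline from initial access to ransom note, and emits the remediation inputs. The log format, field names, indicators (an MFA-less VPN login, a scheduled task, a large outbound transfer, a ransom-note file name) and the sample lines are all constructed assumptions, not any vendor’s schema.

```python
"""Triage of preserved log data from a ransomware incident (constructed sample).

Added example: parses EDR/VPN-style events, records a chain-of-custody hash of
the raw log, reconstructs the timeline (initial access -> persistence ->
lateral movement -> exfiltration -> ransom note) and emits remediation inputs.
Log format, field names and indicators are assumptions, not a vendor schema.
"""
import hashlib
import re
from datetime import datetime

# Constructed sample log. Fields: timestamp|host|user|event|detail (key=value pairs).
SAMPLE_LOG = r"""
2024-03-01T02:14:07Z|WS-114|jdoe|vpn_login|src=203.0.113.45 mfa=none
2024-03-01T02:21:33Z|WS-114|jdoe|process|cmd=powershell -nop -w hidden -enc SQBFAFgA
2024-03-01T02:30:10Z|WS-114|jdoe|schtask_create|name=UpdaterSvc path=C:\ProgramData\up.exe
2024-03-03T11:02:55Z|FS-01|svc_backup|logon_type3|src=WS-114
2024-03-03T11:40:12Z|FS-01|svc_backup|outbound|dst=198.51.100.7:443 bytes=8200000000
2024-03-07T04:01:00Z|DC-01|administrator|process|cmd=psexec \\FS-01 -s C:\Windows\Temp\lock.exe
2024-03-07T04:05:18Z|FS-01|SYSTEM|file_write|name=README_TO_RECOVER.txt
""".strip()

RANSOM_NOTE = re.compile(r"README|RECOVER|DECRYPT", re.IGNORECASE)
EXFIL_BYTES = 1_000_000_000  # assumed threshold: more than 1 GB outbound in one session


def preserve(log_text: str) -> str:
    """Return the SHA-256 of the raw log bytes; record it before any analysis starts."""
    return hashlib.sha256(log_text.encode("utf-8")).hexdigest()


def parse_detail(detail: str) -> dict:
    # A 'cmd=' value runs to end of line (command lines contain spaces);
    # every other detail field is a list of key=value pairs.
    if detail.startswith("cmd="):
        return {"cmd": detail[4:]}
    return dict(pair.split("=", 1) for pair in detail.split())


def parse(log_text: str) -> list:
    """Turn the pipe-separated lines into event dicts, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, host, user, event, detail = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "event": event,
            "detail": parse_detail(detail),
        })
    return sorted(events, key=lambda e: e["ts"])


def triage(events: list) -> dict:
    """Answer the forensic questions: entry point, dwell time, scope, persistence, exfiltration."""
    initial = next((e for e in events
                    if e["event"] == "vpn_login" and e["detail"].get("mfa") == "none"), None)
    note = next((e for e in events
                 if e["event"] == "file_write"
                 and RANSOM_NOTE.search(e["detail"].get("name", ""))), None)
    # Everything from the first suspicious event onward is in scope for the investigation.
    scope = [e for e in events if initial is None or e["ts"] >= initial["ts"]]
    persistence = [(e["host"], e["detail"].get("name", "?"))
                   for e in scope if e["event"] == "schtask_create"]
    exfil = [e for e in scope
             if e["event"] == "outbound" and int(e["detail"].get("bytes", 0)) > EXFIL_BYTES]
    lateral = [(e["detail"]["src"], e["host"])
               for e in scope if e["event"] == "logon_type3" and "src" in e["detail"]]
    return {
        "initial_access": initial,
        "ransom_note": note,
        "dwell_days": (note["ts"] - initial["ts"]).days if initial and note else None,
        "persistence": persistence,
        "lateral_movement": lateral,
        "exfil_bytes": sum(int(e["detail"]["bytes"]) for e in exfil),
        # Inputs for remediation: addresses to block, hosts to rebuild, accounts to reset.
        "block_ips": sorted({e["detail"]["dst"].split(":")[0] for e in exfil}),
        "rebuild_hosts": sorted({e["host"] for e in scope}),
        "reset_accounts": sorted({e["user"] for e in scope} - {"SYSTEM"}),
    }


if __name__ == "__main__":
    print("log sha256:", preserve(SAMPLE_LOG))
    for key, value in triage(parse(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample, the MFA-less VPN login on WS-114 is the entry point, a scheduled task is the persistence, the type-3 logon to FS-01 from WS-114 is the lateral movement, the 8.2 GB transfer to 198.51.100.7 is the exfiltration, and the ransom note lands six days after initial access. The three output lists are exactly what the remediation step consumes: block the exfiltration destination, rebuild all three hosts, and reset every account the intruder touched, in that order.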
A key aspect of remediation and of an effective incident response plan is partnering with a proficient cybersecurity provider. Experienced incident responders and threat intelligence professionals bring a comprehensive approach that reduces the chance of a foothold being missed, accelerates time to visibility and remediation, reduces business interruption losses and minimizes the impact of the attack.
Ransomware preparation and cybersecurity awareness have become as necessary to a business as marketing or sales. Companies should evaluate their long-term cybersecurity goals alongside their immediate incident actions and responses. Preparing to prevent the next attack, through sound cybersecurity hygiene, ransomware tabletop exercises and a working understanding of threat intelligence, is as important as the incident response itself.
Following these steps may be the only way to stop the bleeding of valuable data and company assets. You need to fight fire with fire: don’t bring a legacy antivirus to a sophisticated ransomware fight. Investing wisely and early will give your company the best chance of making it through this ransomware pandemic.