What businesses do the moment ransomware is detected makes a huge difference to the impact the attack can have on the organisation. Failure to act fast can mean that more files are locked, more devices are penetrated and more money is lost. What organisations do in the ‘golden hour’ following an attack is crucial, and what they achieve in this ‘golden hour’ is dependent on how well trained and prepared they are beforehand.
As cybercriminals evolve their techniques and technologies, ransomware is only becoming more infectious and harmful. The average attack costs businesses more than £100,000 and does lasting reputational damage. Indeed, 40% of consumers consider CEOs to be personally liable for ransomware breaches, and 44% would stop using a company’s services if it fell victim to an attack. Compounding the risks, 20 per cent of paying victims never have their stolen data returned.
Since time is of the essence, organisations must ensure they have the capabilities and processes in place to rapidly detect and contain ransomware. This requires careful preparation, proper training and total data visibility.
Preparation makes perfect
Much of the most important work that goes into resolving a ransomware attack happens long before it’s first detected. You can’t treat a patient without the right medical kit, and a company can’t fight a ransomware infection without detection capabilities and a strong data backup and recovery strategy.
Mission-critical data is the chief target of any attack. As a company’s most precious asset, its loss or theft can bring operations to a shuddering halt. To avoid this, organisations must bring their data estate under control.
Performing or commissioning a data audit will give a business a much better idea of what data it holds and where it is located within its infrastructure. Yet it can only be a first step. To guard from ransomware, employees need to be able to spot the symptoms, but this is only possible when they have constant visibility over company data.
In modern organisations, data is spread out over multiple – often disconnected – on-premise systems and cloud environments. Ransomware attacks thrive in fragmented systems, where security policies are inconsistent and the initial attack vector often goes unnoticed. Harmful malware can spread unimpeded, capturing crucial data before it’s eventually detected.
Organisations should leverage tools that help connect their dispersed data assets and ensure security policies can be rolled out across all environments. At all times, employees should be able to tell what data the company has, what environment it is being held in, and know what measures are protecting it.
Alongside a strong and secure data foundation, a ransomware defence strategy must deliver protection at all levels. You should have a strategy to proactively search for and fix system vulnerabilities, and deploy solutions for network monitoring, threat intelligence and endpoint detection.
Crucially, businesses should also have a backup strategy in place, to ensure encrypted data isn’t lost forever. Needs will differ between organisations, but the 3-2-1 rule is a useful guideline. This means keeping at least three copies of data, on at least two devices, with at least one copy offsite. It’s important to ensure these copies are sufficiently isolated so that invasive ransomware can’t jump between them, rendering them redundant. It is also important that the recovery is regularly rehearsed and tested so that you know you can recover your critical data, and you can respond quickly and efficiently when disaster strikes.
Ensuring a rapid recovery
When the right steps have been taken in preparation, it’s much easier for a business to respond quickly and effectively to a ransomware attack. However, organisations still need to have a response plan in place to contain the infection once contact has been made.
Once an attack has been reported or detected, the security team should move in to ensure the affected end users and systems are isolated from the wider network. The end users should then be interviewed for their insight into the attack, but data management tools can also quickly help understand what data these users normally access. This information should then be scanned to determine what has been infected and lost. So long as the company’s data backups have been properly protected, this data can be restored without causing disruption or having to pay the ransom.
Proper education is crucial for this system to run smoothly. Ransomware awareness training is doing much to help staff recognise social engineering attempts and prevent potential attacks. However, organisations now need to take education a step further.
It’s no longer enough simply to recognise ransomware; employees have to be able to respond once an attack has, inevitably, succeeded. For a strong response during the first hour of an attack, employees should be educated to disconnect their machine from the network and any external drives. Going offline helps stop the ransomware from spreading. Then they should use a phone or camera to take a picture of the ransom message received before shutting down their machine. The final step should be to notify their IT department and share any information they have about the attack.
A great deal of ransomware training tends to lead with the fear factor and present worst-case scenarios. Yet, there’s a danger this could make staff less likely to come forward if they’re afraid they may have caused great damage. It’s important for companies to create an environment where no one is afraid to raise the red flag when ransomware is detected.
Of course, the first time you run these procedures shouldn’t be in the middle of an ongoing attack. Regular recovery and response drills should be carried out to ensure all systems and employees are working together as they should. Any weaknesses can be identified and ironed out early and in a controlled situation rather than a high pressure scenario. Doing so gives you the peace of mind to know your business can survive an attack when it hits.
A successful ransomware attack is a question of when, not if. Attacker capabilities are advancing all the time and you can’t expect staff to spot every hacking attempt. All it takes is one slip-up. Therefore, a good defence isn’t just based on your ability to prevent an attack, it’s whether you can weather the storm and, crucially, contain the attack before it grows into a business-destroying crisis. True ransomware resilience requires a combination of careful preparation, well-drilled processes, and capabilities that empower staff with complete data visibility and control.
Author: Simon Jelley, VP, Product Management at Veritas Technologies