For any organisation, whether large or small, defending against a cyber-attack has never been a simple task. Lately, however, there is an added level of urgency, with ransomware taking an ugly turn. Any organisation can be a target, or simply collateral damage from an attack aimed at someone else. Threat actors are seeking to cause maximum impact, and a quick glance at the headlines shows that the threat is greater than ever before. Whether we look at the Colonial Pipeline attack, JBS or Kaseya, the debate on how to turn the tide against ransomware rages on. But one thing we can all agree on is that organisations need to act now.
As many IT leaders start to think ahead to next year, evaluating and planning, the question we should be asking is: if your organisation suffered a ransomware attack, would you be prepared? For many organisations it is a question of when a ransomware attack will strike, not if. According to Gartner, the threat of new ransomware models has emerged as the top risk facing businesses today, and it predicts that by 2025 threat actors will have used cyber-attacks to cause human casualties.
The problem is that ransomware is evolving and wreaking havoc: a single attack can bring down multiple organisations, leak sensitive data across the web and disrupt critical infrastructure services. It is all well and good to talk abstractly about strategies for recovering from a ransomware attack, but there is nothing like learning from real-world experiences, and we have plenty to choose from. So how can businesses build a robust plan, and what can we learn?
To pay or not to pay
First and foremost, we need to get away from the conversation of whether to pay a ransom or not. Being prepared to pay is not a viable strategy; it only adds fuel to the fire, giving threat actors further motivation and proving that their tactics work. In the recent Colonial Pipeline attack, the company admitted to paying almost $4.5 million to DarkSide. That is a hefty amount, but only a small portion of what DarkSide has been making, with reports suggesting the group has made over $90 million. If we continue to pay such demands as an industry, we only encourage further attacks. In addition, there is no guarantee that paying will work: while Colonial Pipeline might be one of the lucky few, far more organisations pay and never see their data again.
Going beyond a first line of defence
One of the challenges is just how dominant ransomware has become in the industry. While intrusion detection and cyber security software are essential for being alerted to malicious activity as early as possible, it is just as fundamental to support them with a robust recovery strategy that helps you restore the files ransomware holds hostage. This approach means businesses not only implement preventive measures but, if an attack does take place, can limit the impact and recover. Active Directory (AD) really is the cornerstone of a comprehensive recovery plan. Since most organisations use AD to manage identities and grant access to business resources such as databases, files, applications and endpoints, AD is the key to rapid recovery from ransomware.
Avoiding corrupt backups
While recovering from backups might sound like a simple notion, one trick that many organisations are missing is ensuring that AD backups are air-gapped. A business can have the most extensive backup information on file, but it cannot restore from a copy that has been corrupted. Many ransomware attacks today actively seek out and destroy any network-connected backups for this very reason: to maximise the chances that you will pay the ransom. It is therefore essential not just to make regular and trustworthy backups of your Active Directory but to keep them air-gapped, meaning held offline where nothing on the network can reach them, so that if ransomware does sweep through the system these copies stay hidden away and secure.
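The two checks the paragraph above calls for, that a backup copy is actually unreachable from the production network and that it has not been silently corrupted or encrypted, can be made mechanical. The following Python script is an added example written for this article; it is not code from Quest or from the author, and the backup catalogue, its field names (location, expected_sha256, payload), the 14-day retention window and the sample bytes are all constructed assumptions. The idea it shows is that the digest of each copy is recorded at backup time and kept apart from the copy itself, so a copy that ransomware has overwritten fails verification and is never chosen as the restore source.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fixed "now" for the constructed scenario so results are reproducible.
SAMPLE_NOW = datetime(2021, 9, 1)


@dataclass(frozen=True)
class BackupRecord:
    """One catalogued AD backup (constructed fields, not a real backup product's schema)."""
    name: str
    taken_at: datetime
    location: str          # "offline-vault" = air-gapped copy, "network-share" = reachable copy
    expected_sha256: str   # digest recorded at backup time and stored apart from the copy
    payload: bytes         # what we read back from the copy today


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_intact(record: BackupRecord) -> bool:
    """A copy is trustworthy only if it still matches the digest recorded when it was made."""
    return sha256_hex(record.payload) == record.expected_sha256


def is_air_gapped(record: BackupRecord) -> bool:
    return record.location == "offline-vault"


def assess(record: BackupRecord, now: datetime, max_age: timedelta = timedelta(days=14)) -> list:
    """Reasons this copy must NOT be used as a restore source; an empty list means usable."""
    reasons = []
    if not is_air_gapped(record):
        reasons.append("reachable from the network")
    if not is_intact(record):
        reasons.append("digest mismatch (corrupted or encrypted)")
    if now - record.taken_at > max_age:
        reasons.append("older than retention window")
    return reasons


def choose_restore_source(catalogue, now: datetime, max_age: timedelta = timedelta(days=14)):
    """Newest copy that passes every check, or None if nothing in the catalogue is restorable."""
    usable = [r for r in catalogue if not assess(r, now, max_age)]
    return max(usable, key=lambda r: r.taken_at, default=None)


def build_sample_catalogue(now: datetime) -> list:
    """Constructed scenario: ransomware has overwritten the network-connected nightly copy,
    while the two offline vault copies are untouched but one of them is out of date."""
    good = b"ntds.dit + SYSVOL system-state image (constructed sample bytes)"
    good_digest = sha256_hex(good)
    return [
        BackupRecord("nightly-share", now - timedelta(days=1), "network-share",
                     good_digest, b"\x00ENCRYPTED-BY-RANSOMWARE\x00"),
        BackupRecord("vault-weekly", now - timedelta(days=3), "offline-vault",
                     good_digest, good),
        BackupRecord("vault-quarterly", now - timedelta(days=40), "offline-vault",
                     good_digest, good),
    ]


if __name__ == "__main__":
    catalogue = build_sample_catalogue(SAMPLE_NOW)
    for rec in catalogue:
        problems = assess(rec, SAMPLE_NOW)
        print(f"{rec.name:16} {'OK' if not problems else '; '.join(problems)}")
    chosen = choose_restore_source(catalogue, SAMPLE_NOW)
    print("restore from:", chosen.name if chosen else "NOTHING USABLE")
```

Run as-is, the script rejects the nightly network copy on two counts (reachable and digest mismatch), rejects the quarterly copy as stale, and selects the three-day-old vault copy. The point of keeping the digest outside the copy is that an attacker who can reach the backup share cannot also "fix" the recorded hash to hide the tampering.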
Busting the myth of speed
It hardly comes as a surprise that if ransomware does strike, the first thing on everyone's mind will be how to get up and running again as quickly as possible, and rightly so. It is the moments after a cyber-attack, and how the business handles them, that leave a lasting impression. The way to do this, however, is to consider a phased recovery. By identifying which domain controllers are absolutely essential, you can start recovery there, getting the most business-critical applications up and running again as soon as possible.
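Deciding which domain controllers come first is easier when the inventory already carries the facts that matter. The Python script below is an added illustration of such a phased plan; it is not code from Quest or from the author, and the inventory, the priority weights (FSMO roles, global catalog, number of critical applications served) and the three-phase split are assumptions made for the example rather than a published procedure. It restores one domain controller per domain first so each domain exists again, then the controllers that critical applications depend on, and leaves the rest for last.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    """Constructed inventory entry; the field names are assumptions, not a product schema."""
    name: str
    domain: str
    site: str
    fsmo_roles: tuple = ()           # e.g. ("PDC", "RID", "Infrastructure")
    global_catalog: bool = False
    critical_dependents: tuple = ()  # business-critical apps that authenticate against this DC


def priority(dc: DomainController) -> int:
    """Assumed weighting: FSMO roles dominate, then global catalog, then each critical app served."""
    return 10 * len(dc.fsmo_roles) + (5 if dc.global_catalog else 0) + 3 * len(dc.critical_dependents)


def plan_phases(dcs) -> dict:
    """Phase 1: the highest-priority DC in each domain, so the domain can be brought back at all.
    Phase 2: remaining DCs that critical applications or global catalog lookups depend on.
    Phase 3: everything else, rebuilt once the business is running again."""
    phases = {1: [], 2: [], 3: []}
    ordered = sorted(dcs, key=lambda d: (-priority(d), d.name))  # name breaks ties deterministically
    seen_domains = set()
    for dc in ordered:
        if dc.domain not in seen_domains:
            seen_domains.add(dc.domain)
            phases[1].append(dc.name)
        elif dc.critical_dependents or dc.global_catalog:
            phases[2].append(dc.name)
        else:
            phases[3].append(dc.name)
    return phases


def sample_inventory() -> list:
    """Constructed two-domain forest used for the demonstration."""
    return [
        DomainController("DC01", "corp.example", "HQ",
                         ("Schema", "DomainNaming", "PDC", "RID", "Infrastructure"),
                         global_catalog=True, critical_dependents=("ERP",)),
        DomainController("DC02", "corp.example", "HQ",
                         global_catalog=True, critical_dependents=("ERP", "Payroll")),
        DomainController("DC03", "corp.example", "Branch"),
        DomainController("DC11", "emea.corp.example", "London",
                         ("PDC", "RID", "Infrastructure"), critical_dependents=("CRM",)),
        DomainController("DC12", "emea.corp.example", "Paris"),
    ]


if __name__ == "__main__":
    for phase, names in plan_phases(sample_inventory()).items():
        print(f"phase {phase}: {', '.join(names)}")
```

On the sample forest this yields DC01 and DC11 in phase 1, DC02 in phase 2, and DC03 and DC12 in phase 3. In a real plan the same ordering is worth writing down in advance, because during an incident the people who know which applications depend on which controller may not be the ones doing the restore.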
However, contrary to what many might think, and despite how you might feel in the moment, ransomware recovery is not about speed alone. It is equally important to ensure that recovery is done correctly, and that the entry points and vulnerabilities used in the attack are addressed so that you do not get reinfected. A prime example is a blog posted by the NCSC this year, which described a company that paid just under £6.5 million in ransom for its data. Because the company did not fix the vulnerability, the attackers came back less than two weeks later using the same tactic. Don't make the same mistake.
In the end, even the most prepared organisation cannot completely eradicate the threat of ransomware, but it can limit the risks. Every organisation needs a comprehensive ransomware strategy that not only identifies threats but also protects backup data, focuses on Active Directory recovery and considers the impact on other essential business functions such as the network or routers. In addition, organisations need to make sure the plan is accessible, with clear roles and responsibilities. Only with a well-thought-out plan, comprehensive technology in place and a clear point person will businesses be able to forge a new path.
By Bryan Patton, Principal Strategic Systems Consultant at Quest