Ransomware attacks are some of the most popular and devastating attacks in cybersecurity today. It seems like you can’t go online these days without hearing about a new security breach sweeping the country. This security epidemic is affecting businesses of all sizes and industries, and it shows no signs of slowing down.
At its basics, ransomware is a type of malicious cyberattack that gains access to your computer or network, encrypts your data and then holds it for ransom in exchange for a decryption key. What makes ransomware so difficult is that each new strain targets your network and data differently. These cyberattacks continue to grow in scale, maturity and complexity.
Ransomware is a form of malware, and there are many different types. Most often, ransomware is used to extort money from victims by holding sensitive data or network access hostage until the attackers receive payment. Recent examples of devastating ransomware attacks include Colonial Pipeline and Kaseya.
Cybercriminals target organizations with vulnerabilities and places where their attacks will have the biggest impact. They also look for where they can deploy ransomware both within the organization itself and across the organization’s vendor/client list. Vendor-based cyberattacks are far more profitable and have an enormous return and impact. Cybercrime organizations are even starting to offer ransomware as a service that other criminals can deploy on their own. Now more than ever, organizations need to be proactive to protect their business from malicious intent.
A good first step is to reference the United States Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Security Advisory Tool (CSET). CISA provides ten areas for assessment within your organization to review, prepare and protect yourself from a ransomware attack. The following outlines the CISA areas of assessment as well as what to consider when determining how prepared your organization is for a ransomware attack.
End User Awareness Training: Security and awareness training on current cybersecurity threats and attacks is an important first step for all organizations to take. Providing employees with tools and resources to protect themselves and the organization from malicious intent can save the organization hundreds of thousands of dollars in incident response. Cybersecurity protection starts with user training.
Phishing Prevention and Awareness: As part of user training, organizations should have ongoing phishing and social engineering campaigns set up to simulate phishing emails sent to staff and personnel. As time progresses, the campaigns need to become harder as the user becomes more educated. It was recently cited that 90% of cyberattacks are caused by human vulnerabilities, so testing and educating employees on phishing schemes has never been more important. An attack against your system can start out simply by an employee inadvertently giving out domain credentials or using weak passwords. Security best practices training should always cover email security and educate users not to open links or attachments from unknown sources and to be cautious of any attachments asking to enable macros.
Data Backup: Regular backups are an essential part of any business continuity plan. Should you be breached by ransomware, you can rest assured that your data can be restored with little disruption to your day-to-day operations. The key is automatic and continuous backups of your data, and all users should back up critical data on all devices. There are numerous backup options including:
Asset and Patch Management: A cohesive patch management plan is an important part of understanding vulnerabilities. Knowing an organization’s network, risk areas, current patches and patch deployment is critical. Oftentimes the biggest areas for concern are abandoned and/or unmaintained software and hardware. There is a reason software companies push out updates: to give you the latest patches and protections. Running on old software makes you more susceptible to breaches, so be sure everything, including your operating system, is running the latest software. And if you’re putting off upgrading your OS because of compatibility or system integrations, you have much larger vulnerability concerns on your hands.
Tracking existing assets and patches is the key to continued security. Consider implementing the following:
Browser Management & DNS Filtering: It’s important to secure your web browsers, as they are used so frequently within an organization. Without browser management, you run the risk of spyware being installed or intruders taking control of your computer. Exploiting vulnerabilities in web browsers is an effortless way for cybercriminals to compromise computer systems. DNS filtering, which blocks access to malicious websites, is often seen as an additional security layer against malware.
Network Monitoring and End Point Protection (EPP): Organizations should have Next Generation Antivirus (NGAV) End Point Protection in place. NGAV can identify zero-day threats: it uses AI to predict what cybercriminals may do next, even for threats that have not yet been released into the world. NGAV helps identify these attacks before they happen and protects your organization from them. Traditional, signature-based antivirus software no longer protects your organization as it should, because too many steps must occur before a new piece of malware can be identified by signature.
User Access Management: Managing and limiting access to physical and logical assets and associated facilities to authorized users, processes and devices will keep organizations more secure.
Application Integrity & Whitelisting: Protecting your systems requires knowing which devices are connected to your network, which applications are in use, who has access and what security measures are in place. It’s important to know what’s on your network and to have automatic updates. You’ll also want to implement secure configurations, remove unsupported hardware and software, leverage email and web browser security settings, and create application integrity and allow list policies.
Incident Response: Every organization should have an incident response plan developed. When an incident occurs — and yes, it’s a matter of when, not if — what will happen? A plan helps outline next steps to identify and limit current damage and protect the organization while experiencing an attack.
Risk Management: CISA’s recommendation for risk management boils down to five actions:
Eide Bailly understands not only the concerns of our clients with these attacks, but the in-depth details surrounding the methods and tools used by attackers. Protecting your organization doesn’t have to be complicated.
No matter how prepared you are, cybersecurity incidents happen. Here are a few immediate steps you can take.
If you even suspect a virus or ransomware attack, disconnect your computer from your network and internet immediately. This will help to contain the threat and will prevent the malware from spreading to other devices in your environment.
Remove the Malware
Your first step will be to remove the malicious software from your system. This is often relatively simple since the nature of a ransomware attack is to target your data, not your device.
Check Your Backup
Ransomware uses advanced cryptography to hold your data hostage, rendering it unusable. The good news is that, if you are regularly performing network backups, you’ll be able to restore your system with little loss of data — often just a day or two. The bad news, however, is that if you do not have a current or complete backup to restore, it won’t be so easy.
Call In Backup
The help of an incident response professional can be invaluable in the midst of an attack. Digital forensics and investigative skills can help uncover the facts to identify, document and summarize an incident with the same level of urgency you need. They provide answers when you need them the most and help you create a path to resolution.
Eide Bailly’s Data Breach Hotline is available 24/7, so you’re never alone during a crisis.
While we typically do not recommend paying for your encrypted data, this is not a simple yes or no answer. Even law enforcement agencies have changed their tune in recent years on this topic. The interesting trend in ransomware is that some of these cybercriminals almost operate like a merchant. Some even have reviews proving that they delivered the decryption key after payment and tout their customer service!
This question is really becoming more case-by-case. A lot of it boils down to the quality of your backups and the impact of lost data. In these situations, it’s important to ask yourself the following questions:
Just like in poker, it’s good to “know when to hold ‘em and know when to fold ‘em.”
So how do you get your data back if you don’t pay up? Your best bet is to look for remediation help. Experienced security engineers will be able to recover your system and patch the network vulnerability that allowed for the cyberattack in the first place. When looking for an IT service provider, look for experience in system patches, endpoint protection, email and firewall security, as well as disaster recovery. There are a number of IT service providers out there, so be sure to do your homework; ask for their stats and client referrals.
Eide Bailly’s Ransomware Readiness Assessment starts with a few exploratory questions. This helps our team gain a better understanding of your current cybersecurity posture level. Based on those answers, we will be able to provide the best recommendations to improve your organization’s ability to respond to ransomware attacks. For example, how would you respond to the following?
With cyberattacks becoming more sophisticated, and the complexities of the fast-paced ever-changing environment, the world of cybersecurity can be incredibly overwhelming. Organizations tend to know what they need to do, but not necessarily how to implement their plans into action. Instead, they sit vulnerable.
It’s at inopportune times — vacation, holidays, conferences, etc. — when the worst often happens. Organizations want to take the jump and start making these changes but often find they don’t have time, don’t know what to do or don’t have the right resources to make it happen.
We find the following to be the biggest areas where organizations get stuck:
Eide Bailly utilizes CISA’s CSET tool as a baseline for our discussions. We utilize our decades of cybersecurity experience to complement and modify the tool to apply to a specific client while also bearing in mind their industry, culture and technology stack.
As part of this assessment, Eide Bailly will conduct interviews with key personnel, run an inventory scanner tool on the environment, and conduct high-level, minimally invasive tests to validate suspected weaknesses. As an output of this assessment, Eide Bailly will provide clients with:
The ransomware readiness assessment will help organizations create a culture of security by prioritizing security planning for a ransomware attack. In addition, Eide Bailly will provide an Incident Response Playbook to be utilized in the event an incident occurs.
Ready to get started?