Ransomware attacks are some of the most popular and devastating attacks in cybersecurity today. It seems like you can’t go online these days without hearing about a new security breach sweeping the country. This security epidemic is affecting businesses of all sizes and industries, and it shows no signs of slowing down. For these reasons, you should explore the top solutions that can help improve ransomware preparedness in your company.
What is Ransomware?
At its basics, ransomware is a type of malicious cyberattack that gains access to your computer or network, encrypts your data and then holds it for ransom in exchange for a decryption key you can use to recover your data. What makes ransomware so difficult is that each new strain targets your network and data differently. These cyberattacks continue to grow in scale, maturity and complexity.
Ransomware is a malware form of cyberattack, and there are many different types. Most often, ransomware is used to extort money from victims through holding secure data or network access hostage until the attackers receive payment. Recent examples of devastating ransomware attacks include Colonial Pipeline and Kaseya.
Cybercriminals target organizations with vulnerabilities and places their attacks will have the biggest impact. They also look for where they can deploy ransomware both within the organization itself and also the organization’s vendor/client list. Vendor-based cyberattacks are far more profitable and have an enormous return and impact. Cybercrime organizations are even starting to make ransomware a service that criminals can freely implement on their own. Now more than ever, organizations need to be proactive to protect their business from malicious intent, which requires comprehensive research into the most significant threats and the state of security systems that are currently in place.
How Can I Protect My Organization?
A good first step is to reference the United States Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Security Advisory Tool (CSET). CISA provides ten areas for assessment within your organization to review, prepare and protect yourself from a ransomware attack. The following outlines the CISA areas of assessment as well as what to consider when determining how prepared your organization is for a ransomware attack.
End User Awareness Training: Security and awareness training on current cybersecurity threats and attacks is an important first step for all organizations to take. Providing employees with tools and resources to protect themselves and the organization from malicious intent can save the organization hundreds of thousands of dollars in incident response. Cybersecurity protection starts with user training.
Phishing Prevention and Awareness: As part of user training, organizations should have ongoing phishing and social engineering campaigns set up to simulate phishing emails sent to staff and personnel. As time progresses, the campaigns need to become harder as the user becomes more educated. It was recently cited that 90% of cyberattacks are caused by human vulnerabilities, so testing and educating employees on phishing schemes has never been more important. An attack against your system can start out simply by an employee inadvertently giving out domain credentials or using weak passwords. Security best practices training should always cover email security and educate users not to open links or attachments from unknown sources and to be cautious of any attachments asking to enable macros.
Data Backup: Regular backups are an essential part of any business continuity plan. Should you be breached by ransomware, you can rest assured that your data can be restored with little disruption to your day-to-day operations. The key is automatic and continuous backups of your data, and all users should back up critical data on all devices. There are numerous backup options including:
- Remote Backup: Cloud Storage
This is the safest method. Cloud software and services often have built-in backups that will allow you to revert back to previous versions before you were infected. Plus, these backups aren’t stored on a physical device that could get damaged or stolen.
- Internal Hard Disk Drives
- Removeable Storage Media
Asset and Patch Management: A cohesive patch management plan is an important part of understanding vulnerabilities. Knowing an organization’s network, risk areas, current patches and patch deployment is critical. Oftentimes the biggest areas for concern are abandoned and/or unmaintained software and hardware. There is a reason software companies push out updates: to give you the latest patches and protections. Running on old software makes you more susceptible to breaches, so be sure everything, including your operating system, is running the latest software. And if you’re putting off upgrading your OS because of compatibility or system integrations, you have much larger vulnerability concerns on your hands.
Tracking existing assets and patches is the key to continued security. Consider implementing the following:
- Software library
- Hardware inventory
- Network map
- Configuration documentation
- Archive list
- Policies and procedures for how patches happen and how assets are handled
Browser Management & DNS Filtering: It’s important to secure your web browser as they are used so frequently within an organization. Without browser management, you run the risk of spyware being installed or intruders taking control of your computer. Exploiting vulnerabilities in web browsers is an effortless way for cybercriminals to compromise computer systems. DNS filtering, which blocks access to malicious websites, is often seen as an additional security layer against malware.
Network Monitoring and End Point Protection (EPP): Organizations should have a Next Generational Antiviral (NGAV) End Point Protection in place. NGAV can identify zero-day threats, which means it uses AI to determine what cybercriminals may do next even though the threats have not been released into the world yet. NGAC helps identify these attacks before they happen and protects your organization from them. Traditional, signature-based antiviral software is broken and does not protect your organization as it should because there is too much that needs to happen to identify malware.
User Access Management: Managing and limiting access to physical and logical assets and associated facilities to authorized users, processes and devising will keep organizations more secure.
Application Integrity & Whitelisting: Protecting your systems requires knowing which devices are connected to your network, which applications are in use, who has access and what security measure are in place. It’s important to know what’s on your network and have automatic updates. You’ll also want to implement secure configurations, remove unsupported hardware and software, leverage email and web browser security settings, create application integrity and allow list policies.
Incident Response: Every organization should have an incident response plan developed. When an incident occurs — and yes, it’s a matter of when, not if — what will happen? A plan helps outline next steps to identify and limit current damage and protect the organization while experiencing an attack.
Risk Management: CISA’s recommendation for risk management boils down to five actions:
- Identify: Develop the organization’s understanding to manage cybersecurity risk to systems, assets, data and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Eide Bailly understands not only the concerns of our clients with these attacks, but the in-depth details surrounding the methods and tools used by attackers. Protecting your organization doesn’t have to be complicated.
What can I do If My Organization is Hit with Ransomware?
No matter how prepared you are, cybersecurity incidents happen. Here are a few immediate steps you can take.
If you even suspect a virus or ransomware attack, disconnect your computer from your network and internet immediately. This will help to contain the threat and will prevent the malware from spreading to other devices in your environment.
Remove the Malware
Your first step will be to remove the malicious software from your system. This is often relatively simple since the nature of a ransomware attack is to target your data, not your device.
Check Your Backup
Ransomware uses advanced cryptography to hold your data hostage, rendering it unusable. The good news is that, if you are regularly performing network backups, you’ll be able to restore your system with little loss of data — often just a day or two. The bad news, however, is that if you do not have a current or complete backup to restore, it won’t be so easy.
Call In Backup
The help of an incident response professional can be invaluable in the midst of an attack. Digital forensics and investigative skills can help uncover the facts to identify, document and summarize an incident with the same level of urgency you need. They provide answers when you need them the most and help you create a path to resolution.
Eide Bailly’s Data Breach Hotline is available 24/7, so you’re never alone during a crisis.
Should I Pay the Ransom to Get My Data Back?
While we typically do not recommend paying for your encrypted data, this is not a simple yes or no answer. Even law enforcement agencies have changed their tune in recent years on this topic. The interesting trend in ransomware is that some of these cybercriminals almost operate like a merchant. Some even have reviews proving that they delivered the decryption key after payment and tout their customer service!
This question is really becoming more case-by-case. A lot of it boils down to the quality of your backups and the impact of lost data. In these situations, it’s important to ask yourself the following questions:
- Can you recover your data?
- What would the impact on your business be if you had to start over?
- What would the financial impact be if you didn’t pay up? Think about your lost data, productivity, etc.
Just like in poker, it’s good to“know when to hold ‘em and know when to fold ‘em.”
So how do you get your data back if you don’t pay up? Your best bet is to look for remediation help. Experienced security engineers will be able to recover your system and patch the network vulnerability that allowed for the cyberattack in the first place. When looking for an IT service provider, look for experience in system patches, endpoint protection, email and firewall security, as well as disaster recovery. There are a number of IT service providers out there, so be sure to do your homework; ask for their stats and client referrals.
How Eide Bailly Helps Clients Recover from Ransomware Attacks
Eide Bailly’s Ransomware Readiness Assessment starts with a few exploratory questions. This helps our team gain a better understanding of your current cybersecurity posture level. Based on those answers, we will be able to provide the best recommendations to improve your organization’s ability to respond to ransomware attacks. For example, how would you respond to the following?
- Are your data backups tested periodically?
- Is email automatically filtered to protect against malicious content?
- Are you monitoring your internal network traffic and threats?
- Is there an inventory of your hardware and software assets within your network environment?
- Are you conducting vulnerability scanning, software and hardware patching to mitigate risk?
- Is two-factor authentication implemented for your users?
- Does your organization conduct annual incident response tabletop exercises that include ransomware scenarios?
Where Organizations Get Stuck
With cyberattacks becoming more sophisticated, and the complexities of the fast-paced ever-changing environment, the world of cybersecurity can be incredibly overwhelming. Organizations tend to know what they need to do, but not necessarily how to implement their plans into action. Instead, they sit vulnerable.
It’s at inopportune times — vacation, holidays, conferences, etc. — when the worst often happens. Organizations want to take the jump and start making these changes but often find they don’t have time, don’t know what to do or don’t have the right resources to make it happen.
We find the following to be the biggest areas where organizations get stuck:
- Educational Gaps: Organizations don’t know what they need or how to make the leap.
- Cost: The cost to protect the organization and/or increase the organization’s cybersecurity posture seems too high.
- Staff: There is a lack of expertise and/or experience with technical ability. The IT department is often overwhelmed and burdened with other projects, making it difficult to find the time to dedicate to such a concentrated process.
Ransomware Readiness Assessment
Eide Bailly utilizes CISA’s CSET tool as a baseline for our discussions. We utilize our decades of cybersecurity experience to compliment and modify the tool to apply to a specific client while also bearing in mind their industry, culture and technology stack. It acts as a ransomware readiness assessment template that we use to evaluate the situation and perform an audit to assess what approach is needed in your case.
As part of this assessment, Eide Bailly will conduct interviews with key personnel, run an inventory scanner tool on the environment, and conduct high-level, minimally invasive tests to validate suspected weaknesses in your tech and processes. As an output of this assessment, Eide Bailly will provide clients with:
- A detailed Environment Score over nine areas
- A Gap Analysis
- A detailed recommended course of action to address weaknesses
The ransomware readiness assessment will help organizations create a culture of security by prioritizing security planning for a ransomware attack. In addition, Eide Bailly will provide an Incident Response Playbook to be utilized in the event an incident occurs.
Ready to get started?