Ransomware: What to Know, What to Do and When to Do It
The recent, high-profile targets that fell victim to ransomware attacks (Colonial Pipeline, meat processor JBS and a Martha's Vineyard ferry service) are reminders of how prevalent the threat to businesses is. In fact, these recent attacks have thrust cybercrime into the national spotlight. Unfortunately, these three examples are just a small sample; more than 290 organizations were hit by six ransomware groups in 2021, which brought in more than $45 million this year alone. The US victims include governments, municipalities, hospitals, universities and small businesses. Despite the FBI's impressive work to recover some of the Colonial Pipeline ransom, there is little to deter cybercriminals from continuing their assault. In fact, it is so easy for cybercriminals today that they don't need to write a single line of code; the encryption software is available for purchase or rent to anyone looking to start a criminal enterprise. The threat is well known, but less understood are the actions small businesses can take right now to prevent, respond and react to the growing ransomware threat. Let's face it: with this degree of profitability and so little chance of consequences, cybercriminals will only step up their efforts.
In simplest terms, here are the steps every small business should take.
Prevention at Every Level
Conduct cybersecurity awareness training and educate employees about ransomware attacks
Train employees to spot and report phishing emails, especially those with malicious attachments
Work with your IT Service Provider to:
Ensure firewalls are always operational and up to date
Logically separate networks
Employ a strong email filtering system to block spam and phishing emails
Patch vulnerabilities and keep all software updated
Set up rigorous software restriction policies to block unauthorized programs from running
Keep antivirus fully operational and up to date
Conduct periodic security assessments to uncover security vulnerabilities
Enforce the principle of “least privilege”
Use a strong, real-time intrusion detection system to spot potential ransomware attacks
Back up files using a 3-2-1 backup rule: Keep at least 3 separate copies of data on 2 different storage types, with at least 1 of those stored online.
Ensure critical work is backed up regularly
Test backups! Enforce regular checks for data integrity and recovery of backups
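The "test your backups" step above is usually the one that gets skipped. The script below is an added example, not part of the original article or any backup product: it records a SHA-256 manifest of the source data at backup time and later checks a restored copy against it, so that a backup set that has been silently corrupted, partially lost or encrypted by ransomware is caught before anyone relies on it. The directory layout and file contents are constructed in a temporary folder so it runs offline.

```python
"""Backup integrity check: verify a restored copy against a hash manifest."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored copy against the manifest taken at backup time.

    Reports files that are missing, altered (hash mismatch) or unexpected.
    Altered or unexpected files in a restore are what a ransomware run over
    the backup share leaves behind, so any non-empty result means this copy
    must not be trusted for recovery.
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "altered": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one file tampered, one never copied, one extra."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        for d in (source, restored):
            (d / "finance").mkdir(parents=True)
            (d / "finance" / "ledger.csv").write_text("2021-06-01,invoice,1200\n")
            (d / "readme.txt").write_text("quarterly records\n")
        # payroll.csv exists at the source but was never copied to the backup
        (source / "finance" / "payroll.csv").write_text("alice,5000\n")
        manifest = build_manifest(source)
        # simulate a backup copy that was overwritten with ciphertext and a stray file
        (restored / "finance" / "ledger.csv").write_bytes(b"\x9f\x11\x00simulated ciphertext")
        (restored / "readme.txt.locked").write_text("simulated stray file\n")
        return verify_backup(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is written alongside each backup and the verification runs against a real restore to a scratch location, which also proves the restore procedure itself works.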
Respond Immediately If You Suspect Ransomware
Shut down infected systems at once
Disconnect and isolate infected systems from the network
Immediately isolate backups
Disable all shared drives that hold critical information
Issue a company-wide alert about the attack
Contact your local law enforcement agency and report the attack
React to Ransomware with Measures That Help Recovery
Work with your IT Service Provider to:
Figure out the scope and size of an infection by finding the type and number of devices infected, as well as the kind of data encrypted
Figure out the type and version of the ransomware
Find the threat vector used to infiltrate the network
Conduct root cause analysis
Mitigate any identified vulnerabilities
Check if a decryption tool is available online
Restore your files from a backup
Prevent a Repeat Attack
Ransomware attacks are phenomenally successful. Unprepared businesses and municipalities that pay the ransom could find themselves attacked again if they don't take the necessary steps to close the holes the criminals used. That's why it's important to put measures in place to help prevent a second attack. Once recovered from a breach, make sure it won't happen again. Cleansing the system of malicious files isn't enough; identifying what caused the breach in the first place is essential.
Constant Education is one of the best defenses against social engineering attacks, and strong cybersecurity awareness training solutions can transform employees into a powerful line of defense. A good training solution allows simulated phishing emails to test resilience and show where the company can improve.
Spam Filters examine incoming and outgoing email communications to find threats and prevent them from delivery. This can stop ransomware from ever reaching its intended victim.
Web Filtering prevents employees from accessing malicious websites, such as phishing pages, and from downloading content from these websites.
Endpoint Detection and Response (EDR) solutions continuously check all incoming and outgoing traffic on a network for potential threats. If a threat is detected, the solution isolates the affected machine so that the malware can't spread. An EDR doesn't just keep a record of the incident itself, but of all the events that led up to it, too. This gives insight into which files, processes and registry keys the attacker accessed, and shows where the attack started and how it progressed.
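One of the behaviours an EDR watches for is the signature of active encryption: a single process renaming or rewriting many files to one new extension in a short burst. The detector below is an added, simplified example (not from the article or any EDR product) that runs over constructed file-event records; the record layout `(timestamp_seconds, process, action, path)`, the ten-second window and the threshold of 25 files are all assumptions for illustration.

```python
"""Toy mass-rename detector over endpoint file-event records."""
from collections import defaultdict

# Constructed sample events: an ordinary office session, plus one process that
# renames 40 spreadsheets to a new extension within about eight seconds.
EVENTS = [
    (100.0, "winword.exe", "modify", "docs/report.docx"),
    (105.0, "excel.exe", "modify", "finance/q2.xlsx"),
    (106.0, "excel.exe", "rename", "finance/q2-old.xlsx"),
] + [
    (200.0 + i * 0.2, "unknown.exe", "rename", f"finance/file{i}.xlsx.crypt")
    for i in range(40)
]


def mass_rename_alerts(events, window_s=10.0, threshold=25):
    """Return (process, extension, count) for processes whose renames all end in
    one extension and at least `threshold` of them fall inside `window_s` seconds.

    Rationale: ransomware touches many files from one process in a tight burst
    and stamps them with a common extension; users and backup tools rarely do.
    """
    per_proc = defaultdict(list)
    for ts, proc, action, path in events:
        if action != "rename":
            continue
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        per_proc[proc].append((ts, ext))

    alerts = []
    for proc, items in sorted(per_proc.items()):
        items.sort()
        # sliding window: largest number of renames within window_s seconds
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window_s:
                start += 1
            best = max(best, end - start + 1)
        exts = {e for _, e in items}
        if best >= threshold and len(exts) == 1:
            alerts.append((proc, exts.pop(), best))
    return alerts


if __name__ == "__main__":
    print(mass_rename_alerts(EVENTS))
```

A real product correlates this with other signals (process lineage, shadow-copy deletion, unusual file entropy) before isolating the host, which is why a single heuristic like this is a starting point for detection engineering rather than a finished rule.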
Antivirus software detects and blocks malicious files and warns employees when they visit suspicious websites. Today's most advanced antivirus tools are cloud-based, allowing them to use advanced machine learning technology to automate analytics and improve detection.
There is more than a good chance your business will face a ransomware attack at some point. The key is in making sure you know what to do when it happens and have an experienced IT partner to stand by your side.