Ilia Sotnikov, security strategist & VP of user experience at Netwrix, gives us insight into how to deal with a ransomware attack.
According to the National Cyber Security Centre (NCSC), cyber attacks are at an all-time high, and it has recorded increased ransomware attacks in the UK during 2021. The NCSC has dealt with a 7.5% increase in cases up to August 2021 and is advising companies not to pay up. The head of the UK spy agency GCHQ says the number of ransomware attacks on British institutions has doubled in the past year.
With attacks like this rapidly increasing, what should organizations do if they fall prey? Should they pay up and hope for the best, or refuse and risk further attacks? One can only hope to avoid having to make this choice. Here are some do’s and one don’t for managing the risk of almost inevitable ransomware.
Don’t pay the ransom
The FBI offers three reasons to never pay a ransom. Firstly, there is no guarantee the victim will get the decryption key once the money has been paid. Moreover, even if you receive the key, there is no guarantee you will restore operations overnight.
Secondly, if companies do pay, there’s nothing to stop hackers from attacking them repeatedly, and each ransom demand could be higher than the last. In the NCSC’s Weekly Threat Report (Dec 3rd), a further trend report from Group IB shows a 935% increase in double-extortion ransomware attacks since 2020.
Thirdly, by paying a ransom, companies encourage the ransomware business model and put other organizations at increased risk. That is why the idea of making ransom payments illegal is gaining momentum.
How to handle the risk of ransomware attacks
There are two sides to this coin: you want to reduce the chance of a successful attack, and you have to minimize the possible damage if one happens. The key concepts are therefore layered security and a defense-in-depth approach. We will discuss some of their components below.
But to make any security program work, employees should be aware of at least the security essentials. Therefore, investing in education and training is vital, and cybersecurity awareness among personnel should be one of an organization’s top priorities.
However, even the most comprehensive training cannot guarantee that employees will always follow the best security practices. Just a single careless click on a link in a phishing email can unleash ransomware across an entire IT environment. Every organization should assume it will suffer a ransomware infection and be prepared to react. An effective plan requires fast detection, response, and data recovery.
To reduce the risk of losing access to sensitive data, such as the personally identifiable information of employees and citizens, organizations must know exactly what types of data they store. They must secure the data according to its value. Automated data classification helps deliver better awareness of the existing data, who has access to it, and how sensitive it is. This means the organization can put measures in place to protect key assets. Simply put, you can’t protect all the data, so concentrate on what is really important.
Since ransomware often relies on the access rights of the user account it has compromised, continuously enforcing least-privilege principles will minimize the amount of data that can be encrypted in an attack.
Organizations must monitor user behavior across all critical systems and data, on-premises and in the cloud. Unusual activity discovered in time might point to an attack. Changes to the list of restricted file extensions or a spike in the frequency of file modifications are reasons to worry. Data exfiltration or encryption doesn’t happen immediately; both take time, particularly in distributed, heterogeneous environments with large amounts of data.
Timely detection and counter-action at the early stage of cyberattacks are essential to keep the damage to a minimum.
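The two detection signals just described, a burst of file modifications and files being renamed to an extension outside the normal set, can be turned into a simple rule over a file-server audit log. The following is an added example, not Netwrix code; the CSV log layout, the baseline extension set and the thresholds are assumptions, and the log lines are constructed.

```python
"""Added example (not Netwrix code): flag ransomware-like bursts of file
activity in a file-server audit log. The CSV layout and thresholds are
assumptions; real audit sources differ."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from os.path import splitext

# Constructed log lines, format: "ISO-8601 timestamp,user,action,path".
# alice shows normal editing; bob shows mass modify+rename to a new extension.
SAMPLE_LOG = """2021-12-03T09:00:01,alice,modify,/fs01/finance/q3.xlsx
2021-12-03T09:04:12,alice,modify,/fs01/finance/budget.xlsx
2021-12-03T09:10:00,bob,modify,/fs01/hr/a.docx
2021-12-03T09:10:00,bob,rename,/fs01/hr/a.docx.locked
2021-12-03T09:10:01,bob,modify,/fs01/hr/b.docx
2021-12-03T09:10:01,bob,rename,/fs01/hr/b.docx.locked
2021-12-03T09:10:02,bob,modify,/fs01/hr/c.pdf
2021-12-03T09:10:02,bob,rename,/fs01/hr/c.pdf.locked
2021-12-03T09:10:03,bob,modify,/fs01/hr/d.pdf
2021-12-03T09:10:03,bob,rename,/fs01/hr/d.pdf.locked
"""

# Extensions expected on this share (assumed baseline, normally learned from history).
BASELINE_EXTENSIONS = {".xlsx", ".docx", ".pdf", ".txt"}

def parse_line(line):
    ts, user, action, path = line.split(",", 3)
    return datetime.fromisoformat(ts), user, action, path

def detect_bursts(log_text, window_seconds=60, change_threshold=8, rename_threshold=3):
    """Raise one alert per user when, within a sliding window, the user reaches
    change_threshold modify/rename events or rename_threshold renames to an
    extension outside the baseline (the two signals described in the article)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> deque of (timestamp, unknown_ext or None)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse_line(line)
        if action not in ("modify", "rename"):
            continue                 # reads and deletes are out of scope for this rule
        ext = splitext(path)[1].lower()
        unknown = ext if action == "rename" and ext not in BASELINE_EXTENSIONS else None
        q = recent[user]
        q.append((ts, unknown))
        while ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        renamed = [e for _, e in q if e]
        if user not in alerted and (len(q) >= change_threshold or len(renamed) >= rename_threshold):
            alerted.add(user)
            alerts.append({"user": user, "at": ts.isoformat(), "changes": len(q),
                           "renamed_to_unknown_ext": len(renamed), "extensions": sorted(set(renamed))})
    return alerts
```

On the constructed log, alice’s two edits four minutes apart never accumulate, while bob triggers an alert on the third rename to `.locked`, a few seconds into the burst and long before the whole share is touched.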
Incident Response Plan
Organizations need to document the steps for responding to signs of an attack, including who is responsible for what and at what level. Since the staff, the IT environment, and the threat landscape are always changing, the plan needs to be tested regularly and updated as required.
Align backup and recovery
Organizations need to optimize their backups to ensure that the most crucial data and services can be restored quickly. Then, using detailed information on which files were modified or deleted during a ransomware attack, IT teams should restore only what was affected. This reduces the scope of the effort needed, accelerates the recovery process, and minimizes service disruptions.
No organization wants to choose between paying a ransom or suffering serious damage after refusing to pay. Instead, companies can prevent as many ransomware infections as possible through user education and preparing for the worst-case scenario. Confident in their ability to quickly restore access to systems and data, organizations won’t ever need to consider paying a ransom again.