Your organization gets hit by ransomware. Immediately, a million questions come to mind: What is ransomware? What machines are infected? What is the root cause? What is the recovery plan? How do we prevent this from happening in the future?
This was the case for many security professionals when the WannaCry ransomware hit in May 2017. If your organization had strong endpoint management and appropriately patched and updated your endpoints, WannaCry was largely a nonevent. However, if your machines were not updated, questions like these became very real, very quickly as the attack circled the globe bringing companies to their knees.
It’s not just WannaCry; ransomware attacks were the most prevalent variety of malware last year, according to Verizon’s “2018 Data Breach Investigations Report.” Meanwhile, Malwarebytes Labs tracked a 90 percent increase in detected ransomware attacks for business customers in 2017 and noted that “the monthly rate of ransomware attacks against businesses increased up to 10 times the rate of 2016.” Clearly, it’s time for companies to stop thinking it won’t happen to them — and get ready for when it does.
What Is Ransomware?
Before we get into what you can do to prepare for the inevitable, let’s clarify what ransomware actually is and how it works. Ransomware is malware that holds your data hostage and demands payment for its release. It typically infiltrates a system with a phishing email or website infection and exploits an existing endpoint vulnerability.
Ransomware then establishes a foothold, expands to other endpoints, and moves to discover, collect, stage and encrypt target data. Once the damage is done, it covers its tracks and exfiltrates data for use or sale on the dark web. Ransomware is unique because once it is in your environment, there are very few remedies available — all recourse is costly and business interruption is inevitable.
How to Protect Your Business From Ransomware
The good news is that many flaws exploited in ransomware attacks are known vulnerabilities. This means that organizations have the opportunity to prevent most ransomware from being successful before an attack is ever launched.
It is important to prepare your defense so you can respond quickly and effectively during an attack, and remediate and restore where necessary after an attack. The first and most cost-effective remedy is prevention.
Prior to an Attack
As the saying goes, “An ounce of prevention is worth a pound of cure.” Develop an incident response plan and practice executing it. Instead of waiting for an attack to occur, educate your employees proactively to help them recognize ransomware threats and their various infection vectors, including email, macros and compromised websites.
From an administrative perspective, understand what is on your network at all times and maintain a live inventory of these devices. This lets you know where and to what degree you are at risk from various vulnerabilities and helps streamline remediation efforts by knowing which devices to remediate first.
To minimize attack vectors from known vulnerabilities, establish an aggressive and current patch management policy for updating endpoints, operating systems and applications. Focus on achieving high, first-pass patch success rates to minimize the amount of time you have to spend determining root causes for multiple patch failures. Consider using an automated patch management tool to reduce your patch times from days or weeks to hours or minutes, increasing productivity and freeing resources to address other security concerns.
Additionally, you should establish and maintain a minimum security baseline. Incorporate security best practices into all endpoint builds and ensure a consistent “golden image” that adheres to your security policy. Enforce these configuration controls and security baselines on all endpoints. This will help eliminate configuration and compliance drift with protection that travels with the machine.
Next, ensure that your desired controls are in place and operational. Leverage antivirus, endpoint protection platforms (EPPs) and endpoint detection and response (EDR) tools to improve security and automate restart if services are stopped for any reason. Restrict execution of programs from temporary folders and confirm that only authorized executables are running on your devices. Consider prohibiting attachments with executables from email to reduce the number of potential attack agents that can infect your environment. You should also enforce least privilege methodology and restrict user accounts and applications to only those necessary to perform job functions; this will help minimize the impact a ransomware attack can have on other accounts and applications.
Finally, limit common attack vectors by disabling Flash and Windows Script Host (WSH). The more prepared you are in advance, the better your chances of avoiding (or surviving) a ransomware attack.
During an Attack
In the event that ransomware is successful in gaining a foothold in your organization, having a response plan and the right tools in place is vital to limiting the potential damage. Organizations must be able to identify the scope of the attack, contain the event quickly, protect machines that have not been affected, isolate machines that have, restore from backup where appropriate, and update and patch machines where vulnerable.
Start by knowing how to recognize a ransomware event. Look for pop-up messages that demand payment to provide access to data. See if your users are attempting to access a file on the network or on a local device and find out if it is encrypted. Then, determine if any endpoints are making connections that are out of character.
If you are experiencing an active attack, follow your response/remediation plan and decide if you can restore from backup or pay the ransom. Make sure you engage law enforcement — it’s worth noting that the FBI advises against paying a ransom fee. After all, there is no guarantee that paying a ransom will result in the restoration of your data. It’s a good idea to use a smartphone or camera to take a photograph of the ransom note and provide that to law enforcement.
Next, identify the type of ransomware variant. Sometimes you can find the name in the ransom note. Otherwise, you can share copies of the ransom note and/or an encrypted data file with ransomware experts who can evaluate it against known attacks and signatures. Knowing the type of ransomware will help you determine the best recovery option.
To limit damage, turn off all potentially infected endpoints and disconnect them from the network. It’s a good idea to also turn off any other devices (including external drives) for the duration of the attack until you know they are fully cleaned. Also, work offline while cleaning/checking machines and cut connectivity to local networks and file-syncing services to avoid ransomware spreading to other devices.
Many forms of encrypting ransomware copy your files, scramble the copies and delete the originals. Try to restore lost or damaged files by using data recovery tools to see if you can restore the files on your own. If this doesn’t work, continue to execute the restoration plan that was defined prior to the attack and see if you can restore your files from a backup. Before you do this, you should check to make sure ransomware is not part of the backup process and that your backup data is not encrypted.
Next, remove the ransomware from the infected device(s). Use antivirus or anti-malware software to clean the infected machine, but remember that simply removing the ransomware will not decrypt your files, and it may impact your ability to get your files back should you choose to pay the ransom. You might also consider wiping your entire hard drive and reinstalling your operating system and applications.
After an Attack
To prevent reinfection, apply all critical patches to your operating systems and applications. Start with patching the vulnerability that was exploited across your environment and validate that the malware was removed successfully and completely.
Finally, file a police report. This is an important legal step that is often required if you are filing an insurance claim or considering a lawsuit related to your infection. This also helps law enforcement monitor ransomware activity, growth and other trends.
Keep Ransomware Off Your Network
Most successful ransomware attacks gain access to your environment through a known vulnerability on a compromised endpoint. The best way to avoid this is by inoculating your endpoints against ransomware. Endpoint hygiene should ensure that patches are up to date and applications are on the most secure version. You also need visibility into what is happening on the endpoint and across the network so you can contain attacks quickly.
Use an endpoint management solution that provides the real-time visibility and control you need to fight back. It should enable you to discover, patch and report on all endpoints regardless of location, connectivity or bandwidth. The platform should also provide software inventory and asset capabilities that enable you to quickly see all patch levels, software versions and configurations on all endpoints — regardless of operating system or network connectivity. It should do all this securely, with minimal firewall changes and a rock-solid architecture.
You should also consider solutions that integrate with other key security applications you use, such as your security information and event management (SIEM), incident response (IR), EDR, network access control (NAC) and vulnerability management solutions. This will further improve your overall security posture while optimizing your time and resource investments. Most importantly, always remember that the best way to combat ransomware is to keep it off your network altogether.
To learn more, register and watch the on-demand webinar, “The Life and Times of Ransomware: Before, During and After.”