Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” In the world of cyber security, it is indeed essential that organizations take steps to prevent ransomware from attacking their organizations and taking their data hostage. However, despite even the most extravagant and precautious preparations, some attacks may still get through. Knowing what to do, how to respond, in the event your organization becomes a victim of ransomware, and what tools to use to help identify and contain an attack can mean the difference between losing one computer and taking down your entire network for hours, days, or even weeks while you repair the damage.
The following best practices can help you efficiently address a ransomware attack against your organization, and return to normal business operations as quickly as possible.
1. Block Ransomware Communication
Many types of ransomware (but not all) require connecting with a command and control server (C&C server) to obtain an encryption key in order to function. Implementing Anti-Bot technology to block ransomware and other forms of malware from connecting and communicating with command and control servers can limit, and possibly eliminate the ability for the ransomware to function.
2. Contain Infections To Prevent It From Spreading, Minimizing Business Impact
While some ransomware requires communications with a C&C server to obtain an encryption key, other variants do not. Some are now bundling the public encryption key with the malware itself, encrypting files before they even reach out to their command and control networks. This makes it more difficult to prevent encryption, because these variants do not even need an initial connection to activate.
But, even if the ransomware manages to encrypt files on the infected device, all hope is not lost. Anti-Bot technology can identify and quarantine malicious process and communications, and automatically lock down the infected devices. Rapid containment can potentially prevent the spread of ransomware to network storage, file share locations, or other systems. This can dramatically reduce the damage caused by the ransomware and limit the impact on your business.
It is essential to deploy a strong approach to proactively prevent infection in the first place. Integrating tools like Anti-Bot into your security strategies can help detect and contain ransomware and other malware infections.
3. Don’t Panic, There May Be An Existing Solution
If you do become the victim of ransomware, do not panic. There may be an existing solution. Contact your IT professionals immediately, as they are best equipped to determine an appropriate response. In some cases, you may be left only with two options – restore encrypted files from back-up or pay the ransom. However, this is not always the case. Ransomware is rapidly evolving, and security professionals are in constant pursuit of attackers and ways to disable their attacks. In several instances, like TeslaCrypt and Shade ransomware for example, decryption keys may be available on the internet. A quick search might save your team significant time and money in dealing with the attack.
4. Analyze And Understand The Attack And Determine An Appropriate Response
Once you have managed to contain the ransomware, it is important to do the research necessary to fully understand it. What was the root cause? How did it get in? Was it user error? What actually happened? Doing the research is critical in order to fully understand the entire attack, so you can develop a plan to treat the whole infection and prevent it from happening again a week or months from now, or again in the distant future.
Your incident response team (IRT) needs to utilize forensic data to fully analyze all aspects of the attack, from the point of entry and path of travel, to the scope of the damage. This information would need to be compiled manually, or aggregated using automated tools. In the event of a ransomware attack, keep in mind that most incident response teams would need to pull all the information and build a report manually. This takes time.
In recent years, automated solutions have become available to enable organizations to address this limitation. Implementing automated forensic analysis tools greatly improves the ability of the incident response team to understand a comprehensive view of the attack, and some solutions even provide guidance for remediation. These tools dramatically reduce the time for event analysis, taking what previously took hours or days, and reducing it to minutes, enabling the information security staff to understand and respond to an attack much more efficiently and effectively.
Ransomware is unfortunately on the rise. Organizations must implement measures to proactively protect their files, data, and systems. It is equally critical that they implement tools that enable their response teams to quickly contain threats and thoroughly understand all aspects of an attack. It is through comprehensive analysis that organizations can develop an effective and efficient response to limit the scope of an attack and attempt to avoid paying the ransom, while retrieving any files that may have been encrypted.
To learn more about ransomware, download the Ransomware: Understand and Protect Against the Latest Threats and Tactics whitepaper and webinar.