How to recover from a ransomware attack

October 20, 2021

Next week’s Australian Cyber Week, 25-29 October 2021, is designed to help Australians raise their awareness of online security and improve it. Awareness and resilience have never been more important as the cyberthreat landscape continues to evolve, according to Glenn Maiden from Fortinet.

Ransomware has emerged as one of the defining cybersecurity threats of 2021. Attacks have increased tenfold over the past year and this trend is set to continue as cyberattackers see lucrative paydays from ransomware operations.

While expert advice is to avoid paying the ransom, many organisations have done so to avoid having their operations shut down for an extended period. The only way to avoid this is to have a strong ransomware strategy, get prepared early, and understand where the threats are coming from.

Analysis of our global telemetry has revealed that ransomware attacks have increased 10.7 times over the past 12 months. The recent Australian Cyber Security Centre (ACSC) reporting has shown similar increases. Ransomware threats are playing out across the board in all industries from healthcare organisations to education, government, technology, and critical infrastructure. Threats to operational technology (OT) are increasing and ransomware gangs are very aware that OT offers the opportunity to inflict maximum damage and demand the highest ransom.

While ransomware is increasing in velocity and sophistication, novel attacks are rare, and most organisations can be protected with proven techniques and tools. The significant impacts seen recently as a result of high-profile ransomware attacks aren’t a foregone conclusion. With the right measures in place, organisations can reduce the impact of a ransomware attack.

Sometimes, the organisations that have been targeted in the past are the best prepared for a future attack. They understand the risks and have their defences ready and their incident response plan well thought out and rehearsed.

The ACSC Essential 8 advice around prevent, limit, and recover should be fundamental to response planning. There are plenty of techniques and technologies available to reduce the risk such as access management, multifactor authentication, proactive patching, application control, segmentation, zero trust policies, and offline backups.

It is critical to note that while these help to reduce the risk of getting hit in the first place, if ransomware does get in it needs to be contained to do the least amount of damage, and good backups should be in place to bring the organisation back online as soon as possible.

The best incident response plan (IRP) is the one that is tailor-made for each organisation, taking into account its individual business context. This might include attack surface, stakeholders, and customers as well as specific assets, business, and operational requirements. The IRP should be well thought out and realistic; it can’t be shelfware written to get a tick for compliance.

Glenn Maiden and FortiGuard have identified 12 steps to take during a ransomware attack. This is a great example of an operational plan that could help an organisation plan what to do if a ransomware attack occurs:

1. Stay calm and execute the incident response plan. Consider the IT response and the public relations response and establish a communications and update protocol. The business’s security vendor and insurance company can potentially provide expert assistance.

2. Isolate systems and stop the spread. Implement blocks, temporarily take down the internet connection, or isolate the attack at the device level. If endpoint detection and response tools are in place, use these to minimise business disruption.

3. Identify the ransomware variant. Determining which attack the business is dealing with can help the organisation respond appropriately. Some decryption tools may already be available.

4. Identify initial access. Determining the initial access point will help organisations identify and remediate the security gap, whether it’s phishing, exploits on edge services, unauthorised use of credentials, or another vector.

5. Identify all infected systems and accounts. Even after an attack is over, the attackers could still have a foothold in the network so it’s important to prevent persistent threats. Taking action could alert attackers so it’s important to document findings first.

6. Determine if data was exfiltrated. If data is exfiltrated, attackers can threaten to expose it online. Signs of exfiltration include large data transfers or communication from servers to cloud storage applications.

7. Locate backups and determine availability. Ransomware attacks attempt to wipe online backups so it’s important to ensure backups weren’t affected by the incident.

8. Verify the integrity of backups and restore appropriately. Attackers have likely been in the network for days or weeks before launching the attack so it’s important to understand when the initial access occurred then restore from backups made before this time.

9. Sanitise systems or create new builds. While not rebuilding can save time, it may be necessary to create new, clean systems. Whether rebuilding or sanitising, it’s essential to install security controls to avoid reinfection.

10. Report the incident. It’s essential to report the incident to the legal team and insurance company, then determine whether additional reporting is required. Contacting law enforcement may also be advisable.

11. Negotiate before paying the ransom. An experienced security company can help negotiate the ransom down; however, it’s important to remember that paying the ransom doesn’t guarantee the data will be decrypted nor will it remediate security gaps. Also, paying the ransom can mark a company as a lucrative target, resulting in subsequent attacks.

12. Conduct a post-incident review. Reviewing the incident response can help the business understand how to improve its response mechanisms and reassess the attack surface to identify any missing controls.
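As an added illustration of steps 7 and 8 (it is not from the article or from Fortinet), the Python below chooses a restore point from a constructed backup catalogue: the newest backup taken strictly before the estimated initial-access time whose stored bytes still match the digest recorded when the backup was made. The catalogue entries, timestamps and digests are all hypothetical.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_utc(stamp: str) -> datetime:
    # Catalogue timestamps are ISO 8601 in UTC with a trailing 'Z'.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed (hypothetical) backup catalogue. "sha256" is the digest recorded
# out-of-band when the backup was taken; "data" stands in for the stored bytes.
# The 2021-10-03 entry's stored bytes no longer match its recorded digest, which
# is what a backup overwritten during the intrusion would look like.
CATALOGUE = [
    {"name": "weekly-2021-09-26", "taken": "2021-09-26T02:00:00Z",
     "sha256": sha256_hex(b"payroll-db v41"), "data": b"payroll-db v41"},
    {"name": "weekly-2021-10-03", "taken": "2021-10-03T02:00:00Z",
     "sha256": sha256_hex(b"payroll-db v42"), "data": b"payroll-db v42 [encrypted]"},
    {"name": "weekly-2021-10-10", "taken": "2021-10-10T02:00:00Z",
     "sha256": sha256_hex(b"payroll-db v43"), "data": b"payroll-db v43"},
]

def backup_intact(entry: dict) -> bool:
    # Step 8: recompute the digest of the stored bytes and compare to the catalogue.
    return sha256_hex(entry["data"]) == entry["sha256"]

def choose_restore_point(catalogue: list, initial_access: str):
    """Return (chosen_name, rejections): the newest backup taken strictly before
    the estimated initial-access time whose bytes still match the recorded
    digest, plus the reason each newer or corrupted backup was skipped."""
    cutoff = parse_utc(initial_access)
    rejections = {}
    for entry in sorted(catalogue, key=lambda e: parse_utc(e["taken"]), reverse=True):
        if parse_utc(entry["taken"]) >= cutoff:
            rejections[entry["name"]] = "taken at or after initial access; may contain attacker persistence"
        elif not backup_intact(entry):
            rejections[entry["name"]] = "integrity check failed: stored bytes do not match recorded digest"
        else:
            return entry["name"], rejections
    return None, rejections

if __name__ == "__main__":
    # Estimated initial access (constructed) found during step 4.
    name, why = choose_restore_point(CATALOGUE, "2021-10-04T09:00:00Z")
    print("restore from:", name, "| skipped:", why)
```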

It’s important to remember that a ransomware attack doesn’t have to cripple a business. If an organisation doesn’t have the right expertise in-house there are highly skilled professionals and experts that can work with an organisation to build its defences and IRP.

With the right systems and processes in place beforehand, it is possible to drastically reduce the chance of being affected, and even if ransomware does get through, damage is minimised; however, advance preparation is key.