Six Best Practices For Ransomware Recovery And Risk Mitigation
Stu Sjouwerman
Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.
Typical Root Causes Of Ransomware
While ransomware attacks are continuously evolving, the root causes of how they enter your network haven’t changed much. The twin culprits of phishing and social engineering continue to remain a top entry point while poor cyber hygiene and lack of cybersecurity training are also leading contributors to ransomware infections. The sudden surge in usage of Remote Desktop Protocol (RDP) owing to the pandemic is also leaving many loopholes that attackers are using to their advantage. Unpatched software is another leading vector of ransomware and is used sometimes in combination with social engineering.
Backups No Longer A Viable Option Against Ransomware
Traditional ransomware tricks users into running it and then it replicates itself on various endpoints across the network. It then encrypts those systems and demands a ransom — usually some type of cryptocurrency — in exchange for a decryption key to rescue data and files.
Backups used to be a feasible solution, but cybercriminals were quick to evolve their tactics and have moved on from just encrypting data. A Coveware study found that 70% of ransomware strains also exfiltrate data and threaten to release it publicly, rather than only encrypting it and offering a decryption key. Backups don’t save you from public shame, and that’s why an increasing percentage of victims end up paying the ransom even when they have a backup. What’s more, many victims do not report ransomware attacks to the authorities due to the sensitivity of the leaked data and the associated risk to reputation or stock value.
Another thing that’s changing is that cybercriminals now conduct extensive reconnaissance to discover the crown jewels of the organization and how much they are worth.
Best Practices To Recover From A Ransomware Attack
If you’re hit by ransomware, ensure you follow these basic best practices:
1. Talk to an experienced advisor. Get help from an expert in ransomware. U.S. victims may contact CISA, FBI or Secret Service for help. Hiring a professional ransomware negotiator is a good move.
2. Contain and isolate infected machines. Cutting off the network will help in the majority of cases. However, with some ransomware families, cutting the network can make things worse, so identifying the strain before disconnecting might be a good idea.
3. Execute a practiced incident response plan. Hopefully, your business has a well-documented and well-practiced incident response plan. Make sure you involve legal, management and other relevant teams. If you have cybersecurity insurance, call your carrier.
4. Review business connections. Take a comprehensive review of employees, customers, partners and vendors who touch your network. Conduct an impact assessment and implement a communications program to inform them of the incident.
5. Never pay all the money upfront. Ask for proof that the decryption key works, verify that they have access to the data and ensure that the data is deleted once the ransom is paid. Remember that the payment of ransom does not guarantee that the criminal will release your data unharmed.
6. Identify and close all loopholes. Repeat attacks are more common than you think simply because companies forget to plug the real vulnerabilities and loopholes that got ransomware in their network in the first place.
Best Practices For Effective Ransomware Mitigation
The only true defense against ransomware is making sure it doesn’t access your environment in the first place. Everything else (like backups) must come second. Here are some best practices that businesses can adopt to mitigate the risks of ransomware:
• Focus on mitigating social engineering. Ensure you have the right policies, controls and, most importantly, security training in place. Remember that no matter how great your policies and technical controls are, you’ll always have some phishing or social engineering attack that gets past your defenses.
• Patch your internet-accessible software. It’s extremely important that you patch your systems and software regularly, because you don’t want a remote attacker exploiting a buffer overflow in an unpatched service.
• Use strong, non-guessable passwords. Make sure end users follow best practices and limit password reuse. People tend to reuse passwords, and those credentials captured on one website can be used to compromise others.
• Teach users to spot rogue URLs. Many phishing attempts have awkward, mischievous, shortened URLs that look like they’re from companies like Microsoft, Facebook or Twitter, but they’re not. You need to train people to spot a legitimate URL versus a rogue one.
• Leverage application control on endpoints. Use application control in audit mode so that security teams are alerted immediately to any deviation from the baseline.
• Grant the least privilege possible. Create a safe, isolated environment that the attacker cannot take advantage of. Don’t grant admin access unless you really have to. For example, a single permission misconfiguration can jeopardize security on Amazon and Google Cloud storage buckets (which contain confidential files, databases, source code, credentials, etc.). Attackers can leverage this data to launch ransomware attacks easily.
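The "Teach users to spot rogue URLs" item above can also be backed by a simple technical check on links in inbound mail. The following is an added example, not code from the author or from KnowBe4; the brand-to-domain allow-list and the shortener list are constructed for illustration and the registrable-domain logic is a deliberately crude last-two-labels approximation.

```python
from urllib.parse import urlsplit

# Constructed allow-list of brand -> legitimate registrable domains (illustrative only;
# a real deployment would maintain its own list or use a public suffix library).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "facebook": {"facebook.com", "fb.com"},
    "twitter": {"twitter.com", "x.com"},
}
# Constructed list of URL shorteners that hide the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def registrable_domain(host: str) -> str:
    """Crude approximation: the last two labels of the host (no public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """Return 'legitimate', 'shortened', 'unknown' or 'rogue:<reason>' for one URL."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # Anything before '@' in the netloc is userinfo, not the host: the browser
    # connects to the part after '@', whatever brand name precedes it.
    if "@" in parts.netloc:
        return "rogue:userinfo-in-netloc"
    host = parts.hostname or ""
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        return "shortened"          # destination hidden; expand before trusting
    for domains in BRAND_DOMAINS.values():
        if reg in domains:
            return "legitimate"     # registered domain really belongs to the brand
    text = (host + parts.path).lower()
    for brand in BRAND_DOMAINS:
        if brand in text:
            # Brand name appears in a subdomain or path, but the registered
            # domain is not the brand's: a lookalike.
            return f"rogue:{brand}-lookalike"
    return "unknown"
```

The function is a triage aid for a mail filter or awareness exercise, not a verdict; "unknown" URLs still need the usual scrutiny.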
Ultimately, an effective mitigation strategy is a combination of technological controls, user awareness training and a well-practiced incident response plan. As CISA rightly says: “Don’t let a bad day get worse.”
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.