How to prepare for and prevent a ransomware attack
There has been a lot of media attention lately in certain industries around a strain of ransomware called DoppelPaymer.
Using this ransomware, an adversary first gains access to an organization's network. From there, they encrypt systems, demand a payment and, increasingly, threaten to publish the victim's stolen data if the ransom is not paid. This additional extortion (leaking data on top of encrypting it) has become increasingly common among ransomware operators over the past two years.
As more and more companies are targeted by ransomware actors, here are some best practices to help you prepare for a ransomware event. You may not have total control over who infects your organization or how, but you can control how prepared you are.
Ransomware: a simple but effective way for cybercriminals to make money from cyberattacks. Once installed on a victim's computer it encrypts the user's files and then demands a ransom payment in exchange for the decryption key needed to restore the data.
DoppelPaymer: has been active and affecting victims since at least June 2019. Research shows that the most common ways victims are infected with DoppelPaymer are spam or phishing emails and compromised websites.
11 Things to Think About When it Comes to Ransomware
- Know your threat landscape | Who might attack and how?
- Know your industry’s threat landscape | What type of threats are specific to your industry or what is happening to your industry’s threat landscape?
- Have a plan or playbook to handle ransomware | Do you have a documented plan so you know your next steps?
- Ensure you have a Vulnerability Management and Patching Plan | Do you have a plan for tracking identified vulnerabilities, and a defined schedule for patching them?
- Make sure your advanced EDR is in prevent mode | Are you using the tools you have to prevent attacks?
- Have a plan in place to hunt for Indicators of Compromise (IOCs) | Do you know what to do with relevant IOCs as they are published?
- Make sure you have backups of your critical data and systems | How are your backups taken, and who manages them?
- Make sure your backups are kept offline or otherwise isolated from the production network, so that the same credentials an attacker uses to encrypt your file servers cannot reach them | Where are your backups, and could an attacker with domain administrator rights delete or encrypt them?
- Ensure your service providers are prepared to support you | Do you know what role your providers play if you are infected with ransomware?
- Train staff not to click on links or open files in emails from unknown sources | Do you have regular training to educate staff on safe email use?
- Train staff to recognize phone calls from imposters or fraudsters. Is the caller really from IT? | Do you have regular training to educate staff on safe phone handling?
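As an added example of what "hunting for IOCs as they are published" looks like in practice (this is not part of the original article and is not Nuspire's tooling), the script below loads a small indicator set of file hashes, domains and IP addresses, sweeps proxy, EDR and DNS style log lines for them, matches subdomains of a listed domain as well as the domain itself, and lists the internal hosts that appeared in the matching lines so they can be triaged and isolated first. Every indicator value, hostname and log line is a constructed placeholder for illustration; none of them are real DoppelPaymer indicators, and in practice you would load the values from the vendor or government advisory that published them.

```python
"""Sweep log lines for published indicators of compromise (IOCs).

Added example, not Nuspire's tooling. Every IOC value and log line here is a
constructed placeholder for illustration, not a real DoppelPaymer indicator.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# --- Constructed IOC set (hypothetical; substitute the advisory's real values) ---
PLACEHOLDER_HASH = hashlib.sha256(b"placeholder-sample").hexdigest()
IOCS: dict[str, set[str]] = {
    "sha256": {PLACEHOLDER_HASH},
    "domain": {"c2.bad.example", "malicious-payload.example"},
    "ip": {"203.0.113.45", "198.51.100.7"},  # RFC 5737 documentation addresses
}

# --- Constructed sample logs (proxy, EDR and DNS style, one event per line) ---
SAMPLE_LOGS = f"""\
2024-03-01T10:00:01Z proxy src=10.0.0.5 dst=93.184.216.34 host=www.example.com action=allow
2024-03-01T10:00:07Z proxy src=10.0.0.8 dst=203.0.113.45 host=c2.bad.example action=allow
2024-03-01T10:01:12Z edr computer=WS-22 event=process_create sha256={PLACEHOLDER_HASH} image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.exe
2024-03-01T10:02:30Z proxy src=10.0.0.9 dst=198.51.100.200 host=updates.vendor.example action=allow
2024-03-01T10:03:44Z dns client=10.0.0.8 query=sub.malicious-payload.example type=A
"""

HEX64 = re.compile(r"\b[0-9a-f]{64}\b")                  # SHA-256 hex digests
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(                                    # dotted DNS names
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b"
)
# Fields that name the internal endpoint in our (hypothetical) log formats.
ASSET = re.compile(r"\b(?:src|client|computer)=(\S+)")


@dataclass
class Hit:
    line_no: int
    ioc_type: str
    value: str   # the IOC that matched (for domains, the listed parent domain)
    line: str    # the raw log line, kept for the analyst


def domain_matches(candidate: str, ioc_domains: set[str]) -> str | None:
    """Return the IOC domain if candidate equals it or is a subdomain of it.

    The bare TLD is never tested, so 'example' on its own can't match.
    """
    labels = candidate.split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in ioc_domains:
            return suffix
    return None


def hunt(log_text: str, iocs: dict[str, set[str]] = IOCS) -> list[Hit]:
    """Return every IOC match found in log_text, in line order."""
    hits: list[Hit] = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.lower()  # hashes and hostnames are compared case-insensitively
        for digest in HEX64.findall(line):
            if digest in iocs["sha256"]:
                hits.append(Hit(line_no, "sha256", digest, raw))
        for ip in IPV4.findall(line):
            if ip in iocs["ip"]:
                hits.append(Hit(line_no, "ip", ip, raw))
        for name in HOSTNAME.findall(line):
            parent = domain_matches(name, iocs["domain"])
            if parent:
                hits.append(Hit(line_no, "domain", parent, raw))
    return hits


def affected_assets(hits: list[Hit]) -> set[str]:
    """Internal hosts named in matching lines: the first candidates to isolate."""
    assets: set[str] = set()
    for hit in hits:
        for match in ASSET.finditer(hit.line.lower()):
            assets.add(match.group(1))
    return assets


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
    print("assets to triage/isolate:", sorted(affected_assets(found)))
```

Note that a destination IP that merely shares a prefix with a listed address (198.51.100.200 versus the listed 198.51.100.7) is correctly not reported, while a lookup for a subdomain of a listed domain is: published indicators are usually parent domains, and attackers rotate subdomains freely. Once the sweep is in place, the remaining work is operational: feed each new advisory's indicators into the same sweep, and treat every asset it returns as the starting point of the incident response steps described further down.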
What do you do if you have a Ransomware Attack?
There are five important steps you should take to contain an attack and recover from the damage done to your organization:
- If you have an incident response plan, refer to it.
- Check your backups to make sure they have not been encrypted or deleted as well, before you rely on them for recovery.
- If you have cybersecurity insurance, contact your provider to understand your coverage and what they advise for your next steps.
- Contact your legal counsel and explain the situation to them so they can help you assess any risks to your business and clients.
- Call your Managed Security Services Provider (MSSP). They will have the expertise you need to scope, detect, isolate and prevent further infections.
Jerry Nguyen is Director of Threat Intelligence & Rapid Response at Nuspire. He is an accomplished leader and innovator in cyber security, incident response and threat management with a proven track record of success. Jerry has performed executive consulting, breach investigations and assessment work across the globe in a wide variety of industries, including finance, insurance, healthcare, education, the intelligence community, retail, government and many other organizations in the Fortune 500. Jerry has used his cyber security and business acumen to build industry-respected consulting teams and offerings.