Guide to Preventing, Detecting and Responding to Ransomware Attacks
By Dr. Christine Izuakor - June 26, 2019
Despite a small decline in the total volume of ransomware attacks, assailants are increasingly leveraging the attack method as a targeted way to extort enterprises. This shift toward more selective targets is a typical trend within the Cyber Security industry. For example, at one point, mass phishing emails were all the rage. Attackers would send generic messages to hundreds or thousands of users, hoping that one naïve person would click on a link and help the attacker further their agenda. Today, cyber criminals prefer using spear phishing and whaling. These are more customized and targeted attacks that can help attackers achieve higher success rates.
A similar shift is happening with Ransomware. Attackers are transitioning from widespread attacks to more targeted efforts that offer the biggest bang for their buck. Companies who take these trends as a sign that they can relax about Ransomware and move on to the next threat are sadly mistaken. The threat of ransomware is still very much alive, and a good Cyber Security strategy should include the right people, processes, and technology to prevent, detect, and respond to ransomware attacks.
Combating Ransomware through PEOPLE
- Prevention: Most Ransomware attacks require human action to execute. Whether through malicious email messages or infected pop-up windows, there are immediate implications as soon as the user clicks. As with most prevention strategies, the best way to reduce human error is to make users aware of what they should and shouldn’t be doing. It’s essential to educate employees on what Ransomware is and how it works. Help them understand how they might be targeted and what they can do to help protect themselves and the company.
- Detection: Human interaction can be an efficient way to learn about attacks in your environment. Though technology should be the first line of defense, having a method for employees to report these types of attacks can help where technology is lacking.
- Response: Depending on the type of attack, employees may feel embarrassed, ashamed, or afraid to share the event with their employer (especially in the case of blackmail). They may choose to take matters into their own hands. Having a clear direction on what employees should do in response to a ransomware attack is important. There should be a way for them to report incidents to a technical or Cyber Security resource without being ridiculed or punished for common human error.
Combating Ransomware through TECHNOLOGY
- Prevention: From a technology standpoint, Ransomware attacks can be prevented by having a robust security technology stack that includes adequate email, network, and device security controls. For example, since email is a primary delivery vector for Ransomware, blocking these emails before they make it into the user’s inbox can help prevent successful attacks. Having up-to-date devices and software can also ensure that known vulnerabilities are not exploited.
- Detection: Through advances in technology and Artificial Intelligence integration, detection and response to Ransomware attacks can be automated. Ransomware detection solutions can screen files for known Ransomware variants and set up honeypot files that can uncover unknown attacks.
- Response: Backups are a critical part of Ransomware response strategies, and technology exists to help with this process. Veriato RansomSafe, for example, can intercept the Ransomware command to lock your files, make a clean copy, and safely store it in a different location. This kind of technology can also block accounts attempting to encrypt the data and alert the targeted organization immediately. It’s important to note that in blackmail-based cases, backups may not be as helpful. Other actions may be considered, such as risking disclosure of information, paying the ransom, or choosing to get ahead of the issue by self-publishing.
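The honeypot-file detection mentioned in the Detection bullet above, sketched as an added example (not code from this article or from Veriato): decoy files are written with known hashes, and any later deletion, rename, edit or high-entropy rewrite raises an alert. The file names, decoy text and the 7.0 bits/byte threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed decoy content: plausible-looking, low-entropy text.
DECOY_TEXT = b"Q3 payroll summary - internal use only\n" * 40
ENTROPY_THRESHOLD = 7.0  # bits/byte; assumption: encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def deploy_canaries(directory, names):
    """Write decoy files and return a baseline {path: sha256 hex digest}."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(DECOY_TEXT)
        baseline[path] = hashlib.sha256(DECOY_TEXT).hexdigest()
    return baseline


def check_canaries(baseline):
    """Return (path, reason) alerts for every decoy that no longer matches."""
    alerts = []
    for path, digest in sorted(baseline.items()):
        if not os.path.exists(path):
            alerts.append((path, "missing"))  # deleted or renamed (new extension)
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # decoy untouched
        high = shannon_entropy(data) >= ENTROPY_THRESHOLD
        alerts.append((path, "high-entropy rewrite" if high else "modified"))
    return alerts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = deploy_canaries(tmp, ["0000_finance.docx", "zzzz_backup.xlsx"])
        print(check_canaries(base))  # decoys have not been touched yet
```

No legitimate user or process has a reason to touch a decoy, so any alert from `check_canaries` is worth investigating; in practice the check would run on a schedule or from a file-system watcher and feed the incident response process.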
Responding to Ransomware through PROCESS
The process for responding to a Ransomware attack will differ based on each scenario. Several variables must be considered, such as criticality of assets impacted, the scope of the attack, ransom amount, and more. On top of this, the type of attack (encryption, denial of service, blackmail) matters.
No matter which scenario is present, a reliable incident response process is critical to surviving all of them. Whether the incident involves ransomware or other attack methods, proactively establishing an incident response function can save a company tons of money and time, and can drastically reduce damages. Furthermore, the incident response plan should be tested periodically with realistic scenarios such as Ransomware to ensure it can carry the organization through a real-world attack.
When it comes to response, whether the requested ransom should be paid or not remains a constant debate. In a recent example, a ransomware attack against Baltimore’s government resulted in the disruption of important communication technology such as email and voicemail, as well as numerous citations, technology, and payment systems. The Mayor noted that the option to pay the ransom would be considered if absolutely necessary. A 2018 study reported that 45% of companies who suffer a Ransomware attack end up paying the attackers to regain access to their data. Unfortunately, only a quarter of those companies actually got what they paid for. The reality is that a majority of cyber criminals don’t follow through after receiving payment.
If you’re concerned about a potential Ransomware attack, check out Veriato RansomSafe™. RansomSafe acts as a vital layer in your ransomware defense, combining just-in-time data protection with multiple mechanisms to detect and shut down attacks before they hold your business hostage.
Interested in learning from real victims of recent ransomware attacks? Check out our recap of notable ransomware attacks from 2019 and lessons learned here.