The do's and don’ts of responding to ransomware
FYI, this story is more than a year old
Ransomware may have had a killer 2016, but according to some cybersecurity researchers, encryption malware is just getting started. This year, ransomware is expected to increase both in volume and variety as hackers continue churning sophisticated new strains of encryption malware. And while you might not be able to prevent every single one from slithering through the cracks, a smart incident response strategy for ransomware can help prevent significant loss and business downtime.
To that end, here are the dos and don’t of ransomware incident response (IR):
Abide by the principle of least privilege: Before there is ever even a need for IR, we recommend applying the principle of least privilege (POLP). In other words, limit end-user admin rights to local drives, or remove them altogether. This can help preclude more widespread infections throughout the network, and reduces the likelihood of an unauthorized executable running in the first place. With cloud computing coming to the fore, this is becoming an increasingly viable option.
Quarantine infected machines: Traditionally, ransomware needed to call home to a command and control server in order to get the encryption key. However, some strains of ransomware now come preloaded with a public encryption key. This makes it more difficult to intercept these attacks early, and increases the likelihood of successful data encryption. Once encryption malware is successfully executed, infected systems must be quarantined to prevent lateral movement on the network.
Execute your premeditated IR plan: First and foremost, hopefully you have an IR plan for ransomware. If you don’t, take this as your wake-up call to create one. Make sure that every person, from the intern to the CEO, knows his or her role in this plan – there is strength in numbers, but only if everyone works in harmony. Remember, the only way to ensure adequate data protection in a ransomware intrusion is to have a clear pathway to remediation.
Pay the ransom: Last year, a Kansas hospital paid a ransom only for the criminals to come back and demand a second. This institution was hardly the only organization to pay up in vain – it’s to be expected of cybercriminals. And yet, a study from IBM revealed that 70 percent of businesses that get hit with ransomware end up paying. Our advice? Do not pay. Take that money you might lose, and instead invest into IR that will preclude you from having to fork over hundreds, if not thousands, of dollars.
Make DR your IR: Last but not least, do not make your disaster recovery plan your IR plan. DR plays a role in data protection, but it is not the be-all end-all of IR because it does not guarantee business continuity. Rather, DR is a sort of last resort in the event that there is no quicker path to recovery (and there almost always is).
Article by Matt Williams, Faronics.