Planning crucial to minimising and recovering from ransomware
When ransomware strikes, you have little time to decide what to do. Payments for some variants increase each day you wait.
If you have planned accordingly and are hit with ransomware, you’ll be able to block most of the attacks and will be able to recover quickly from those that aren’t blocked. If you are hit, you need to know what variant of ransomware you have been hit with and how that type of malware works. Some variants can be decrypted without paying the ransom or obtaining a key from the attacker. Others are extremely well-built and offer no recovery path other than paying the ransomware fee for the key. Finding the key or its hash somewhere in your system is ultra-time sensitive, so you will need to have the malware analysed quickly to decide how best to respond.
Protecting Your Clients’ Data
Your CISO, compliance office and IT team will all have thoughts on the best ways to handle the incident. It’s critical to discuss what to do if you have contractual obligations to deliver vendor or client data but can’t do so because the data has been encrypted. Compliance requirements and the contracts you have with vendors, partners and clients may dictate what you can and cannot do. Present your cyber insurance policy along with the issues and recommendations to your attorney who can advise whether or not your organisation has the legal authority to pay the ransom and whether your company could be found guilty of being an accomplice to a crime. If you can’t get back your data without paying the ransom and still decide not to pay it, discuss whether there could be legal ramifications for not paying if your client contracts say you will “protect and recover their data by any means possible.”
Will Paying the Ransom Really Pay Off?
Although ransomware attackers claim they will give you the key to decrypt your files if you pay, they don’t always deliver. You could end up losing your files and your money. Even if you pay and the attacker had planned on returning your files, if the variant of ransomware you have gets shut down by authorities, you may never be able to obtain the key. If you decide to pay the ransom, seek guidance from your local law enforcement agency to see if it has any middle-man options for payment or payment recovery. Often ransomware payment may only be made via Bitcoin, Paycards or gift cards. Your organization could set up its own Bitcoin account or it could use a third-party service. Setting up a Bitcoin account, transferring funds to it and making payment to your attacker can be time consuming, so research in advance on how to do that in case you ever decide to pay. Your cyber insurance carrier may also provide policy guidelines or recommendations.
Recovery from Ransomware
First and foremost, have a backup and recovery strategy for all your critical files – ideally you should have more than one method – if you use the cloud or remote services, also have a copy that is not connected to the infected systems. If you don’t have an Incident Response (IR) plan in place that directs you in putting which systems back online first, meet with your business teams to create an action plan. Our analysts have responded to numerous ransomware attacks and have multitudes of data on the latest variants that may help you develop your plan to prevent future incidents.
SecureWorks can help you prevent a ransomware infection and can discover a threat inside your network before the attacker has a chance to drop the ransomware. SecureWorks has numerous signatures in place to protect its Managed Security Services clients from ransomware. In February alone, we pushed out 14 new ransomware malware signatures to our clients and we continue to push out new signatures for each ransomware variant we see.
Ransomware Security Tips
· Be sure to back up your data on a regular basis. Diversify your back-up storage – for example, keep one copy in the cloud and one copy offline and keep both updated.
· Exercise caution when it comes to links and attachments in your email and sent through social media sites. Even if it comes from someone you trust, if it looks suspicious, don’t open it. Ensure your employees know the risks and provide awareness training to reduce the risk.
· Keep all software up-to-date. Apply security patches as they become available.
· Familiarize yourself with and get alerts regarding known Ransomware file extensions.
· Establish a back-up strategy that will allow you to recover quickly and prevent the backup data from getting encrypted.
· Create and rehearse annually an IR plan that includes a scenario for being hit with ransomware. If you don’t have an IR plan, we can help you create an incident response plan and can conduct table top exercises with you.
Article by Alan White, Secure Works.