Preparing to Survive a Ransomware Incident If you are reading this, it is not news to you that ransomware is a real and increasing threat to business operations, the financial bottom line, reputation, and in some cases, the very existence of businesses throughout the United States and the world. The summary below from an FBI report released in May of this year speaks about just one of the eight or more active ransomware variants in the world today:

The FBI identified at least 16 Conti ransomware attacks (this is a single ransomware variant) targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 in the U.S.

Ransom amounts vary widely, and we assess are tailored to the victim. Recent ransom demands have been as high as $25 million .   

With ransom demands in the MILLIONS of dollars, all should take notice.  Ransomware attackers could intentionally target an organization, but the vast majority will fall victim to bots that mindlessly crawl the internet searching for known vulnerabilities to exploit. With so many cases reported publicly and countless more that go unreported, it is unwise and negligent not to prepare. Prepare for attempts to compromise your systems and data by reducing your risk.  Prepare to respond to and recover from an attack with as little negative impact as possible. 

Reduce your Risk

Let’s focus on these most common ways ransomware actors gain access, which is sad, the usual suspects. From the same FBI report about the Conti ransomware variant, this is how they get you:

(Ransomware) actors gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials.

Minimize the likelihood these known risks and vulnerabilities can be exploited by efforts to prevent the effectiveness of weaponized links and attachments.

Inform and Train Employees

Your well-intentioned, non-malicious, uninformed, and untrained insider threat, otherwise known as employees, should also be your first line of defense.  Your workforce means well and does not generally intentionally cause harm to their companies, the company’s clients, or their livelihoods. Inform them, train them, and co-opt them as adjunct members of your cybersecurity team. 

Know and Manage your Vulnerabilities

If a password or remote desktop credential is still compromised, ensure additional technical safeguards to render those compromised credentials much less helpful to the malicious actors.  

  • Use multi-factor authentication where possible. 
  • Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. 
  • Avoid reusing passwords for multiple accounts. 
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs. 
  • Require administrator credentials to install the software. 
  • Audit user accounts with administrative privileges and configures access controls with the least privilege in mind.

Be Ready to Recover

Should these efforts eliminate access to your networks, systems, and data still not prove completely impermeable, which is likely, the more efficiently you can recover your data and systems after ANY interruption, the less impact a ransomware attack will have. 

To minimize and quickly recover from the impact of a ransomware event, should one occur, put into practice solid resiliency measures. Resilience consists of your business continuity, disaster recovery, and incident response planning and efforts. Everything you do to ensure you continue to deliver on your Service Level Agreements and mission falls under this category.  

Begin any resilience planning by identifying your critical processes and assets and defining how those impact your business or mission. Data backups are certainly a part of resilience and disaster recovery. Still, your backup copies aren’t much more than historical records without an effective and tested plan to recover operations from those backups.  

Some questions you should ask of your backup and recovery plan are: 

  • Does your data backup process lead to periodic recovery testing?  
  • Can you recover a single database, an entire system, or even your whole operational infrastructure and production/delivery capability from backups?  
  • How much might data be lost if you have to restore from your backups due to a ransomware event? 
  • How much data loss is acceptable?  

With this understanding, your disaster recovery, redundancy, and failover planning will be informed by a risk-based approach to business continuity. 

Some more detailed recovery planning measures you should incorporate:

  • Regularly back up data, air gap, and password-protect backup copies offline. 
  • Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides. 
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud). 
  • Install updates/patch operating systems, software, and firmware as soon as they are released. 
  • Install and regularly update anti-virus and anti-malware software on all hosts. 
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN. 
  • Consider adding an email banner to messages coming from outside your organization. 
  • Disable hyperlinks in received emails. 
  • Implement network segmentation. 

The PolicyCo platform is an ideal tool for creating, hosting and operationalizing your resilience plans and all of your Cyber Security and Compliance policies and procedures. 

Practice

Lastly, ensure your potential response to and recovery from ransomware or any cybersecurity event goes as smoothly as possible by practicing and continuously improving your plans. Develop and execute incident response and disaster recovery drills and exercises that are as realistic as possible to find the gaps and inefficiencies in your project.  Always record and act on lessons learned from any activity or actual events.  

There are many resources for keeping up to date on the threat and best practices for responding to this growing threat.  Below is a link to a Ransomware Fact Sheet developed by the FBI and hosted on their Internet Crime Complaint Center (IC3) website. 

Internet Crime Complaint Center

Ransomware Fact Sheet