Ensure all systems are backed up. It includes examining organizational detection and prevention systems and logs. Many ransomware events result from existing malware infections that were not resolved.
Use backup technology that saves continuous incremental backups on a consistent schedule. It includes utilizing physical write-once-read-many (WORM) storage or virtual equivalents.
Preventing Ransomware
Data backups are among the most essential infrastructure components in an organization. They provide a means to recover deleted or overwritten files and can help mitigate the impact of a ransomware attack. They also play a critical role in recovery from more significant data loss catastrophes such as a fire or data center crash.
Cybercriminals use ransomware to encrypt and lock up data on a network. They then demand a payment to restore access to the data. Dealing with ransomware is like playing Russian roulette, as the malware continues to evolve and cybercriminals adopt new techniques to infiltrate networks and extort funds.
The best way to protect against ransomware is to prevent it from entering a network in the first place. It requires a layered security model encompassing network, endpoint, and edge controls powered by actionable threat intelligence.
Understanding what hardware and software are connected to a network is also essential. It is critical for preventing ransomware attacks that use a technique called “active discovery” to identify vulnerabilities in the network. This method can be hampered by software deployed by personnel and not managed centrally.
Finally, a well-defined incident response plan must be created and tested to limit the impact of ransomware and expedite recovery. It should include steps such as disconnecting infected systems from the internet and core network connections, resetting credentials, including passwords and applying the principle of least privilege where possible.
Detecting Ransomware
Detecting ransomware requires a compelling mix of tools and processes. It starts with an enterprise-wide survey of systems and data, which can uncover things that shouldn’t be stored there. It is typically run concurrently with a backup project to protect those areas.
After an infected company, isolating the systems is crucial to keep the attack from spreading. That’s why it’s critical to have the ability to monitor system and device activity — including file transfer traffic to suspicious file-sharing sites, which attackers use to communicate with their command and control servers.
Companies should also have access to continuous, incremental backups and ransomware solutions that automatically revert changes executed by malware or suspicious programs. It is called XDR, or extended detection and recovery. It can prevent an organization from restoring from external backup solutions or re-imaging affected systems, which would cost time and money.
It’s also essential to set up centralized log management through security information and event management (SIEM) tools that can correlate data from multiple sources. It helps a team analyze suspicious events and identify patterns that could indicate an attack. For example, abnormal file executions, such as hundreds of files being renamed with increasing entropy or high-volume data transfers, can be ransomware indicators.
Isolating Ransomware
The success of a ransomware recovery plan relies heavily on how quickly the infection can be isolated. Some simple attacks (such as phishing) are quick and easy to stop because they only work locally or on a single machine. Other attacks may only launch after gaining significant penetration into an environment, accessing many different systems, and downloading large amounts of data. These more extensive attacks require the support of an incident response team with specialized skills and familiarity with this type of attack.
To prevent a ransomware attack from spreading, use firewalls to filter out malicious traffic. Firewalls use pre-defined rules and threat information to block potentially risky network activity. They can also help to protect against vulnerabilities by blocking exploits and identifying ransomware signatures in files before they get downloaded and executed.
Other defenses include implementing software that detects and analyzes specific malware’s behavior, such as ransomware. These solutions typically look at malware file dates, messages, and other characteristics to determine when an infection happened. They also use machine learning to identify patterns in binary files and other signs of ransomware and can kill the process if it exhibits suspicious behaviors.
Keeping backups offline is also vital. The best backup solutions use air-gapped locations, such as disconnected external storage drives or the cloud, which infected machines can’t access. Additionally, backup technology that saves continuous incremental changes to files ensures that the backups can be restored without any loss when an attack happens.
Restoring Ransomware
According to a survey released in June, 49% of companies hit with ransomware paid the ransom. But there are ways to avoid falling into that trap. First, it’s critical to have reliable backups, not just files and databases. Backups should be stored on physically write-once hardware, read-many (WORM), or virtual equivalents so attackers can’t overwrite backup data with malware. The best backup solutions also save continuous incremental versions of files, ensuring no data is lost during an attack.
Deploying centralized log management using a security information and event management (SIEM) solution is also essential. It helps to correlate data from the network and host security devices across an extended network to quickly identify impacted systems, determine their reach, and assess the direct damage of an attack. Finally, it’s crucial to isolate compromised systems in a coordinated manner, not just for rapid restoration of data but to prevent tipping off actors that have been discovered.
Decryption tools are also available to break the encryption many ransomware variants place on files and systems. They are typically free and require a little technical know-how, but they can be invaluable to organizations that have been victimized. Consider upgrading legacy disaster recovery solutions to all-flash storage technology to reduce recovery times. It enables faster recovery times without the need to change backup software.
