Ransomware attacks brought Australian industries to a standstill in 2020. Focused on the agriculture industry – our beef, wool and dairy lines were crippled through a failure to prepare for and prevent these immediate and extensive strikes.
“Ransomware is one of cybercrime’s strongest business models today, pushing aside long-held staples like banking Trojans, phishing, DDoS, and crypto-jacking. Ransomware has crippled organisations across the globe carrying with it a cumulative price tag well into the billions of dollars. In an even darker twist, ransomware has even begun reaping a toll on human life itself,” reports IBM Security.
Attacks have only continued to increase since the start of 2021; attacks on APAC organisations have already increased 14% to 51 times per week, reports Check Point Research.
While the outcome can weaken many at the knees, the good news is that successful prevention and recovery come down to sensible IT practices.
On average, 66% of businesses reported it would take five or more days to fully recover from a ransomware attack if they didn’t pay the ransom.
All it takes is a prepare, protect, respond and repair action plan to put your business in an offensive attack position.
PREPARE + PROTECT
Assess your current position
Audit your current security methods and actions to highlight any gaping vulnerabilities. Understand your critical data: identify what it is, where it is stored and who has access to it. From this position an organisation can then prioritise protection and detection measures. Need assistance? Undertake a free cybersecurity health check.
Plan, practice and prioritise
Create an incident response plan that includes a data backup and disaster recovery strategy, plus a list of all necessary contacts. Don’t set and forget; ensure you run through your plan regularly and prioritise refinements and improvements.
Training against human error
Knowledge is power when it comes to cybersecurity. Educate your team to understand how innocent malware can look, from an email attachment to a legitimate-looking file name structure. Ransomware only requires basic access levels to launch an attack; do not discount anyone’s position in the company as a door to a potential threat.
Implementing multi-factor authentication is a simple step that can have a profound effect on protection. By verifying every user and device, you amplify your control over access. This should also extend to application logins such as social media accounts.
Fight against infection
Address antivirus hygiene: ensure policies and settings include the automatic scanning and real-time protection of all items, including removable devices. Run regular penetration tests and keep all devices fully patched.
Monitor unusual behaviour
Track outgoing traffic; this will help detect potential malicious connections. Malware will make requests you don’t recognize. It will likely send encrypted system information to a C&C server.
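The following Python sketch is an added example, not part of the original article. It shows one way to review outgoing traffic: destinations outside a known baseline are reported, and those contacted at near-constant intervals are marked as beacon-like. The log format, the addresses and the KNOWN_DESTINATIONS baseline are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log: ISO timestamp, internal source, destination, bytes sent.
SAMPLE_LOG = """\
2021-03-01T09:00:00 10.0.0.21 203.0.113.50:443 512
2021-03-01T09:00:07 10.0.0.21 198.51.100.10:443 48211
2021-03-01T09:05:00 10.0.0.21 203.0.113.50:443 498
2021-03-01T09:10:01 10.0.0.21 203.0.113.50:443 505
2021-03-01T09:13:42 10.0.0.34 198.51.100.10:443 1200
2021-03-01T09:15:00 10.0.0.21 203.0.113.50:443 510
2021-03-01T09:20:00 10.0.0.21 203.0.113.50:443 507
2021-03-01T09:41:19 10.0.0.34 192.0.2.77:80 900
"""

# Assumed baseline of destinations the business recognises (mail, update servers, ...).
KNOWN_DESTINATIONS = {"198.51.100.10:443"}

def parse(log_text):
    """Yield (timestamp, source, destination) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines instead of crashing
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def find_suspicious(log_text, known, min_hits=4, max_jitter=0.1):
    """Return {(source, destination): reason} for destinations outside the baseline."""
    seen = defaultdict(list)
    for ts, src, dst in parse(log_text):
        if dst not in known:
            seen[(src, dst)].append(ts)
    findings = {}
    for pair, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Beacon-like: enough hits, and the spacing between them barely varies.
        regular = (len(times) >= min_hits and
                   statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps))
        findings[pair] = "beacon-like" if regular else "unrecognised"
    return findings

if __name__ == "__main__":
    for (src, dst), reason in find_suspicious(SAMPLE_LOG, KNOWN_DESTINATIONS).items():
        print(f"{src} -> {dst}: {reason}")
```

Malware that randomises its check-in interval will only appear as "unrecognised" here, so the baseline comparison still matters when no regular pattern is found.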
EMAIL IS THE MOST COMMON CHANNEL FOR AN ATTACK
You have recognized an attack; the speed of your response will be the difference between a swift recovery and saturated damages. If you have an IT or Security Operations team, the response starts with them; if you don’t have a team onsite, contact your provider immediately.
Isolate the Threat
Ransomware moves laterally once it infiltrates a network. Start by isolating the infected systems from the network to contain the spread.
Secure your assets
Your backups are key to recovery. Ensure your backup storage is available and isolated from the attack.
Halt all maintenance
Your business is likely to have automated tasks that take place every day, like temporary file removal. Pause all of these, as this could remove critical insights to assist with your incident response and recovery operations.
Inspect patient zero
Trace the source of the threat to understand how access was enabled. Digital forensics can involve speaking with staff involved, walking through all actions taken that day and reviewing all available logs. This can happen in parallel with the response but should be a continued effort to understand and quarantine the malware, as well as protect your business from future attacks.
Call it in
Reporting the attack to authorities is necessary. They can assist in handling any ransom demands and support your documentation for insurance and legal claims.
Hold your line
Never pay the ransom. It is easy to panic and transfer the money as a knee-jerk reaction. However, it does not guarantee the safe return of your data. Plus, it opens the door for future exploits of an abiding, easy target (your business).
DISABLE ADOBE FLASH AS DEFAULT WITHIN YOUR BUSINESS
The initial crisis response is activated, and you are now ready to enact restoration of data.
Wipe and refresh
Remove the malware from the system and address any back doors; this may include wiping all devices and reimaging the original services, virtual machines, and/or applications. This can involve purging all emails, blocking websites and changing company credentials. The root cause of the attack will determine the focus of removal.
Restore from your backup
Recover using your most recent (clean) backup files. Attackers can lurk within your backup files for some time before the threat is known; don’t just assume your most recent backup is the safest. While ransomware is typically used for financial gain, not all attacks are financially motivated; some aim to render the business inoperable. Therefore, ensuring you have a recent clean backup will also prepare you for such attacks.
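The following Python sketch is an added example, not part of the original article. It walks a backup catalogue from newest to oldest and picks the first backup that predates the intrusion and contains no file matching an indicator from the forensic work. The catalogue, the backup ids, the indicator hash and the FIRST_COMPROMISE time are constructed assumptions.

```python
import hashlib
from datetime import datetime

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed indicator from the investigation: hash of the malicious attachment.
DROPPER = b"constructed-sample-dropper"
IOC_HASHES = {sha256(DROPPER)}
# Assumed earliest sign of intrusion, established while tracing patient zero.
FIRST_COMPROMISE = datetime(2021, 3, 10, 14, 30)

# Constructed catalogue: when each backup was taken, and a manifest of path -> SHA-256.
CATALOGUE = [
    {"id": "bk-0308", "taken": datetime(2021, 3, 8, 1, 0),
     "manifest": {"finance/ledger.xlsx": sha256(b"ledger v1")}},
    {"id": "bk-0309", "taken": datetime(2021, 3, 9, 1, 0),
     "manifest": {"finance/ledger.xlsx": sha256(b"ledger v2"),
                  "temp/invoice.pdf.exe": sha256(DROPPER)}},
    {"id": "bk-0311", "taken": datetime(2021, 3, 11, 1, 0),
     "manifest": {"finance/ledger.xlsx.locked": sha256(b"ciphertext")}},
]

def choose_restore_point(catalogue, ioc_hashes, first_compromise):
    """Walk backups newest-first; return (chosen_id, {rejected_id: reason})."""
    rejected = {}
    for backup in sorted(catalogue, key=lambda b: b["taken"], reverse=True):
        hits = sorted(p for p, h in backup["manifest"].items() if h in ioc_hashes)
        if hits:
            # The threat was already inside this backup, whatever its date.
            rejected[backup["id"]] = "contains known-bad file: " + ", ".join(hits)
        elif backup["taken"] >= first_compromise:
            rejected[backup["id"]] = "taken after first sign of intrusion"
        else:
            return backup["id"], rejected
    return None, rejected

if __name__ == "__main__":
    chosen, rejected = choose_restore_point(CATALOGUE, IOC_HASHES, FIRST_COMPROMISE)
    print("restore from:", chosen)
    for backup_id, reason in rejected.items():
        print("skipped", backup_id, "-", reason)
```

In the sample data, bk-0309 predates the first known sign of intrusion yet already holds the malicious attachment, so selecting by date alone would restore the threat along with the data.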
A WELL REHEARSED ACTION AND RESPONSE PLAN WILL SAVE YOUR MONEY AND TIME
Attacks can happen to any business at any time; the best course of protection is to assume it will happen to you and act.
Every 11 seconds, a company is attacked by ransomware. Secure your most important assets. Implement a multi-layered approach now with a complete turn-key solution from leading cybersecurity provider Secure ISS.