Business Daily Media

Men's Weekly

.

Five steps to protect against and recover from ransomware attacks

  • Written by Michael Bovalino, ANZ Country Manager, LogRhythm

Ransomware attacks are on the rise and organisations of all sizes are falling victim. The attacks involve cybercriminals infecting a target’s IT infrastructure, encrypting vital data, and then demanding a ransom payment in exchange for the keys. Right now, they top the list of concerns for IT security teams around the world and are poised to become even worse during 2022.

Industry research1 shows there was a staggering 1318% year-on-year increase in ransomware attacks in the first half of 2021. Interestingly, 94% of the associated malware was delivered by email while 54% of malicious apps impersonated social media platform TikTok.

Very concerningly, the research also found that 77% of organisations do not have a cybersecurity incident response plan, and so clearly there is work to be done. Five key steps that can be taken to ward off ransomware attacks or recover should one occur are:

  1. Preparation:
    The number of ransomware attacks is continuing to climb at an alarming rate. Organisations cannot afford to ignore this trend and must have in place detailed plans covering how they would respond should an attack occur.

    A key part of preparation is the optimisation and protection of data backups. Ensure there are recent copies stored in different locations which can be used quickly should an attack disable core systems.

    Also, your organisation should deploy a least-privileges strategy which ensures each staff member only has access to the resources they require to carry out their role. This means that, should an attacker obtain a staff-member’s credentials, they won’t automatically have access to the organisation’s entire IT infrastructure.

    Other measures to consider include conducting regular user training that alerts them to potential threats, and the purchase of suitable insurance policies.

  2. Detection:
    A key capability needed to avoid the expense and disruption that ransomware can cause is the ability to detect an attack early. This can be achieved by having in place tools that monitor for unusual network activity and alert IT security teams that can then take a closer look. All incoming email should also be automatically scanned to detect malicious links and payloads before being delivered to user inboxes.

    Security teams should also constantly monitor for early signs of encryption. These can include unusual file name changes or large numbers of files being copied or moved to a different location within the infrastructure.

  3. Containment:
    Should a ransomware attack take place it might be possible to contain the fallout to a limited number of systems within your organisation’s infrastructure. By taking steps to ringfence the attack, it can be prevented from escalating further and potentially encrypting other valuable core applications and databases.

    Here, having pre-designed playbooks available is important. These will guide the security team and ensure that all required steps are undertaken. These steps will include the lockdown and quarantine of any infected endpoints and the killing of any unauthorised processes that might be running.

  4. Eradication:
    Once an attack has been detected and contained, the next step is to eradicate the associated malware from all infected systems. Security teams need to undertake this step carefully and thoroughly as any code that remains could allow a cybercriminal to mount a fresh attack in the future.

  5. Recovery:
    The final step involves following your organisation’s disaster recovery plan and getting all systems fully operational once more. To achieve this, all infected servers and endpoints should be wiped and rebuilt.

    Once this has been completed, data can be copied from secure backups to allow normal operation to begin. It’s also important to check that all scheduled data backups are again occurring as these will be the best defence against subsequent attacks.

    If appropriate, law enforcement authorities should be alerted about the attack. Customers and partners should also be informed if it is likely that sensitive data may have been compromised. Finally, all staff should be informed about what has occurred and the steps that have been taken to aid recovery.

The threats posed by ransomware are going to continue to increase in the months and years ahead. By having detailed plans in place that cover protective measures and responses, organisations can be best placed to avoid significant fallout.

1 Source: Trend Micro, IBM, CSO (2021)

Minns Labor Government shutting down the Business Connect program

The NSW Opposition is concerned that the Labor government will shut down a support program that has assisted New South Wales businesses. In a media ...

Samsara Eco appoints Dr. Lars Kissau as General Manager for Asia

Australian biotech innovator Samsara Eco has announced the appointment of Dr Lars Kissau as its first General Manager of Asia. Based in Singapore...

From the first bounce to the final siren - small business lessons from the AFL Grand Final

The AFL Grand Final is one of the most anticipated days on the sporting calendar. This Saturday, the Geelong Cats and Brisbane Lions will battle i...

Australia’s top finance leaders recognised as CFO role expands

Amid surging regulatory demands and rapidly evolving industry, Australia’s most influential Chief Financial Officers will be honoured at the inaug...

Why outdated security leaves small businesses exposed to crime

Small and medium businesses in Australia are under increasing pressure to address security gaps that criminals readily exploit. An unlocked door, an...

Why it’s time telcos rethink location and put customer experience first

Maurice Zicman, Vice President - CX Strategy at TP in Australia unpacks why the telco industry must rethink old assumptions and focus on digital-f...