Business Daily Media


Five steps to protect against and recover from ransomware attacks

  • Written by Michael Bovalino, ANZ Country Manager, LogRhythm

Ransomware attacks are on the rise and organisations of all sizes are falling victim. The attacks involve cybercriminals infecting a target’s IT infrastructure, encrypting vital data, and then demanding a ransom payment in exchange for the keys. Right now, they top the list of concerns for IT security teams around the world and are poised to become even worse during 2022.

Industry research [1] shows there was a staggering 1318% year-on-year increase in ransomware attacks in the first half of 2021. Interestingly, 94% of the associated malware was delivered by email while 54% of malicious apps impersonated social media platform TikTok.

More concerning still, the research also found that 77% of organisations do not have a cybersecurity incident response plan, so clearly there is work to be done. Five key steps that can be taken to ward off ransomware attacks, or to recover should one occur, are:

  1. Preparation:
    The number of ransomware attacks is continuing to climb at an alarming rate. Organisations cannot afford to ignore this trend and must have in place detailed plans covering how they would respond should an attack occur.

    A key part of preparation is the optimisation and protection of data backups. Ensure there are recent copies stored in different locations which can be used quickly should an attack disable core systems.

    Also, your organisation should deploy a least-privilege strategy which ensures each staff member only has access to the resources they require to carry out their role. This means that, should an attacker obtain a staff member’s credentials, they won’t automatically have access to the organisation’s entire IT infrastructure.

    Other measures to consider include conducting regular user training that alerts staff to potential threats, and the purchase of suitable insurance policies.

  2. Detection:
    A key capability needed to avoid the expense and disruption that ransomware can cause is the ability to detect an attack early. This can be achieved by having in place tools that monitor for unusual network activity and alert IT security teams that can then take a closer look. All incoming email should also be automatically scanned to detect malicious links and payloads before being delivered to user inboxes.

    Security teams should also constantly monitor for early signs of encryption. These can include unusual file name changes or large numbers of files being copied or moved to a different location within the infrastructure.

  3. Containment:
    Should a ransomware attack take place, it might be possible to contain the fallout to a limited number of systems within your organisation’s infrastructure. By taking steps to ringfence the attack, it can be prevented from escalating further and potentially encrypting other valuable core applications and databases.

    Here, having pre-designed playbooks available is important. These will guide the security team and ensure that all required steps are undertaken. These steps will include the lockdown and quarantine of any infected endpoints and the killing of any unauthorised processes that might be running.

  4. Eradication:
    Once an attack has been detected and contained, the next step is to eradicate the associated malware from all infected systems. Security teams need to undertake this step carefully and thoroughly as any code that remains could allow a cybercriminal to mount a fresh attack in the future.

  5. Recovery:
    The final step involves following your organisation’s disaster recovery plan and getting all systems fully operational once more. To achieve this, all infected servers and endpoints should be wiped and rebuilt.

    Once this has been completed, data can be copied from secure backups to allow normal operation to begin. It’s also important to check that all scheduled data backups are again occurring as these will be the best defence against subsequent attacks.

    If appropriate, law enforcement authorities should be alerted about the attack. Customers and partners should also be informed if it is likely that sensitive data may have been compromised. Finally, all staff should be informed about what has occurred and the steps that have been taken to aid recovery.
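
The early signs of encryption described under Detection (step 2), as an added example that is not part of the original article: a sliding-window check over file events that flags an account producing many extension-changing renames, or many moves or copies to a different directory, in a short time. The event tuple layout, account names, paths, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from pathlib import PurePosixPath

def make_sample_events():
    """Constructed events: (epoch seconds, account, operation, old path, new path)."""
    events = [
        (1000, "alice", "rename", "/share/hr/report-v1.docx", "/share/hr/report-final.docx"),
        (1300, "alice", "move", "/share/hr/notes.txt", "/share/archive/notes.txt"),
    ]
    # Constructed burst: 40 renames in 20 seconds, each gaining the same new suffix.
    for i in range(40):
        src = f"/share/finance/invoice-{i}.xlsx"
        events.append((2000 + i // 2, "svc-backup", "rename", src, src + ".locked"))
    return sorted(events)

def classify(old, new):
    """Map one file event to a signal name, or None for an ordinary change."""
    old_p, new_p = PurePosixPath(old), PurePosixPath(new)
    if old_p.suffix.lower() != new_p.suffix.lower():
        return "ext_change"      # unusual file name change
    if old_p.parent != new_p.parent:
        return "relocation"      # copied or moved to a different location
    return None

def detect_bursts(events, window=60, threshold=25):
    """Alert once per (account, signal) when `threshold` events fall within `window` seconds."""
    recent = defaultdict(deque)  # (account, signal) -> timestamps inside the window
    alerted, alerts = set(), []
    for ts, account, op, old, new in events:
        if op not in ("rename", "move", "copy"):
            continue
        signal = classify(old, new)
        if signal is None:
            continue
        key = (account, signal)
        q = recent[key]
        q.append(ts)
        while q[0] <= ts - window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"account": account, "signal": signal,
                           "first_seen": q[0], "alert_at": ts, "count": len(q)})
    return alerts

if __name__ == "__main__":
    for alert in detect_bursts(make_sample_events()):
        print(alert)
```

The threshold and window need tuning against normal activity on the file share, since legitimate bulk jobs such as archiving or migrations also move many files at once.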

The threats posed by ransomware are going to continue to increase in the months and years ahead. By having detailed plans in place that cover protective measures and responses, organisations can be best placed to avoid significant fallout.

[1] Source: Trend Micro, IBM, CSO (2021)
