Ransomware attacks are on the rise. In 2021 alone, businesses around the world were victims of a 105% increase in attacks. Sonicwall’s 2022 Cyber Threat Report also notes a 755% increase in the healthcare industry and a 1,885% increase in attacks on governments worldwide.
One result of the COVID19 pandemic is that businesses around the world are utilizing remote workers, creating a bevy of new opportunities for cybercriminals to exploit digital information. Ransoms are high – JBS USA, the world’s largest meat supplier, paid an $11 million fee in Bitcoin to end their digital hijacking for instance – and even the average setback in 2021 was $1.85 million.
We put together this list of ways your business can fight back against the surge in ransomware attacks. We developed this acronym – Determent, Planning, Action, and Recover or DPAR* – as a way that you can always remember the steps to fighting back against ransomware:
- Determent – Working to prevent ransomware attacks on your business in the first place.
- Planning – Understanding what your business specifically needs to do after a breach.
- Action – The all-hands moment immediately following a ransomware attack.
- Recovery – Minimizing data losses to avoid major delays in productivity.
*Our acronym team is currently on a sabbatical performing a one-person show about the life and times of the French chef of the Duke de Richelieu.
Determent | How to Prevent Ransomware in the First Place
The most important step you can take toward fighting back against the surge in ransomware attacks is to deter cyber criminals from targeting your organization in the first place. And while it’s not always the case that you can fully prevent attempts, there are ways to help keep your team from becoming a target.
No matter the stakes or the sport, the best offense is a good defense, and your entire team needs to be on the same page when it comes to developing that defense. Your entire C-suite team needs to sit down and discuss the entirety of your digital portfolio – including how to apply your own internal ethos to your approach.
Approximately 75% of all Ransomware attacks begin with either a phishing email or a Remote Desktop Protocol (RDP) compromise, meaning absolutely anyone from third-party vendors and freelancers to remote employees and beyond are all capable of being an accidental source of compromise for your organization.
Here are six ways businesses are proactively deterring ransomware attacks in the first place:
- Securing all Remote Data Protocols
The pandemic caused major shifts in trends for working from home, and no matter how much their local ISP might boast high-security, the reality is home networks are often rife with poor security. Best practices include mandating strong passwords, multifactor authentication, software updates, restricted access, and network-level authentication.
- Multifactor Authentication (MFA)
MFA isn’t just a good idea, it should be absolutely mandatory at your organization as it stops 99.9% of certain attacks.
- Patch Management
Securing communication channels and other old software your team utilizes and patching Windows operating system exploits remain vital elements to keeping your network safe.
- Disabling User-Level Command-Line Capabilities & Blocking Transmission Control Protocol (TCP) Port 445
Ransomware threat actors run free or low-cost software and scanning tools, searching for things like credential harvesting and internal unsecured port discovery from command-line prompts. If command-line capabilities end up disabled, the company becomes a more difficult target. Additionally, blocking port TCP 445 on external-facing infrastructure and internal firewalls also helps reduce the attack surface.
- Protect Active Directory
Active Directory is a database and set of digital services that connect your users with the network resources they need to get their work done. Your database/directory holds critical information, including your network allowances.
- Education and Training
This is a big one for us: Cyber awareness training and education should be mandatory for anyone using your network. Basic changes in behavior, like turning on MFA, can help your organization reduce future risks.
Planning | How to Design a Response to Ransomware
Understanding where your major risks are – and how to keep them safe – should be your number one priority. Create a tactical team, starting with senior leadership, that can prepare your organization for any kind of eventuality. Greg Hughes, the CEO of Veritas, said recently, “The threat has really evolved from targeting big business to also targeting small and medium-sized businesses,” meaning anyone anywhere can end up as the target of an attack.
To avoid reaching the point of paying a ransom of any amount, it’s critical your team be aware of the critical assets that could be the target of a breach. Additionally, consider elements like what the plan is for your backups, and detail what that means for a full-fledged recovery effort including how long your team would be down without the ability to work.
As a part of your plan, devise a way to test your recovery efforts as well. Just like the fire drills you did when you were younger, testing is the best way to develop muscle memory in the event of a disaster. Practice this plan, noting how long each process takes and whether or not your ideas were successful or struggled to get off the ground.
Ask your current IT if they offer tabletop exercises that can run you through hypothetical breach scenarios. This is an extremely useful way to see exactly how your team would handle the real deal.
Make sure that any plan you develop answers these four questions as well:
- Who is in charge?
When the proverbial crap hits the metaphorical fan, someone has to be in charge. Make sure the line of direction is clear so no problems arise along the way.
- How much can you pay?
The reality of ransomware is that you might have to pay the ransom. While the whole point of this article is to avoid that altogether, whoever is in charge of the response should be well aware of your negotiation constraints.
- How do you generate buy-in?
Make sure everyone is aware of the realities and has a clear understanding of what kind of prevention and post-breach action is necessary.
- How do you enhance resilience?
Instead of only asking how to work around problems, discover ways to work through disruptions without missing a beat.
Action | What To Do If You Are Breached
Even as you discover a digital break-in, the clock has already been ticking. No matter how the breach occurred, time is now of the essence so your team must be well aware of the plan we discussed above.
The quicker you act, the quicker your business is back to normal, but the situation isn’t always black and white. In the unfortunate situation that you fall victim to a ransomware attack, here are the four steps we believe are critical to getting back to business:
- Find and stop the infection
Just like any viral attack, detection and isolation is the critical first step to combatting an infection to your system. In the case of connected networks and devices, this means unplugging them manually and digitally from any possible source. It may seem primitive, but the logic is straightforward: A device that isn’t connected can’t be utilized in the breach.
- Identify the Ransomware
Most of the time ransomware will identify itself through a digital display, informing the infected party of what’s to come. To properly identify the ransomware, there are numerous sites you can turn to like ID Ransomware and the No More Ransom! Project (who provides the Crypto Sheriff to help identify your attackers).
- Report the Attack
No matter what the cyber criminals say, the authorities should be contacted to report the breach, and there are many ways to disclose a ransomware attack. Because digital crimes are seemingly invisible to the community at large, reporting digital crimes helps watch groups in painting a picture of the threat at large.
- Stick to Your Plan
You have three options: Pay the ransom, try to remove the malware, or wipe your system and reinstall from your most recent backup. (If you need more info on backing up your company's data, click here.) Whatever your plan is, get rolling because the longer you wait the longer it will take to get back to work.
Recovery | How to Get Back to Work Quickly
Regardless of your plan of action, recovering from a ransomware attack can be a slog.
On the one hand, if you decide to pay and get a decryption key – and that decryption key actually works! – there is usually a considerable amount of work to be done thanks to the attackers turning off servers that aren't designed to be shut down that way.
Additionally, if you pay your ransomer, the attacker essentially becomes a sort of business partner, something most businesses on the up-and-up would like to avoid.
If you don’t pay, and instead you’ve kept all the proper backups, rebuilding networks from backups is still time-consuming – the average downtime a company experiences following a ransomware attack is 21 days.
The good news is prevention isn’t just possible, it’s entirely effective. Cyber security takes time, knowledge, and effort to implement correctly. The time spent on implementation is a far cry from how much time and money you will spend recovering from a data breach.
For more information on what your small business can do to remain vigilant in today's environment give us a call at (864) 552-1291 and we'll help you evaluate capabilities and options. Also, sign up for PTG Tech Talk and consider following us on LinkedIn, Facebook, and Twitter!