A Guide to Ransomware Preparedness : From Vigilance to Resilience

By 2031, ransomware attacks will cost businesses $265 billion annually, with an attack happening every 2 seconds—up from every 11 seconds in 2021. That the global footprint of ransomware is rapidly on the rise, is no longer up for debate. Along with this, the damage a single attack can cause is also growing. In some cases, attackers demand as much as $40 million or more. In addition to monetary losses, damage to business operations, and loss of customers and reputation, these attacks can even cost human life, when targeted against hospitals or medical devices. 

As ransomware attack techniques get more sophisticated and targeted, security and risk management leaders must not only secure their endpoints but also build resilience. This blog is designed as a primer on ransomware, protecting your business before an attack, and ensuring minimal damage and maximum recovery in case a breach does happen. 

Types of Ransomware 

Ransomware can be broadly classified into four types.

Locker Ransomware: Lockers are used by criminals to restrict user access to systems. In such attacks, users are able to view or interact with a locked screen displaying a ransom demand. As a rule, locker attacks are not aimed at destroying the data, only at preventing users from accessing it. Upon payment, the data is released back to the organization.

Crypto Ransomware: This type of ransomware encrypts the target data, information, and files on the device. In these types of attacks, the user can still use their system and view the data, but the data cannot be accessed or used due to encryption. Criminals use such an attack to demand ransom, and if it is not paid, the encrypted data is permanently deleted.

Digital Extortion, a.k.a Doxware: In the last few years, a new model of ransomware has emerged—the digital extortion business model. Instead of a binary dilemma between paying ransom and losing critical data, companies now have to contend with threats of confidential data being released to the public or auctioned off on the dark web. For example, “REvil,” an aggressive ransomware gang, has leak and auction sites on the dark web, where they publish stolen data, if victims don't pay their desired extortion fee. 

Triple Extortion Ransomware: A concerning extortion trend observed by IBM X-Force in 2021 is the “triple extortion” tactic—encrypting and stealing data, and also threatening to engage in a DDoS attack. In such an attack, a company network is held hostage by two malicious attacks at the same time. 

Extortion-based attacks can be especially devastating for organizations. They not only cost data, money, and trust but also render backup safety measures useless.

Critical Components of Incident Response 

According to the National Institute of Standards and Technology (NIST), an active ransomware attack requires the following steps as part of the incident response.

‍Preparation

Given the continuous evolution of ransomware attack types and tactics, prevention remains the best safety measure. Once an attack has occurred, it is often too late to prevent it from moving forward, since the data has already been compromised. 

In the preparation phase of the attack lifecycle, the organization should keep the following elements in mind:

• The industry-specific types of events and incidents 
• The systems commonly used
• Key risk indicators 

Since end-user negligence is often the top culprit in facilitating attacks, the organization must ensure:

• Educating users about the risks of macros in email attachments 
• Ensuring that group policies are up to date
• Setting up measures that block macros from running in documents sent via the internet.

In the event of an attack, the responsibility of communication falls on the management. This is critical to maintain company reputation and keep customers assured. Management should be:

• Trained to respond to media and stakeholder questions
• Aware of regulatory communication requirements and timelines
• Keep all relevant teams informed and minimize panic

Detection and Analysis

The detection phase is when an employee finds that they are unable to access certain files or services, or when they encounter a ransom note. At this point, the infected device should be isolated—ideally, by hibernating and disconnecting from the network—and the IT security staff notified.

Once the IT team takes over, the analysis phase kicks in. Broadly, the team will attempt to:

• Identify the type of ransomware
• Conduct root cause analysis

Containment, Eradication, Recovery 

The containment phase is a critical part of the response plan as it is geared towards reducing the risk to the organization. Efforts must be made to isolate the system and terminate any encryption processes initiated by the attacker, to minimize not only the damage done but also the effort needed in restoration and recovery. This is usually done by hibernating the system, which further assists in forensic and sample analysis later. Failure to contain the attack almost always leads to rapid increase in the damage on the organization, as the malware continues to encrypt more files on the local system or through the network.

Remember: Never reboot or restart an infected system.

In some cases, the IT team is not able to detect the source of the ransomware infection quickly, which leads to delay in identifying where the encryption process originated. Such a scenario requires that the file share or shares be taken offline to minimize impact to the business. While the servers don’t need to be shut down, it is important to terminate all access to the file shares.

The eradication phase involves removing the ransomware from infected systems across the organization. While this can be a time-consuming process, it is essential that all infected systems are rebuilt from trusted templates and settings. If the ransomware is found to have infiltrated the organization through a source that other users can still access, additional steps must be taken. For instance, if the attack originated through an email message, all messages pending within the mail store should be eliminated. Further investigation of all systems where the email had been viewed or opened should also be carried out, even if the attack was not executed on them. If the source is a web browser vulnerability, specific websites must be blacklisted and monitored and vulnerable browser components updated or removed. Finally, passwords for all affected users should be changed as a precaution without alerting the criminal, so as to revoke their access.

The response can now move to the recovery phase. This should focus on the following components:

• Patch Updates: Any system vulnerabilities detected must be patched to prevent future attacks. 
• Data Restoration: Internal backup must be checked to restore affected files, after verifying the status of backups at the time of required recovery. If the backup is not up to date or has also been encrypted, data can only be restored by breaking the encryption or by paying the ransom.
• Encryption Reversal: Undoing the attack by breaking the encryption or finding the decryption keys on the infected system is the best case scenario. This not only allows full data recovery but also eliminates the need to pay ransom. A good approach is to work with an expert who has knowledge of the particular ransomware variant.

Post-Incident Activity

Once the attack has been handled, it is important to go over the components of the attack as well as the response—to identify security gaps and areas of improvement. A “lessons learned” analysis can help strengthen your organization’s cybersecurity posture to prevent further attacks and improve response efficiency in the event of a breach.

Evren: Ensure Victory in the Battle Against Ransomware

Building a robust organization that can successfully combat the menace of ransomware requires a multilayered, comprehensive cybersecurity plan. Such a plan must incorporate both vigilance, to prevent an attack in the first place, and resilience, to be able to fight back and recover in case a breach does happen. In this day and age, security automation has become critical to achieving this. According to IBM, the growing ransomware threats have made endpoint detection and response (EDR) solution a necessity for businesses. 

Integrated with endpoint security, Evren is an enterprise OS that is purpose-built to protect your organization against all current and future cyber threats and attacks. It has a comprehensive approach to cybersecurity, which relies on multiple layers of protection:

Data Storage: The Evren OS operates on the Amazon Web Services (AWS) platform, and all data is stored encrypted at rest and continuously backed up securely. The AWS data centers employ a set of advanced physical, network, and software security measures to ensure integrity and safety of customers’ data. All data transferred between Evren servers on AWS and other facilities is secured via SSL endpoints using the HTTPS protocol. Multi-factor authentication is enforced for all critical services used by Evren, reducing the risk of unauthorized access. Finally, Evren does not store any sensitive customer or end-user data, and all user data across systems can be deleted upon request.

Data Transfer: Evren uses a secure channel using 256-bit SSL encryption, for secure internet connections for all the traffic between desktop clients, mobile devices, and Evren servers. All SSL termination points are hardened to provide the highest levels of security. The OS uses “Let’s Encrypt” certificates to ensure secure and short-lived certificates that are automatically renewed on a quarterly basis.

Patch Management: Evren leverages managed services to take care of all updates and security fixes automatically and in the most timely fashion possible. It has an internal Vulnerability Management Policy to ensure all un-managed systems are kept up-to-date and free of known vulnerabilities. 

Incident Response Plan: Evren has an internal Data Breach Response Policy and an Incident Response Plan to ensure timely action in the unlikely event of a breach.

Moreover, with Evren’s in-built security features, the employee is no longer the first line of defence, thus eliminating one of the biggest vulnerabilities against ransomware attacks.

Some of Evren’s most powerful security features include:

1. Full Disk Encryption to protect the entire volume and all files on the drive against unauthorized access.
2. Application Sandboxing to keep different apps/software on the company devices isolated from each other, minimizing security threats in the event of a breach.    
3. Privilege Access Management, disallowing end-users admin privileges. The admin password is only available to the IT administrator, is device specific, and is valid only for 24 hours.
4. URL Filtering, enabling admins to block and allow URLs. Evren also enables restricting Google accounts to certain domains that can be used on the browser.
5. Log Management, used for monitoring and security purposes.
6. Asset & Certificate Management for central tracking of all devices; deployment and removal of device certificates; and control over application and network authentication.
7. Remote Device Management, for remote and central management of USB and Bluetooth devices.

—

Don’t let cybercriminals take advantage of security vulnerabilities due to outdated security measures. Automate cybersecurity and keep your organization safe—on premises, in the cloud, and in hybrid environments. 

Contact our experts for a free security audit.

‍