Ransomware Readiness

With digital extortion on the rise, organizations should develop detailed incident response plans.

In just a few short years, ransomware has progressed from a digital nuisance to a full-blown global crisis. Federal authorities say more than 4,000 ransomware attacks have occurred every day for the past five years, resulting in billions of dollars in damages to the global economy.

Less than a decade ago, ransomware attacks were largely perpetrated by lone-wolf hackers looking to extort a few hundred dollars from random victims. Today, well-funded criminal organizations and state-supported actors are using ransomware to score multimillion-dollar payouts while targeting critical infrastructure, energy and utility companies, healthcare organizations, and government agencies.

The stakes are now so high that the FBI and the Department of Justice recently announced they will begin treating ransomware attacks as a form of terrorism. Deputy Attorney General Lisa Monaco said digital extortion now poses “a national security and economic security threat to the United States.”

Hidden Costs

The cost of ransomware attacks — including ransom payments, downtime, remediation, data loss and insurance premiums — is expected to exceed $20 billion this year. Cybersecurity Ventures predicts the cost will increase more than tenfold to $265 billion over the next 10 years.

What’s worse, paying the ransom almost never fully resolves the problem. New research finds that 80 percent of businesses that pay a ransom suffer a second ransomware attack — often at the hands of the same threat actor. The study from Censuswide also found that nearly half of those paying a ransom reported that some or all of their data was unrecoverable due to corruption during the recovery process.

“Recovering from a ransomware attack can take years and is about so much more than just decrypting and restoring data,” said Chester Wisniewski, principal research scientist, Sophos. “Whole systems need to be rebuilt from the ground up and then there is the operational downtime and customer impact to consider, and much more.”

What’s the Plan?

Preventive measures play an essential role in reducing exposure to ransomware. In reality, however, today’s highly sophisticated attacks may be able to get past baseline security controls. Organizations should take steps to ensure that they can sustain operations in the event of such a ransomware attack.

The key is to develop an incident response plan that provides detailed guidance when an attack is in progress. The plan should outline the processes and procedures your team will follow to detect, investigate, mitigate and recover from an attack. The Cybersecurity and Infrastructure Security Agency (CISA) says a robust incident response plan should include these steps:

BE PREPARED

  • Create an incident response team. This should include technical specialists who can collect and analyze evidence, determine the root cause and implement recovery processes, as well as operational specialists who can document all aspects of the investigation and communicate with the rest of the organization.
  • Perform frequent backups and verify they are working properly to ensure data, files, applications and other resources can be reliably accessed in the event of an attack that encrypts your files. Make sure at least one copy is isolated to ensure it can’t be compromised. This can be done with an “air-gapped” environment, immutable storage, cloud backups or by physically storing backup data offline.
  • Keep an updated inventory of the hardware and software assets connected to your network. Prioritize systems and resources to facilitate restoration processes.

IDENTIFY & ISOLATE

  • Early detection is critical. Once a computer or another endpoint is infected, ransomware can propagate itself throughout the network very quickly. Unusual CPU, file system and disk activity are common signs of an attack, indicating that ransomware is accessing, encrypting or relocating files. Intrusion detection and prevention systems can identify and record suspicious activity.
  • Disable Internet connections in the early stages of an attack. This can prevent ransomware variants from establishing a connection with their command and control (C&C) servers in order to complete their encryption routine. This may give you time to remove the malware before any damage is done. Take the network offline at the switch level if several systems or subnets appear impacted.
  • Isolate infected computers or endpoints as soon as possible to protect networked and shared resources. Change all network passwords and online account passwords as soon as possible. Work with a forensics expert to learn as much as possible about the source of the infection before wiping and reimaging the machine.
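As an added illustration of the early-detection point above (example code, not from the original article or from CISA), the following Python script scans a constructed file-activity log for the burst of extension-changing renames that file-encrypting ransomware typically leaves behind. The log format, process names, paths, window and threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-activity log. The line format is hypothetical
# (not any real EDR/audit product); paths and process names are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:05 pid=1201 proc=WINWORD.EXE op=RENAME path=C:/Users/alice/~tmp1.tmp new=C:/Users/alice/report.docx
2024-05-01T10:01:00 pid=7731 proc=upd8r.exe op=RENAME path=C:/Users/alice/report.docx new=C:/Users/alice/report.docx.locked
2024-05-01T10:01:00 pid=7731 proc=upd8r.exe op=RENAME path=C:/Users/alice/budget.xlsx new=C:/Users/alice/budget.xlsx.locked
2024-05-01T10:01:01 pid=7731 proc=upd8r.exe op=RENAME path=C:/Shares/finance/q1.pdf new=C:/Shares/finance/q1.pdf.locked
2024-05-01T10:01:01 pid=7731 proc=upd8r.exe op=RENAME path=C:/Shares/finance/q2.pdf new=C:/Shares/finance/q2.pdf.locked
2024-05-01T10:01:02 pid=7731 proc=upd8r.exe op=RENAME path=C:/Shares/finance/notes.txt new=C:/Shares/finance/notes.txt.locked
2024-05-01T10:01:02 pid=7731 proc=upd8r.exe op=CREATE path=C:/Shares/finance/README_TO_RESTORE.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

def parse(log):
    """Yield one dict per well-formed log line, with ts as a datetime."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def ext(path):
    # Lower-cased extension of the file name, '' if it has none.
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def find_mass_renames(log, window=timedelta(seconds=60), threshold=5):
    """Return {process: peak count} for processes that rename at least
    `threshold` files to a different extension within `window`."""
    recent = defaultdict(deque)  # process -> timestamps of extension-changing renames
    flagged = {}
    for ev in parse(log):
        if ev["op"] != "RENAME" or not ev["new"] or ext(ev["path"]) == ext(ev["new"]):
            continue
        q = recent[ev["proc"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["proc"]] = max(flagged.get(ev["proc"], 0), len(q))
    return flagged
```

Against a real audit feed, `window` and `threshold` would be tuned to the environment's normal rename rate so that a single legitimate save (the WINWORD.EXE line) is not flagged.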

INVESTIGATE & ERADICATE

  • Capture a memory dump that saves the full contents of system memory. This can help you create a complete record of any malicious processes that are running. The memory dump may contain key material that was used to encrypt the files.
  • Quarantine the malware so that forensics experts can analyze it and identify which strain of ransomware was used. You can also upload an encrypted file to an online service such as ID-Ransomware or VirusTotal to learn about the strain. If you know which strain was used, you may be able to find a free decryptor so you can restore data without paying the ransom.
  • You may be able to remove ransomware with antivirus and endpoint detection and response (EDR) software. However, sometimes this process will only remove pieces of the malware. If newer, more sophisticated malware was used, the better approach may be to rebuild or reimage the compromised system and restore data from a known good backup.
