What to do after a ransomware attack?

In the digital world, nobody's safe. Your organisation, sooner or later, will face a security incident.

It is a bold statement, but the reality shows it to be true. Companies are breached data is leaking, and business losses are growing - the pattern is repeatable.

What is ransomware and how does it work?

Ransomware is a category of malware designed to block access to a device, service or resources through data encryption until the appropriate ransom amount is paid to the hacker.

Ransomware can get into the systems through (most often) the following techniques:

• social engineering- manipulating users into giving confidential information, e.g. account credentials
• drive-by-download- malware downloading to users’ computers when they visit infected websites
• user-initiated malware installations- when a user installs infected software

If the attack is successful, the ransomware will start encrypting data on the system and the victim will be forced to pay ransom to get the decryption key and recover their data.

A ransomware attack might be staged in advance and executed at a later date. Days or weeks may pass between the infiltration of the network and the actual attack.

In many cases during this period, the attacker will take your data and move it out of the network to request additional ransom for not releasing it or to profit from its sale.

Ransomware - to pay or not to pay?

When you are hit by ransomware, you might think about solving the issue by paying the ransom. It is not what we recommend.

Paying does not always work out well. Besides the moral aspect, remember that you are dealing with criminals, and they might not keep the deal or still sell your data afterwards.

Paying the ransom also fuels the cybercrime industry (it IS an industry) even further. With Ransomware-as-a-Service (RaaS) solutions on the rise, attacks are so easy to launch that they should be considered a source of income.

According to the State of Ransomware 2023 report by Sophos, companies had to spend on average USD 1.82 million on recovery, including downtime, lost productivity, device and network cost. Another statistic from IBM says that the average loss resulting from a data breach amounted to USD 4.45 million in 2023.

What to do after a ransomware attack general rules

When the day comes and your business faces a ransomware attack, here are 7 points to follow:

1. Restrict outgoing and incoming connections from/to the corporate network, including all VPN and remote access services
2. Reset passwords to all high-privileged accounts for hybrid environments. Do this in Active Directory and Azure resources (or the equivalent in your cloud)
3. Reset root passwords of all managed network equipment and storage
4. If there is no password rotation solution in place (is there?), then reset all local administrator passwords on all servers, including domain joined and workgroup machines
5. Disconnect the affected device(s) from the network (make them go entirely offline). Do not turn them off.
   • Unplug machines from the network. Turn off the Wi-Fi or disconnect them via the managed network switches
   • Take snapshots and disconnect virtual adapters from virtual machines
   • Unplug virtualisation hosts from the network
   • Make sure infected systems are offline and cannot access the storage system
6. Check your offsite and online backups for damage and make them available (you do have them, right?)
7. Collect log information from the SIEM solution starting 15 days before the incident.

Now is an excellent time to check if you have procedures in place to follow these steps. It will be a great help when there is a need to react. Time is of the essence in moments like these.

Now, let's look at how you might prevent it from happening. Before a ransomware event happens to your network, the attacker needs to infiltrate it. Typically, it happens through phishing campaigns or targeted phishing attacks.

What is phishing?

Phishing is the No. 1 method for cybercriminals to gain access to organisations through business emails. Compromised mailboxes can leak credentials and help escalate incidents without the user even knowing what happened.

What to do after a ransomware attack caused by phishing

Our cybersecurity team helps customers to solve such problems daily. They created a guide highlighting the steps that should be taken in case of a mailbox breach.

Depending on the setup of your organisation, the team responsible for each action may vary but the process remains the same:

1. Locate all malicious mails and enforce their deletion
2. Block the affected end-user from sending mails
3. Perform remediation actions:
   • Block end user’s sign-in for the time of the investigation
   • Perform a password reset and share the temporary password with either IT security or the end user’s manager
4. Remove suspicious inbox rules/forms/forwarding addresses using PowerShell
5. Enforce MFA on end-user’s account on all devices and platforms
6. Remove assigned administrative roles for a grace period

Once the investigation is concluded:

7. Unblock sign-in
8. Scan end-user’s PC for malware
9. Unblock users from sending emails
10. Consult the IP list with IT security and block all suspicious addresses
11. Request mandatory security training for end-user to raise cybersecurity awareness.

How to prevent ransomware attacks?

Life writes surprising stories. Earlier this year, email addresses of 235 million Twitter (now X) users were leaked. The ransomware demand amounted to $200,000.

In June, the cybersecurity world was collectively mobilised due to an attack on the MOVEit vulnerability, with multiple organisations targeted worldwide, from the BBC to the U.S Department of Energy.

How can you counter such threats to your organisation? The answer is in 4 emerging security practices:

• Zero Trust security, where you enforce security practices constantly, not just for selected actions
• DevSecOps, a practice of protecting code at the source and checking it during writing for vulnerabilities
• The SOAR approach (security, orchestration, automation, response) that allows you to act fast in face of an incident
• Security consulting as a service, enabling you to leverage ready-made services to fortify your environment.