What to do after a ransomware attack?

Cybersecurity guide for enterprises

Nobody’s safe. Your organization, sooner or later, will face a security incident.

I know it is a bold statement, but I have the facts to back it up. Between NotPetya in 2017, when our team helped Maersk recover, and the recent Solorigate incident, the pattern keeps repeating: companies are breached, data leaks, and business losses keep growing.

What is ransomware?

Ransomware is a category of malware designed to block access to a device, a service, or data, usually by encrypting it, until a ransom is paid to the attacker in exchange for the decryption key.

How does ransomware work?

Ransomware most often gets into a network through one of the following techniques:

  • social engineering (manipulating users into handing over confidential information, e.g. a password)
  • drive-by download (malware downloaded to a user's computer when they visit a compromised website)
  • user-initiated malware installation (installing software that carries the malware, e.g. a trojanized or pirated package)

If the attack is successful, the ransomware starts encrypting data on the system, and the victim is pressured to pay a ransom for the decryption key needed to recover it.

An attack is often staged in advance and executed later: there may be days or weeks between the initial intrusion and the moment encryption starts. During that time the attacker maps the network, harvests credentials and spreads to as many systems (and backups) as possible.

In many cases the attacker also exfiltrates your data during this period, so that they can demand a second ransom for not publishing it, or simply sell it (so-called double extortion). This is why containment has to cover the whole network and not just the machines showing a ransom note.

Ransomware statistics 2021 – to pay or not to pay?

When you are hit by ransomware you might be tempted to pay the ransom and have the problem solved. Well – that is not what we recommend.

Paying does not always pay off. Besides the moral aspect, remember that you are dealing with criminals: they may not keep their side of the deal, the decryptor they hand over is often slow and incomplete, and they may still sell or publish your data afterward.

Paying a ransom also fuels the cybercrime industry (it IS an industry) even further. With Ransomware-as-a-Service (RaaS) offerings on the rise, attacks are so cheap and easy to launch that they have become a reliable income stream for criminals with little technical skill of their own.

According to the State of Ransomware 2021 report by Sophos, organizations that paid recovered on average only 65% of their encrypted data. The same report puts the average bill for resolving a ransomware attack (downtime, people time, device and network cost, lost opportunity, ransom paid, etc.) at $1.85 million.

What to do after a ransomware attack – general rules [for businesses using Azure]

When the day comes, and your business faces a ransomware outbreak, here are 8 points to follow:

  1. Restrict outgoing and incoming connections from/to the corporate network, including all VPN and remote access services. Cutting the attacker's command-and-control channel stops further spread and exfiltration while you work.
  2. Reset the passwords of all highly privileged accounts, in on-premises Active Directory and in Azure AD (both, for hybrid environments). Revoke existing sessions and refresh tokens at the same time, and reset the krbtgt account password twice (waiting for replication in between); otherwise the Kerberos tickets and cloud tokens the attacker already holds stay valid after the reset.
  3. Reset the root/administrator passwords of all managed network equipment and storage systems.
  4. If there is no password rotation solution in place (is there?), reset all local administrator passwords on all servers, including domain-joined and workgroup machines. A single shared local admin password is one of the most common ways ransomware operators move laterally.
  5. Disconnect the affected device(s) from the network so they are entirely offline. Do not turn them off: powering down destroys the volatile evidence in memory (running processes, network connections and, for some ransomware families, the encryption keys) that forensic analysis depends on.
    – Unplug machines from the network: turn off Wi-Fi or disable their ports on the managed network switches.
    – Take snapshots of virtual machines, then disconnect their virtual network adapters.
    – Unplug virtualization hosts from the network.
    – Make sure infected systems are offline and cannot reach the storage system.
  6. Check your offsite and offline backups for damage and make them available (you do have them?). Verify first that the backup system itself was not reached by the attacker; deleting or encrypting online backups is a standard step in modern ransomware playbooks.
  7. Collect and preserve logs from the SIEM solution starting at least 15 days before the first known sign of the incident; given the dwell times mentioned above, widen the window if the timeline turns out to be longer.
  8. Call us (OK, this one is optional, but I’m here if you need us).
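The Azure-specific parts of steps 2, 5 and 7, as an added example that is not part of the original article or the author's own tooling. It assumes the Az and Microsoft.Graph PowerShell modules are installed, and that the operator holds Contributor on the VM's resource group, the Global Administrator role and reader access to the Log Analytics workspace; the resource group, VM name, workspace ID and ticket number are placeholders.

```powershell
# Added example, not from the original article. Assumptions: Az and
# Microsoft.Graph modules installed; operator has Contributor on the resource
# group, Global Administrator, and reader rights on the Log Analytics workspace.
$ResourceGroup = 'rg-prod-app'                            # placeholder
$VmName        = 'vm-fileserver-01'                       # placeholder: the infected VM
$WorkspaceId   = '00000000-0000-0000-0000-000000000000'   # placeholder Log Analytics workspace
$Ticket        = 'INC-0000'                               # placeholder incident reference

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes 'Directory.Read.All','User.ReadWrite.All','Directory.ReadWrite.All' | Out-Null

# Step 5: snapshot every disk first (evidence), then isolate the NIC with a
# deny-all NSG. The VM keeps running so that memory can still be acquired.
$vm    = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$disks = @($vm.StorageProfile.OsDisk.ManagedDisk.Id) +
         @($vm.StorageProfile.DataDisks | ForEach-Object { $_.ManagedDisk.Id })
foreach ($diskId in $disks) {
    $snapName = "$Ticket-$($diskId.Split('/')[-1])-$(Get-Date -Format yyyyMMddHHmm)"
    $cfg = New-AzSnapshotConfig -SourceUri $diskId -Location $vm.Location -CreateOption Copy
    New-AzSnapshot -ResourceGroupName $ResourceGroup -SnapshotName $snapName -Snapshot $cfg | Out-Null
}

$rules = @(
    # Assumption: forensic tooling is pushed through the VM agent (Invoke-AzVMRunCommand),
    # which talks to the Azure platform endpoint 168.63.129.16, so keep that reachable.
    New-AzNetworkSecurityRuleConfig -Name 'allow-azure-platform' -Direction Outbound -Access Allow -Priority 100 `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '168.63.129.16' -DestinationPortRange '*'
    New-AzNetworkSecurityRuleConfig -Name 'deny-all-in' -Direction Inbound -Access Deny -Priority 110 `
        -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'
    New-AzNetworkSecurityRuleConfig -Name 'deny-all-out' -Direction Outbound -Access Deny -Priority 120 `
        -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*'
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Location $vm.Location `
    -Name "nsg-$Ticket-isolate-$VmName" -SecurityRules $rules
foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
    $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
    $nic.NetworkSecurityGroup = $nsg           # NIC-level NSG wins even if the subnet NSG allows traffic
    $nic | Set-AzNetworkInterface | Out-Null
}

# Step 2 (cloud side): revoke sessions and force a password change for every
# Global Administrator, so stolen refresh tokens die with the reset.
# On-premises AD needs the same plus the double krbtgt reset described above.
$gaRole = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }
foreach ($admin in $admins) {
    Revoke-MgUserSignInSession -UserId $admin.Id | Out-Null
    # Temporary value, to be handed over out of band; the user must change it at next sign-in.
    $tmp = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    Update-MgUser -UserId $admin.Id -PasswordProfile @{ Password = $tmp; ForceChangePasswordNextSignIn = $true }
    Write-Host "Reset $($admin.AdditionalProperties['userPrincipalName']); temporary password held in `$tmp"
}

# Step 7: preserve 15 days of SIEM data outside the affected environment.
# isfuzzy=true keeps the query working in workspaces that lack one of the tables.
$query = @"
union isfuzzy=true SecurityEvent, SigninLogs, AuditLogs
| where TimeGenerated >= ago(15d)
| order by TimeGenerated asc
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query -Timespan (New-TimeSpan -Days 15)
$result.Results | Export-Csv -Path ".\$Ticket-siem-15d.csv" -NoTypeInformation
```

Order matters: the snapshot is taken before the NSG is applied, so the disk image predates any change the isolation might trigger, and the VM is never deallocated. Log Analytics caps a single query result (around 500,000 rows), so split the export per table or per day on busy workspaces, and copy the CSVs to storage the attacker cannot reach.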

Now is an excellent time to check if you have procedures in place to follow these steps. It might come in handy if there is a need to react. Time is of the essence in moments like these.

That was a general guide, applicable to most ransomware attacks.  

Now, let’s look at how you might prevent it from happening. Before ransomware can detonate on your network, the attacker needs to get in, and typically that happens through a mass phishing campaign or a targeted (spear-phishing) attack.

What is phishing?

Phishing is the No. 1 method for cybercriminals to gain a foothold in organizations, and business email is the usual vector. A compromised mailbox can leak credentials and be used to escalate the incident, for example by sending further phishing mails to colleagues and partners from a trusted address, without the user noticing anything.


What to do after a ransomware attack – phishing emails [for businesses]

Our cybersecurity team helps customers solve such problems daily. I want to share the guide they created, which lists the steps to take in case of a mailbox breach.

Names in brackets state a team who handles it. In our case, [SOC Team] is our Managed SOC team within our cybersecurity unit helping customers.

  1. [SOC Team] Locate all malicious mails and enforce their deletion from every mailbox that received them.
  2. [SOC Team] Block the end user from sending mail, so the mailbox cannot be used to phish colleagues and partners.
  3. [SOC Team] Send a mail to the IT Security Contact requesting the following remediation actions:
    – [Service Desk] Block the end user’s sign-in for the duration of the investigation.
    – [Service Desk] Perform a password reset and hand the new password to either the IT Security Contact or the end user’s manager (never by mail to the compromised mailbox).
  4. [SOC Team] Remove suspicious inbox rules, forms and forwarding addresses using PowerShell. Check mailbox-level forwarding as well as inbox rules: the former is set on the mailbox itself and does not appear in the rule list.
  5. [SOC Team] Enforce MFA for the end user on all devices and platforms, and revoke existing sessions so that the attacker’s tokens stop working.
  6. [SOC Team] Remove assigned administrative roles for a grace period.
  7. [Service Desk] Unblock the sign-in.
  8. [IT Team] Scan the end user’s PC.
  9. [SOC Team] Unblock the user from sending mail.
  10. [SOC Team] Review the list of sign-in IP addresses with the IT Security Contact and block all suspicious ones.
  11. [IT Security] Request mandatory security training for the end user to raise awareness.
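The SOC-side steps of this playbook (1 to 6) for an Exchange Online / Azure AD tenant, as an added example that is not part of the original article or the team's own guide. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an operator holding the Exchange Administrator, Compliance Administrator and User Administrator roles, and a Conditional Access policy that requires MFA for members of a given group; the user, lure sender and subject, group ID and ticket number are placeholders.

```powershell
# Added example, not from the original article. Assumptions: ExchangeOnlineManagement
# and Microsoft.Graph modules installed; operator has Exchange Administrator,
# Compliance Administrator and User Administrator; an existing Conditional Access
# policy enforces MFA for members of the group referenced in step 5.
$User         = 'jane.doe@contoso.example'      # compromised mailbox (placeholder)
$PhishSender  = 'invoice@bad-domain.example'    # sender of the lure (placeholder)
$PhishSubject = 'Overdue invoice 4471'          # subject of the lure (placeholder)
$MfaGroupId   = '11111111-1111-1111-1111-111111111111'   # "require MFA" group (placeholder)
$Ticket       = 'INC-0000'                      # incident reference (placeholder)

Connect-ExchangeOnline | Out-Null
Connect-IPPSSession | Out-Null
Connect-MgGraph -Scopes 'User.ReadWrite.All','GroupMember.ReadWrite.All','RoleManagement.ReadWrite.Directory' | Out-Null

# 1. Find and purge the lure tenant-wide. A purge action removes at most 10 items
#    per mailbox per run, so re-run it if the search reports more hits.
$search = "IR-$Ticket-phish"
New-ComplianceSearch -Name $search -ExchangeLocation All `
    -ContentMatchQuery "from:`"$PhishSender`" AND subject:`"$PhishSubject`"" | Out-Null
Start-ComplianceSearch -Identity $search
do { Start-Sleep -Seconds 15 } until ((Get-ComplianceSearch -Identity $search).Status -eq 'Completed')
New-ComplianceSearchAction -SearchName $search -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null

# 2. Stop the mailbox from sending while the investigation runs.
New-TransportRule -Name "IR-$Ticket block sending $User" -From $User `
    -RejectMessageReasonText "Mailbox under investigation ($Ticket)" | Out-Null

# 3. Block sign-in, kill sessions, rotate the password. The reset alone leaves the
#    attacker's refresh tokens valid, so the revoke is the part that matters.
Update-MgUser -UserId $User -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $User | Out-Null
$tmp = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $User -PasswordProfile @{ Password = $tmp; ForceChangePasswordNextSignIn = $true }
Write-Host "Temporary password for $User is held in `$tmp; hand it over out of band, never by mail"

# 4. Export, then remove, all inbox rules (hidden ones included) and clear
#    mailbox-level forwarding, which lives on the mailbox object, not in the rules.
$rules = Get-InboxRule -Mailbox $User -IncludeHidden
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Export-Csv -Path ".\$Ticket-inboxrules.csv" -NoTypeInformation
$rules | Remove-InboxRule -Confirm:$false
Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# 5. Enforce MFA by putting the user in the group targeted by the Conditional Access policy.
$uid = (Get-MgUser -UserId $User).Id
New-MgGroupMember -GroupId $MfaGroupId -DirectoryObjectId $uid

# 6. Strip directory roles for the grace period and keep a list for restoring them later.
$roles = Get-MgUserMemberOf -UserId $uid -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
foreach ($r in $roles) {
    "$($r.Id),$($r.AdditionalProperties['displayName'])" | Add-Content -Path ".\$Ticket-removed-roles.csv"
    Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $r.Id -DirectoryObjectId $uid
}
```

Steps 7 and 9 are the reverse operations once the client scan is clean: `Update-MgUser -UserId $User -AccountEnabled:$true` and `Remove-TransportRule` on the rule created in step 2. The CSV exports exist so that the rule names, forwarding targets and removed roles stay available as evidence and as a checklist for the grace-period review, since Remove-InboxRule and the role removal leave nothing behind to read later.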

Here is a downloadable guide that you’re free to use and share within your organization.

How to prevent ransomware attacks?

Life writes surprising stories. Earlier this year, Acer, a brand you will recognize, became a ransomware victim with a demand as high as $50M. Most likely it was the result of the exploitation of the recently patched Exchange Server bugs.

Just this month about half of the Swedish Coop supermarkets were closed due to a supply chain ransomware attack that reached its victims through their IT service provider's management software, affecting about 200 businesses, mostly in the U.S.

How can you counter such threats for your organization? The answer is in 4 significant industry trends for the upcoming years. 

Check out my earlier article about it, where I cover:

  • What is an OODA Loop, why is it important, and how does it relate to security?
  • Why do you need different skills in your teams, and what are those skills?
  • Why do you need a feedback loop in cybersecurity across all your services?

Or, if you don’t feel like reading, you can watch the video below.

The threat is real but there are ways to minimize it – with the right countermeasures. Here are a few key takeaways I’d like to highlight:

  • Should something like this ever happen to you, the first step is to stay calm.
  • It’s best to have different scenarios in case a data breach takes place.
  • Cybercrime is constantly evolving – so should you.

Staying up to date with the latest threats, trends, and forecasts is time-consuming, and it takes some effort to find value. But trust me, it’s worth it. What may help you is signing up for my email updates – I cover all the latest industry trends there.

Should this resonate with you, and you’d like to hear even more about current cybersecurity developments and how to align them with your responsibilities, then I’d be happy to set up a call – just let me know.

Key takeaways:

  1. Ransomware is a form of malware that blocks access to your data. It can be compared to the criminals who, when robbing a bank, take hostages and expect money in exchange for their release.
  2. Phishing is the attempt to steal personal information, e.g. through fraudulent websites and emails soliciting the disclosure of information. It is one of the most common delivery vehicles for ransomware.
  3. The proper reaction to a ransomware incident requires the involvement of many teams. Every business should have a response plan, featuring all the actions that need to be taken in an appropriate order.
  4. Being up to date with the latest security threats and trends (and acting on that knowledge!) is essential to increase the chances of preventing a ransomware attack.