Ransomware attacks threaten organizations of all types and sizes, and IT teams must be willing to take whatever steps necessary to minimize the risks.
In early August, global consulting firm Accenture suffered a LockBit ransomware attack that threatened confidential data. This made the firm one more victim in a long line of organizations that have fallen prey to these types of attacks. Accenture was fortunate, however. Before the incident, the firm implemented security controls and protocols to guard against such threats and prepared a response if ransomware attackers struck. As far as the firm is aware, no customer data or sensitive information was compromised.
Many have not been so lucky. Ransomware attacks have added up to millions in lost revenue, recovery costs and ransom payments. Even businesses that take the necessary precautions can still fall victim to attacks -- a threat that continues to rise as ransomware becomes more prevalent and sophisticated and grows more adept at infecting backup data. In such a climate, IT teams are under greater pressure than ever to safeguard primary and backup data. To meet these challenges, they must know the right ransomware questions to ask if they hope to ward off attacks or minimize the damage if one occurs.
Questions to ask prior to a ransomware attack
Preparation is the most effective strategy against ransomware. An organization may not be able to completely prevent an attack, but there are safeguards and systems it can put into place to help protect data.
Here are three questions that IT teams and backup admins can ask before a ransomware attack.
How does the organization secure and protect backup data?
Data backups are the first line of defense against ransomware and other threats, but those backups must be fully protected and secured. Not only does this include physical protections -- such as retina scanners, video surveillance, or entry and exit logging -- but also comprehensive storage and network security, which can include a wide range of protections. For example, an IT team might use vulnerability scanning, network segmentation, multifactor authentication, dark web monitoring, intrusion detection systems and antimalware/anti-ransomware software.
Maintain at least two copies of each backup. Store them on different types of media and locate them someplace other than on the primary network. At least one of those backups should be immutable and kept offline (air-gapped). With an immutable backup, data can be written only once, often in a single session, and it cannot be updated or deleted -- a strategy often referred to as WORM (write once, read many). Along with these safeguards, administrators should also ensure that all systems are patched and updated in a timely manner.
What is the organization's prevention strategy?
The first step in ransomware prevention is to review and update backup policies. These policies must reflect what data the organization has, where it is and the systems IT teams should recover first in the event of an attack. Efficient policies specify everything businesses need to back up and when those backups should occur. Back up data regularly and frequently, with critical data the most often. Verify and scan backups for infection. In addition, the policies should specify the length of time to retain backups. Keep in mind how long ransomware can lurk in the background.
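The "verify backups" step above, and the later question of which backups are safe to restore, can be made mechanical by recording a hash manifest at backup time, keeping that manifest on separate offline media, and comparing the copy against it before any restore. This is an added example, not the article's or any vendor's code; the file names and the simulated tampering in demo() are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(backup_dir):
    """SHA-256 of every file under backup_dir, keyed by relative path.
    Written at backup time and stored on separate, offline media, so an
    attacker who reaches the backup copy cannot also rewrite the manifest."""
    root = Path(backup_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(backup_dir, manifest):
    """Compare the on-disk copy with the trusted manifest. Encrypted files show
    up as modified, ransom notes as unexpected, deleted files as missing."""
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }

def safe_to_restore(report):
    return not any(report.values())

def demo():
    """Constructed sample backup, verified clean, then tampered and re-verified."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);")
        (root / "config.yml").write_bytes(b"retention: 90d\n")
        (root / "notes.txt").write_bytes(b"quarterly report")
        manifest = build_manifest(root)          # this copy goes offline
        clean = verify_backup(root, manifest)
        # Simulate what a ransomware-touched copy looks like on the next check
        (root / "db" / "orders.sql").write_bytes(b"\x8f\x12 encrypted junk")
        (root / "notes.txt").unlink()
        (root / "README_RESTORE.txt").write_bytes(b"ransom note")
        tampered = verify_backup(root, manifest)
        return clean, tampered
```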
An organization must have a comprehensive monitoring and alerting system that tracks the entire back-end, endpoint and network environment and looks for anomalies in traffic, data patterns, user behavior and access attempts. The system should be able to respond automatically to threats, for example by quarantining infected systems. These systems may use machine learning and other advanced technologies to identify and mitigate threats. Ensure that end users receive the education and training they need to minimize risky behavior and know what to do if they suspect that their machines have been infected. IT teams must take whatever steps they can to reduce the network attack surface and limit the possibility of end-user actions resulting in ransomware.
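One concrete form the "anomalies in data patterns and user behavior" check can take is a rule that flags a single user and host renaming many files to a new extension in a short window, which is what mass encryption looks like on a file server. This is an added illustration, not code from the original article; the audit-log format, field names and every log line are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-server audit lines: timestamp user host action path
# (the RENAME form is "old -> new"). Only carol's burst should trigger.
SAMPLE_LOG = """\
2021-08-10T09:00:01 alice ws-12 WRITE /share/finance/q2.xlsx
2021-08-10T09:00:05 bob ws-07 RENAME /share/hr/draft.docx -> /share/hr/policy.docx
2021-08-10T09:01:00 carol ws-03 RENAME /share/eng/spec.docx -> /share/eng/spec.docx.locked
2021-08-10T09:01:02 carol ws-03 RENAME /share/eng/plan.xlsx -> /share/eng/plan.xlsx.locked
2021-08-10T09:01:04 carol ws-03 RENAME /share/eng/notes.txt -> /share/eng/notes.txt.locked
2021-08-10T09:01:05 carol ws-03 WRITE /share/eng/HOW_TO_DECRYPT.txt
2021-08-10T09:01:07 carol ws-03 RENAME /share/eng/arch.pdf -> /share/eng/arch.pdf.locked
2021-08-10T09:01:09 carol ws-03 RENAME /share/eng/a.png -> /share/eng/a.png.locked
2021-08-10T09:01:12 carol ws-03 RENAME /share/eng/b.png -> /share/eng/b.png.locked
"""

def parse(line):
    ts, user, host, action, rest = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "action": action, "path": rest}

def detect_mass_rename(log_text, threshold=5, window=timedelta(seconds=60)):
    """Per (user, host), count renames that keep the original file name and
    append a new extension, inside a sliding time window. A count at or above
    threshold is the alert an automated quarantine step could act on."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse(line)
        if ev["action"] != "RENAME" or " -> " not in ev["path"]:
            continue
        old, new = ev["path"].split(" -> ")
        if new.startswith(old + "."):  # ordinary renames (bob) do not match
            events[(ev["user"], ev["host"])].append((ev["ts"], new.rsplit(".", 1)[1]))
    alerts = []
    for (user, host), evs in events.items():
        evs.sort()
        best = start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"user": user, "host": host, "renames_in_window": best,
                           "extensions": sorted({ext for _, ext in evs})})
    return alerts
```

Tune the threshold and window against normal activity for the share before relying on the rule, since bulk legitimate renames (a build job, an archive tool) can look similar.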
How prepared is the organization to handle a ransomware attack?
In addition to an effective backup plan, an organization needs a strategy and system in place to recover that data. IT administrators should know where the backups are located, how to interface with those backups, what processes to use to restore the backups and how to prioritize restore operations. To this end, they must be able to easily access the backups and manage operations, regardless of where the backups are stored. Thoroughly test all phases of the recovery process to ensure the data will be there when it is needed.
Businesses should create an incident response plan that specifically outlines what steps to take in the event of a ransomware attack. The plan should define roles, obligations, who to contact and how to go about containing and eliminating the threat. Anyone who might fulfill one of these roles should receive incident training, which can also validate the response plan. Consider working with a third-party cybersecurity service to help protect against ransomware or assist the organization if an attack occurs. Another option to consider is a cyber insurance policy, which can help offset some of the costs that come with a ransomware attack.
Ransomware questions to ask after an attack has taken place
Even the most diligent organizations can be vulnerable to ransomware attacks, and they must be prepared to take immediate action. By the time IT teams discover an attack, it's likely that the ransomware has already started to encrypt files, even if the scope is relatively contained. If a business does come under attack, IT teams should ask themselves several important questions.
Has the organization controlled the environment?
The priority is to carry out the measures necessary to contain the ransomware. The launch of the incident response plan sets into motion the steps needed to regain control of the environment. Identify which systems have been infected and immediately isolate them. This typically means taking them offline, whether it involves individual computers or an entire subnet, but if IT teams cannot disconnect a system from the network, they should power it down. Be aware, however, that a shutdown can result in the loss of evidence, so organizations should only do it as a last resort.
The response team should also conduct a root cause analysis to try to understand the type of ransomware, the specific variant and how it came into the environment. This process can help identify potentially infected systems and point to possible pathways to recovery. Analysts should collect whatever evidence they discover, as well as capture system images and memory dumps. They should try to identify any sensitive data that the attack might have stolen, even if they can eventually restore the files.
Has IT notified and enlisted key players?
A malware attack can have extensive implications, and effective communication is critical. IT must immediately notify any internal or external stakeholders that the attack could affect, or who might be able to help respond and recover. If an organization has already engaged outside security experts or plans to engage them, it should contact them immediately. If an organization has a cyber insurance policy, contact the provider as soon as possible, in part because the insurer might be able to provide forensic analysis tools.
Along with legal counsel, someone will need to notify the appropriate local and federal law enforcement agencies and government entities, including the FBI's Internet Crime Complaint Center. Some of these agencies might be able to assist in incident response. Organizations such as the Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) might be able to help if an attack occurs. Businesses might also be required to report the incident to one or more regulatory agencies, such as those that govern HIPAA or the EU's GDPR.
How should backup admins proceed with data recovery?
Communication and ransomware containment must come before all else, but at some point, it will be time to start recovery. The exact process will depend on whether the business decides to pay the ransom and, if so, whether the cybercriminals send the decryption key as promised. Even if they do provide the key, the organization must still take steps to recover from the attack, deal with the infected systems and protect against another attack.
CISA, MS-ISAC and federal law enforcement advise against paying the ransom.
When it comes time to start the recovery process, IT should prioritize which systems to restore and in what order. This order is ideally included in the organization's backup and disaster recovery plan. They should then eradicate the ransomware from the infected systems, rebuild the systems if necessary and address any vulnerabilities they discover through the root cause analysis. IT teams should then bring the cleaned-up systems online, verify which backups are safe to restore and then recover the data from those backups. After the systems are up and running, they should document lessons learned and take any steps necessary to reduce the risk of subsequent ransomware attacks.