The increase in ransomware attacks affects organizations across every business, government and social sector, regardless of their size. The best defense is multilayered security measures, including firewalls, monitoring and antivirus protocols. However, once an infiltration is detected, it's critical to take specific steps to prevent further spread and minimize the damage.
Evolving beyond rapid and opportunistic, ransomware attacks have become both prolonged and highly targeted. In response, chief information security officers and IT ops teams can create a ransomware playbook to define the defensive and remedial actions to take before, during and after an attack to contain damage and protect sensitive systems.
Let's look at the primary ingredients for a ransomware playbook, including defensive preparations, proactive responses and steps for comprehensive recovery.
Create a playbook and broaden precautions
Ransomware is malicious software that freezes IT systems and holds data hostage, thereby hamstringing normal processes. Once devices and networks are successfully infiltrated, ransomware encrypts data on drives, both virtual and hardware-based, so that end users can't access files. Malicious actors then extort monetary compensation from unwitting organizations.
However, even after a ransom is paid, whether in cash or cryptocurrency, there is no guarantee that criminals will restore full access to files. Eliminating vulnerabilities requires that organizations:
- Take a methodical approach to fortify infrastructure.
- Execute systematic backups.
- Support workforce precautions through education programs.
Prioritize awareness training, responsibility and testing to prevent emerging threats from infiltrating IT systems.
In addition, IT admins must perform regular system updates, apply patches and reinforce antivirus protocols. An effective ransomware playbook reminds IT administrators to update firewalls to guard against known -- and unknown -- threats. By using proactive identification analysis and proper restrictions, administrators can be confident that their businesses can handle ransomware scenarios.
It's also difficult to overstate the value of consistent backups. Backups represent a failsafe system recovery method that avoids paying the ransom. Automating backups and storing copies offsite, out of reach of the production network, speeds the backup process and ensures that sensitive data remains safeguarded. From this point on, IT must remain vigilant to identify vulnerabilities and apply patches as necessary.
Respond to an attack in progress
As part of a ransomware playbook, administrators can outline a number of defensive steps to take during an attack, such as disconnecting compromised systems. Assess attack severity, identify infected devices, isolate them and alert the IT team members who can respond appropriately. Documenting all remedial activities keeps those involved with the recovery effort up to date and helps to evaluate overall organizational response during the attack review stage.
Using out-of-band communication methods, such as phone calls or text messages, will avoid tipping off attackers that they've been identified. Malicious actors will also move laterally through infected networks to stay hidden or to spread malware across systems before they're taken offline. Once infected, organizations should focus on containment to limit the damage.
If it's impossible to take a network offline, administrators should unplug compromised devices from the wired network and disconnect them from Wi-Fi to prevent malware from spreading. A system that's disconnected but still powered on may retain the ransomware's unlock keys in memory, which IT admins can access to restore the device, so avoid powering it off. During the short-term containment stage, retain data for forensic review and to glean information on the vulnerabilities that led to the attack.
Steps to recover after an attack
A well-thought-out ransomware playbook will accelerate system restoration, provide attack timeline details and help IT admins assess scope. It will also guide an infiltration inquiry, including key questions around timing and attack methods, and identify gaps hackers exploited. The first step to recover after an attack is to restore from preestablished, known-good backups.
Once malware is eradicated, collect and review infiltration evidence to answer questions such as:
- Who attacked the system?
- What changes were made?
- How long did hackers have access?
- Where were the systems located?
- Why did the attack occur?
Formalize a timeline in your ransomware playbook based on evidence from as many sources as possible, such as system logs and network device logs -- for example, those sourced from firewalls and intrusion detection systems.
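To turn evidence from several sources into one chronology, here is an added Python example (not from the original article) that normalizes syslog, firewall CSV and IDS JSON lines to UTC and sorts them; the log formats, hostnames, addresses and timestamps are constructed samples, and the syslog year and time zone are assumptions the script has to supply because syslog lines omit them.

```python
"""Merge constructed log evidence from several sources into a single UTC timeline."""
import json
import re
from datetime import datetime, timezone

# Constructed samples in each source's native format: syslog (no year, local time),
# firewall CSV (epoch seconds) and an IDS alert as JSON with an ISO 8601 offset.
SYSLOG_YEAR, SYSLOG_TZ = 2024, timezone.utc  # assumption: syslog host clock was UTC
SYSLOG = [
    "Mar 14 02:19:40 fileserver01 sshd[2211]: Accepted password for svc_backup from 10.0.5.23 port 51844",
    "Mar 14 02:31:02 fileserver01 smbd[3320]: share finance: 412 files renamed with extension .locked",
]
FIREWALL = ["1710382602,allow,10.0.5.23,203.0.113.77,443,outbound"]  # 2024-03-14T02:16:42Z
IDS = ['{"timestamp":"2024-03-14T04:25:11+02:00","src_ip":"10.0.5.23","dest_ip":"10.0.9.14","alert":"SMB lateral movement"}']

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

def parse_syslog(line, year=SYSLOG_YEAR, tz=SYSLOG_TZ):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    stamp, host, msg = m.groups()
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return {"ts": ts, "source": "syslog", "host": host, "event": msg}

def parse_firewall(line):
    epoch, action, src, dst, port, direction = line.split(",")
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {"ts": ts, "source": "firewall", "host": src, "event": f"{action} {direction} {src}->{dst}:{port}"}

def parse_ids(line):
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["timestamp"]).astimezone(timezone.utc)  # drop the local offset
    return {"ts": ts, "source": "ids", "host": rec["src_ip"], "event": f'{rec["alert"]} {rec["src_ip"]}->{rec["dest_ip"]}'}

def build_timeline(syslog=SYSLOG, firewall=FIREWALL, ids=IDS):
    events = [parse_syslog(l) for l in syslog]
    events += [parse_firewall(l) for l in firewall]
    events += [parse_ids(l) for l in ids]
    events.sort(key=lambda e: e["ts"])  # sort on normalised UTC so sources interleave correctly
    return events

def first_seen(events, host):
    """Earliest evidence involving a host: the starting point for the 'how long' question."""
    return next((e for e in events if e["host"] == host), None)

if __name__ == "__main__":
    for e in build_timeline():
        print(e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["source"], e["host"], e["event"])
```

The span between the first and last entries gives a lower bound on how long the attacker had access; real investigations should add every source the playbook lists before drawing that conclusion.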
Administrators and forensic specialists can use a snapshot of virtual systems and a clone of hardware to determine the root cause of an attack. The goal is to limit recurrence and to eliminate security gaps. As part of this effort, IT teams should scan systems for vulnerabilities before redeployment and restore only from preestablished good backups.
Perform a final review to gather attack documentation and evaluate where to make improvements to security controls and processes. Learning from an incident is critical to minimize the risk of future infiltrations and to uncover missteps. Then, safely store the incident timeline and documentation in a dedicated section of the ransomware playbook for future reference.