How to Deal with a Ransomware Attack: 5 Key Steps to Consider

In 2020*, a new organization became a victim of ransomware every 10 seconds, and an estimated $20 billion was paid out to criminals.**
How can you avoid becoming a victim of such an intrusion?
When it comes to ransomware, it’s important to say that the ransom is only the last part of a much more devastating attack. In most, if not all, cases the intruders have been inside your systems for over 200 days*** harvesting credentials, installing malware, stealing your data, and corrupting your backups.
Once the attack is set and ready to launch, they start encrypting your data and demanding that sizeable ransom payment. This is the point at which most organizations realize they have been hit with a ransomware attack. Three of the latest very public ransomware attacks demanded $20M and $50M payments, totally changing the outlook for 2021 and what clients and their insurance companies are willing to pay out.
46% of Canadian businesses reported a ransomware attack.**
$879,582 is the average cost of a security breach for an SMB.***
How am I being attacked?
Nowadays, it has become easier than ever to become a cyber-criminal. Ransomware kits can be bought on the Dark Web for less than $200. With these kits, cyber-criminals are leveraging fileless attacks that totally bypass all traditional antivirus and email protection systems.
Also, make no mistake: with many organizations now prioritizing employees working from home, more and more workers are being hit with phishing emails, which facilitates access to the back end of a business. In fact, 67% of ransomware attacks begin with a simple phishing email. Furthermore, contrary to popular belief, no single operating system is safer than another: Windows, macOS, Android and iOS are all being hit.**
But paying the ransom is no guarantee that you will get your data back or prevent any further theft. In fact, your data is usually already up for sale on the Dark Web before they even ask you for the payment. Recovering without paying is never as simple as restoring from backups, even if the backups have not been compromised. You will need to treat your network and systems like scorched earth and reset all passwords and credentials.
How can you mitigate the loss of your data?
Once an attack launches, it unfolds very fast. Many are surprised that their antivirus system did not catch anything early on. Some try unplugging their systems, hoping the attack will go away, but in every case they all wished they had seen it coming!
Here are my 5 key steps that you need to address now to give you much more than a fighting chance:
- Knowing that ransomware usually starts with a phishing email, let’s start there. User Awareness Training that includes Phishing Simulation to train users to recognize and report suspicious emails is a relatively inexpensive way to strengthen your largest attack surface.
- You can further enhance the mitigation above by applying a Secure Email solution to intercept content-based attacks in email, cloud storage, CRM apps, and messaging platforms. This will dramatically reduce the number of malicious emails that reach your users’ inboxes. Bonus points here if it includes a Security Operations Center (SOC) to send all those user-reported suspicious emails to.
- XDR (Extended Detection and Response) is a must for any organization wishing to have a system in place to limit cyber-attacks. This program provides your organization with multiple layers of protection to stop ransomware attacks before they get anywhere near the last phase of the attack: compromising your backups and encrypting your data. You can prevent ransomware if you monitor your files, networks, and endpoints to mitigate and remediate automatically 24/7, 365 days a year, by detecting and stopping any suspicious behaviour in real time. In fact, XDR proved itself during the latest Microsoft Exchange Server breaches by detecting and stopping all zero-day attacks as well as the 15,000 ransomware attacks per day that we saw.
- Now that your files, networks, and endpoints are under control, you can take a closer look at your backup and restore plan. There are varying opinions on the best approach, but thinking of the worst-case scenario is a good place to start. Your Recovery Point and Recovery Time Objectives need to be clearly defined. Then you can stage your backups with snapshots and/or leverage cloud-based solutions to do the same. You should always have a fully offline copy that you can turn to as a last resort. Practice your recovery regularly to ensure your plan works.
- Create and document your Cybersecurity Plan. This is now mandatory for all organizations of any size. Insurance companies are basing your cybersecurity insurance premiums on how well you are protected. They will ask you to fill in a questionnaire and will determine their risk of payout on your answers. Those organizations with the best documented plans will pay the lowest premiums and have access to the largest payouts, if required. Your plan should also provide your team with a step-by-step guide on what to do in case something does happen. It should clearly outline what steps to take and who to call. Do table-top exercises regularly to practice and turn it into a reflex.
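The third step above talks about monitoring files and endpoints for suspicious behaviour in real time. As an added illustration (not code from this post or from any XDR product), the script below runs a simple sliding-window detector over a constructed sample of endpoint file-activity events: it flags a process that renames many distinct user files to an extension outside an allow-list within a short window, which is the pattern the encryption phase of a ransomware attack leaves in file telemetry. The log format, the process names, the allow-list of extensions and the thresholds are all assumptions chosen for the example; a real deployment would read the events from an EDR/XDR feed and tune the thresholds to its own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample of endpoint file-activity events (assumed format, not real telemetry).
# One event per line: timestamp, pid, process name, action, path and, for renames, the new path.
SAMPLE_EVENTS = r"""
2021-04-12T09:15:01Z pid=4412 proc=winword.exe action=write path=C:\Users\amy\Docs\q1-report.docx
2021-04-12T09:15:04Z pid=4412 proc=winword.exe action=write path=C:\Users\amy\Docs\q1-report.docx
2021-04-12T09:15:30Z pid=2210 proc=backup.exe action=write path=D:\Backups\q1-report.docx
2021-04-12T09:15:31Z pid=2210 proc=backup.exe action=write path=D:\Backups\budget.xlsx
2021-04-12T09:15:32Z pid=2210 proc=backup.exe action=write path=D:\Backups\notes.txt
2021-04-12T09:16:00Z pid=7731 proc=updater.exe action=rename path=C:\Users\amy\Docs\q1-report.docx new=C:\Users\amy\Docs\q1-report.docx.locked
2021-04-12T09:16:01Z pid=7731 proc=updater.exe action=rename path=C:\Users\amy\Docs\budget.xlsx new=C:\Users\amy\Docs\budget.xlsx.locked
2021-04-12T09:16:02Z pid=7731 proc=updater.exe action=rename path=C:\Users\amy\Docs\notes.txt new=C:\Users\amy\Docs\notes.txt.locked
2021-04-12T09:16:03Z pid=7731 proc=updater.exe action=rename path=C:\Users\amy\Docs\photo.jpg new=C:\Users\amy\Docs\photo.jpg.locked
2021-04-12T09:16:04Z pid=7731 proc=updater.exe action=rename path=C:\Users\amy\Docs\invoice.pdf new=C:\Users\amy\Docs\invoice.pdf.locked
2021-04-12T09:16:05Z pid=7731 proc=updater.exe action=rename path=C:\Users\amy\Docs\memo.docx new=C:\Users\amy\Docs\memo.docx.locked
"""

# Paths in this sample contain no spaces, so \S+ is enough for the assumed format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) action=(?P<action>\w+) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# Extensions normally seen on user documents in this (assumed) environment.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".tmp"}
WINDOW_SECONDS = 60            # how far back each process's activity is considered
DISTINCT_FILE_THRESHOLD = 5    # distinct files renamed to an unknown extension before alerting


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["pid"] = int(ev["pid"])
    return ev


def extension(path):
    """Return the lower-cased final extension of a Windows-style path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def detect_mass_rename(lines, window=WINDOW_SECONDS, threshold=DISTINCT_FILE_THRESHOLD):
    """Return one alert per process whose recent activity looks like bulk file encryption.

    A process is flagged the first time that, within `window` seconds, it has touched at
    least `threshold` distinct files and at least `threshold` of those events were renames
    to an extension not in KNOWN_EXTENSIONS.
    """
    recent = defaultdict(deque)   # pid -> deque of (timestamp, path, renamed_to_unknown_ext)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        renamed_unknown = (
            ev["action"] == "rename"
            and ev["new"] is not None
            and extension(ev["new"]) not in KNOWN_EXTENSIONS
        )
        q = recent[ev["pid"]]
        q.append((ev["ts"], ev["path"], renamed_unknown))
        # Drop events that have fallen out of the sliding window.
        while q and (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct_files = {path for _, path, _ in q}
        unknown_renames = sum(1 for _, _, flag in q if flag)
        if (len(distinct_files) >= threshold and unknown_renames >= threshold
                and ev["pid"] not in alerted):
            alerted.add(ev["pid"])
            alerts.append({
                "pid": ev["pid"],
                "proc": ev["proc"],
                "first_seen": q[0][0].isoformat(),
                "files": len(distinct_files),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS.strip().splitlines()):
        print(f"ALERT pid={alert['pid']} proc={alert['proc']} "
              f"files={alert['files']} since={alert['first_seen']}")
```

Run as written, the script reports a single alert for `updater.exe` after its fifth rename, while the word processor saving the same document twice and the backup job writing three files stay below the threshold. The allow-list and thresholds are the tuning knobs: a backup or archiving tool that legitimately renames many files needs to be baselined or excluded, otherwise it will trip the same rule, which is exactly the kind of false positive an XDR vendor's behavioural rules spend their effort suppressing.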
By adopting this defence-in-layers approach, with several mitigations at each layer, you will have more opportunities to detect and stop ransomware, or any other type of malware or attack, before it can infect your systems, exfiltrate your credentials and sensitive data, and finally overwrite or delete your files.
*Checkpoint Cyber Security Report 2021
**Purplesec 2020 Ransomware Statistics, Data & Trends
***CIRA Cybersecurity Survey