ARN

Ransomware: How to mitigate Attacks

By Jeff Marshall, Regional Director, ANZ, SonicWall

Ransomware is a form of malicious software that, once deployed on a device, encrypts a user’s sensitive data. To obtain a decryption key or initiate a decryption process, the victim is asked to pay a ransom to the attacker, usually in a cryptocurrency such as Bitcoin.

The amount demanded by attackers can vary, with ransoms typically in the range of $200 to over $100,000, depending on the size of the enterprise and the value of the data held for ransom.

The rise of cryptocurrency has been the answer ransomware and other malware developers had been waiting for. Bitcoin and similar technologies give criminals a far simpler, pseudonymous, more streamlined and dynamic payment architecture: they can now use these blockchain-based currencies to adjust ransom demands over time and to collect and manage all payments digitally.

Planning for a Ransomware Attack

Organisations should prepare for a possible ransomware incident by creating all the relevant components of an incident response management process. They need to consider ransomware-specific responses and recognise that existing IR plans might not apply to ransomware incidents, because such incidents can combine encryption, loss of access to critical system files and services, and data breach notification obligations.

A few key elements that should be considered when planning and preparing for a ransomware incident:

1. Prepare an Incident Response Policy:

Preparing an incident response plan ahead of an attack is the most sensible first step a company can take. The following are some crucial questions that a robust policy document must answer:

  • Preparation phase: How are staff trained and prepared? What tools and resources are they armed with to respond to ransomware incidents?
  • Identification phase: How do you recognise and detect a ransomware incident? How do you go about identifying the ransomware strain, the attack vector, the attack group and its real motivation?
  • Containment phase: How will you contain the incident from spreading to network shares and other connected devices?
  • Eradication phase: How will you perform a forensic analysis of data to determine the cause of the incident, remove the ransomware from infected devices, patch vulnerabilities and update protection?
  • Recovery phase: How will you return to normal operation and in what time frames?
  • Post-Incident phase: After the incident is resolved, what can you learn to prevent it from happening again? How will you document the incident? How can you monitor for repeat attempts or further connected activity? How can you improve and update organisational threat intelligence feeds?

2. Recruitment:
Teams need specific skills, knowledge and access to the relevant system tools and technologies to detect, investigate and respond effectively to a probable attack. This may include outsourced help as well as non-technical staff such as executives and PR and media teams.

3. Define Roles and Responsibilities:
Prepare documentation that clearly states roles, responsibilities and processes. Clarity makes for timely action and eliminates confusion during a time-sensitive ransomware infection.

4. Create a Communication Plan:
The entire response team should know whom to contact, why and when during an incident, and what information will be required in the first stages of a detection.

5. Test your Incident Response Plan:
Identify the most sensitive assets and the critical security incidents the team should focus on. Role-play, run tabletop exercises and test the incident response plan to identify any weaknesses proactively.

6. Review and Understand Policies:
Review existing policies and procedures, and consider changes and updates to ensure they are fit for purpose where ransomware is concerned.

The latest research shows that sophisticated threat actors are tirelessly adapting their tactics and embracing ransomware to reap financial gain and sow discord. With remote working still widespread, businesses remain highly exposed to risk, and criminals are acutely aware of the uncertainty across the cyber landscape. It’s crucial that organisations move towards more modern Boundless Cybersecurity solutions to protect against both known and unknown threats. One important way to stop ransomware is to have a very strong endpoint security solution.

For more information please reach out to Jeff Marshall, Country Manager & Regional Director - ANZ, SonicWall +61477 040 118 jmarshall@sonicwall.com.