In case of a ransomware attack, there are several steps you can take to handle the incident efficiently. This document gives more information on how to respond to such an incident and how to help prevent one in the future.
PREVENT
To help prevent future ransomware attacks, use the following preventative measures.
1. Install MFA
- Use Multi-Factor Authentication whenever possible. Always use Multi-Factor Authentication on remote access.
- Most Multi-Factor Authentication tools combine your password with something you have (smartphone, badge, ID card) or something you are (fingerprint). Using multiple factors to authenticate reduces the risk of account compromise.
- MFA is a must-have for your accounts: it adds a layer of security and is one of the best defenses you can have.
2. Keep your systems up to date
- Keep your operating systems, software, and security solutions up to date to reduce their exposure to attacks. Patch often and check for vulnerabilities that are known to be exploited. Your IT provider can and should be held accountable for keeping your systems up to date. Even a fully patched system is not impenetrable, but patching can be the difference between an incident happening or not.
- Most software used by businesses is regularly updated by the creator of the software. These updates may include patches intended to improve software protection against new threats.
- Each company should designate an employee responsible for updating the software. By reducing the number of people involved in updating the system, you reduce the number of potential attack vectors for cybercriminals.
- Monthly updates are a must, and a step-by-step approach (a test phase, then put into production) is good practice.
- You must also have an inventory of your assets: a clear view of what exists on your network.
- Register your organisation on Safeonweb@work to receive vulnerability alerts and reports.
3. Make Backups
- Backups are essential in order to recover files after a ransomware incident. Backing up all vital files and systems is one of the best defenses against ransomware. If you have to limit the number of backups you can make, evaluate which information is most critical to your business.
- All data can be recovered up to the time of the last backup. Backup files should be tested to ensure that the data is complete and uncorrupted. This check is essential!
- Apply the 3-2-1 rule: two different storage media on site and one copy at another site. One of these backup copies must be the “offline” copy.
- Limit the number of users who can access your backups. The fewer, the better.
4. Train your employees
- Train your employees to recognize phishing, for example by avoiding suspicious emails and links. These mails are often the way your organization becomes compromised. You can find more information on safeonweb.be.
- Establish a quality cybersecurity training and awareness program.
- Conduct phishing tests regularly and educate users. Train users not to click on everything and anything, and to recognize spam and phishing emails.
- Train your IT staff on an ongoing basis.
5. Rights management
- Limit administrative rights and shares.
- Track credentials appropriately: every employee, contractor and system access is a potential point of vulnerability. Personnel changes, passwords that are not updated and inappropriate access restrictions are all vectors a malicious actor can abuse to compromise a computer system.
- Enable the operating system to display file extensions.
- Disable AutoPlay.
- Block USB storage.
- Install ad-blocking software on the network perimeter.
RESPOND
To help respond to an ongoing ransomware attack, use the following response measures.
Consult our guide: How to respond to a ransomware attack in 12 steps.
1. Determine and confirm the extent of the Ransomware attack
Rebuilding systems is NOT the first step in your response. Assess the extent of the ransomware attack by focusing on what has been encrypted and/or potentially taken by the intruder. Answering this question is critical to your response. Document what data was on the encrypted machines and look for data that may have been stolen.
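One way to start the inventory this step asks for, as an added example that is not CCB tooling: walk a share or a disk image (mounted read-only) and flag files that look encrypted, using Shannon entropy (ciphertext sits close to 8 bits per byte) together with a magic-number check, so that formats that are compressed by design, such as PNG or DOCX, are not confused with encrypted ones. The sample tree, the MAGIC and COMPRESSED_BY_DESIGN tables and the threshold are constructed for the demo; extend the tables for the formats in your own estate. This produces a list of what was encrypted; whether data was also stolen is a separate question that this scan cannot answer.

```python
"""Flag probably-encrypted files to scope a ransomware incident.

Added example, not CCB tooling. Two heuristics per file: Shannon entropy of the first 64 KiB
(ciphertext is close to 8 bits/byte) and whether the file's magic bytes still match its extension.
Formats that are compressed by design are high-entropy when intact, so they are only flagged on a
magic mismatch. The sample tree is constructed; the MAGIC table is a starting point, not exhaustive.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; ordinary documents are far below this (assumed cut-off)
SAMPLE_BYTES = 65536
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
COMPRESSED_BY_DESIGN = {".png", ".jpg", ".jpeg", ".zip", ".docx", ".xlsx", ".gz", ".7z", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the sample; 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, root: Path) -> dict:
    """Return the file's entropy and the reasons, if any, why it looks encrypted."""
    with path.open("rb") as f:
        head = f.read(SAMPLE_BYTES)
    ext = path.suffix.lower()
    entropy = shannon_entropy(head)
    reasons = []
    expected_magic = MAGIC.get(ext)
    if expected_magic is not None and not head.startswith(expected_magic):
        reasons.append(f"magic bytes do not match {ext}")
    if entropy >= ENTROPY_THRESHOLD and ext not in COMPRESSED_BY_DESIGN:
        reasons.append(f"entropy {entropy:.2f} bits/byte")
    return {"path": path.relative_to(root).as_posix(), "entropy": round(entropy, 2),
            "suspect": bool(reasons), "reasons": reasons}


def scan_tree(root: Path) -> dict:
    """Classify every file under root and summarise suspect files per directory for the incident log."""
    results = [classify_file(p, root) for p in sorted(root.rglob("*")) if p.is_file()]
    by_dir = Counter(str(Path(r["path"]).parent) for r in results if r["suspect"])
    return {"total_files": len(results),
            "suspect": sorted(r["path"] for r in results if r["suspect"]),
            "suspect_by_dir": dict(by_dir),
            "details": results}


def demo() -> dict:
    """Constructed tree: two intact files, one encrypted in place, one encrypted and renamed."""
    rng = random.Random(2024)  # deterministic stand-in for ciphertext
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "hr").mkdir()
        (root / "docs" / "report.txt").write_text("Quarterly report\n" * 300)
        (root / "docs" / "photo.png").write_bytes(MAGIC[".png"] + rng.randbytes(4096))
        (root / "docs" / "invoice.pdf").write_bytes(rng.randbytes(4096))          # encrypted in place
        (root / "hr" / "contracts.docx.locked").write_bytes(rng.randbytes(4096))  # encrypted and renamed
        return scan_tree(root)


if __name__ == "__main__":
    import json
    summary = demo()
    print(json.dumps({k: v for k, v in summary.items() if k != "details"}, indent=2))
```

Run it against a mounted copy rather than the live machine, and keep the per-directory summary with the incident record: it is exactly the "what was on the encrypted machines" list the text asks for, and it also tells you which backups you will need.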
2. Isolate affected devices as much as possible to prevent any further spread
When ransomware strikes, it’s essential to isolate affected devices as much as possible to prevent any further spread. Assume attackers are already deep in your environment before the ransomware attack is performed.
Start by isolating the infected devices and removing them from the network. Unplug network cables and stop network connections (including Wi-Fi networks). If your network permits it and is properly segmented, you can also disconnect the infected network segment.
- Do NOT turn OFF the infected devices, and avoid shutting down systems. There still might be malware installed that is not activated. Having a running system might also help when seeking help from an incident response firm to conduct investigations.
- Do not start recovery operations until the extent of the attack is known: the method, the time, and the impacted systems.
3. Assess the integrity of your backups
Verify that the attackers have not also compromised the integrity of your backup system.
You should have confirmation that the backups have not been compromised or accessed before using these to restore your environment.
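The backup advice in the PREVENT section (test your backups, keep an offline copy, limit who can touch them) and this step come down to one question: is the copy you are about to restore the copy you made? The script below is an added example, not CCB tooling. It builds a hash manifest of a backup tree at backup time, seals it with an HMAC key that is kept away from the backup host, and later verifies a copy against it, reporting modified, missing and unexpected files. The paths, file contents and key are constructed for the demo.

```python
"""Build and verify a sealed integrity manifest for a backup tree.

Added example, not CCB tooling. Paths, file contents and the HMAC key are constructed for the demo;
in practice the key and the sealed manifest are stored with the offline copy's records, never on the
backup host, so that an intruder with write access to the backup cannot also rewrite the manifest.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"


def file_digest(path: Path) -> str:
    """Stream the file through the hash so large backup archives need not fit in memory."""
    h = hashlib.new(HASH_ALGO)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record size and digest of every file under root, keyed by relative POSIX path."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = {"size": p.stat().st_size, HASH_ALGO: file_digest(p)}
    return {"algorithm": HASH_ALGO, "files": files}


def seal_manifest(manifest: dict, key: bytes) -> str:
    """Canonicalise the manifest and attach an HMAC so an edited manifest is rejected."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return json.dumps({"manifest": body, "hmac": tag})


def open_manifest(sealed: str, key: bytes) -> dict:
    """Check the HMAC before trusting a single digest in the manifest."""
    obj = json.loads(sealed)
    expected = hmac.new(key, obj["manifest"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, obj["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    return json.loads(obj["manifest"])


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup copy with its manifest. Any difference means: do not restore from it yet."""
    expected = manifest["files"]
    modified, missing = [], []
    for rel, meta in expected.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
        elif p.stat().st_size != meta["size"] or file_digest(p) != meta[HASH_ALGO]:
            modified.append(rel)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    unexpected = sorted(present - set(expected))
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: a clean backup, then the damage an intruder with write access causes."""
    key = b"constructed-demo-key-keep-the-real-one-offline"
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (backup / "readme.txt").write_text("quarterly backup\n")
        sealed = seal_manifest(build_manifest(backup), key)

        clean = verify_backup(backup, open_manifest(sealed, key))

        # Intruder encrypts one file in place, deletes another, and drops a note.
        (backup / "finance" / "ledger.csv").write_bytes(b"\x00\xffencrypted\x00")
        (backup / "readme.txt").unlink()
        (backup / "RESTORE_FILES.txt").write_text("pay us\n")
        tampered = verify_backup(backup, open_manifest(sealed, key))

        # Intruder also rewrites the manifest to match the damaged tree: the HMAC check catches it.
        forged = json.loads(sealed)
        forged["manifest"] = json.dumps(build_manifest(backup), sort_keys=True, separators=(",", ":"))
        try:
            open_manifest(json.dumps(forged), key)
            manifest_forgery_detected = False
        except ValueError:
            manifest_forgery_detected = True
    return {"clean": clean, "tampered": tampered, "manifest_forgery_detected": manifest_forgery_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification against the offline copy before it is ever connected to the recovering environment, and treat a non-empty modified, missing or unexpected list, or an HMAC failure, as confirmation that the backup was reached by the attackers.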
4. Start your incident response
- If you have an internal IT department, they can start working on resolving the issue. If not, hire a professional incident response team to help you assess the extent of the damage. Since hiring an incident response team is expensive, check whether incident response is covered by your insurance contract.
- The Centre for Cybersecurity Belgium (CCB) strongly discourages the payment of a ransom. There might be situations where paying seems to be the only remaining option. Remember that the attackers are very likely interested in financial gain, and they will evaluate every opportunity to extort more money from your organization.
- Use caution when interacting with the attacker: hiring a professional negotiator is not a silver bullet. Remember that there is no guarantee that the decryption keys will be received after payment.
5. Inform the authorities
File a report with your local police department, and inform the data protection authority if there is any indication that data was stolen. Reporting the possible loss of personal data is required by law and must be done as a priority.