12 key ransomware responses

Published November 03 2016, 4:00am EDT

12 key ingredients for a ransomware game plan

With many healthcare organizations falling victim to ransomware attacks, security consulting firm Peak 10 offers 12 steps for a unified, effective approach to dealing with these potentially crippling incidents.

1. The invariable No. 1 rule—don’t pay the ransom

While there are some exceptions to the rule, paying the ransom is not the answer. First, the criminals that did this to you may not actually unlock your data; upon payment, the attacker “is under no obligation to do so. Their goal is to gain profit, not keep a promise,” according to Peak 10. Second, once a ransom has been paid, your organization gains a reputation as one that will cave in and pay up. “If your business pays the ransom the first time, an offender will assume you will pay it again and may continue to exploit your organization.”


2. Preparing for an attack: Have a backup strategy

Ensure your organization is performing backups regularly across the entire infrastructure. “Healthy, consistent backups are the No. 1 mitigating measure your security team can and should be taking,” Peak 10’s report says. Of equal importance is ensuring that backups are NOT stored on a drive that is network-connected to other organizational assets. “If they are, in the case of ransomware, the purpose of backups is defeated (because) a ransomware attack will lock all of those files as well.”

3. Preparing for an attack: Implement a healthy encryption practice

While taking a holistic approach to encryption prevents errors, some organizations may have more generalized security needs or specific budget considerations that call for an individualized approach. Encrypting data does not prevent or stop ransomware attacks, the Peak 10 report notes. “However, encrypting your organization’s sensitive data, at the very least, will give your security team the upper hand in a ransomware situation. If an attacker manages to successfully infect systems, they may tell you they are holding your data, but in reality, encrypted files are comprised of undecipherable information that has no proprietary or marketable value.”

4. Preparing for an attack: Invest in endpoint security and firewalls

At a minimum, using a reputable suite of endpoint security software that is regularly updated will provide assurance that only the most advanced releases of ransomware have the potential to affect your organization. “As long as upgrades are kept up with, your data will at least be protected from all previous releases.”


5. Preparing for an attack: Conduct consistent system upgrades and manage patches

Make sure your IT team is keeping up with OS upgrades and patching. “Microsoft, for example, is very reliable in assembling patches as soon as a new vulnerability is identified,” Peak 10 says in its report. “Staying up-to-date on a regular basis with all patches on operating systems in your enterprise is a good method of defense.”

6. Preparing for an attack: Conduct phishing training

Having an organization-wide training program for recognizing phishing attempts “is a reliable way to stop ransomware attacks,” Peak 10 says. “Most ransomware is executed via email phishing, so ensuring that employees are trained to stop and evaluate all emails before engaging can save a lot of trouble.”

7. Responding to an attack: Pull backups

Instead of paying, deploy your backups. “The best first step in response to a ransomware attack is to review all systems and complete an inventory to identify where you have been infected,” Peak 10 contends. Many tools and community web sites developed by reputable security vendors will assist organizations in conducting an inventory to find infection sites. After identifying impacted systems, “immediately pull the backups for every affected system and restore from scratch to a point in time before the ransomware was installed. Restoring from backups is the ideal scenario—your organization will not have to pay any money or lose a great deal of data.”
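As an added example (not from the Peak 10 report or this article), here is the restore-point selection that steps 2 and 7 describe: each snapshot's digest was recorded in an offline catalog when the backup was taken, so a copy that sat on a network-connected share and was itself encrypted fails verification and is skipped, and the newest intact snapshot taken before the ransomware was installed is chosen. Host names, dates, contents and the infection time are all constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass
class Snapshot:
    host: str
    taken_at: datetime
    recorded_sha256: str   # digest written to an offline catalog when the backup was taken
    current_bytes: bytes   # what the backup media holds today (constructed sample data)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_intact(snap: Snapshot) -> bool:
    """A backup that ransomware reached over the network no longer matches its recorded digest."""
    return sha256_hex(snap.current_bytes) == snap.recorded_sha256

def select_restore_point(snapshots: List[Snapshot], infection_time: datetime) -> Optional[Snapshot]:
    """Newest intact snapshot taken strictly before the ransomware was installed.
    Snapshots taken after that time are excluded because they may carry the infection."""
    usable = [s for s in snapshots if s.taken_at < infection_time and is_intact(s)]
    return max(usable, key=lambda s: s.taken_at, default=None)

# Constructed sample: nightly backups of one file server. The infection time is the
# hypothetical result of the step-7 inventory of affected systems.
V1, V2, V3 = b"patient index v1", b"patient index v2", b"patient index v3"
SNAPSHOTS = [
    Snapshot("fileserver01", datetime(2016, 10, 30, 2, 0), sha256_hex(V1), V1),
    # This copy sat on a network-connected share and was encrypted along with production data.
    Snapshot("fileserver01", datetime(2016, 10, 31, 2, 0), sha256_hex(V2), b"\x9a\x1f\x77encrypted-junk"),
    # Taken after the ransomware was installed, so it may contain the malware itself.
    Snapshot("fileserver01", datetime(2016, 11, 2, 2, 0), sha256_hex(V3), V3),
]
INFECTION_TIME = datetime(2016, 11, 1, 14, 0)

def restore_point_for_demo() -> Optional[str]:
    chosen = select_restore_point(SNAPSHOTS, INFECTION_TIME)
    return chosen.taken_at.isoformat() if chosen else None

if __name__ == "__main__":
    print("restore from:", restore_point_for_demo())  # 2016-10-30T02:00:00
```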


8. Responding to an attack: Look into ransomware toolkits

If restoring to an earlier backup does not work or is not a viable option, several relatively effective toolkits are available for different types of ransomware—some may work better than others. “Using a ransomware toolkit is not a reliable default policy, but in the event of an attack and unsuccessful backups, it may be worth a shot.”

9. Responding to an attack: Hire a trustworthy partner

Peak 10 says this is the last option—signing a contract with a trustworthy source for help, whether a security firm, service provider or technology partner that offers endpoint security. “There is a good chance they have seen the ransomware before with other customers and can help. It may be necessary to hire a security firm.” Also, depending on the size of the attack, an organization’s best move may be to call the FBI. “They have teams of security experts who can come in, but doing so also runs the risk of public exposure.”

10. Responding to the attack: Know when to make an exception to Rule No. 1

If a security team has made every effort to regain access to data and failed, “it may make sense to pay ransom,” Peak 10 says. “Ultimately, your organization has to determine the value of the stolen data vs. the cost of the ransom.”


11. Evaluating after the attack: Achieve a quiet restoration

Focus efforts on dealing with the attack and using every mitigation method possible, “rather than trying to wrangle the media or control external factors,” Peak 10 advises. “No one is safe from ransomware, and if your organization falls victim, the damage has already been done.”

12. Evaluating after the attack: Lessons learned

All organizations that deal with ransomware attacks must react from different levels of preparedness and capacity to mitigate. “When the attack has been dealt with and normal operations resume, understand where your security team was most, and least, prepared to respond, and adjust your response plan to be better prepared.”

Security teams can make better efforts to prevent ransomware, but there is more value in knowing what to do in the wake of a successful attack. Peak 10 suggests implementing ransomware training and regular breach exercises to help employees more effectively recognize phishing attempts; greater awareness will head off most attacks before they begin.