What is a ransomware attack?
Ransomware attacks are becoming more commonplace as companies and organizations increasingly rely on digital networks and data storage in their daily operations. The United States Government’s Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as “malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.” These attacks can cost businesses millions of dollars in lost revenue or payments to the attacker, and can cause irreparable harm to their reputation given how often sensitive and personal data is targeted. Fortunately, there are ways for your organization to mitigate the damage from a successful ransomware attack.
Isolate Your Network and Set Aside Impacted Systems
Given that phishing, the most common method of cyber-attack, typically originates off-site in the form of email scams or fraudulent links, a necessary first step to minimize the fallout for your organization is to disconnect the impacted systems from the internet, including local Wi-Fi. Doing so ensures that the threat actor cannot maintain access to the system. It is important to keep the affected machines powered on so the security teams can properly assess the breach, respond to the disruption, and minimize the damage.
Review External Remote Access to Your Network
Once your network has been isolated and secured, it is vital to review remote access to it. This review should be thorough and account for every way in which your network can be reached externally, including Virtual Private Network (VPN), Remote Desktop Protocol (RDP), Secure Shell (SSH), and any other entry points. Simply put, no one other than those responding to the attack should be able to access the network until security has been restored and verified by the attack response team.
An overwhelming number of ransomware attacks have been perpetrated after the threat actor obtained passwords that grant access to your network. Once an attack has occurred, it is imperative that all passwords across every part of your system be reset using a complex combination of numbers, letters, and symbols. Keeping the passwords that were in use before and during the attack leaves you just as vulnerable to another breach and a further devastating impact on the organization.
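One concrete way to drive the remote-access review and password-reset steps above is to pull every successful external login during the incident window out of the SSH authentication log. The script below is an added example written for this post, not SpearTip's tooling; the log lines are constructed, the year is assumed (syslog timestamps omit it), and "internal" is assumed to mean the RFC 1918 ranges. Every account it returns is a reset candidate and every source is a candidate for the block list.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in OpenSSH auth.log format (not real data).
SAMPLE_LOG = """\
Mar 14 02:11:07 fileserver sshd[2210]: Accepted password for backup from 10.0.4.15 port 51022 ssh2
Mar 14 02:13:41 fileserver sshd[2244]: Accepted password for svc_admin from 203.0.113.45 port 40112 ssh2
Mar 14 02:15:09 fileserver sshd[2260]: Failed password for root from 203.0.113.45 port 40120 ssh2
Mar 14 03:02:55 fileserver sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 58832 ssh2
Mar 13 22:40:12 fileserver sshd[1990]: Accepted password for svc_admin from 198.51.100.7 port 58001 ssh2
"""

# Assumption: anything outside RFC 1918 space is "external". Do not use
# ip_address.is_private here: it also flags documentation ranges such as
# 203.0.113.0/24, which would hide exactly the sources we want to see.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ACCEPTED = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_accepted(lines, year=2024):
    """Yield (timestamp, user, auth method, source IP) for each successful login."""
    for line in lines.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue  # failed attempts and unrelated lines are out of scope here
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["method"], ipaddress.ip_address(m["src"])

def external_logins(lines, start_iso, end_iso, year=2024):
    """Map each account to the set of external source IPs that logged in
    successfully between start_iso and end_iso (ISO 8601, inclusive)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = {}
    for ts, user, _method, src in parse_accepted(lines, year):
        if not (start <= ts <= end) or any(src in net for net in INTERNAL_NETS):
            continue
        hits.setdefault(user, set()).add(str(src))
    return hits

if __name__ == "__main__":
    for user, sources in external_logins(SAMPLE_LOG, "2024-03-14T00:00", "2024-03-14T06:00").items():
        print(f"reset credentials for {user}: external logins from {sorted(sources)}")
```

Run the same review against VPN and RDP logs as well; the SSH log alone does not cover every entry point the section lists.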
Review Available Backups and Take Them Off Network
Any responsible organization should maintain a separate network holding backed-up data. When analyzing the impact of a ransomware attack, it is necessary to determine whether your backup system has also been accessed by the threat actor. If so, share this with your attack response team immediately. If the backup data remains secure, disconnect these servers from your network and immediately pause all backup jobs so this system is no longer exposed. Do not attempt to restore any backups until the environment has been thoroughly examined and deemed safe by the experts assisting in the response.
Plan Your Restoration Strategy
Once all of these critical steps have been completed, it is important to begin planning the restoration process. Start by identifying the systems most critical to resuming operations and sharing that list with the attack response team so they can prioritize securing those assets. It is also necessary to highlight the organizational systems containing proprietary information and sensitive data, including financial records and personal details, so they can be properly protected as you recover from the ransomware attack.
Threat actors are always looking for innovative ways to infiltrate your company’s network, but with SpearTip’s Security Operations Center as a Service, a dedicated team of certified engineers will continuously monitor your network and provide a rapid response against further intrusions.
SpearTip engineers work in tandem with ShadowSpear, our endpoint detection and response tool, to detect threats early and prevent attackers from accessing your network. ShadowSpear also includes a customized dashboard that tracks threats in real time and gives our partners direct access to our certified engineers. With one of the fastest response times in the industry (from initial call to engagement in less than 1 hour), you can trust SpearTip’s ability to quickly assist in reclaiming your network and restoring operations so your business can run as it should.
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.