With digital extortion on the rise, organizations should develop detailed incident response plans.
In just a few short years, ransomware has progressed from a digital nuisance to a full-blown global crisis. Experts say there are 1.7 million ransomware attacks daily, or 19 every second. These attacks have resulted in billions of dollars in damages to the global economy.
Less than a decade ago, ransomware attacks were largely perpetrated by lone-wolf hackers looking to extort a few hundred dollars from random victims. Today, well-funded criminal organizations and state-supported actors are using ransomware to score multimillion-dollar payouts. Many attacks target critical infrastructure, energy and utility companies, healthcare organizations, and government agencies.
The stakes are now so high that the FBI and the Department of Justice treat ransomware attacks with a similar priority as terrorism. In 2021, Deputy Attorney General Lisa Monaco said digital extortion now poses “a national security and economic security threat to the United States.”
The cost of ransomware attacks — including ransom payments, downtime, remediation, data loss and insurance premiums — is expected to exceed $30 billion this year. Experts predict costs will increase almost tenfold to $265 billion by 2031.
More than two-thirds (68 percent) of organizations paid the ransom in 2020, according to data from Statista. However, paying the ransom almost never fully resolves the problem. Research finds that 80 percent of organizations that pay a ransom suffer a second ransomware attack — often at the hands of the same threat actor. The study also found that nearly half of those paying a ransom reported that some or all of their data was unrecoverable due to corruption during the recovery process.
Organizations may find that paying the ransom contravenes the terms of their cyber insurance policies. Additionally, paying hackers is illegal — it’s impossible to trace where the money is going, so the U.S. government assumes it is funding terrorist groups or embargoed countries.
What’s the Plan?
Preventive measures play an essential role in reducing exposure to ransomware. However, today’s highly sophisticated attacks may get past baseline security controls. Organizations should therefore take steps to ensure that they can sustain operations when a ransomware attack does get through.
The key is to develop an incident response plan that provides detailed guidance when an attack is in progress. The plan should outline the processes and procedures your team will follow to detect, investigate, mitigate and recover from an attack. The Cybersecurity and Infrastructure Security Agency (CISA) says a robust incident response plan should include these steps:
Create an incident response team. This should include technical specialists who can collect and analyze evidence, determine the root cause and implement recovery processes. It should also include operational specialists who can document all aspects of the investigation and communicate with the rest of the organization.
Perform frequent backups and verify they are working properly to ensure data, files, applications and other resources can be reliably accessed in the event of an attack that encrypts your files. Make sure at least one copy is isolated to ensure it can’t be compromised. This can be done with an “air-gapped” environment, immutable storage, cloud backups or by physically storing backup data offline.
Keep an updated inventory of the hardware and software assets connected to your network. Prioritize systems and resources to facilitate restoration processes.
IDENTIFY & ISOLATE
Early detection is critical. Once a computer or another endpoint is infected, ransomware can propagate throughout the network quickly. Unusual CPU, file system and disk activity are common signs of an attack, indicating that ransomware is accessing, encrypting or relocating files. Intrusion detection and prevention systems can identify and record suspicious activity.
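As an added illustration of the detection point above (not code from the original article), the following Python sketch applies two of the signals just named, a burst of file writes from a single process and written content that looks encrypted, to constructed file-activity telemetry. The event format, thresholds and process IDs are assumptions for the example, not values from any particular product.

```python
import math
import random
from collections import Counter, defaultdict

WINDOW_SECONDS = 10      # sliding window per process (assumed tuning value)
WRITE_THRESHOLD = 20     # write/rename events in one window that count as a burst
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted output approaches 8.0, documents sit near 4-5

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the content a process wrote."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def detect_mass_encryption(events):
    """Flag each process whose burst of file activity is both large and high-entropy; an event is
    {"ts", "pid", "op" ("write"/"rename"), "path", "data"}; returns {pid: summary} for flagged pids."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)
    flagged = {}
    for pid, evs in by_pid.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1  # slide the window so it spans at most WINDOW_SECONDS
            window = evs[start:end + 1]
            if len(window) < WRITE_THRESHOLD:
                continue
            ent = [shannon_entropy(e["data"]) for e in window if e["op"] == "write"]
            mean_e = sum(ent) / len(ent) if ent else 0.0
            if mean_e >= ENTROPY_THRESHOLD:  # many writes of random-looking bytes: encryption in progress
                exts = {e["path"].rsplit(".", 1)[-1] for e in window if e["op"] == "rename"}
                flagged[pid] = {"events": len(window), "mean_entropy": round(mean_e, 2), "new_extensions": exts}
                break
    return flagged

def sample_events():
    """Constructed telemetry: a benign editor (pid 1001) and an encrypting process (pid 4242)."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    text = b"quarterly report draft, revision 3\n" * 60
    events = [{"ts": 100 + 30.0 * i, "pid": 1001, "op": "write", "path": f"/docs/report{i}.docx", "data": text}
              for i in range(5)]
    for i in range(40):  # 40 files overwritten with random bytes and renamed within two seconds
        ts = 200 + 0.05 * i
        events.append({"ts": ts, "pid": 4242, "op": "write", "path": f"/docs/f{i}.xlsx", "data": bytes(rng.getrandbits(8) for _ in range(2048))})
        events.append({"ts": ts + 0.01, "pid": 4242, "op": "rename", "path": f"/docs/f{i}.xlsx.locked", "data": b""})
    return events
```

Running `detect_mass_encryption(sample_events())` flags only pid 4242, reporting the `.locked` extension it appended; the editor's low-entropy, low-rate writes never cross the threshold.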
Disable Internet connections in the early stages of an attack. This can prevent ransomware variants from establishing a connection with their command and control (C&C) servers to complete their encryption routine. This may give you time to remove the malware before any damage is done. Take the network offline at the switch level if several systems or subnets appear impacted.
Isolate infected computers or endpoints as soon as possible to protect networked and shared resources. Change all network passwords and online account passwords as soon as possible. Work with a forensics expert to learn as much as possible about the source of the infection before wiping and reimaging the machine.
INVESTIGATE & ERADICATE
Capture a memory dump that preserves the full contents of system memory. This gives you a complete record of any malicious processes that were running, and the dump may contain the key material that was used to encrypt the files.
Quarantine the malware so that forensics experts can analyze it and identify which strain of ransomware was used. You can also upload an encrypted file to an online service such as ID-Ransomware or VirusTotal to learn about the strain. If you know which strain was used, you may be able to find a free decryptor so you can restore data without paying the ransom.
You may be able to remove ransomware with antivirus and endpoint detection and response (EDR) software. However, sometimes this process will only remove pieces of the malware. If newer, more sophisticated malware was used, the better approach may be to rebuild or reimage the compromised system and restore data from a known good backup.