Ransomware Incident Response Plans: Strategies & Technologies to Defend your Business

Matt Freymiller
12/20/2023

Globally, cyber incidents such as ransomware are the leading risk threatening business success. In fact, ransomware attacks pose a significant threat to businesses of all sizes. If you don’t have an incident response plan for ransomware attacks in place, you’re asking for trouble.

So, what’s a business to do? Be prepared. When your business is proactively prepared for the threat of a ransomware incident, you’ll be ready to detect and mitigate the incident faster while reconnecting and restoring data in a safer manner. You will also have the confidence that the same or similar tactics cannot be used against your organization again.

Let’s take a look at the current state of ransomware and where it may be headed. Then we’ll review some of today’s most effective cybersecurity strategies and, finally, the highlights of how to create your own ransomware response checklist.

Recent Trends and Evolving Attack Techniques

Ransomware threat actors have accelerated their tactics and techniques in recent years. The diversity of ransomware attack types is growing, too. Here are four types of ransomware attacks that we’ve recently seen targeting businesses.

Advanced Targeting and Intelligence Gathering

Threat actors are now taking more time to prepare for their attacks, gaining insight into their targeted victim’s vulnerabilities, networked systems and business behaviors. With this information, threat actors find gaps in a business’s cybersecurity and can customize their attack for maximum impact and destruction.

Double Extortion

Having your files encrypted and then receiving a ransom note can put your cybersecurity experts on high alert. But if double extortion is a threat actor’s end goal, you’ll be in double the trouble.

In double extortion, a threat actor extracts (exfiltrates) sensitive data before encrypting your files, then threatens to sell that data if the ransom is not paid. In this manner, the threat actor presents two threats instead of just one. Even if you can unlock or recover your own data, your sensitive business files could still be sold to the highest bidder or released to the public. Even if the stolen data is relatively benign, its exposure can create a reputation and trust concern with your customers and employees.

Fileless Ransomware

Ransomware is commonly based on executing malicious files on a victim’s networked systems. But more and more, we’ve seen the rise of fileless ransomware. This type of ransomware is more difficult to detect because it operates within a system’s memory rather than writing files to disk. Using this method, threat actors can deploy ransomware without leaving the noticeable tracks that file-based ransomware does.

Ransomware as a Service

Ransomware has been found available for purchase (or rent) on the dark web. Therefore, it now takes little to no IT skill to launch a ransomware attack on a business. In fact, someone with a marketing background may be more effective than a traditional IT person at getting malware onto systems. This tactic is expected to expand ransomware threats exponentially and is an excellent reminder that businesses of all sizes can be a ransomware target. Don’t be caught unprepared.

Cybersecurity Strategies

IT professionals have a range of tools and technologies available to assist them with their cybersecurity plans. However, being proactive is the ultimate defense against threat actors.

When evaluating your organization’s cybersecurity, make sure it includes these five essential strategies:

  • Regular Data Backups – Ensure that data is backed up at least weekly, although daily is preferred. Keep multiple copies with one copy stored off-site.
  • Patch Management – Apply software patches in a timely manner to eliminate known vulnerabilities and shut down threat actors in their tracks.
  • Employee Training – Cybersecurity is important for everyone! Empower your employees with knowledge and they’ll in turn be able to identify and report potential threats.
  • Endpoint Protection – AI technology is an excellent tool that can be used to monitor endpoints and prevent ransomware from entering your network.
  • Network Segmentation – If a virus is suspected within your network, network segmentation can assist in separating and quarantining the affected areas away from the rest of your network. If ransomware is found, this may help to limit the damage to your network.

Ransomware Response Checklist

It’s also important to have a plan ready in the unfortunate event that a threat actor breaches your defenses and holds your data for ransom. A comprehensive response procedure should include a full spectrum of directives, including detection, containment and eradication.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended a ransomware response checklist designed to guide you through a ransomware incident. This checklist provides a framework for organizations to build their own ransomware cybersecurity breach response plan.

The steps in this checklist are organized into three sections:

  1. Detection & Analysis
  2. Reporting & Notification
  3. Recovery & Post Incident Activity

For more information, we suggest that you review CISA’s Stop Ransomware Guide.

Section One: Detection & Analysis

  1. Find the affected systems and ensure they’re isolated.
  2. If you’re unable to disconnect devices from the network, power them down to avoid spreading the ransomware further.
  3. Determine the urgency of affected systems ahead of restoration and recovery.
  4. Examine the existing detection or prevention systems (e.g., antivirus, EDR, IDS, Intrusion Prevention System) and logs that you have as an organization.
  5. Meet with your team to create and document what has occurred based on initial analysis and your current understanding of the issue.
  6. Start hunting for the threat across your environment.

Section Two: Reporting & Notification

  1. Notify all teams specified in your incident communication plan, explaining what they can do to help you mitigate, respond to and recover from the cybersecurity incident.
  2. If mitigation is not possible, take a system image and memory capture of a few affected devices to send to federal law enforcement. It is recommended to consult with law enforcement whether or not mitigation is possible.
  3. Continue to contain and mitigate the incident by:
    1. Identifying the breach source.
    2. Placing a hold on any systems that may be used for unauthorized access.
    3. Following server-side data encryption quick identification steps if server-side data is being encrypted by an infected workstation.
    4. Conducting extended analysis to identify outside-in and inside-out persistence mechanisms.
    5. Rebuilding systems based on prioritization of critical services (e.g., health and safety or revenue-generating services). If possible, use pre-configured standard images.
    6. Issuing password resets for all affected systems and addressing any associated vulnerabilities in security or visibility.
    7. Having the designated IT security authority communicate to staff that the ransomware incident is over based on established criteria, which may include taking the steps above or seeking outside assistance.

Section Three: Recovery & Post Incident Activity

  1. Prioritize your most vital services as you re-establish systems and data from the offline, encrypted backups.
  2. Record all notes, learnings, and response actions from the incident.
  3. Compare your notes, learnings, and response actions with any indicators of compromise, and consider sharing these findings with CISA to better help your industry.

Complete, Proactive Cybersecurity Protection for Every Business

Did you know that 71 percent of cyberattacks target small businesses? Just because your business is small doesn’t mean you can’t have best-in-class cybersecurity. Learn how to better understand your tech environment needs and identify potential gaps or risks. Download your complimentary Business Technology Inventory Checklist today!
