What you should do after a ransomware rampage


Few things strike more fear into the heart of a CISO than the prospect of a major ransomware outbreak. A single click on the wrong link or file can be all it takes to send a ransomware infection racing through the company, bringing the organization to its knees as its critical systems and assets are locked up tight.

About the author

Ed Williams, EMEA Director of SpiderLabs at Trustwave.

2020 saw worldwide attacks increase by 64 percent compared to 2019, to more than 304 million. Combined with a 171 percent increase in the number of firms caving in and paying ransoms, this makes for a vicious circle: the more victims pay up, the more criminals are encouraged to launch attacks, and the more victims there will be. Even if the business refuses to pay, a ransomware attack incurs heavy costs through investigation, remediation, and lost operational time.

Criminal groups continue to use more sophisticated tactics, including targeted ransomware that zeroes in on critical systems, and multi-pronged attacks that couple encryption with data exfiltration. Threat actors are also increasingly striking through supply chains, exemplified by the Kaseya VSA attack which compromised more than 60 Managed Service Providers (MSPs) and locked down over a million users.

Because a ransomware attack can come from any direction and cause severe damage in just seconds, it is essential for organizations to have a solid response playbook in place for dealing with an outbreak.

As the saying goes, hope for the best and plan for the worst.

What are the priorities in the first 30 days after an attack?

In the aftermath of a ransomware attack, it’s easy to get caught up in the immediate challenge of getting the business back on its feet. However, response plans also need to include long term actions to mitigate the risk of a delayed or repeat attack.

Immediately after an attack, it’s all about digital forensics and incident response. It is imperative to track down the source of the outbreak, determine how the attack was initiated, and close any security gaps that made this possible.

Once this has been accomplished, efforts should focus on hunting down any malware still hiding in the environment. Many ransomware attacks use other malware as a delivery mechanism, enabling the perpetrator to trigger another infection once the initial outbreak has been dealt with. Dridex, Trickbot, Emotet and Qakbot are some of the most common modular malware families we encounter.

We have seen cases where a second attack is triggered over six months after the initial strike. Some criminals may even sell access to the malware backdoor to others over the dark web.

Undertaking proactive threat hunting is one of the most effective ways of ferreting out the more well-hidden, sophisticated intrusions. Threat hunters are experienced security professionals who think like a cybercriminal to identify patterns, attack paths and vulnerabilities that automated scans miss.

Undertaking regular IT audits will help establish a clear picture of what "normal" looks like. Whitelisting applications will help paint a clear picture of what is running on each system and make it easier to spot unusual activity when a threat emerges.

Understanding the enemy

Once any lingering infections are dealt with, efforts should turn to mitigating the risk of future attacks. Even without hidden modular malware to provide a backdoor, many threat actors will try to hit the same targets again later. And with millions of attacks occurring on a yearly basis, there is every chance an organization will be targeted by an unrelated group.

The key to mitigation is understanding how the attack unfolded. Most attacks will be deployed via phishing emails or the exploitation of weak remote access controls. Remember, the ransomware payload is the final step of the kill chain.

More sophisticated strikes require infiltration, reconnaissance, and lateral movement. Being able to slow or stop the adversary at any point in the kill chain increases the chances of detecting and preventing an attack before it can bring the organization down.

Mitigating future threats

First and foremost, mitigation means closing off easy attack paths. Many ransomware outbreaks and cyber attacks are made possible because of unpatched system vulnerabilities. Implementing a regular cadence with patch management tools will increase the chance of vulnerabilities being closed before they are exploited.

Similarly, all organizations should ensure they have an antivirus solution in place. Although traditional AV solutions are no match for more sophisticated techniques, they will provide a basic layer of defense to stop many low-level attacks. Even the most basic of ransomware can hit hard.

Email and remote access security should also be priorities, since they are favored ransomware attack paths. A combination of security awareness training and secure email gateways will mitigate the risk of phishing, while limiting remote access and monitoring remote entry points will help identify bad actors early in the attack lifecycle.

Taking these basic steps will mitigate the threat posed by the majority of common, opportunistic ransomware attacks. More sophisticated and determined threat actors, however, will eventually pierce even the most hardened defenses. By treating the possibility of a ransomware attack as a case of “when, not if” and planning accordingly, organizations can minimize the damage and bounce back quickly without even considering paying the ransom.
