The wave of ransomware, driven by extortion rackets, is sweeping across companies and public authorities, and the security situation appears to be worsening. The only question now seems to be when and how it will hit you. There are many guides on how to build your cyber defense against ransomware, and many technologies that promise a successful defense. But when the time comes, it is useful to know what to do first. Panic is always a bad advisor, and so is reaching for your wallet to pay the ransom.
The first priority is of course to get data and systems available again as quickly as possible. For this to work, and in order to draw the right lessons from a successful attack, there are a few steps to follow:
1. Quickly isolate equipment.
Ransomware should not be able to spread further than it already has. Administrators should therefore isolate affected systems from the network as soon as possible. It is particularly important to prevent the extortion malware from spreading further during the clean-up work after the attack.
2. Understand the attack vector.
Once the affected devices are isolated, it is important to understand how the incident came about. On the one hand, this helps in coping with the incident; on the other, it provides valuable lessons for the future. So you have to find out: who was Patient Zero in the network?
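The Patient Zero question above is usually answered from endpoint and network telemetry: which host started mass-renaming files first, and which hosts did it reach afterwards. The following added example (not code from the original article or from Bitdefender) runs that triage over a constructed event log. The log format, the host names, the ransomware extensions and the burst threshold of five renames within sixty seconds are all assumptions made for the example; a real investigation would read the equivalent events from an EDR or file-server audit log.

```python
"""Patient-zero triage over endpoint events (added example, constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions treated as ransomware output. Constructed for this example;
# real families use many different suffixes.
RANSOM_EXTENSIONS = (".locked", ".encrypted", ".crypt")

# Constructed event log: "<ISO timestamp> <host> <event> <detail>"
#   RENAME   <new file name>   a file was renamed on <host>
#   SMB_CONN <dst host>        <host> opened an SMB session to <dst host>
SAMPLE_EVENTS = """\
2024-03-01T08:00:01 ws-17 SMB_CONN fs-01
2024-03-01T08:00:05 ws-17 RENAME report.docx.locked
2024-03-01T08:00:06 ws-17 RENAME budget.xlsx.locked
2024-03-01T08:00:07 ws-17 RENAME notes.txt.locked
2024-03-01T08:00:08 ws-17 RENAME q1.pptx.locked
2024-03-01T08:00:09 ws-17 RENAME q2.pptx.locked
2024-03-01T08:01:30 ws-17 SMB_CONN fs-01
2024-03-01T08:02:00 fs-01 RENAME share/a.pdf.locked
2024-03-01T08:02:01 fs-01 RENAME share/b.pdf.locked
2024-03-01T08:02:02 fs-01 RENAME share/c.pdf.locked
2024-03-01T08:02:03 fs-01 RENAME share/d.pdf.locked
2024-03-01T08:02:04 fs-01 RENAME share/e.pdf.locked
2024-03-01T08:03:00 ws-04 RENAME old.bak.locked
2024-03-01T08:05:00 fs-01 SMB_CONN ws-22
2024-03-01T08:06:00 ws-22 RENAME a.docx.locked
2024-03-01T08:06:01 ws-22 RENAME b.docx.locked
2024-03-01T08:06:02 ws-22 RENAME c.docx.locked
2024-03-01T08:06:03 ws-22 RENAME d.docx.locked
2024-03-01T08:06:04 ws-22 RENAME e.docx.locked
"""


def parse_events(text):
    """Parse the constructed log into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "detail": detail})
    events.sort(key=lambda e: e["ts"])
    return events


def first_encryption_times(events, threshold=5, window=timedelta(seconds=60)):
    """Return {host: burst start} for hosts that renamed at least `threshold`
    files to a ransomware extension within `window`. A single stray rename
    (ws-04 in the sample) is not enough; the burst is what marks encryption."""
    recent = defaultdict(deque)
    flagged = {}
    for e in events:
        if e["kind"] != "RENAME" or not e["detail"].endswith(RANSOM_EXTENSIONS):
            continue
        q = recent[e["host"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["host"] not in flagged:
            flagged[e["host"]] = q[0]  # record the start of the burst, not its end
    return flagged


def find_patient_zero(flagged):
    """The host whose encryption burst began earliest."""
    if not flagged:
        return None
    return min(flagged.items(), key=lambda kv: kv[1])[0]


def infer_spread(events, flagged):
    """For each infected host, the already-infected host that most recently
    opened an SMB session to it before its own burst began. Patient Zero has
    no such source in this log: its entry vector lies outside the telemetry."""
    sources = {}
    for host, start in flagged.items():
        candidates = [e for e in events
                      if e["kind"] == "SMB_CONN" and e["detail"] == host
                      and e["ts"] < start
                      and e["host"] in flagged and flagged[e["host"]] < start]
        if candidates:
            sources[host] = candidates[-1]["host"]
    return sources


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    flagged = first_encryption_times(evs)
    print("patient zero:", find_patient_zero(flagged))
    print("spread:", infer_spread(evs, flagged))
```

In the sample, ws-17 is flagged first, fs-01 is reached over an SMB session from ws-17, and ws-22 from fs-01; the chain is what tells the responder where isolation and forensics should start, and it also shows that the entry vector into ws-17 still has to be found elsewhere (mail, VPN or remote-access logs).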
3. Back up and review backups.
Applications and servers can be set up again, but data is irreplaceable. Without backups it can no longer be recovered. The first measure is therefore to take the backups off the network.
Attackers specifically look for backups as part of their attack. If the backups remain online, there is a risk that they will be caught up in the attack. It is of course even better to keep offline backups in a physically separate location from the outset. The 3-2-1 rule of backup is a matter of course, especially when it comes to securing data against extortion attacks. This means that a ransom demand may come to nothing, at least as far as the data is concerned. Instead, IT administrators can concentrate on rebuilding the systems.
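The two points in this step, take the backups off the network first and keep enough copies that a ransom demand comes to nothing, can be checked mechanically. The following added example (not code from the original article or from Bitdefender) scores a constructed backup inventory against the 3-2-1 rule, adds the offline-copy check the text asks for on top of the classic rule, and performs a test restore by comparing what each copy returns with the checksum recorded in the manifest before the incident. The copy names, media types and payload bytes are assumptions made for the example.

```python
"""3-2-1 backup check and test restore (added example, constructed data)."""
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    name: str
    medium: str     # "disk", "tape" or "cloud"
    offsite: bool   # stored in a physically separate location
    online: bool    # reachable from the production network
    data: bytes     # bytes read back from the copy during a test restore


# Constructed dataset and the checksum recorded in the backup manifest
# at backup time, before the incident.
ORIGINAL_DATA = b"payroll-2024-q1: constructed sample payload\n"
MANIFEST_SHA256 = hashlib.sha256(ORIGINAL_DATA).hexdigest()

# Constructed copies. The cloud copy returns different bytes: it stayed
# reachable from the network and was overwritten during the attack.
COPIES = [
    BackupCopy("nas-daily", "disk", offsite=False, online=True, data=ORIGINAL_DATA),
    BackupCopy("tape-weekly", "tape", offsite=True, online=False, data=ORIGINAL_DATA),
    BackupCopy("cloud-monthly", "cloud", offsite=True, online=True,
               data=b"\x8f\x12garbage written by the attacker\x00"),
]


def check_321(copies):
    """Findings against the 3-2-1 rule (3 copies, 2 media, 1 off-site),
    plus the offline-copy check this article calls for."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than 3 copies")
    if len({c.medium for c in copies}) < 2:
        findings.append("copies on fewer than 2 media types")
    if not any(c.offsite for c in copies):
        findings.append("no off-site copy")
    if all(c.online for c in copies):
        findings.append("no offline copy: every copy is reachable from the network")
    return findings


def verify_restore(copy, expected_sha256):
    """Test restore: hash what the copy actually returns and compare it
    with the manifest checksum taken before the incident."""
    return hashlib.sha256(copy.data).hexdigest() == expected_sha256


def triage_backups(copies, expected_sha256):
    """Incident-time view: which copies to isolate first (they are still
    reachable from the network), which copies are proven restorable, and
    which structural gaps the inventory has."""
    return {
        "isolate_first": [c.name for c in copies if c.online],
        "restorable": [c.name for c in copies if verify_restore(c, expected_sha256)],
        "rule_321_findings": check_321(copies),
    }


if __name__ == "__main__":
    for key, value in triage_backups(COPIES, MANIFEST_SHA256).items():
        print(f"{key}: {value}")
```

Note that nas-daily passes the restore check but is still listed under isolate_first: an intact copy that remains on the network is only intact until the malware reaches it, which is why the article puts disconnection before verification.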
4. Stop projects and scheduled tasks.
A ransomware attack is an emergency and requires all resources to be pooled. Any changes to the IT architecture, such as migrations to new environments or the installation of new applications and servers, should be stopped immediately, since such projects could help the malware spread further. It is equally important to stop scheduled tasks such as backups, because these too can carry the extortion malware further.
5. Quarantine potentially compromised areas.
In general, no possibility should be ruled out immediately after an attack, and all potentially affected parts of the infrastructure should be quarantined. That means taking everything off the network first and examining each system individually before it is put back into use.
6. After the attack is before the attack: change passwords.
Better safe than sorry. At the beginning of an incident it is often not entirely clear how it came about. Was it just a simple attack? Or was it a complex attack that was only possible because the attacker had stolen authentication data? If so, the attacker can launch the next attempt at any time. It therefore makes sense in any case to change the passwords of system-critical user accounts.
7. Don’t panic: plan and practice for critical security situations.
If the worst comes to the worst, the IT department will be under high pressure, and there is therefore a risk of making the wrong decision in this situation. To prevent this as far as possible, IT departments should prepare for an emergency. Ideally, those responsible for security have defined processes, because especially in an emergency, companies need a blueprint so that they do not forget any useful measure. These processes should also be practiced regularly, for example in the form of simulated “Red and Blue Team Testing”. If employees know that there is a plan that will work in an emergency and that this plan has been practiced, the risk of wrongdoing under pressure is minimized.
“Ideally, organizations have invested enough in preventive measures such as an XDR solution to avoid falling victim to a ransomware attack,” summarizes Daniel Clayton, vice president of global services and support at Bitdefender. “In addition to technological defensive measures, the classic precautionary measures and tasks of IT count in prevention: update systems, secure distributed backups and check that they are functioning properly. But just as important is permanent monitoring of what is happening in the network by in-house or external experts, such as within the framework of an MDR service. These involve a lot of routine and, under certain circumstances, the necessary distance to prevent what must be avoided in any case: panic and the subsequent mistakes. How many attacks a Managed Detection & Response (MDR) service or a Security Operation Center fended off cannot of course be said. We hope for a high number of unreported cases.”