Many cyberattacks involve ransomware, a form of malicious software (malware) designed to deny access to a computer system or its data until a ransom is paid, after which the victim is promised the decryption key and a decryption tool (commonly called a decryptor). Modern ransomware encryption is not breakable in practice without that key, so do not spend valuable time looking for a way around it if you are attacked. Free decryptors exist only for a minority of families whose implementation was flawed or whose keys were leaked; check for one, but do not count on it.
The Current State of Ransomware
Ransomware can spread in several ways, but most commonly through phishing emails or by unknowingly visiting a compromised website. It can be catastrophic in healthcare (as in many other industries), cutting off access to the information and systems that patient care depends on.
ConvergeOne never advocates paying the ransom to cybercriminals. Paying funds a criminal organization's next attack and extends its infrastructure rather than putting it out of business. Instead, build a cyber-aware culture within your organization and proactively follow a number of steps to keep your information and people protected from cyberattacks.
As we plan for 2023, here are 3 tips to help your organization defend against ransomware.*
Cyber Tip 1: Do you know precisely what to do if you get hacked?
- Contract or build an incident response team, develop an incident response plan, and test that plan routinely so that the improvements each exercise surfaces are locked in. Get help: testing incident response is not easy.
- Isolate affected systems from the network: unplug network cables, turn off Wi-Fi and Bluetooth, and disconnect external storage devices. Isolate rather than power off where you can, because shutting a machine down discards evidence in memory that responders may need.
- Determine scope: shared drives and folders, network storage, USB and other external storage, cloud storage, and so on. Do you know what your “crown jewels” assets are and, more importantly, where they are?
- Check file-sync tools in use such as Box, Dropbox and Google Drive. They keep version history, so you may be able to revert to the unencrypted versions of files stored there. Know your Recovery Point Objective (RPO): the maximum amount of data loss, measured in time, that the business can tolerate, which tells you how old a saved copy can be and still have current value to you.
- Know your backups: what is and is not backed up, whether the backups themselves are offline or otherwise out of the ransomware's reach, and the order in which restores must take place.
- Know your firm’s Recovery Time Objective (RTO): how long you have to get your files back before every further hour without access costs you revenue.
- We do not advise paying the ransom, but if you do, remember that the decryptor needs the encrypted drives reconnected in order to decrypt them if you disconnected them during containment.
- The ransomware usually leaves a ransom note and, in many cases, a list of every file it encrypted. Use the note, the extension appended to encrypted files and that list to identify the ransomware family and version, searching on those indicators if you have to. It matters: the family determines whether a known decryptor exists and what the group is known to steal.
- Determine whether your data or login credentials were copied before encryption and, if so, how much and what. The ransom note itself often tells you, because it brags about what was taken, and the attacker may post details of your stolen data on their leak site or blog.
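Several of the steps above can be scripted for a first pass: determining scope across shared, USB and cloud locations, separating the ransom note from the encrypted files, reading the variant indicator off the extension the ransomware appended, estimating when encryption began, and choosing the newest backup that predates it (which bounds the RPO you actually achieved in this incident). The Python triage helper below is an added example, not ConvergeOne's tooling. It runs against a constructed sample directory tree built inside a temporary folder; the ransom-note name markers, the entropy threshold and the list of legitimately high-entropy formats are assumptions to tune for your environment.

```python
"""Ransomware triage helper: scope, variant indicator, onset time, clean backup.

Added example, not ConvergeOne's tooling. The sample tree and backup list are constructed.
"""
import math
import os
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Substrings commonly seen in ransom-note filenames (assumed list; extend per family).
NOTE_MARKERS = ("readme", "recover", "decrypt", "restore", "how_to")
# Legitimately high-entropy formats an entropy test would otherwise flag (assumed list).
COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, English text sits around 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, threshold: float = 7.5, sample: int = 4096) -> bool:
    """Entropy test on the file's first `sample` bytes, skipping known compressed formats."""
    if path.suffix.lower() in COMPRESSED:
        return False
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(sample)) > threshold


def triage(roots):
    """Walk each root (shared drive, USB, cloud sync folder). Returns encrypted files per
    root, ransom notes, a tally of appended extensions, and the earliest encrypted-file
    mtime, which approximates when encryption began."""
    encrypted, notes, extensions, onset = defaultdict(list), [], Counter(), None
    for root in map(Path, roots):
        for p in root.rglob("*"):
            if not p.is_file():
                continue
            name = p.name.lower()
            # Ransom notes are plaintext, so match on name before the entropy test.
            if p.suffix.lower() in (".txt", ".html", ".hta") and any(m in name for m in NOTE_MARKERS):
                notes.append(p)
                continue
            if looks_encrypted(p):
                encrypted[str(root)].append(p)
                extensions[p.suffix.lower()] += 1
                mtime = datetime.fromtimestamp(round(p.stat().st_mtime), tz=timezone.utc)
                onset = mtime if onset is None or mtime < onset else onset
    return {"encrypted": dict(encrypted), "notes": notes, "extensions": extensions, "onset": onset}


def newest_clean_backup(backups, onset):
    """backups: list of (label, taken_at). Snapshots taken after onset may already hold
    ciphertext, so return the newest one taken strictly before it (None if there is none)."""
    clean = [b for b in backups if onset is None or b[1] < onset]
    return max(clean, key=lambda b: b[1], default=None)


def build_sample_tree(base: Path, onset: datetime):
    """Constructed sample: two roots, plaintext, '.locked' ciphertext, a ransom note and a
    high-entropy but legitimate .jpg. Not a real capture."""
    shared, usb = base / "shared", base / "usb"
    (shared / "finance").mkdir(parents=True)
    usb.mkdir()
    text = b"quarterly revenue figures and patient scheduling notes, " * 80
    files = {
        shared / "finance" / "q3.xlsx.locked": (os.urandom(4096), onset),
        shared / "finance" / "notes.txt": (text, onset - timedelta(days=30)),
        shared / "README_TO_RESTORE.txt": (b"Your files are encrypted. Contact us...", onset + timedelta(minutes=5)),
        usb / "export.csv.locked": (os.urandom(4096), onset + timedelta(minutes=2)),
        usb / "photo.jpg": (os.urandom(4096), onset - timedelta(days=10)),
    }
    for path, (content, when) in files.items():
        path.write_bytes(content)
        os.utime(path, (when.timestamp(), when.timestamp()))
    return [str(shared), str(usb)]


def run_demo():
    """Build the sample tree, triage it and choose a backup; returns a plain summary."""
    onset = datetime(2023, 1, 15, 3, 0, tzinfo=timezone.utc)
    backups = [  # constructed backup catalogue
        ("weekly-2023-01-08", onset - timedelta(days=7)),
        ("nightly-2023-01-14", onset - timedelta(hours=5)),
        ("nightly-2023-01-15", onset + timedelta(hours=19)),  # taken after encryption began
    ]
    with tempfile.TemporaryDirectory() as tmp:
        report = triage(build_sample_tree(Path(tmp), onset))
        chosen = newest_clean_backup(backups, report["onset"])
        return {
            "encrypted_per_root": {Path(r).name: len(v) for r, v in report["encrypted"].items()},
            "notes": len(report["notes"]),
            "top_extension": report["extensions"].most_common(1)[0][0],
            "onset_epoch": int(report["onset"].timestamp()),
            "backup": chosen[0] if chosen else None,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The entropy test alone also fires on compressed and media formats, which is why the skip list exists; confirm a hit against the appended extension and the ransomware's own file list. Run it from a clean host against read-only copies of the affected volumes rather than on the infected machine, so you neither trip the malware again nor alter evidence.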
Cyber Tip 2: Know what’s going on under your nose.
“Dwell time” is the term for how long an intruder sits inside your network, collecting information, before you notice.
The average dwell time is 210 days before you even realize that a cybercriminal has infiltrated your network. A Managed Detection and Response (MDR) service in your environment alerts you to traffic outside the normal range (anomalies) and adds threat-hunting capability, giving you visibility throughout the environment and helping you act when needed.
We also often see a Remote Access Trojan (RAT) bundled with ransomware, and it is hard to find and eradicate. A RAT is malware that includes a back door giving administrative control over the target system. RATs are usually downloaded silently alongside other malware such as ransomware. Once a host is compromised, the intruder can use it to push RATs to other vulnerable computers and build a botnet, or keep it as a future entry point even after the ransomware part of the payload has been dealt with.
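A RAT that survives the ransomware clean-up still has to phone home, and that usually shows up as many connections from one internal host to one external address at near-constant intervals, which is exactly the kind of anomaly an MDR team hunts for. The Python beacon detector below is an added example, not ConvergeOne's MDR tooling: it parses constructed connection-log lines (not a real capture), groups them by source, destination and port, and flags pairs whose inter-connection gaps have a low coefficient of variation. The minimum connection count and the variation threshold are assumed values to tune against your own traffic, and the first-seen timestamp it reports is the starting point for working out dwell time.

```python
"""Beacon detection over connection logs (added example, not ConvergeOne's MDR tooling).

A RAT checking in on a schedule produces regular gaps between connections; ordinary
browsing does not. Flag (src, dst, port) pairs with many connections and a low
coefficient of variation (stdev / mean) of their inter-connection gaps.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_flows() -> str:
    """Constructed flow records 'timestamp src dst dport bytes'. Not a real capture."""
    t0 = datetime(2023, 1, 15, 3, 0, tzinfo=timezone.utc)
    lines = []
    # 12 check-ins to a suspect address every ~5 minutes with slight jitter (the RAT).
    t, jitter = t0, (-7, 3, 0, 5, -2)
    for i in range(12):
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.12 203.0.113.7 443 512")
        t += timedelta(seconds=300 + jitter[i % len(jitter)])
    # Ordinary browsing from the same host: bursty, irregular gaps.
    t = t0
    for gap in (5, 340, 12, 1800, 60, 900, 7, 45, 2500, 30):
        t += timedelta(seconds=gap)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} 10.0.0.12 198.51.100.20 443 20480")
    # A second host with too few connections to judge either way.
    for gap in (0, 60, 120):
        ts = t0 + timedelta(seconds=gap)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 10.0.0.15 198.51.100.20 443 1024")
    return "\n".join(lines)


def parse_flows(text: str):
    """Parse lines into (timestamp, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport), int(nbytes)))
    return flows


def find_beacons(flows, min_conns: int = 8, max_cv: float = 0.2):
    """Return one dict per suspected beaconing pair. min_conns and max_cv are assumed
    starting thresholds; heavily jittered or slow beacons need looser values and extra
    signals (rare destination, fixed payload size, off-hours activity)."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport, "count": len(stamps),
                "interval_s": round(mean, 1), "cv": round(cv, 3),
                "first_seen": stamps[0].isoformat(),  # anchor for the dwell-time estimate
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(build_sample_flows())):
        print(hit)
```

On the constructed data only the 10.0.0.12 to 203.0.113.7 pair is flagged: twelve connections about 300 seconds apart with a coefficient of variation near zero, while the browsing traffic from the same host is rejected by its irregular gaps. Real implants often randomize their sleep or check in hourly or daily, so treat the thresholds as a starting point and corroborate with destination reputation and endpoint telemetry before declaring a host clean.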
Cyber Tip 3: Develop and optimize incident response programs (IRPs).
We’ve all heard it: “It’s not a question of if it happens, but when, and are you prepared?” IRPs are key to a company’s ability to respond to an incident (malware, ransomware, DDoS, and so on) expeditiously. A strong program sets expectations for each key role, lays out communication plans both internal and external, and, through well-planned tabletop exercises, turns the plan into actionable items.
*These 3 ransomware tips are part of ConvergeOne’s white paper: 23 Cyber Security Tips for 2023, by Chris Ripkey and Vito Nozza. You can check out all 23 tips covering Zero Touch, Cloud Security, Risk Management and more in the complete white paper. Access it now.