Ransomware remediation: What steps should your business take for recovery?
Yahya Patel probably knows better than most just how much damage ransomware can cause. As Check Point Software’s lead security engineer, he has watched ransomware grow from a “single group threat” holding the decryption key hostage into a “triple extortion” catastrophe, in which even the customers of targeted companies are pressured to pay for the stolen data.
Add to the mix the rise of ransomware as a service (RaaS), which has made it easier for anyone to launch large-scale attacks, leaving companies scrambling for survival or shutting their doors altogether.
“We’re facing nearly a million ransomware attacks a day, per Statista, and 2023 alone saw over a billion dollars paid out,” Patel shares. “Without a remediation strategy in place, businesses are left open to painful financial losses, a bruised public image, and even a broken employee experience.”
Patel’s not the only voice in the room calling for a robust ransomware remediation strategy. Sophos’ The State of Ransomware 2024 report echoes his thoughts, revealing that 46% of businesses with uncompromised data backups recover from ransomware attacks in a week or less, while only 25% of those without secure backups manage the same.
As Aaron Bishop, CEO of Novous, puts it: “If you don’t have a strong remediation strategy in place, you’ll probably be leaning on your disaster recovery and business continuity plans, and that might not be enough. You could be staring at lengthy downtimes, lost data, regulatory fines, and lawsuits on the horizon.”
Ransomware remediation is an end-to-end security plan for preparing for, responding to, and recovering from ransomware attacks. It covers detecting, containing, and eradicating the ransomware threat, and then restoring the affected systems and data.
Kurt Wuckert Jr., co-founder of blockchain firm Gorilla Pool, explains, “The focus isn’t just on dealing with the current threat; it’s also about bolstering our defenses for the future. We want any ransomware encounter to result in minor disruption at best, not a major loss.”
Wuckert also lays out a series of coordinated steps for implementing a ransomware remediation strategy, starting with:
1. Isolate the infected system
- Disconnect the infected devices from the network to stop the ransomware from spreading, whether that means unplugging Ethernet cables or turning off Wi-Fi. Network segmentation, which breaks an enterprise network into smaller sections, is another effective way to isolate the affected areas. While you’re at it, temporarily disable any non-essential services and applications to shrink the attack surface.
- Set up network access control (NAC) to enforce rules that limit who can access your network resources based on user identity and device compliance standards.
- Monitor for security red flags such as shadow IT, unfamiliar accounts appearing, sudden drops in battery life, or random spikes in disk activity; any of these could be a sign that ransomware is encrypting your systems.
2. Assess the damage
- Set up an intrusion detection system (IDS) to keep tabs on anything fishy, like unexpected data encryption or unauthorized access attempts. Patel pairs this step with “running a risk assessment to dig up any vulnerabilities” in your security posture, drawing on log data, the business processes that matter most, and the entry points ransomware could exploit.
- Once the infected devices are isolated, run a ransomware analysis tool. Detonate the collected samples in an isolated virtual environment so you can identify the ransomware variant and spot any new strains it might morph into. Knowing which family you are dealing with determines the next step: rebuilding the infected systems, resetting passwords, or applying missing patches.
- Work out the extent of your data loss from your data inventory, which records where everything is stored and how to access it. Compare that inventory with what your digital forensic investigation (using your IDS and ransomware analysis tools) turned up, to see which data stores were targeted and how badly they were affected.
Trend Micro’s David Sancho explains that AI-driven automation can make a “big difference in how fast a company recovers” from a cyber incident. By automating key steps, such as managing data centers, consolidating operations, and replicating data, AI helps companies quickly assess damage and get back online.
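The two bullets above about spotting “spikes in disk activity” and an IDS watching for “unexpected data encryption” are where most of a detection engineer’s effort goes, and the output of that detection feeds straight into step 1 (pull the host off the network). The script below is an added example, not code from the article or from Wuckert, Patel, or their companies. It assumes a generic JSON-lines file-audit export (the field names `ts`, `host`, `process`, `action`, `path`, `new_path` are an assumption, not any vendor’s schema) and runs two heuristics over constructed sample events: a burst of extension-changing renames by one process inside a sliding window, and the creation of a ransom-note-like text file. Hosts that trip either heuristic are returned as the isolation list.

```python
"""Flag hosts whose file activity looks like ransomware encrypting files in bulk.

Added example. The event format is an assumed generic EDR/file-audit export
(JSON lines), not any vendor's schema; the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json
import os

# Constructed sample telemetry: one infected workstation (ws-042), one developer
# box doing harmless renames (ws-017), and one ordinary document edit (ws-101).
SAMPLE_EVENTS = [
    '{"ts": "2024-05-01T09:00:01", "host": "ws-042", "process": "updater.exe", "action": "rename", "path": "C:/Users/finance/Documents/q1.docx", "new_path": "C:/Users/finance/Documents/q1.docx.locked"}',
    '{"ts": "2024-05-01T09:00:02", "host": "ws-042", "process": "updater.exe", "action": "rename", "path": "C:/Users/finance/Documents/q2.xlsx", "new_path": "C:/Users/finance/Documents/q2.xlsx.locked"}',
    '{"ts": "2024-05-01T09:00:03", "host": "ws-042", "process": "updater.exe", "action": "rename", "path": "C:/Users/finance/Documents/budget.pptx", "new_path": "C:/Users/finance/Documents/budget.pptx.locked"}',
    '{"ts": "2024-05-01T09:00:04", "host": "ws-042", "process": "updater.exe", "action": "rename", "path": "C:/Users/finance/Documents/notes.txt", "new_path": "C:/Users/finance/Documents/notes.txt.locked"}',
    '{"ts": "2024-05-01T09:00:05", "host": "ws-042", "process": "updater.exe", "action": "rename", "path": "C:/Users/finance/Documents/plan.pdf", "new_path": "C:/Users/finance/Documents/plan.pdf.locked"}',
    '{"ts": "2024-05-01T09:00:06", "host": "ws-042", "process": "updater.exe", "action": "rename", "path": "C:/Users/finance/Documents/contracts.zip", "new_path": "C:/Users/finance/Documents/contracts.zip.locked"}',
    '{"ts": "2024-05-01T09:00:07", "host": "ws-042", "process": "updater.exe", "action": "create", "path": "C:/Users/finance/Documents/README_RESTORE_FILES.txt"}',
    '{"ts": "2024-05-01T09:00:10", "host": "ws-017", "process": "build.exe", "action": "rename", "path": "/home/dev/proj/a.tmp", "new_path": "/home/dev/proj/a.o"}',
    '{"ts": "2024-05-01T09:00:11", "host": "ws-017", "process": "build.exe", "action": "rename", "path": "/home/dev/proj/b.tmp", "new_path": "/home/dev/proj/b.o"}',
    '{"ts": "2024-05-01T09:00:12", "host": "ws-017", "process": "build.exe", "action": "rename", "path": "/home/dev/proj/c.tmp", "new_path": "/home/dev/proj/c.o"}',
    '{"ts": "2024-05-01T09:00:13", "host": "ws-017", "process": "build.exe", "action": "create", "path": "/home/dev/proj/build.log"}',
    '{"ts": "2024-05-01T09:00:20", "host": "ws-101", "process": "winword.exe", "action": "modify", "path": "C:/Users/sales/report.docx"}',
]

WINDOW = timedelta(seconds=60)   # bursts are counted inside this sliding window
MIN_RENAMES = 5                  # extension-changing renames per process that count as a burst
RANSOM_NOTE_HINTS = ("readme", "restore", "decrypt", "how_to", "recover")


def parse_events(lines):
    """Parse JSON-lines telemetry and return the events sorted by timestamp."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def _basename(path):
    # Accept both Windows and POSIX separators regardless of the analysis host.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension_changed(src, dst):
    """True when a rename swaps the file extension (q1.docx -> q1.docx.locked)."""
    return (os.path.splitext(_basename(src))[1].lower()
            != os.path.splitext(_basename(dst))[1].lower())


def looks_like_ransom_note(path):
    name = _basename(path).lower()
    return name.endswith(".txt") and any(hint in name for hint in RANSOM_NOTE_HINTS)


def analyze(events):
    """Return {(host, process): [reasons]} for processes showing ransomware-like behaviour."""
    per_process = defaultdict(list)
    for event in events:
        per_process[(event["host"], event["process"])].append(event)

    findings = {}
    for key, evs in per_process.items():
        reasons = []
        renames = [e for e in evs
                   if e.get("action") == "rename" and extension_changed(e["path"], e["new_path"])]
        # Sliding window: any WINDOW-sized span holding MIN_RENAMES renames is a burst.
        for i, first in enumerate(renames):
            burst = [r for r in renames[i:] if r["ts"] - first["ts"] <= WINDOW]
            if len(burst) >= MIN_RENAMES:
                new_exts = sorted({os.path.splitext(_basename(r["new_path"]))[1] for r in burst})
                reasons.append(f"{len(burst)} extension-changing renames in {WINDOW.seconds}s "
                               f"(new extensions: {', '.join(new_exts)})")
                break
        notes = [e["path"] for e in evs
                 if e.get("action") == "create" and looks_like_ransom_note(e["path"])]
        if notes:
            reasons.append(f"ransom-note-like file created: {_basename(notes[0])}")
        if reasons:
            findings[key] = reasons
    return findings


def hosts_to_isolate(findings):
    """Hosts that should be pulled off the network (or NAC-quarantined) right now."""
    return sorted({host for host, _ in findings})


if __name__ == "__main__":
    found = analyze(parse_events(SAMPLE_EVENTS))
    for (host, process), reasons in found.items():
        print(f"{host} / {process}:")
        for reason in reasons:
            print(f"  - {reason}")
    print("isolate:", hosts_to_isolate(found))
```

The thresholds are deliberately conservative: a developer’s build renaming a handful of `.tmp` files to `.o` stays below `MIN_RENAMES`, while an encryptor touching a user’s documents blows through it in seconds. In production you would tune the window and threshold per host role and feed `hosts_to_isolate()` to whatever quarantines endpoints (an EDR network-isolation action or a NAC policy change) rather than printing it.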
3. Focus on data backup and recovery
- Quarantine your backups so they cannot be reached from the production network. Use incremental backups to minimize data loss, and choose immutable storage that cannot be overwritten, so a clean copy of your critical data is always on hand.
- Stick to the 3-2-1 rule: keep three copies of your data, on two different types of storage media, with one copy stored off-site. Mix on-premises options (hard drives or tapes) with cloud storage for faster recovery.
- Encrypt your backups, both at rest and in transit, so a copy stolen during the attack cannot be used for extortion. And before you begin restoring, scan the backups for malware to be sure you are not reintroducing the infection.
- Set up a backup infrastructure in advance for business continuity in case of crisis. While it might be a bit pricey, having a mirrored version of your primary production center means you can keep operations running smoothly even after a major attack.
If you don’t have a solid backup system in place, jump straight to a ransomware recovery as a service (RRaaS) solution. It’s a one-stop shop with built-in incident response, regular backups, and risk assessments. You also get 24/7 monitoring for ransomware signs and access to threat intelligence feeds to stay ahead of new cyber threats that your traditional cyber solutions might miss.
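Immutable storage keeps ransomware from overwriting a backup, but it does not tell you, at restore time, whether the copy you are about to use is the one you made. The script below is an added example, not code from the article or from any backup product; it assumes a manifest format of its own (a SHA-256 per file plus an HMAC over the listing, with the HMAC key held somewhere the backup host cannot read) and builds a constructed backup set in a temporary directory. It then checks three situations a practitioner actually meets before the “scan before you restore” step: a clean copy, a copy that ransomware reached and partially encrypted, and a copy whose manifest was edited to hide that.

```python
"""Tamper-evident backup manifests: build one at backup time, verify before restoring.

Added example. The manifest format and the HMAC key handling are assumptions,
not a description of any backup product; the files created below are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _inventory(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in sorted(root.rglob("*")) if p.is_file()}


def _tag(files, key):
    # Canonical JSON so the same file set always produces the same bytes to MAC.
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Hash every file under root and MAC the listing with a key kept off the backup host."""
    files = {rel: hash_file(p) for rel, p in _inventory(root).items()}
    return {"files": files, "hmac": _tag(files, key)}


def verify_backup(root, manifest, key):
    """Compare the copy under root with its manifest; refuse a manifest whose MAC fails."""
    report = {"manifest_tampered": False, "missing": [], "modified": [], "unexpected": []}
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["hmac"]):
        report["manifest_tampered"] = True   # listing was edited without the offline key
        return report
    present = _inventory(root)
    expected = manifest["files"]
    report["missing"] = sorted(set(expected) - set(present))
    report["unexpected"] = sorted(set(present) - set(expected))
    report["modified"] = sorted(rel for rel in set(present) & set(expected)
                                if hash_file(present[rel]) != expected[rel])
    return report


def safe_to_restore(report):
    return not report["manifest_tampered"] and not (
        report["missing"] or report["modified"] or report["unexpected"])


def demo():
    """Build a manifest for a constructed backup set, then check three scenarios."""
    key = b"assumed-offline-manifest-key"   # assumption: held where the backup host cannot read it
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet contents")
        (root / "notes.txt").write_bytes(b"constructed notes")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)          # scenario 1: untouched copy

        # Scenario 2: ransomware reaches a writable backup copy, encrypts a file,
        # renames it and drops a ransom note.
        victim = root / "finance" / "q1.xlsx"
        victim.write_bytes(os.urandom(64))
        victim.rename(victim.parent / (victim.name + ".locked"))
        (root / "README_RESTORE.txt").write_bytes(b"constructed ransom note")
        dirty = verify_backup(root, manifest, key)

        # Scenario 3: the attacker also edits the manifest to match the encrypted copy
        # but cannot recompute the HMAC without the offline key.
        forged = json.loads(json.dumps(manifest))
        forged["files"]["finance/q1.xlsx.locked"] = forged["files"].pop("finance/q1.xlsx")
        forged_report = verify_backup(root, forged, key)
    return {"clean": clean, "dirty": dirty, "forged": forged_report}


if __name__ == "__main__":
    for name, report in demo().items():
        verdict = "safe to restore" if safe_to_restore(report) else "DO NOT restore"
        print(f"{name}: {verdict} {report}")
```

The point of the HMAC is that a manifest sitting next to the backup is only as trustworthy as the storage it sits on; keying it with a secret the backup host never sees turns “the listing matches the files” into evidence rather than an attacker-controlled claim. With a 3-2-1 layout you run `verify_backup()` against each copy and restore from the first one that comes back clean.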
4. Rebuild your infrastructure
- Prioritize patches, especially for internet-facing devices, to reduce your risk of attack. “The WannaCry attack showed how dangerous it is to skip patching vulnerabilities,” Patel says. “Not patching the EternalBlue vulnerability led to a massive outbreak that infected 200,000 systems in just three days.”
- Adopt the principle of least privilege (PoLP) and a zero trust model to build a layered cybersecurity defense alongside firewalls, endpoint detection and response (EDR), and multi-factor authentication (MFA).
As ransomware evolves, so must our solutions for detecting and recovering from it. Wuckert believes blockchain holds the key to creating a robust, end-to-end system for ransomware recovery. “Blockchain-based checkpoints and backups create a secure, tamper-proof record of your system’s state, making it easier to spot issues quickly,” he says. “And with real-time logs and alerts, you get a clear picture of events, which simplifies containment and recovery.”
Bishop adds: “At the end of the day, whatever tool you use, a well-thought-out remediation strategy is about resilience—keeping the business running, no matter what.”