SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
The dos and don'ts of responding to ransomware
Thu, 11th May 2017

Ransomware may have had a killer 2016, but according to some cybersecurity researchers, encryption malware is just getting started. This year, ransomware is expected to increase both in volume and variety as hackers continue churning out sophisticated new strains of encryption malware. And while you might not be able to prevent every single one from slithering through the cracks, a smart incident response strategy for ransomware can help prevent significant loss and business downtime.

To that end, here are the dos and don'ts of ransomware incident response (IR):

Do…

Abide by the principle of least privilege: Before there is ever a need for IR, we recommend applying the principle of least privilege (POLP). In other words, limit end-user admin rights on local machines, or remove them altogether. This helps contain an infection before it spreads across the network, and reduces the likelihood of an unauthorized executable running in the first place. With cloud computing coming to the fore, this is becoming an increasingly viable option.

Quarantine infected machines: Traditionally, ransomware needed to call home to a command and control server in order to get the encryption key. However, some strains of ransomware now come preloaded with a public encryption key. This makes it more difficult to intercept these attacks early, and increases the likelihood of successful data encryption. Once encryption malware is successfully executed, infected systems must be quarantined to prevent lateral movement on the network.

Execute your premeditated IR plan: First and foremost, hopefully you have an IR plan for ransomware. If you don't, take this as your wake-up call to create one. Make sure that every person, from the intern to the CEO, knows his or her role in this plan – there is strength in numbers, but only if everyone works in harmony. Remember, the only way to ensure adequate data protection in a ransomware intrusion is to have a clear pathway to remediation.

Don't…

Pay the ransom: Last year, a Kansas hospital paid a ransom only for the criminals to come back and demand a second. This institution was hardly the only organization to pay up in vain – that is to be expected of cybercriminals. And yet, a study from IBM revealed that 70 percent of businesses that get hit with ransomware end up paying. Our advice? Do not pay. Take the money you might lose and instead invest it in IR that will spare you from having to fork over hundreds, if not thousands, of dollars.

Make DR your IR: Last but not least, do not make your disaster recovery plan your IR plan. DR plays a role in data protection, but it is not the be-all end-all of IR because it does not guarantee business continuity. Rather, DR is a sort of last resort in the event that there is no quicker path to recovery (and there almost always is).