What To Do if an Enterprise Falls Victim to a Ransomware Attack
February 22, 2021
By Rachel Tsui and Jason Connotillo
Ransomware attacks on enterprises and their data are no longer novel, and have been capturing headlines for over twenty years. Some professional estimates date the first widely known attack back to 1989. Since then, the number of ransomware attacks reported annually continues to rise. The Verizon 2020 Data Breach Investigations Report1 reveals ransomware now accounts for 27% of malware incidents, and 18% of the organizations contributing to the Verizon Report blocked at least one piece of ransomware last year. Most attacks are financially motivated. The same Verizon Report highlighted that 83% and 79% of attacks on small and large businesses, respectively, involved financial motives. Another study estimated at one point in 2020, the average successful ransomware attack demanded payment of over $230,000.2
Ransomware is malicious software, or ‘malware,’ that attacks an enterprise by rendering either individual devices or major systems useless, and by restricting access to critical business data using encryption. The malware is usually installed inadvertently by unsuspecting employees, though in rare cases can be deliberately placed. The discovery of malware by victim enterprises is often accompanied by a bad cyber actor demanding payment to return access to vital systems and data. This is a tough spot to build a recovery strategy from, given that it’s largely impossible to conduct a decryption exercise without the specific parameters used to initially, and often illegally, encrypt the target.
After discovering a ransomware attack, what can enterprises do begin the recovery process? Foremost, the immediate response should involve disconnecting any affected machines from the network and isolating other machines. This will likely cut off the bad actor’s access and limit further dissemination of malware, should they still have control over breached machines. It is often after this exercise the bad actor will present a ransom request window. Generally, there are two options at this time: pay the ransom or decline.
If an enterprise strictly adheres to a “we do not negotiate with ‘bad actors’” policy, the answer, obviously, is an emphatic no. It is, however, at this time important to face the possibility that access to the restricted data may be forever lost. Well-prepared enterprises will have in place a comprehensive incident response playbook that includes detailed restoration plans for data backups. This will ensure minimal impact when deciding not to negotiate. Rarely do enterprises pay ransom. If this does become the ultimate decision, it is recommended a professional third party be involved to coordinate the recovery of machines and data and any ransom payment. In either scenario, it is unfortunate that some degree of reputation damage to the enterprise is likely.
Other important matters arise at the time of a ransomware event, separate from the ransom response and beginning recovery programs. Depending on the event’s severity, many enterprises are obligated to notify one or more regulatory authorities. For example, New York Department of Financial Services (DFS) licensees are required to report to the NY DFS any significant security event, including ransomware, within 72 hours of any occurrence. Financial institutions in general are required to file suspicious activity reports (SARs) under the Bank Secrecy Act. Private sector enterprises are encouraged to report cyber incidents to the federal government. It is also exceedingly important to consider thoroughly conducting a post-incident investigation leveraging a digital forensic expert.
A report compiled by Sophos, a major security software and hardware company, documented bad actors succeeded in encrypting enterprise data in 73% of ransomware attacks3. Enterprises must instill vigilance in their employees, and that begins with awareness. Successful attacks usually begin with a ‘triggering event’ that can be spotted by trained eyes. These events can include peculiar email requests, known as phishing attempts, file names transforming into a string of unusual characters, multiple windows popping up suddenly on machines without prompting, and the time it takes to access files increases considerably. Knowing the early signs of an attack can limit its impact.
We believe prevention will be a significant factor in an enterprise’s recovery success. Directly below are meaningful security initiatives enterprises can introduce into their technology environment to reduce the risk and impact of a ransomware attack.
- Enhance awareness within the enterprise to thwart attacks through routine security training and email phishing simulations;
- Create and test an enterprise’s incident response program;
- Routinely back up critical data to protected storage locations and regularly test data recovery;
- Leverage Security Information, Event Management (SIEM) and Endpoint Detection, and Response (EDR) tools for rapid attack detection;
- Scan your networks regularly and make sure only necessary ports remain open;
- Install anti-virus software and implement frequent signature updates.
Preparing for a security event may seem like a lot to undertake for small and mid-market enterprises. With the help of professional service organizations, like cybersecurity advisory firms and managed security service providers, enterprises can develop and implement a holistic cybersecurity program while remaining focused on core business activities.
Digital Intelligence Newsletter - Q1 2021