Last week, Stephen Jones, our Senior Director of Cybersecurity, and Blue Team Alpha's CISO Jeff Wheat partnered to present our latest webinar, "How to Survive a Ransomware Attack: Infection Vectors, Response, & Long-Term Defense".
The webinar covered the current state of Ransomware 2.0, which is currently devastating businesses across all industries. It also covered the dos and don'ts of real-life responses, as knowing the right approach is critical to protecting your business.
Here we will break down the most common infection vectors and cover tips on remediation and post-incident communication. After reading this summary, check out our full webinar below.
The Age and Business of Ransomware
In 2020, there was a Ransomware victim every 10 seconds. Ransomware started with a shotgun approach: the aim was to cast as wide a net as possible and hit as many individuals and companies as possible. In 2017, about 54% of companies saw some form of Ransomware incident. In 2021, attacks have become increasingly strategic as Ransomware strikes more lucrative businesses, such as the recent attack on the Colonial Pipeline that halted fuel delivery to the East Coast for an entire week. In the same way that you as a business would identify your market and figure out how to optimize your success, Ransomware attackers are doing the same thing. The IBM Security Report of 2020 estimated that the average cost of a cyberattack in 2020 was $3.86 million.
What is Double Extortion?
Ransomware attackers are also finding new ways to entice organizations to pay, including through double extortion. Double extortion is when Ransomware attackers steal a copy of your data and either delete or encrypt your local copy. Then, the attackers will ask you to pay twice: once so you can regain access to your local copy, and once to stop them from sharing or leaking the copy that they took. The increased leverage makes it more likely you will be enticed to pay.
What are the most common infection vectors and what are the layers of defense against them?
The three most common infection vectors are:
- Phishing Emails
- Malicious Links
- Exploiting Vulnerabilities
Phishing emails and malicious links are incredibly common. If you open your inbox today, you probably have emails with malicious links in them. Ransomware attackers will go so far as to create specially crafted websites to increase the appearance of legitimacy and make end-users believe they are not malicious. Vulnerabilities are at the heart of these common infection vectors, and phishing emails coupled with malicious links are the delivery mechanism.
The best ways to defend yourself against these common vectors are:
- Patching Vulnerabilities
- Advanced Endpoint Protection
- Automated Backups
- SOC/Monitoring: Early and Rapid Identification
- Security Awareness Training
How can you tell you are under a Ransomware attack?
Some common signs that you are under a Ransomware attack include:
- Suspicious/unexpected money transfer
- Suspicious/unexpected vendor account
- Change request
- Multiple failed login attempts (brute force)
- Abnormal remote login sessions
- Unauthorized email forwarding rules
- Logins from an unfamiliar domain
- Unopenable files
- Increased quantity and quality of phishing attempts
- Duplicate invoice complaints from multiple customers
These can all be precursors to an attack or signs that one is imminent. A sign may seem small to you, but it's important to report anything suspicious before it grows into something more serious.
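Several of the signs listed above (failed logins, logins from an unfamiliar domain, unauthorized forwarding rules) are visible in authentication and mailbox audit logs and can be checked mechanically. The following is an added example, not code from the webinar or from Dataprise, that runs simple detection logic over a few constructed log lines; the log format, the KNOWN_DOMAINS allowlist and the brute-force threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, event type, user, source IP, detail
SAMPLE_LOG = """\
2021-06-01T08:00:01 LOGIN_FAIL alice 203.0.113.7 -
2021-06-01T08:00:04 LOGIN_FAIL alice 203.0.113.7 -
2021-06-01T08:00:09 LOGIN_FAIL alice 203.0.113.7 -
2021-06-01T08:00:15 LOGIN_FAIL alice 203.0.113.7 -
2021-06-01T08:00:21 LOGIN_FAIL alice 203.0.113.7 -
2021-06-01T08:01:30 LOGIN_OK bob 198.51.100.4 corp.example
2021-06-01T08:02:10 LOGIN_OK carol 192.0.2.9 unknown-partner.example
2021-06-01T08:05:00 FORWARD_RULE carol 192.0.2.9 ext-mailbox.example
2021-06-01T09:00:00 FORWARD_RULE bob 198.51.100.4 corp.example
"""

KNOWN_DOMAINS = {"corp.example"}  # assumed allowlist of the organization's own domains
BRUTE_FORCE_THRESHOLD = 5         # assumed: 5 failures from one source within the window
BRUTE_FORCE_WINDOW = timedelta(minutes=1)

def parse(line):
    ts, event, user, src, detail = line.split()
    return datetime.fromisoformat(ts), event, user, src, detail

def detect(log_text, known_domains=KNOWN_DOMAINS):
    """Return (indicator, user, evidence) tuples for the log-visible signs of compromise."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failed logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src, detail = parse(line)
        if event == "LOGIN_FAIL":
            window = [t for t in failures[(user, src)] if ts - t <= BRUTE_FORCE_WINDOW]
            window.append(ts)
            failures[(user, src)] = window
            if len(window) == BRUTE_FORCE_THRESHOLD:  # fire once, when the threshold is reached
                alerts.append(("brute_force", user, src))
        elif event == "LOGIN_OK" and detail not in known_domains:
            alerts.append(("unfamiliar_domain_login", user, detail))
        elif event == "FORWARD_RULE" and detail not in known_domains:
            alerts.append(("external_forwarding_rule", user, detail))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Bob's forwarding rule to the organization's own domain produces no alert; only the rule pointing outside the allowlist does.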
How to Respond?
Response timing is critical when you believe you are under a Ransomware attack. Here is a list of Dos and Don'ts to help guide your response:
Do:
- Isolate network traffic to mitigate the risk of continued adversary activity
- Verify the state of business-critical system backups and make an offline copy of these backups
- Contact legal counsel and inform them of the situation
Don't:
- Turn off servers until you are certain they have not been affected by ransomware
- Try to "clean up" the ransomware without professional assistance
As technology continues to advance, Ransomware attackers will continue to find new ways to extract sensitive information from your company. It is more important than ever to take preventive measures that ensure a rapid response and minimal damage. At Dataprise, we can help you get a jump start in mitigating risk with a 'no cost' IT environment assessment. Find out more below!