Editor’s Question: The best way to respond to a ransomware attack

We asked three industry experts: Should organizations focus greater attention on putting systems in place that enable quick data recovery rather than pay a ransom in the event of a ransomware attack? Here are their responses:

Mark Lukie, Sales Engineer Manager – APJ, Barracuda

If your organization falls victim to a ransomware attack, the very last thing you should do is pay the cybercriminal’s demands.

Buckling under the threat and making payment, usually in Bitcoin or another cryptocurrency, may seem like the easiest way out of a dark corner, but it does nothing to help stem the rising tide of attacks occurring around the world. It also doesn’t guarantee you’ll actually regain access to your data.

A further risk arises when cybercriminals copy sensitive data before they encrypt it. Even if the ransom is paid, they still have the option of selling this data to another party or simply releasing it in the hope of causing reputational damage to the victim.

The recent surge in ransomware attacks has been aided by the large number of people who have been forced to work remotely during the COVID-19 pandemic. No longer protected by perimeter security as they are in the office, they’re more open to threats and attacks.

Ransomware is also proving very lucrative for criminals as a result of surging cryptocurrency prices. The digital currencies are the perfect payment mechanism as they are unregulated and difficult to trace.

Attacks are also increasing in number because of the relative ease with which they can be conducted. It’s even possible to make use of so-called ‘Ransomware-as-a-Service’, which removes the need for any technical knowledge at all.

It should also be noted that paying a ransomware demand can put an organization at greater risk of further attacks. It is a winning situation for a hacker when they receive payment, so they are likely to target the same organization multiple times. As long as the opportunity for payout remains, the attacks will continue.

Preparation is better than payment

To avoid falling victim to an attack, and ensure systems can be recovered quickly should one occur, every organization needs to have some key elements in place. These include:

Advanced firewalls: If a user opens a malicious attachment or clicks a link and triggers a download, an advanced network firewall provides a chance to stop the attack by flagging the executable as it tries to pass through.

Malware and phishing detection: For emails with malicious attachments, static and dynamic analysis can detect indicators that the document is trying to download and run an executable file. Phishing emails that can lead to an attack can also be spotted and quarantined for further inspection.

Zero Trust: Rather than relying on traditional VPN links, implement a strategy of Zero Trust to ensure users, applications and data are secure at all times.

Regular backups: Conducting regular backups of critical data is a vital part of any preparations. If an attack happens, cloud backup can allow core systems to be quickly restored, minimizing cost and disruption.

User-awareness training: The weakest link in any security infrastructure continues to be the users. By visiting a rogue website or opening a suspicious email attachment, they can unwittingly launch an attack that brings their organization to its knees. Conduct regular training sessions to explain the nature of the threat and the basic steps they need to be taking to reduce risk levels.

All evidence points to the number and severity of ransomware attacks continuing to grow in the months ahead. This is why preparation rather than payment remains the best strategy to follow.

Derek Cowan, Director of Systems Engineering – APAC, Cohesity

Every 11 seconds, over 33,000 Google searches are entered throughout the world; in that same time, somewhere an organization will need to respond to a ransomware attack. Since the AIDS Trojan in 1989, the first large-scale ransomware attack, organizations have been faced with the questions of: How do we respond? Should we pay the ransom?

Organizations have many considerations to weigh up here; however, the short answer to the second question is ‘no’. There are multiple reasons why paying a ransom is not an effective ransomware response or remedy. And, while it may seem easier to pay, ransom payment does not guarantee business as normal the next day.

In addition, those funds your organization has paid could fund the next attack, which may even be a key partner or customer. It could also be illegal to pay a ransom depending on the jurisdiction of your organization’s operations.

Death, taxes and cyberattacks – they are the three certainties in modern life. Every organization will fall victim to cyberattacks; for those that fall victim to ransomware there is a lasting threat to business operations, and in many cases something malignant will have been going on for a long time.

A multi-layered security approach to prevent the attack is required upfront, but what about data recovery in the event of a breach of your network? A next-gen data management architecture offers organizations deeper data oversight and extends your security capabilities, ultimately providing a better chance of recovering against attacks. By understanding where your data resides and eliminating the fragmentation that occurs across multiple data silos, you immediately are in a better place to protect the precious data being held.

Such next-gen data management solutions and services should consolidate silos, increase visibility, remove complexity, increase automation to eliminate human error and standardize processes, and offer immutable backup by design. Without this level of data management, organizations are unable to holistically protect, detect and recover from ransomware.

If you’re in a situation where you have been attacked and you must consider paying a ransom to get your data back, you’ve already lost. Businesses must get ahead of these attacks by preparing properly.

People focus on the defense, not on the recovery. Even though it may seem like the easiest way to get your business back up and running, paying a ransom doesn’t restore your system back to normal. There is often a lot more work to do, file corruption and a prolonged period of network/service outage. The quick dollar paid does not provide the remedy it promises.

Taking proactive steps to next-gen data management, before an attack, by conducting regular backups and planning data recovery, will strengthen an organization’s ability to respond to and remedy a ransomware attack. For the organizations that take the passive approach, the crunch time of having to decide between paying a ransom to moderately recover, or losing it all, might be just 11 seconds away.
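Both Mark Lukie’s point about regular backups and Derek Cowan’s call for immutable backup by design rest on the same practical check: a backup copy you cannot prove is intact is not a recovery plan. The following Python script is an added example written for this page, not code from Barracuda, Cohesity or the article’s contributors. It hashes every file in a backup set into a manifest stored outside the backup tree, then verifies a later copy of that set against the manifest and reports files that were modified, removed or added. The directory layout, file names and the tampering step are constructed for the demonstration.

```python
"""Backup-set integrity check (hypothetical example for this article).

Hash every file in a backup set, record the digests in a manifest kept
apart from the backup (ideally on write-once storage), and later verify
that no file in the copy was altered, removed or added before restoring.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backup files never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's path (relative to the backup root) to its digest and size."""
    manifest = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against the manifest captured at backup time.

    Returns lists of relative paths that are intact ("ok"), changed ("modified"),
    gone ("missing") or absent from the manifest ("unexpected"). Because the
    manifest lives outside the backup tree, whatever touched the backup could
    not have rewritten it, so any mismatch means this copy is untrusted.
    """
    current = build_manifest(backup_dir)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            report["missing"].append(rel)
        elif actual["sha256"] != expected["sha256"]:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def backup_is_restorable(report: dict) -> bool:
    """A copy is safe to restore from only if nothing changed, vanished or appeared."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> tuple:
    """Constructed scenario: a three-file backup set and its manifest, then a
    verification of the pristine copy and of a copy that was damaged afterwards."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    backup = root / "backup"
    (backup / "db").mkdir(parents=True)
    (backup / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
    (backup / "config.yaml").write_bytes(b"retention_days: 30\n")
    (backup / "notes.txt").write_bytes(b"quarterly report\n")

    # Manifest written at backup time to a location outside the backup tree
    manifest_path = root / "manifest.json"
    manifest_path.write_text(json.dumps(build_manifest(backup)))

    # First verification run: the copy is untouched
    clean = verify_backup(backup, json.loads(manifest_path.read_text()))

    # Constructed damage: one file overwritten, one deleted, one stray file added
    (backup / "db" / "customers.sql").write_bytes(b"\x00" * 32)
    (backup / "notes.txt").unlink()
    (backup / "stray.bin").write_bytes(b"unknown")

    damaged = verify_backup(backup, json.loads(manifest_path.read_text()))
    return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("clean copy restorable:", backup_is_restorable(clean_report))
    print("damaged copy restorable:", backup_is_restorable(damaged_report))
    print(json.dumps(damaged_report, indent=2))
```

Running the script verifies a pristine copy as restorable and flags the damaged copy with one modified, one missing and one unexpected file. In practice the manifest would be written to storage the backup job cannot later modify, and the verification would run before every restore drill as well as on a schedule, so that a silently encrypted or corrupted backup set is discovered long before it is needed.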

Simon Howe, Vice President Sales APAC, LogRhythm

With the volume of ransomware attacks growing by the day, attention is focused on the best ways for organizations to minimize their impact.

In many cases, such attacks are viewed as an inevitable occurrence and focus is therefore placed on how the organization can get key systems up and running again as quickly as possible. Their strategy is one that revolves around regular backups and using them to restart systems as soon as malicious code has been removed from servers.

While taking this approach will allow an organization to eventually resume normal operations, it should not be the preferred strategy for combating the threat posed by ransomware. A better option is to have capabilities in place that prevent the attack from happening in the first place.

There are a number of steps an organization can undertake to prepare for a ransomware attack and reduce the likelihood of one occurring. These steps include:

Conduct staff education sessions:
One of the most common vectors through which a ransomware attack is launched is a phishing email campaign. A staff member receives a message that appears to come from a trusted source; however, it contains an infected attachment or a link to a malicious website.

Organizations should conduct regular education sessions for all staff. During each, the threat posed by ransomware should be clearly explained, together with basic steps that can be taken to avoid a successful attack.

These sessions can be augmented with awareness campaigns involving fake emails sent by the IT team that contain links or attachments. Staff can then be monitored to see whether anyone opens them and be reminded of the risks.

Deploy endpoint and network detection tools:
An important step to have in place is the capability to monitor activity and flag anything that looks out of the ordinary. Security tools should be deployed that can detect anomalous activity and automatically flag it for closer attention and remediation. This will allow infected endpoints to be quarantined before they can infect core systems.

Additional tools should also be installed on core critical systems. Should malicious code not be picked up at an endpoint, it can be quickly identified and removed before it makes it deeper into the IT infrastructure.

Have a solid backup strategy:
While it should not be regarded as a first line of defense, a reliable backup strategy is still an important element to have in place. This will ensure the organization can restore systems as quickly and thoroughly as possible should a ransomware attack actually take place.

Monitor the security landscape:
The threat of ransomware is evolving very quickly and new types and tactics are emerging all the time. For this reason, it’s important to monitor emerging threats and delivery vectors so that you have in place the tools needed to identify and remove them. Working with a trusted technology partner can assist with this monitoring process.

Ransomware is going to continue to be a significant threat for a considerable period. For this reason, it is important to undertake these steps now to reduce the chance of disruptive attacks in the future.
