Ransomware attacks are now one of the biggest cyber security threats organisations face. There have been several high-profile and newsworthy attacks in the last couple of years, and these have undoubtedly become a lucrative way for cyber criminals to earn significant amounts of money.
The Colonial Pipeline attack had a massive impact on fuel supplies to residents on the East Coast of the United States last year. On this occasion the company paid the hackers $4.4 million in an attempt to get their systems back online as quickly as possible, but unfortunately such payments only help to increase the number of attacks in the future. So how can you protect your organisation?
Check your defences
Since the start of the pandemic in March 2020 many more organisations have opened up their systems to allow teams to work remotely. Initially there was a lot of pressure on IT teams to get remote access solutions set up very quickly and unfortunately, in these situations, security can easily be overlooked.
Many ransomware attacks gain their initial access through insecure VPN access points. If you don’t have multi-factor authentication (MFA) in place on your remote access points, we recommend that you enable it as soon as possible. Stopping hackers from getting access to your systems in the first place is by far the easiest way to prevent your systems from becoming infected with ransomware.
Keep things separate
If a hacker does manage to get through your initial line of defence, the next thing you can do is make their life as difficult as possible. Typically, hackers will try to find the systems which are most critical to an organisation and target these first. Think about deploying multiple networks and only granting user access as required. Separate your public-facing systems (which by default will be more at risk) from your internal systems, which do not need to be exposed to the outside world.
Ensure that individual systems are protected with unique, complex credentials, so that if a hacker gains access to one system they don’t immediately have access to others. Once a hacker has access to some of your systems, and if they are determined enough, they will undoubtedly manage to take over more. Look out for any unusual network activity or errors generated by systems, as this can be the first indication that unauthorised activity is going on.
If you think that a system may have been compromised in some way, we would recommend immediately isolating it or shutting it down to help prevent further damage. This will inconvenience users but could prevent a much greater cyber security incident.
No matter how confident you are in the levels of protection you have put in place, you should also have a recovery plan should the worst happen.
Prepare for the worst
As the potential to earn significant amounts of money from ransomware attacks increases, so the risk to any organisation of becoming a victim also goes up. No matter how good your perimeter defences are, it only takes one unpatched vulnerability on one of your public-facing systems to let the hackers in. We can’t stress enough how important it is to keep the underlying operating systems and firmware up to date and patched very regularly. Look out for details of any zero-day exploits, put mitigation measures in place, and patch as soon as updates are available. If you run unsupported operating systems or applications then you are just inviting trouble.
For most organisations the worst envisaged situation is being completely locked out of systems and having data encrypted. The hackers will then offer to provide the decryption keys in return for a significant ransom payment. Many organisations in this situation choose to pay, as the cost of trying to rebuild their systems from scratch would be similar to or greater than the ransom. Paying the ransom will only increase the number of attacks and organisations affected in the future, so think carefully before going down this road. There is also no guarantee that the hackers will provide the decryption keys once you have paid.
The types of protection which an organisation may need in order to recover from a ransomware attack will be very specific to what it has running and the cost of those systems being offline. We would recommend considering some or all of the following options:
- Run replicated copies of critical systems at a separate location.
- Keep point-in-time copies so you can roll back to a point in time before the hackers took control.
- Keep regular backups of your critical data.
- Keep off-site copies of critical data and store these securely at a location which you are confident hackers cannot access.
- Test your recovery plan to ensure that you haven’t missed anything.
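As an added example (not part of the original article), the following Python sketch shows how the point-in-time copies and the recovery test in the list above can be made checkable: each copy is a manifest of file hashes, an older copy is only rotated out when the change rate looks like normal work rather than a mass rewrite, and a restore is verified file by file against the manifest. The file paths and contents are constructed sample data, and the 50% change threshold is an assumed value.

```python
import hashlib

# Constructed sample data standing in for a file share: path -> contents.
DAY1 = {
    "finance/ledger.csv": b"2024-01,income,1200\n",
    "hr/staff.txt": b"alice\nbob\n",
    "ops/runbook.md": b"# Restore procedure\n",
    "ops/config.ini": b"[db]\nhost=dbserver\n",
}
# Normal day-to-day change: one file edited.
DAY2 = dict(DAY1, **{"finance/ledger.csv": b"2024-01,income,1200\n2024-02,income,900\n"})
# Every file rewritten with unrelated bytes, as a mass-encryption event would look.
DAY3 = {path: hashlib.sha256(b"enc" + path.encode()).digest() for path in DAY1}


def take_snapshot(files):
    """Point-in-time manifest: path -> SHA-256 hex digest of the contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def changed_fraction(prev, cur):
    """Share of files in the previous manifest that are changed or missing now."""
    if not prev:
        return 0.0
    changed = sum(1 for path, digest in prev.items() if cur.get(path) != digest)
    return changed / len(prev)


def safe_to_rotate(prev, cur, threshold=0.5):
    """Only let a new copy replace the older one when the change rate looks like
    normal work; a near-total rewrite is a reason to keep the older rollback point.
    The 0.5 threshold is an assumed value, not a recommendation from the article."""
    return changed_fraction(prev, cur) < threshold


def verify_restore(manifest, restored):
    """Recovery test: paths whose restored contents do not match the manifest."""
    return sorted(
        path for path, digest in manifest.items()
        if path not in restored or hashlib.sha256(restored[path]).hexdigest() != digest
    )


if __name__ == "__main__":
    snap1, snap2, snap3 = (take_snapshot(d) for d in (DAY1, DAY2, DAY3))
    print("day2 changed:", changed_fraction(snap1, snap2), "rotate:", safe_to_rotate(snap1, snap2))
    print("day3 changed:", changed_fraction(snap2, snap3), "rotate:", safe_to_rotate(snap2, snap3))
    print("restore check:", verify_restore(snap1, DAY1))
```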
Not ‘if’ but ‘when’
We would strongly recommend that any organisation puts robust recovery plans in place on the basis that sooner or later there will be a hacking attempt and it may be successful. If you have secure copies of your data or replicated systems in place then it should be possible to implement your recovery plan without having to pay significant amounts to hackers.