Ransomware Preparedness Assessment
Ransomware attacks on organizations of every size and industry are on the rise, according to global data, and Kroll’s 2019 cyber casework corroborates these findings. “Ransomware is estimated to infect a firm every 11 seconds worldwide, with a projected cost of more than $20 billion by 2021.” First-hand experience tells us that any organization can fall victim to a successful ransomware attack, because attackers can launch one from anywhere in the world.
Some threat actors are thorough planners. They carefully map internal networks to locate critical business processes and sensitive data stores, even going so far as to study a company’s financial records to estimate how large a ransom it can afford to pay. At the other end of the spectrum, operators who sell “ransomware as a service” in exchange for a share of the ransom have opened the door to an entirely new class of attackers who can run low-risk operations against an even wider range of targets.
The Best Protection Against Ransomware Is Preparation Ahead of Time
While it is practically impossible to prevent every ransomware attack, security and risk management professionals can take preemptive steps to neutralize or limit the damage. The importance of basic cyber hygiene cannot be overstated. First and foremost, this means dedicating the time and resources to accurately and routinely document the full configuration of your network.
When a local government was targeted by ransomware, the attack affected the municipality’s police and fire dispatch systems, online utility payment system, centralized accounting system, and a variety of other vital components of its network infrastructure. Unfortunately, the IT director did not know how many servers were connected to the network. This gap delayed initial remediation, and the delay was compounded by the fact that only a few usable backups were available for restoration.
Matthew Dunn is an Associate Managing Director in the Cyber Risk department.
Second, data mapping inventories are more important now than they have ever been. As early as last year, several ransomware operators began threatening to publish stolen data in order to coerce victims into paying. Almost overnight, ransomware attacks went from being merely expensive operational disruptions to crises that also carry regulatory data privacy and breach notification obligations. To protect yourself, it is critical to understand what kinds of data you hold and where each is collected, used, and stored.
Based on Kroll’s experience, several essential security measures provide immediate layers of protection against ransomware:
- Restrict access to data and systems according to the principle of least privilege.
- Remove email accounts that are no longer in use.
- Enforce strong password policies.
- Implement multifactor authentication.
- Create backups, keep them current, store them separately from the production network (offline or otherwise isolated), protect them against loss, and test that they can actually be restored.
- Allowlist approved applications (application whitelisting).
- Map network configurations accurately and keep the map up to date.
If ransomware strikes, enterprises should have a plan in place to act quickly. That plan should include the following six actions:
- Isolate the affected systems from the rest of the network’s workstations and servers, disconnecting them from wired and wireless networks as necessary.
- Identify the ransomware family. It is sometimes named in the ransom note and can otherwise often be determined from open-source identification sites. Kroll can also help determine not only the ransomware variant but also any additional malware and persistence mechanisms that may still be present in your environment.
- Report the incident to the appropriate law enforcement agency: in the United States, your local FBI field office or the FBI Internet Crime Complaint Center; in the United Kingdom, the police or the national Action Fraud website; and in Australia, the ReportCyber website.
- Before making any payment, take the time to consider your options; the decision-making process should be defined in advance in your incident response plan. If you have cyber insurance, check with your provider whether ransomware-related costs are covered.
- Preserve your log data. Act quickly: many log sources roll over or expire within days, so capture any potentially relevant event data before it is lost, and keep the copies intact for later examination.
- Restore systems from backup, and make sure your organization has implemented, and continues to prioritize, sound backup policies and practices.
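The log-preservation step above is easy to get wrong in the rush of an incident: copies get made without any record of what was taken, from where, or whether they were altered afterwards. The script below is an added example, not part of the Kroll page or its assessment methodology. It copies log files into an evidence bundle on separate media, hashes each file before and after the copy, makes the copies read-only, and writes a JSON manifest so that anyone examining the logs later can show they have not changed since collection. The directory names and the two log lines are constructed for illustration; nothing here is taken from a real incident.

```python
"""Evidence preservation helper: copy log files into a read-only bundle and
record SHA-256 hashes in a manifest, so later examination can show the logs
were not altered after collection.

Added example, not from the Kroll page. Paths, hostnames and log lines below
are hypothetical and constructed for illustration."""
import hashlib
import json
import shutil
import stat
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve_logs(sources, bundle_dir: Path) -> dict:
    """Copy every file under each source directory into bundle_dir, hash it
    before and after the copy, make the copy read-only, and return the
    manifest (also written to bundle_dir/manifest.json)."""
    bundle_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src_root in sources:
        src_root = Path(src_root)
        for src in sorted(p for p in src_root.rglob("*") if p.is_file()):
            dst = bundle_dir / src_root.name / src.relative_to(src_root)
            dst.parent.mkdir(parents=True, exist_ok=True)
            before = sha256_file(src)
            shutil.copy2(src, dst)      # copy2 keeps the mtime, which matters for timelines
            after = sha256_file(dst)
            if before != after:         # a bad copy must not silently become "evidence"
                raise RuntimeError(f"copy of {src} does not match its source")
            dst.chmod(stat.S_IRUSR)     # owner read-only: no accidental edits in place
            entries.append({
                "source": str(src),
                "preserved_as": str(dst.relative_to(bundle_dir)),
                "size": src.stat().st_size,
                "mtime": src.stat().st_mtime,
                "sha256": after,
            })
    manifest = {"collected_at": time.time(), "files": entries}
    (bundle_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_bundle(bundle_dir: Path) -> list:
    """Re-hash the preserved copies; return the names of any that no longer
    match the manifest (an empty list means the bundle is intact)."""
    manifest = json.loads((bundle_dir / "manifest.json").read_text())
    return [e["preserved_as"] for e in manifest["files"]
            if sha256_file(bundle_dir / e["preserved_as"]) != e["sha256"]]


# Constructed sample logs (hypothetical host and addresses, not real data).
SAMPLE_LOGS = {
    "auth.log": "Mar  3 02:14:07 fileserver sshd[4121]: Accepted password for svc_backup from 10.0.5.23 port 51822\n",
    "app/web.log": '10.0.5.23 - - [03/Mar:02:16:44 +0000] "GET /admin/export HTTP/1.1" 200 48211\n',
}


def demo(tamper: bool = False):
    """Build the sample logs in a temp dir, preserve them, optionally tamper
    with one preserved copy, and return (manifest, list_of_mismatches)."""
    work = Path(tempfile.mkdtemp())
    logs = work / "var_log"
    for name, text in SAMPLE_LOGS.items():
        p = logs / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    evidence = work / "evidence"
    manifest = preserve_logs([logs], evidence)
    if tamper:  # simulate someone editing a preserved copy after collection
        victim = evidence / manifest["files"][0]["preserved_as"]
        victim.chmod(stat.S_IRUSR | stat.S_IWUSR)
        with victim.open("a") as f:
            f.write("bogus line\n")
    return manifest, verify_bundle(evidence)


if __name__ == "__main__":
    m, mismatches = demo()
    print(f"preserved {len(m['files'])} files; mismatches: {mismatches}")
```

In a real incident the bundle directory should be on media that is not reachable from the infected hosts (an external drive or a collection host that was never on the affected segment), and the manifest should be copied somewhere separate from the bundle itself, since a hash list stored next to the files it protects proves nothing if an attacker can rewrite both.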
14 Critical Security Areas to Consider When Conducting a Ransomware Protection Assessment
- An Evaluation of Ransomware Preparedness
The goal of Kroll’s ransomware preparedness assessment is to identify where your defenses are strong and where weaknesses exist that ransomware operators could exploit. Our methodology is organized around the cyber kill chain and covers remote access configuration, phishing prevention, email and web protection, access controls, and endpoint monitoring, as well as end-user awareness and training programs. Our report includes a prioritized, specific set of recommendations to help your organization deflect, detect, and respond to ransomware attacks.
- First, Kroll’s cyber experts focus on the controls, processes, and technologies that reduce the likelihood of a ransomware attack succeeding. During this step we will:
- Identify and investigate weaknesses in application firewall and network device configurations
- Review user activity tracking and audit configurations that would support an investigation
- Examine network and endpoint security monitoring solutions and techniques
- Evaluate email and web filtering options and configurations for preventing phishing and malicious payload delivery
- Review access and privileged access policies and processes
- Evaluate vulnerability and patch management policies and processes
Kroll will conduct up to four remote interviews with technical teams to evaluate the secondary defensive mechanisms that protect the business against email-based attacks. This review covers:
- Remote access controls
- Email and web controls
- Application whitelisting and audit controls
- Endpoint protection controls
- Employee education and awareness controls
- Backup and audit logging controls
- Incident response
- Business processes for vendor management