Ransomware Readiness Assessments: One Size Doesn't Fit All

Tailored ransomware readiness assessments help organizations develop comprehensive response plans that minimize damage and restore operations quickly.

Michael Rogers, Senior Director of Technical Advisory Services, MOXFIVE

November 3, 2023

4 Min Read
Man looking at laptop; on the screen there's a ransomware image
Source: Vladimir Stanisic via Alamy Stock Photo

Ransomware attacks can be devastating for organizations, causing significant damage to operations and reputations. Therefore, it's crucial to prepare for such an eventuality with a comprehensive ransomware response plan. However, it's also essential to understand that ransomware readiness assessments aren't a one-size-fits-all solution.

Let's explore why a tailored approach to ransomware readiness assessments is necessary and highlight some scenarios you may encounter during a ransomware attack.

Why Tailored Assessments Are Necessary

The impact and severity of a ransomware attack can vary depending on the attacker's objectives, the organization's security posture, and other factors. Therefore, a comprehensive response plan must be tailored to the specific circumstances of different types of impacts from an attack.

For example, a ransomware attack may impact servers only within a particular geographic region, cloud environment, or data center. Alternatively, the attack may affect authentication of every user due to compromised Active Directory servers. Or you may not know the viability of backups, or the threat actor may provide a decryption tool.

Preparing for different scenarios requires a thorough ransomware readiness assessment to better understand the current maturity of response and to develop or improve an incident-response plan that considers each potential scenario's unique characteristics. There is definitely value in identifying and resolving what keeps the business up at night and hyperfocusing on that in the assessment's first pass. For instance, prioritizing backup immutability can be a critical step in ensuring the organization's resilience against ransomware attacks. Your assessment could focus solely on immutability or disaster-recovery strategies.

Here are a few questions that can help you think through your ransomware readiness preparations:

  1. If you rely on server infrastructure managed by an outsourced service provider, have you considered the steps you would need to take if it is impacted by ransomware?

  2. Have you thought about how to respond in the event of a ransomware attack that affects authentication for a significant number of users (for example, based on impacts to Active Directory servers)?

  3. Are you prepared for a significant ransomware attack that affects a significant number of end-user workstations and laptops in a region?

  4. If you obtain a decryption tool from the threat actor, do you have a plan in place to safely and effectively decrypt servers?

Better to Prepare When Not Under Duress

To prepare for the various scenarios that can arise during a ransomware attack, you can hold workshops on topics such as emergency implementation of containment measures, backup tooling and configurations, critical application assessment, Active Directory and network architecture, coordination processes, and surge resourcing.

Workshops on emergency server, end-user, network, and backup system containment help identify the steps required to contain an attack, minimize malware spread, and isolate affected systems.

Backup tooling and configuration workshops help ensure you have backups available and accessible during a ransomware attack. Identify and address any risks, such as privileged credential misuse, and establish backup restoration times sufficient to recover critical systems.

Assessing critical applications and executive user backup capabilities is another essential workshop topic. It allows you to identify your most critical systems and institute adequate backup capabilities. Addressing any risks identified during the assessment enables you to recover critical applications in the event of an attack.

Active Directory and network architecture workshops are necessary to understand the lateral movement that may occur during a ransomware attack. This knowledge can help minimize the severity of an attack and limit the attacker's ability to move laterally within the network.

Workshops Identify Areas of Weakness or Strength

Workshops on coordination processes help organizations stay aligned while executing recovery operations. These workshops bring together key technical engineering teams, such as server admins, backup system admins, security teams, outsourced IT providers, and third-party service providers, to make recovery efforts coordinated, efficient, and effective.

Workshops on surge resourcing help you obtain access to the necessary resources to restore servers, build new servers, install and validate apps, provide help desk support, and so on. Identifying potential surge resourcing scenarios in advance can help you respond effectively during a ransomware attack.

Overall, conducting workshops on these topics is critical to help organizations prepare to respond to a ransomware attack. These workshops can help you identify your organization's strengths and weaknesses in terms of readiness and create a response plan that considers your unique circumstances.

There's No Such Thing as Being Too Prepared

Ransomware attacks are a significant threat to organizations, and their impact and severity can vary. Therefore, it's wise to develop a comprehensive ransomware response plan for the specific circumstances of each type of attack. By conducting tailored ransomware readiness assessments and workshops, you can develop a comprehensive response plan that minimizes damage and restores operations quickly.

About the Author(s)

Michael Rogers

Senior Director of Technical Advisory Services, MOXFIVE

Michael Rogers is Sr. Director of Technical Advisory Services at MOXFIVE where he provides strategic advisory services and solutions to large enterprises during and after impactful incidents. He holds a Master’s Degree in Cyber Security and is accredited through SANS for the GCFA, GCIA, GDAT, and GOSI certifications. He has had a wide range of experience from building and managing global Security Operation Centers, Threat Hunting Teams, DevOps Teams, and Infrastructure Teams.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights