Expecting the Unexpected: Tips for Effectively Mitigating Ransomware Attacks in 2021

Cybercriminals continually innovate to thwart security protocols, but organizations can take steps to prevent and mitigate ransomware attacks.

2020 was a watershed year for ransomware attacks, and 2021 is showing more complex and destructive extortion schemes targeting energy and critical infrastructure, schools, hospitals, law firms, government agencies, and corporations. With damages from cybercrime expected to soar this year, threat actors are continuing to exploit businesses and individuals distracted by the pandemic.


The good news is that, even as cybercriminals continually innovate to thwart evolving security protocols, organizations can follow a proven playbook to help prevent and mitigate ransomware attacks.

Prepare for Seemingly Improbable Scenarios
Long before a ransomware attack, much can be done to prepare from a technical perspective. Have a detailed current data map so that you know exactly what is on any affected system. Identify technical backups and ensure they are ready for rapid deployment to minimize any gaps from data loss. Further, develop well-documented addendums to your incident response and data recovery plans that are specific to cyber and ransomware issues.

Many organizations think they are prepared for data recovery after an attack by testing and confirming they have good backups in place. However, savvy ransomware attackers are now compromising organizations' backups by encrypting or deleting them altogether. Further, it may be difficult to leverage backups quickly enough for the broad, sweeping effects of a widespread outage caused by ransomware. You should consider these contingencies in planning.
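One way to make the backup test above more than a "backups exist" checkbox: compare the current backup set against a hash manifest taken at backup time, so deleted, tampered and encrypted-in-place files are each flagged. This is an added example, not code from the article or from StoneTurn; the file names, the constructed scenario and the 7.5 bits-per-byte entropy threshold are assumptions.

```python
import hashlib, math, os, tempfile
from collections import Counter

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def shannon_entropy(data):
    # Bits per byte: text sits around 4-5, ciphertext approaches 8.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_manifest(backup_dir):
    # Taken at backup time; store the manifest off-host so it cannot be altered with the backups.
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, backup_dir)] = sha256_file(path)
    return manifest

def verify_backup(backup_dir, manifest, entropy_threshold=7.5):
    # Returns {relative_path: "deleted" | "encrypted" | "modified"}; intact files are omitted.
    findings = {}
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            findings[rel] = "deleted"
        elif sha256_file(path) != expected:
            with open(path, "rb") as f:
                sample = f.read(65536)
            # Changed content that is also near-random is what in-place encryption looks like.
            findings[rel] = "encrypted" if shannon_entropy(sample) > entropy_threshold else "modified"
    return findings

def simulate_and_verify():
    # Constructed scenario: three backup files; an attacker then deletes one, encrypts one, edits one.
    with tempfile.TemporaryDirectory() as backup_dir:
        for name in ("payroll.csv", "crm.sql", "notes.txt"):
            with open(os.path.join(backup_dir, name), "w") as f:
                f.write("record,value\n" * 200)
        manifest = build_manifest(backup_dir)
        os.remove(os.path.join(backup_dir, "payroll.csv"))
        with open(os.path.join(backup_dir, "crm.sql"), "wb") as f:
            f.write(os.urandom(8192))
        with open(os.path.join(backup_dir, "notes.txt"), "a") as f:
            f.write("tampered\n")
        return verify_backup(backup_dir, manifest)
```

Run the verification from a host the backup system cannot write to, on a schedule, and alert on any non-empty result; a manifest stored beside the backups is only as trustworthy as the backups themselves.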

Tabletop exercises and threat-modeled scenarios — which simulate the tradeoffs and dynamic choices the incident response team must make in a crisis — are extremely helpful to develop these addendums. These exercises should be informed by the current threat landscape and the likeliest risk scenarios facing your business. Focus on issues that will impact the entire organization, and bring in stakeholders from across the company to understand how threat identification, remediation, and reporting affect the entire enterprise, not just the security organization.

Understanding and agreeing upon response options for items such as the limits of cyber-insurance policies, international reporting requirements, data retention policies, and go/no-go protocols for enterprisewide mitigation procedures (such as global password resets or customer communication) is the difference between a minor service interruption and front-page news in a ransomware incident. Waiting to address and debate these issues until you are in the middle of a response action leads to suboptimal outcomes and extended recovery time.

Last, but certainly not least, assume the worst: Any single control can be bypassed or fail. Resiliency plans should focus on what layers of defenses can be put in place to proactively mitigate this possible scenario. Network segregation, a zero-trust policy for third-party software (a lesson learned from SolarWinds), and advanced detection and response controls can help limit an organization's risk exposure should any line of defense fail. Advanced detection and response should also include advanced malware detection and threat hunting.

Many organizations incorrectly assume that ransomware's impact is limited to the immediate effect of the cyberattack. Most often, attackers stage other effects beforehand, including exploiting other security weaknesses. Advanced controls shorten the time to detection and narrow the window in which the attacker can stage those effects, increasing the chances of catching illicit activity before ransomware is deployed. Advanced detection and response practices can minimize the impact of exposures that ransomware groups intend to leverage to increase the likelihood of payment.

Proactively Mobilize a Multidisciplinary Team and Strategic Redundancies
Given that cybersecurity is not IT's problem alone, assemble a multidisciplinary team spanning IT, investor relations, communications, legal, marketing, sales, and HR to respond to ransomware attacks and other crises. Ransomware should be treated like any data breach, with a cross-functional team mobilized to follow and implement an established playbook and response plan. To maximize efficiency, incident response team members should meet regularly and clearly document responsibilities and escalation points for various crisis scenarios.

Extortion attempts now include public shaming and customer-data exposure. Further, double-payment requests are on the rise, so the threat remains even after making payment. Therefore, customers, employees, and shareholders cannot be kept in the dark and may even have roles in minimizing ransomware's impact.

Make sure to have another means of trusted communication at the ready in case companywide email is compromised in an attack. This "out of band" communication system is critically important to maintaining normal business operations and providing key constituents with a trusted source of reliable information in a crisis. This platform should be tested and users taught that it is an acceptable alternate communication method.

Document Lessons Learned and Provide Post-Event Assurance
You need a combination of attack detection, data security, and data backup to effectively weather a ransomware attack. The post-event path forward often receives less attention and fewer resources. Unfortunately, hackers are increasingly using automation to attack business networks, spot patterns of defense, and identify vulnerabilities in similar systems, so thorough remediation is key. To avoid enforcement action and irreparable reputation damage, you must be able to demonstrate that appropriate corrective action has been taken. There is also much to learn in the wake of successful and unsuccessful cyberattacks.

As a first step, undertake a thorough investigation to identify the extent of the breach, pinpointing all exposures and the ransomware's navigation throughout the system. If the public is aware of the attack, an independent third party can provide objective assurance that the threat is eradicated. Further, outside experts can also suggest and implement enhancements to internal controls, policies, and procedures to prevent similar future attacks. It is wise to monitor external open source and Dark Web intelligence channels for continued indicators of information exposure. Finally, if reparations are in order, third parties can oversee the required reporting (8-K filing, media release, HIPAA notifications, etc.) and take the lead on restitution processes to enable the recovering organization to focus on resiliency and return to business as usual.

Luke Tenery, a Partner with StoneTurn, brings nearly 20 years of experience helping leading organizations mitigate complex cybersecurity, data privacy, and data protection risks. He applies extensive expertise in cyber investigations, threat intelligence, incident response, ...