
Expecting the Unexpected: Tips for Effectively Mitigating Ransomware Attacks in 2021

Cybercriminals continually innovate to thwart security protocols, but organizations can take steps to prevent and mitigate ransomware attacks.

2020 was a watershed year for ransomware attacks, and 2021 is showing more complex and destructive extortion schemes targeting energy and critical infrastructure, schools, hospitals, law firms, government agencies, and corporations. With damages from cybercrime expected to soar this year, threat actors are continuing to exploit businesses and individuals distracted by the pandemic.


The good news is that, even as cybercriminals continually innovate to thwart evolving security protocols, organizations can follow a proven playbook to help prevent and mitigate ransomware attacks.

Prepare for Seemingly Improbable Scenarios
Long before a ransomware attack, much can be done to prepare from a technical perspective. Have a detailed current data map so that you know exactly what is on any affected system. Identify technical backups and ensure they are ready for rapid deployment to minimize any gaps from data loss. Further, develop well-documented addendums to your incident response and data recovery plans that are specific to cyber and ransomware issues.

Many organizations think they are prepared for data recovery after an attack because they have tested and confirmed that good backups are in place. However, savvy ransomware attackers now compromise organizations' backups by encrypting or deleting them altogether. Further, it may be difficult to restore from backups quickly enough to keep pace with the broad, sweeping effects of a widespread outage caused by ransomware. You should account for these contingencies in planning.
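One way to catch the scenario above, backups silently encrypted or deleted before an incident, is to keep an off-host manifest of backup hashes and verify the live backup set against it on a schedule. This is an added illustration, not code from the article or from StoneTurn; the file names, the constructed payloads and the 7.5 bits-per-byte entropy threshold are assumptions made for the demo.

```python
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and compressed data sit near 8.0

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    """Record sha256 and size of each backup file; keep this copy off-host and write-once."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return manifest

def verify_backups(manifest, root):
    """Compare the live backup set against the manifest and classify every deviation."""
    findings = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings[rel] = "MISSING"          # deleted by an attacker or by a rotation error
        elif sha256_file(path) != expected["sha256"]:
            with open(path, "rb") as f:
                sample = f.read(1 << 20)       # first MiB is enough to judge entropy
            high = shannon_entropy(sample) > ENTROPY_THRESHOLD
            findings[rel] = "LIKELY_ENCRYPTED" if high else "MODIFIED"
    return findings

def demo():
    """Constructed scenario: three backups, then one is deleted and one overwritten with random bytes."""
    root = tempfile.mkdtemp()
    for name in ("db-full.bak", "files.tar", "config.json"):
        Path(root, name).write_bytes(b"backup payload for " + name.encode() + b"\n" * 2000)
    manifest = build_manifest(root)
    os.remove(os.path.join(root, "files.tar"))
    Path(root, "db-full.bak").write_bytes(os.urandom(65536))  # stands in for in-place encryption
    return verify_backups(manifest, root)
```

A "MISSING" or "LIKELY_ENCRYPTED" finding on a backup set that nobody rotated is exactly the early warning the restore test alone will not give you, and it is only trustworthy if the manifest lives somewhere the compromised environment cannot write to.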

Tabletop exercises and threat-modeled scenarios — which simulate the tradeoffs and dynamic choices the incident response team must make in a crisis — are extremely helpful to develop these addendums. These exercises should be informed by the current threat landscape and the likeliest risk scenarios facing your business. Focus on issues that will impact the entire organization, and bring in stakeholders from across the company to understand how threat identification, remediation, and reporting affect the entire enterprise, not just the security organization.

Understanding and agreeing upon response options for items such as the limits of cyber-insurance policies, international reporting requirements, data retention policies, and go/no-go protocols for enterprisewide mitigation procedures (such as global password resets or customer communication) are the difference between a minor service interruption and front-page news in a ransomware incident. Waiting to address and debate these issues until you are in the middle of a response action leads to suboptimal outcomes and extended recovery time.

Last, but certainly not least, assume the worst: Any single control can be bypassed or fail. Resiliency plans should focus on what layers of defenses can be put in place to proactively mitigate this possible scenario. Network segregation, a zero-trust policy for third-party software (a lesson learned from SolarWinds), and advanced detection and response controls can help limit an organization's risk exposure should any line of defense fail. Advanced detection and response should also include advanced malware detection and threat hunting.

Many organizations incorrectly assume that the ransomware's immediate effect is the whole impact of the cyberattack. Most often, the ransomware deployment is only the final stage: attackers have already staged other effects, including the compromise of other security weaknesses. Advanced controls shorten the time to detection and cut the time attackers have to stage those effects, increasing the chances of catching illicit activity before ransomware is deployed. Advanced detection and response practices can thus minimize the impact of the exposures that ransomware groups intend to leverage to increase the likelihood of payment.

Proactively Mobilize a Multidisciplinary Team and Strategic Redundancies
Given that cybersecurity is not IT's problem alone, assemble a multidisciplinary team spanning IT, investor relations, communications, legal, marketing, sales, and HR to respond to ransomware attacks and other crises. Ransomware should be treated like any data breach, with a cross-functional team mobilized to follow and implement an established playbook and response plan. To maximize efficiency, incident response team members should meet regularly and clearly document responsibilities and escalation points for various crisis scenarios.

Extortion attempts now include public shaming and customer-data exposure. Further, double-payment requests are on the rise, so the threat remains even after making payment. Therefore, customers, employees, and shareholders cannot be kept in the dark and may even have roles in minimizing ransomware's impact.

Make sure to have another means of trusted communication at the ready in case companywide email is compromised in an attack. This "out of band" communication system is critically important to maintaining normal business operations and providing key constituents with a trusted source of reliable information in a crisis. This platform should be tested and users taught that it is an acceptable alternate communication method.

Document Lessons Learned and Provide Post-Event Assurance
You need a combination of attack detection, data security, and data backup to effectively weather a ransomware attack. The post-event path forward often receives less attention and fewer resources. Unfortunately, hackers are increasingly using automation to attack business networks, spot patterns of defense, and identify vulnerabilities in similar systems, so thorough remediation is key. To avoid enforcement action and irreparable reputation damage, you must be able to demonstrate that appropriate corrective action has been taken. There is also much to learn in the wake of successful and unsuccessful cyberattacks.

As a first step, undertake a thorough investigation to identify the extent of the breach, pinpointing all exposures and the path the ransomware took through the environment. If the public is aware of the attack, an independent third party can provide objective assurance that the threat has been eradicated. Further, outside experts can also suggest and implement enhancements to internal controls, policies, and procedures to prevent similar future attacks. It is wise to monitor external open source and Dark Web intelligence channels for continued indicators of information exposure. Finally, if reparations are in order, third parties can oversee the required reporting (8-K filing, media release, HIPAA notifications, etc.) and take the lead on restitution processes so that the recovering organization can focus on resiliency and a return to business as usual.

Luke Tenery, a Partner with StoneTurn, brings nearly 20 years of experience helping leading organizations mitigate complex cybersecurity, data privacy, and data protection risks. He applies extensive expertise in cyber investigations, threat intelligence, incident response, ...