According to recent studies, organisations in Singapore are among the most targeted in the world when it comes to ransomware attacks, with an estimated 65% already hit by at least one. In a survey released earlier this year, cybersecurity firm Cybereason found that Singapore companies pay an average of S$1.5 million to cybercriminals.
Since the pandemic, Singapore companies rely more heavily on digital infrastructure, and cybercriminals have found it easier to target those who fail to patch, back up and secure their systems properly. Here is what you need to do when faced with a ransomware attack.
Do NOT panic
One of the most crucial steps is not to panic. Panic leads to mistakes that can be irreversible and cause even more damage to your organisation. Act quickly but methodically, calmly executing your company’s incident response (IR) plan. Inform your internal legal and public relations departments early so they can start planning, and notify all stakeholders that you will establish a more formal communications and reporting cadence once you have more information. If there is any chance the attackers have access to corporate email or chat, run these communications over an out-of-band channel (personal phones, a separate messaging service) so they cannot read your response plans.
Appoint a designated contact to set up communication and update procedures for each business unit. For instance, commit to giving every relevant team lead a situation update every few hours. This prevents miscommunication and confusion, stops people from asking for updates all the time, and keeps your team focused on containment.
Activate incident response (IR) plans
First, isolate affected systems and stop the spread. If the incident is already widespread, impose network-level restrictions, such as blocking traffic at the switch or firewall edge or temporarily cutting the internet connection. If the scope is limited to a few systems, isolate them at the device level by unplugging the Ethernet cable or disabling Wi-Fi. To preserve forensic evidence, keep systems powered on whenever possible: shutting down or rebooting destroys volatile memory, which may still hold the running malware, its C2 connections and in some cases the encryption keys. Also bear in mind that if you tip the attackers off, they may go quiet or accelerate, making it harder to determine the full breadth of the intrusion.
Next, identify the ransomware variant. The ransom note, the extension appended to encrypted files and any contact addresses or .onion URLs in the note are usually enough to match it against public reporting, and every major variant has publicly documented tactics, techniques and procedures (TTPs). Knowing which family you are dealing with tells you how it persists, where to look for it and how it spreads.
Then identify the initial access vector so you can close the hole the attackers came through. Phishing, attacks on edge services (such as exposed Remote Desktop) and the use of stolen credentials are the most common routes. Drive-by compromise, vulnerabilities in public-facing applications and websites, removable media, malicious software or device updates, and supply chain compromise are others. This can be difficult and may require help from experts or consultants.
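A first-pass triage of an affected share that pulls out exactly those facts, as an added example written for this article rather than taken from it. The note-name and note-content keyword lists, the 7.5 bits/byte entropy threshold and the sample files are my assumptions, constructed for the demonstration:

```python
import math
import os
import random
import re
from collections import Counter

# Heuristics below are assumptions for this example, not an authoritative list.
NOTE_NAME_RE = re.compile(r"(readme|how[_ -]?to|restore|recover|decrypt|unlock|help)", re.I)
NOTE_TEXT_RE = re.compile(r"(decrypt|bitcoin|\.onion|tor browser|ransom|private key)", re.I)
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HIGH_ENTROPY = 7.5   # bits per byte; encrypted or random data sits close to 8.0
MIN_SIZE = 256       # entropy of very small files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(name: str, data: bytes) -> dict:
    """Decide whether one file looks like a ransom note or an encrypted victim file."""
    base = os.path.basename(name)
    text = data.decode("utf-8", errors="ignore")
    is_note = bool(NOTE_NAME_RE.search(base)) and bool(NOTE_TEXT_RE.search(text))
    entropy = shannon_entropy(data)
    return {
        "name": name,
        "ext": os.path.splitext(base)[1].lower(),
        "entropy": round(entropy, 2),
        "ransom_note": is_note,
        # High entropy alone also matches legitimate compressed formats (jpg, zip, docx),
        # so the extension tally in triage() is what separates the two.
        "suspect_encrypted": not is_note and len(data) >= MIN_SIZE and entropy >= HIGH_ENTROPY,
        "onions": ONION_RE.findall(text) if is_note else [],
        "emails": EMAIL_RE.findall(text) if is_note else [],
    }


def triage(files: dict) -> dict:
    """Summarise a {path: content} mapping into the facts needed to look up the variant."""
    results = [classify_file(n, d) for n, d in files.items()]
    encrypted = [r for r in results if r["suspect_encrypted"]]
    notes = [r for r in results if r["ransom_note"]]
    return {
        "encrypted_count": len(encrypted),
        "suspect_extensions": Counter(r["ext"] for r in encrypted).most_common(3),
        "ransom_notes": [r["name"] for r in notes],
        "onion_urls": sorted({u for r in notes for u in r["onions"]}),
        "contact_emails": sorted({e for r in notes for e in r["emails"]}),
    }


def triage_directory(root: str, max_bytes: int = 65536) -> dict:
    """Same triage over a real directory tree (mount the affected share read-only first)."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            try:
                with open(path, "rb") as f:
                    files[path] = f.read(max_bytes)
            except OSError:
                continue  # unreadable files are skipped rather than aborting the scan
    return triage(files)


def sample_files() -> dict:
    """Constructed sample share: three encrypted documents, one note, one text file, one image."""
    rng = random.Random(1)

    def blob() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(4096))

    note = (
        "ALL YOUR FILES HAVE BEEN ENCRYPTED!\n"
        "To decrypt them, install Tor Browser and open http://ransomexampleonion2345.onion/pay\n"
        "Questions: support@example.com. Do not rename files or use third party software.\n"
    ).encode()
    handbook = b"The employee handbook explains leave and expense policies.\n" * 40
    return {
        "finance/Q3_report.docx.locked": blob(),
        "finance/budget.xlsx.locked": blob(),
        "hr/payroll.csv.locked": blob(),
        "finance/HOW_TO_DECRYPT.txt": note,
        "hr/handbook.txt": handbook,
        "marketing/logo.jpg": blob(),  # stands in for a real JPEG: high entropy but not encrypted
    }


if __name__ == "__main__":
    for key, value in triage(sample_files()).items():
        print(f"{key}: {value}")
```

Run triage_directory() against a read-only mount of the affected share. The extension tally is what matters for identification: legitimately compressed formats (JPEG, ZIP, Office documents) also show near-8-bit entropy, as the logo.jpg sample does, but they keep their normal extensions, while the encrypted set shares one foreign suffix. Take that suffix, the note filename and the .onion or email contact to public ransomware trackers to match the family.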
Attackers may still have a foothold in your network even after the encryption has run. Locate any malware that is still active and any persistence mechanisms still in contact with the command-and-control (C2) server. Disable every account the attackers have compromised, privileged or not, including Active Directory (AD) accounts, and make sure no new rogue accounts are being created. Check other AD components, such as Group Policy Objects (GPOs), for additions or changes: attackers frequently use GPOs to push the ransomware payload to every machine in the domain. Record your findings before acting on them. Acting prematurely can alert the attacker and prompt a more destructive response, and you may lose the ability to fully assess the data breach or recover your data.
Ransomware attacks often exfiltrate your data as well as encrypting it; by threatening to publish confidential or embarrassing material, the attackers increase the likelihood that you pay. It is therefore essential to determine whether any data was exfiltrated. On your firewall and edge devices, look for indicators of exfiltration such as unusually large outbound transfers, and for servers unexpectedly talking to cloud storage services such as Dropbox or AWS S3. Along with firewall logs, your cloud access security broker (CASB), if you have one, will be your primary source for this information.
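One way to run that check over exported Windows Security events, as an added example that is not the article's own. The event IDs are the standard Windows ones; the event records, domain name, the second GPO GUID (the first is the well-known Default Domain Policy) and the one-hour creation-to-promotion link window are constructed assumptions:

```python
from datetime import datetime, timedelta

# Windows Security event IDs (standard values; the matching audit policies must be enabled to see them).
USER_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # member added to global / domain-local / universal security group
DS_OBJECT_CHANGED = {5136, 5137}         # directory service object modified / created
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed events carrying only the fields this check needs; not exported from any real domain.
SAMPLE_EVENTS = [
    {"time": "2024-02-12T10:05:00", "id": 4720, "subject": "CORP\\helpdesk1", "target": "CORP\\j.tan"},
    {"time": "2024-02-12T10:06:00", "id": 4728, "subject": "CORP\\helpdesk1", "target": "CORP\\j.tan",
     "group": "Finance Users"},
    {"time": "2024-03-01T02:14:05", "id": 4720, "subject": "CORP\\svc_backup", "target": "CORP\\sqladmin2"},
    {"time": "2024-03-01T02:15:10", "id": 4728, "subject": "CORP\\svc_backup", "target": "CORP\\sqladmin2",
     "group": "Domain Admins"},
    {"time": "2024-03-01T02:20:33", "id": 5136, "subject": "CORP\\sqladmin2", "object_class": "groupPolicyContainer",
     "object": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=local",
     "attribute": "gPCFileSysPath"},
    {"time": "2024-03-01T02:21:02", "id": 5137, "subject": "CORP\\sqladmin2", "object_class": "groupPolicyContainer",
     "object": "CN={7D3E1A90-5C2B-4F8E-9A11-2B6C4D5E6F70},CN=Policies,CN=System,DC=corp,DC=local",
     "attribute": "objectClass"},
    {"time": "2024-03-01T03:02:00", "id": 4732, "subject": "CORP\\sqladmin2", "target": "CORP\\svc_backup",
     "group": "Administrators"},
]


def audit_ad_events(events: list, since: str, link_window_minutes: int = 60) -> dict:
    """Flag account creation, privileged group changes and GPO edits since the suspected compromise time."""
    start = datetime.fromisoformat(since)
    window = timedelta(minutes=link_window_minutes)
    recent = [dict(e, ts=datetime.fromisoformat(e["time"])) for e in events]
    recent = [e for e in recent if e["ts"] >= start]

    created = {e["target"]: e for e in recent if e["id"] == USER_CREATED}
    priv_adds = [e for e in recent
                 if e["id"] in GROUP_MEMBER_ADDED and e.get("group") in PRIVILEGED_GROUPS]
    gpo_changes = [e for e in recent
                   if e["id"] in DS_OBJECT_CHANGED and e.get("object_class") == "groupPolicyContainer"]

    # An account created and promoted to a privileged group within the link window is the
    # classic rogue-admin pattern; the account that created it is compromised too, and so is
    # anything the rogue account went on to promote.
    rogue = {a["target"] for a in priv_adds
             if a["target"] in created
             and timedelta(0) <= a["ts"] - created[a["target"]]["ts"] <= window}
    to_disable = set(rogue)
    to_disable |= {a["subject"] for a in priv_adds if a["target"] in rogue}
    to_disable |= {a["target"] for a in priv_adds if a["subject"] in rogue}
    actions_by_rogue = [e for e in recent if e["subject"] in rogue]

    return {
        "new_accounts": sorted(created),
        "privileged_additions": [(e["target"], e["group"], e["subject"]) for e in priv_adds],
        "gpo_changes": [(e["id"], e["object"], e["subject"]) for e in gpo_changes],
        "rogue_admins": sorted(rogue),
        "actions_by_rogue_admins": len(actions_by_rogue),
        "accounts_to_disable": sorted(to_disable),
    }


if __name__ == "__main__":
    for key, value in audit_ad_events(SAMPLE_EVENTS, since="2024-02-28T00:00:00").items():
        print(f"{key}: {value}")
```

On a live domain the same questions map to `Get-ADUser -Filter 'whenCreated -ge $since'` and `Get-GPO -All | Sort-Object ModificationTime` run from a trusted admin host, but the audit log is the better source: a rogue account that has since been deleted, or a GPO that was reverted after the payload ran, leaves no trace in the current state. Events 5136 and 5137 only appear if Directory Service Changes auditing is enabled, which is worth checking now if it is not.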
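Detection logic of that kind over firewall traffic logs, as an added example that is not from the article. The key=value layout is modelled on FortiGate traffic logs, but the lines, addresses, the 10.0.5.0/24 server subnet, the cloud-storage suffix list and the 500 MB threshold are constructed assumptions for the demonstration:

```python
import ipaddress
import re
from collections import defaultdict

# Constructed traffic-log lines in a FortiGate-style key=value layout: sentbyte is bytes sent by
# srcip, rcvbyte bytes it received. Addresses, hosts and volumes are made up for this example.
SAMPLE_LOG = """\
date=2024-03-01 time=01:58:12 srcip=10.0.5.20 dstip=203.0.113.10 hostname=s3.amazonaws.com dstport=443 sentbyte=2400000000 rcvbyte=31000 action=accept
date=2024-03-01 time=02:10:44 srcip=10.0.5.20 dstip=203.0.113.44 hostname=mega.nz dstport=443 sentbyte=900000000 rcvbyte=20000 action=accept
date=2024-03-01 time=02:12:01 srcip=10.0.5.20 dstip=10.0.5.2 hostname= dstport=445 sentbyte=5000000000 rcvbyte=4000000 action=accept
date=2024-03-01 time=09:30:00 srcip=10.0.20.15 dstip=198.51.100.7 hostname=download.windowsupdate.com dstport=443 sentbyte=150000 rcvbyte=800000000 action=accept
date=2024-03-01 time=09:31:10 srcip=10.0.20.15 dstip=198.51.100.90 hostname=www.dropbox.com dstport=443 sentbyte=40000000 rcvbyte=2000000 action=accept
date=2024-03-01 time=09:35:00 srcip=10.0.5.21 dstip=203.0.113.53 hostname= dstport=53 sentbyte=2000 rcvbyte=4000 action=accept
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.0.5.0/24")]      # assumption: this org's server VLAN
CLOUD_STORAGE_SUFFIXES = ("amazonaws.com", "dropbox.com", "mega.nz")  # extend with your own watch-list
UPLOAD_THRESHOLD = 500 * 1024 * 1024                     # assumption: >500 MB out of one host is abnormal here
UPLOAD_RATIO = 10                                        # sent more than 10x what it received ...
RATIO_MIN_BYTES = 10 * 1024 * 1024                       # ... and enough volume for the ratio to mean anything


def in_nets(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_line(line: str) -> dict:
    return dict(KV_RE.findall(line))


def find_exfiltration(log_text: str) -> list:
    """Aggregate outbound volume per internal source and flag the ones that look like exfiltration."""
    sent = defaultdict(int)
    received = defaultdict(int)
    per_dest = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if in_nets(rec["dstip"], INTERNAL_NETS):
            continue  # east-west traffic never crossed the edge; lateral movement is a separate hunt
        src = rec["srcip"]
        dest = rec["hostname"] or rec["dstip"]
        sent[src] += int(rec["sentbyte"])
        received[src] += int(rec["rcvbyte"])
        per_dest[src][dest] += int(rec["sentbyte"])

    findings = []
    for src, total in sent.items():
        reasons = []
        storage = sorted(d for d in per_dest[src] if d.endswith(CLOUD_STORAGE_SUFFIXES))
        if total >= UPLOAD_THRESHOLD:
            reasons.append(f"{total / 1e9:.2f} GB uploaded")
        if total >= RATIO_MIN_BYTES and total > UPLOAD_RATIO * max(received[src], 1):
            reasons.append("upload-heavy (sent far more than received)")
        if storage and in_nets(src, SERVER_NETS):
            reasons.append("server talking to cloud storage: " + ", ".join(storage))
        if reasons:
            findings.append({"srcip": src, "sent_bytes": total,
                             "destinations": dict(per_dest[src]), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["sent_bytes"])


if __name__ == "__main__":
    for finding in find_exfiltration(SAMPLE_LOG):
        print(finding["srcip"], finding["sent_bytes"], finding["reasons"])
```

Point it at a day of export from the edge firewall and review whatever it returns against change tickets: a backup agent legitimately pushing to S3 will appear too, which is why each finding lists every destination and reason rather than giving a verdict. The 5 GB SMB transfer in the sample is deliberately ignored: it never crossed the edge, so it is lateral-movement evidence, not exfiltration.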
Recovery and post-incident review
The most important recovery step is locating your backups and determining whether they are usable. Attackers typically try to delete or encrypt backups before they trigger the ransomware, so scan them for malware and verify their integrity (for example, against file hashes recorded when the backup was taken) before restoring, and check that the most recent clean backup predates the intrusion, not just the encryption.
If you cannot restore from any backup, you may consider paying the ransom to retrieve your data. This is generally frowned upon, but if you do, engage security experts experienced in ransomware negotiation first. Keep in mind that negotiation takes time, that payment at best buys you a decryptor which is often slow or unreliable, and that there is no guarantee the attackers will not delete the data or release it publicly anyway.
Once you are confident you have identified all the malware, you may start sanitising your systems. It is often better, however, to build a new, clean environment and migrate into it. In the new environment, ensure proper security controls are in place and best practices are followed, reset every credential the attackers may have captured (for a compromised Active Directory domain, that includes resetting the krbtgt account password twice), and verify each restored system before it is reconnected, to reduce the risk of reinfection.
Lastly, conduct a post-incident review to understand what went right and what to improve. This ensures that your response and recovery capabilities keep improving.
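A minimal integrity check of that kind, with the manifest protected by a key kept off the backup server, as an added example written for this article rather than a vendor tool. The sample backup contents, the tampering and the placeholder OFFLINE_KEY are constructed assumptions:

```python
import hashlib
import hmac
import json
import os

# Stand-in for a key that lives offline (password manager, sealed envelope), never on the backup
# server: if the attacker can rewrite the manifest and re-sign it, the check is worthless.
OFFLINE_KEY = b"example-offline-manifest-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record size and SHA-256 of every file at backup time ({path: bytes} in, manifest out)."""
    return {path: {"size": len(data), "sha256": sha256_hex(data)} for path, data in files.items()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so the manifest itself cannot be quietly edited."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def manifest_is_authentic(manifest: dict, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_backup(manifest: dict, files: dict) -> dict:
    """Compare a backup set read back from storage against its manifest."""
    missing = sorted(set(manifest) - set(files))
    extra = sorted(set(files) - set(manifest))  # e.g. renamed victims or a dropped ransom note
    modified = sorted(p for p in manifest if p in files
                      and (len(files[p]) != manifest[p]["size"]
                           or sha256_hex(files[p]) != manifest[p]["sha256"]))
    return {"ok": not (missing or extra or modified),
            "missing": missing, "modified": modified, "extra": extra}


def load_tree(root: str) -> dict:
    """Read a backup directory into {relative path: bytes}; fine for small sets, stream for large ones."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = f.read()
    return files


def sample_backup_set() -> dict:
    """Constructed backup contents."""
    return {
        "finance/Q3_report.docx": b"Q3 revenue grew 4% quarter on quarter.\n" * 50,
        "finance/budget.xlsx": b"dept,amount\nIT,120000\nHR,80000\n" * 30,
        "hr/payroll.csv": b"id,name,salary\n1,j.tan,5200\n" * 20,
    }


def tampered_copy(files: dict) -> dict:
    """What the same set looks like after an attacker reached the backup share (constructed)."""
    bad = dict(files)
    bad["hr/payroll.csv.locked"] = b"\xde\xad\xbe\xef" * 300   # encrypted and renamed ...
    del bad["hr/payroll.csv"]                                  # ... so the original is gone
    bad["finance/budget.xlsx"] = b"\xde\xad\xbe\xef" * 300    # overwritten in place
    bad["HOW_TO_DECRYPT.txt"] = b"Your backups are encrypted too.\n"  # dropped note
    return bad


if __name__ == "__main__":
    originals = sample_backup_set()
    manifest = build_manifest(originals)
    tag = sign_manifest(manifest, OFFLINE_KEY)
    print("manifest authentic:", manifest_is_authentic(manifest, OFFLINE_KEY, tag))
    print("clean set:", verify_backup(manifest, originals))
    print("tampered set:", verify_backup(manifest, tampered_copy(originals)))
```

The manifest has to be written and signed at backup time, and the key kept where a domain-admin compromise cannot reach it; otherwise an attacker who has spent weeks in the environment can simply re-hash the backups they have already trashed. This tells you whether the set is intact, not whether it is clean: restored files still need a malware scan, and the backup must predate the intrusion.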
Final Word
Whether you have experienced a ransomware attack or not, do not take this lightly. Build or reinforce your incident response (IR) and business continuity plans (BCP) so that your organisation is prepared for malicious attacks.
If you’re interested in learning more about cybersecurity or are planning to upskill your employees, we are here to help! At Scrumic, we offer courses like our NSE 4: FortiGate Security and other CISSP courses in Singapore. Individuals passionate about cybersecurity can also get funded CISSP training with us. Contact us today to get started on your cybersecurity journey!