A ransomware attack will attempt to wipe your online backups and volume shadow copies to decrease the chances of data recovery . a response plan or were caught off guard , reach out to your security vendor for help or report the incident to your insurance company ; they may already have a list of expert security providers who can help you .
11 STEPS TO DEVELOP AN EFFECTIVE RANSOMWARE RESPONSE
Anthony Giandomenico , VP Global Security Consulting , Proactive & Reactive Services , Fortinet , and Aamir Lakhani , Global Security Strategist and Researcher , Fortinet , provide a checklist which suggests how organisations can effectively deal with a ransomware attack .
ortiGuard Labs ’
F research shows that organisations in almost all areas around the world are possible targets for ransomware attacks . Therefore , it is important to keep in mind that no sector is safe from ransomware . Organisations should consider this ransomware attack response checklist to effectively deal with an active ransomware attack .
1 . Don ’ t panic
Once you realise you ’ ve been targeted , you need to stay calm and act purposefully . If you couldn ’ t make
A ransomware attack will attempt to wipe your online backups and volume shadow copies to decrease the chances of data recovery . a response plan or were caught off guard , reach out to your security vendor for help or report the incident to your insurance company ; they may already have a list of expert security providers who can help you .
Further , consider the potential impact the security incident may have . Take into account not only the obviously compromised areas , such as data encryption and application removal but also additional areas of potential compromise . Try to get a running list of all possible areas that may be affected .
2 . Isolate your systems and stop the spread
First , identify the range of the attack . If the incident is already known to be widespread , implement blocks at the network level ( i . e . isolating traffic at the switch or the firewall edge ) or consider temporarily taking down the Internet connection . If the incident scope is confirmed to be more narrow , infecting only a few systems , isolate attackers at the device level by possibly pulling the Ethernet or disconnecting the Wi-Fi .
If available , endpoint detection and response ( EDR ) technology may block the ransomware attack at the process level , which would be the best immediate option with minimal business disruption . Most ransomware attackers find a vulnerability to get into your organisation such as exposed RDP , phishing emails , or other types of similar methods .
3 . Identify the ransomware variant
Many of the tactics , techniques and procedures ( TTPs ) of each ransomware variant are publicly documented . Determining which strain you are dealing with can give you clues on the location of the threat and how it is spreading . Depending on the variant , some decryption tools may already be available for you to decrypt your ransomed files .
4 . Identify initial access
Determining the initial access point , or patient zero will help identify and close the hole in your security . Common initial access vectors are phishing , exploits on your Edge services ( such as Remote Desktop services ) and the unauthorised use of credentials . Determining the initial point of access is sometimes difficult and may need the expertise of digital forensics teams and IR experts .
74 www . intelligentciso . com