
Ransomware Defense: Detect and Respond to Attacks

Ransomware is malicious software that blocks access to a computer system or the data it holds until the victim transfers a specified payment to the attacker. There were 493.33 million ransomware attacks worldwide in 2022, making ransomware one of the most serious cyber threats faced by businesses today. In this guide, we’ll discuss common ransomware attacks and how to defend against them.

If you’re concerned about ransomware, secure your data with Veeam Ransomware Protection today.

Ransomware is a growing threat for modern businesses

Ransomware attacks are so common now that most people already have at least a basic idea of what ransomware is, but they may not fully understand how it works or why it’s so serious. According to the UK Economic and Social Costs of Crime report, the overall cost of cybercrime in the UK alone is measured “in the billions.” Globally, the cost of ransomware attacks specifically is projected to reach $265 billion by 2031.

While some victims of ransomware are lucky enough to have their data decrypted, there are many flavors of ransomware out in the wild for which decryptors are not available, meaning the organization has to restore backups to recover from the attack. If they don’t have backups, or their backups were also attacked, the cost in terms of lost data and time for the business can be severe. Our 2023 Ransomware Trends Report highlights how serious a ransomware attack can be for some organizations.

Understanding ransomware defense

Ransomware defense is something that requires a variety of strategies. It starts with basic cybersecurity best practices and involves using more focused strategies and technologies to detect and respond to ransomware attacks, including ones that are in progress.

Traditional firewalls and antivirus software can prevent some attacks, and training all your employees how to spot phishing emails, malicious websites and potentially dangerous executable files can go a long way toward preventing attacks. However, modern ransomware defense tools can go a step further than that, monitoring network activity and filesystem activity to identify signs of an attack such as unusual communication patterns or file access/encryption activity.

Network administrators can apply a number of security and IT tools for their ransomware defense. Endpoint protection, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be combined with behavior-based analysis techniques to spot attacks quickly so any damage can be mitigated.

Each of these strategies is unlikely to be enough, in isolation, to secure a corporate IT system from ransomware. By combining defense techniques, passive scanning and proactive defense measures it’s possible to reduce the attack surface and increase the likelihood of any remedial measures being successful in the event an attack does take place.

Key components of ransomware defense

Effective ransomware defense requires a multi-pronged approach.

Network security and monitoring

Firewalls and intrusion detection systems (IDS) are the first line of defense against a variety of attacks, not just ransomware. A firewall scans incoming and outgoing network activity and blocks connections it considers to be unauthorized.

Unauthorized activity could be a port scan, where an attacker attempts to connect to ports at random to try to find out what services are running on a server. Alternatively, it could be an attacker attempting to log in to a server by brute force or to simply perform a denial of service attack on a server by sending a huge number of requests in quick succession.

Intrusion detection systems are similar to firewalls in that they also detect malicious activity. These tools then take action based on a set of predefined rules. For example, they may trigger other tools to run or alert the systems administrator so they can analyze the problem and manually intervene.
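The rule-based detection a firewall or IDS performs on the activity described above (a source probing many ports, or repeatedly failing to log in) can be shown on a small log replay. The block below is an added example, not Veeam's code or any product's rule engine; the log line format, the RFC 5737 documentation addresses and the thresholds are constructed assumptions for the example.

```python
"""Rule-based triage of firewall and authentication log lines.

Added example (not Veeam's code): flags a source that probes many distinct
ports in a short window (port scan) and a source that fails many logins on
one account (brute force). The log line format and the thresholds are
assumptions chosen for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format: "<ISO timestamp> <EVENT> src=<ip> dst=<ip> dport=<n>|user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"(?:dport=(?P<dport>\d+)|user=(?P<user>\S+))$"
)


def build_sample_log():
    """Constructed sample: one scanning host, benign traffic, one brute-force source, and noise."""
    lines = []
    # Twelve denied connections from one source to twelve different ports within twelve seconds.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]):
        lines.append(f"2024-03-01T09:00:{i:02d} DENY src=203.0.113.7 dst=10.0.0.5 dport={port}")
    # Benign traffic: a permitted HTTPS connection and a single denied attempt from another host.
    lines.append("2024-03-01T09:00:30 ALLOW src=198.51.100.20 dst=10.0.0.5 dport=443")
    lines.append("2024-03-01T09:00:31 DENY src=198.51.100.21 dst=10.0.0.5 dport=23")
    # Six failed logins against the same account in ten seconds.
    for i in range(6):
        lines.append(f"2024-03-01T09:05:{2 * i:02d} AUTH_FAIL src=203.0.113.9 dst=10.0.0.5 user=admin")
    lines.append("### unparseable line the analyzer must skip rather than crash on")
    return lines


def parse_lines(lines):
    """Yield parsed events as dicts; silently skip lines that do not match the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def analyze(lines, window=timedelta(seconds=60), scan_ports=10, fail_threshold=5):
    """Return findings in the order they are first detected; each source is reported once per rule."""
    denied = defaultdict(list)     # src -> [(ts, dport)] inside the sliding window
    failures = defaultdict(list)   # (src, user) -> [ts] inside the sliding window
    reported = set()
    findings = []
    for ev in parse_lines(lines):
        ts, src = ev["ts"], ev["src"]
        if ev["event"] == "DENY" and ev["dport"]:
            hist = [(t, p) for t, p in denied[src] if ts - t <= window]
            hist.append((ts, int(ev["dport"])))
            denied[src] = hist
            ports = {p for _, p in hist}
            if len(ports) >= scan_ports and ("port_scan", src) not in reported:
                reported.add(("port_scan", src))
                findings.append({"type": "port_scan", "src": src,
                                 "distinct_ports": len(ports), "at": ts})
        elif ev["event"] == "AUTH_FAIL" and ev["user"]:
            key = (src, ev["user"])
            hist = [t for t in failures[key] if ts - t <= window]
            hist.append(ts)
            failures[key] = hist
            if len(hist) >= fail_threshold and ("auth_brute_force", key) not in reported:
                reported.add(("auth_brute_force", key))
                findings.append({"type": "auth_brute_force", "src": src, "user": ev["user"],
                                 "failures": len(hist), "at": ts})
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

Each rule reports a source once so a single scan does not flood the operator; the `reported` set is what an IDS would persist per source with an expiry, and the `window`, `scan_ports` and `fail_threshold` values are tuned per environment rather than fixed.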

Ransomware defense is an arms race, and it’s not possible to rely solely on static rules and malware definitions. Even heuristic virus scanning is not guaranteed to identify all malicious code. Therefore, it’s important to use real-time monitoring and behavioral analysis to identify changes in activity on your systems. Using this form of monitoring increases the likelihood of suspicious activity being picked up. 

For example, real-time monitoring can watch out for a large number of files being accessed or changed in a short period of time. It can also pick up on files that haven’t been used for a long time suddenly being opened. Even if it turns out this activity is not ransomware, it could be some other security issue, such as an insider threat.
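The two behavioural signals just described (a burst of file changes in a short window, and a long-dormant file suddenly being opened) can be implemented as a small replay over a file-access log. The block below is an added example, not Veeam's code or any product's detector; the event layout, the persisted last-access baseline and the thresholds are constructed assumptions for the example.

```python
"""Behavioural file-activity monitor over a replayed access log.

Added example (not Veeam's code). It raises the two signals the text describes:
a burst of file modifications by one account in a short window, and a file that
has sat untouched for a long time suddenly being opened. Event format, baseline
and thresholds are assumptions chosen for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline: last-access times a monitor would have persisted from earlier observation.
BASELINE_LAST_ACCESS = {
    "/shares/finance/archive/2018-contracts.pdf": datetime(2022, 1, 15, 10, 0, 0),
    "/shares/finance/q1-report.xlsx": datetime(2024, 2, 28, 16, 30, 0),
}


def build_sample_events():
    """Constructed log of (timestamp, user, action, path): one dormant-file read, one benign edit, one burst."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    events = [
        (t0 - timedelta(minutes=1), "alice", "read", "/shares/finance/archive/2018-contracts.pdf"),
        (t0 - timedelta(seconds=30), "bob", "modify", "/shares/finance/q1-report.xlsx"),
    ]
    # 25 documents rewritten by one account within five seconds: the pattern mass encryption leaves.
    for i in range(25):
        events.append((t0 + timedelta(milliseconds=200 * i), "alice", "modify",
                       f"/shares/finance/docs/file{i:02d}.docx"))
    return sorted(events, key=lambda e: e[0])


def detect_anomalies(events, burst_window=timedelta(seconds=10), burst_threshold=20,
                     dormant_after=timedelta(days=180), baseline=None):
    """Replay events in time order and return alert dicts; one burst alert per user per window."""
    last_access = dict(baseline or {})
    recent_mods = defaultdict(deque)    # user -> timestamps of modify events inside burst_window
    suppressed_until = {}               # user -> time until which further burst alerts are held back
    alerts = []
    for ts, user, action, path in events:
        prev = last_access.get(path)
        if prev is not None and ts - prev > dormant_after:
            alerts.append({"type": "dormant_file_access", "user": user, "path": path,
                           "idle_days": (ts - prev).days, "at": ts})
        last_access[path] = ts
        if action != "modify":
            continue
        window = recent_mods[user]
        window.append(ts)
        while window and ts - window[0] > burst_window:
            window.popleft()
        if len(window) >= burst_threshold and ts >= suppressed_until.get(user, ts):
            alerts.append({"type": "modification_burst", "user": user, "count": len(window),
                           "window_seconds": burst_window.total_seconds(), "at": ts})
            suppressed_until[user] = ts + burst_window
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_sample_events(), baseline=BASELINE_LAST_ACCESS):
        print(alert)
```

The dormant-file rule only works when a baseline of prior access times exists, which is why a real monitor persists `last_access` between runs; without it the first sighting of any file is simply recorded, not alerted on. As the text notes, either alert may turn out to be an insider or a misbehaving job rather than ransomware, so both carry the user and path needed for triage.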

Incident response and recovery

Security tools are just one part of the equation. Even with sophisticated tools in place, there’s still the risk of a security breach taking place and having a clear and effective incident response plan in place is vital to minimize damage in the event of an attack.

A ransomware incident response plan includes several steps:

  • Determine which systems are affected.
  • Disconnect devices from the network where possible.
  • Power down affected equipment if necessary.
  • Review system logs to determine how the attack happened.
  • Identify the ransomware and determine if there’s any other malware on the system.

Depending on the nature of the attack, the steps you follow may vary. Administrators must weigh the potential cost of leaving infected devices switched on (therefore allowing the attack to continue) versus powering off the system and losing any evidence stored in volatile memory.

Where recent backups are available and are known to be protected/isolated from ransomware, it may make sense to leave the infected systems powered on but disconnected from any Wi-Fi or LAN connections to analyze them.

Data recovery is just one part of the equation. Ideally, the attack will be contained quickly to prevent it from spreading. In many cases, ransomware gains access to a network through something like a targeted phishing attack on an employee’s laptop, and from there, the malicious software spreads to network drives and other systems, looking for anything it has permission to access and write to.

Identifying the attack quickly means the malware has less time to spread and infect drives. Depending on the system it initially infected and how well-configured file access privileges are on the network, the damage may be limited to just the user’s machine and a few non-mission-critical network shares.

Taking a systematic approach to containment and recovery

Systems administrators should always remember that ransomware can act in many different ways. Some ransomware simply encrypts files; other malicious scripts will delete the victim’s data after a set time if the ransom is not paid. There’s also some particularly dangerous ransomware that scans files looking for potentially valuable data and sends that data to the attacker who threatens to leak it if the ransom is not paid.

Data breaches of this type can be particularly damaging to any business, so it’s important to tread carefully when responding to a ransomware attack. Rather than rushing to the data restoration stage, take some time to thoroughly sanitize any systems that were infected. Depending on the severity of the attack, it may be more efficient to simply wipe or reimage those systems.

To reduce the risk of an attack happening again, change all your system’s passwords and review any firewall rules, block lists and malware detection systems you have in place to ensure they’re properly updated and functioning correctly. Provide training to staff members about phishing and social engineering attacks.

Once you’re confident the malware is completely removed from your network, you can start the process of restoring critical data from backups. Be sure to scan the backups themselves before restoring them to ensure they aren’t infected. If the infection was caught quickly, this is unlikely. However, if you’re performing frequent backups, it may be that your most recent one is infected and you need to restore one of your older “cold” or “off-site” backups instead.

Avoiding ransom payments

While there have been some high-profile examples of ransomware attackers targeting large organizations and demanding huge sums of money from them, most ransomware attacks are opportunistic. The attackers often ask for smaller sums, between $700 and $1,500, on the assumption that if they make the ransom relatively affordable, the victim is more likely to pay it because they simply want to get their files back as quickly as possible.

The most frequent methods for ransomware payments are cryptocurrencies such as Bitcoin, Litecoin or even Dogecoin. These tokens are chosen because they’re widely available on mainstream exchanges, so victims should find it easy to acquire them. Attackers also find it easy to use “tumblers” to obfuscate the history of the coins they receive, making it easier for them to convert those coins to real money at a later date.

Paying a ransomware attack can be a tempting option for a time-strapped business owner who is faced with that dreaded lock screen on their computer. However, before deciding between data recovery and just paying up, it’s important to consider the impact of each choice. The only guarantee you have that paying the ransom will get you back your data is the promise of the ransomware developer — someone who is unethical enough to choose that way of making money. In addition, even if you get your data back, there’s no guarantee that the remaining malware won’t be used to infect you with something else in the future if you haven’t sanitized your systems.

Another thing to consider is the ethical issues surrounding paying for ransomware. Cryptocurrencies are often used to fund drugs, money laundering, human trafficking and terrorist activities. When you purchase cryptocurrencies, you’re indirectly supporting such activity, and paying the ransom is also rewarding cybercrime.

In some parts of the world, making a ransomware payment could actually be illegal because doing so could involve paying an entity that is the subject of financial sanctions. This isn’t true in every country, but it’s something to be aware of. If you have been a victim of a ransomware attack and are considering paying a ransom, seek legal advice before doing so.

Continuous improvement and learning

It’s easy to feel embarrassed if your organization has fallen victim to a ransomware attack. You may be wondering how it happened and if you could have done something to prevent it. Always remember that even huge organizations with dedicated IT teams and large budgets have fallen victim to cybercrimes. Try to learn from the incident, and build new strategies to beat ransomware.

If you’re able to do so without breaching non-disclosure agreements or sharing corporate data, go public about the attack and help others learn from it. Share information about what went wrong, and start a discussion about how you and others can better defend against future attacks.

Another possible option is to run simulated ransomware drills to test your readiness and identify areas where people may need additional training or where your IDS or other systems are lacking.

Interconnections with other ransomware aspects

Here, we’ve focused primarily on ransomware defense, but there are other related issues:

  • Preventing attacks from happening in the first place
  • Responding to attacks if they’re identified
  • Recovering data after an attack

All of these things combine to form an effective anti-ransomware strategy. There’s a lot of overlap between them. A good ransomware defense strategy may use similar tools to ransomware prevention, and part of your ransomware defense strategy will include having a rapid response plan in place. However, developing each strategy individually is worthwhile so you can feel confident you have robust security and backup systems in place.

Strengthening your organization’s ransomware defense

If your organization is concerned about the potential impact of ransomware, take this opportunity to review your defense strategy.

Creating a comprehensive strategy

Review your existing cybersecurity measures, and perform a full security audit. Consider running incident simulations to identify potential holes in your security. 

After this review, draft a plan that integrates prevention, protection, defense and response to cover every eventuality you can think of. Don’t simply copy someone else’s plan; be sure to tailor the plan to your organization’s specific needs.

Leveraging technology and collaboration

Ransomware is such a pervasive issue today that there are many tools available for monitoring and intrusion detection, as well as threat intelligence. Don’t try to make your own tools. Take advantage of the wealth of expertise that’s already out there and collaborate with others in the industry. Together, we can beat ransomware.

Ransomware doesn’t discriminate

Ransomware is an ever-present, opportunistic threat. It’s just as likely to infect an individual home user as it is a multinational corporation. That’s why it’s so important for those who are concerned about protecting their data to be proactive about ransomware defense.

By building a multifaceted ransomware defense strategy that combines prevention, protection, response and recovery, it’s possible to build a resilient cybersecurity framework that can effectively combat the ever-evolving threat landscape of ransomware attacks.

If you’d like to know more about how we can help protect your organization’s data, download our 7 Best Practices for Ransomware Recovery whitepaper.