Barrier Networks: Euan Carswell on responding to ransomware: The 5 most important steps

Barrier Networks

Euan Carswell, SOC Team Lead at Barrier Networks, talks about the growing threat and “lucrative attack vector” of ransomware and ransomware-as-a-service, and advises how companies can best protect themselves or limit the damage caused by ransomware attacks in five straightforward steps.

In a recent report from Chainalysis, it was revealed that ransomware earnings have surged over the last year, with adversaries grossing $1 billion from the threat in 2023 alone.

This massive figure highlights that ransomware has become today’s most lucrative attack vector, providing criminals with the potential to make huge earnings with very little effort.

Ransomware-as-a-Service operations have lowered the barrier to entry into cybercrime, meaning relatively novice criminals can rent pre-packaged ransomware and use it to launch devastating attacks on organisations.

This has turned ransomware into today’s cyber weapon of choice, but it also means organisations are at increased risk of attack. With the potential to make such high earnings, all organisations are targets for ransomware actors – large, small, private or public sector.

In the face of this increased threat, it is essential that organisations prioritise their defences against ransomware. But no security measure is 100% bulletproof, so organisations must also prepare their response for when ransomware attacks do occur. Not all attacks can be prevented, but organisations can minimise their impact if they respond to them effectively.

So, how can organisations respond to a successful ransomware attack on their systems to limit its imp

1. Have a team assembled

In the wake of discovering a ransomware attack, the first step is knowing who to call to inform them about the attack and work to limit damage.

This team of ‘incident responders’ should be listed in both a physical and a digital file along with their out-of-hours contact details – everyone knows ransomware most frequently strikes after midnight.

The team will vary depending on the organisation, but most cyber incident response teams will include the CEO, CISO, CFO, IT / security manager and the marketing and communications lead.

2. Execute the incident response plan

Incident response planning is a vital part of cyber defences today. Not all attacks can be prevented, but their impact can be limited if organisations respond effectively. This is precisely where incident response fits.

Organisations should ideally have an incident response plan in place, which details how they will respond to attacks, the roles and responsibilities of the incident response team, plus steps that should be taken with regards to informing customers, partners and regulators.

As soon as a ransomware attack unfolds, the first step is to execute the well-rehearsed incident response plan to limit damages and contain the attack.

3. Don’t switch everything off

Upon discovering a ransomware attack, the knee-jerk reaction is often to switch everything off. But this can actually hinder forensics.

Disconnecting assets from the internet is fine, and segregating them from other network areas is also okay, but switching infected machines off destroys the volatile memory that can support forensics and reveal how the criminals gained access to systems and what data they touched.

Avoid turning off machines.

4. Run forensics

Once the attack has been identified, it is important to run forensics to understand the attack path used to deploy ransomware and to ensure the attacker is no longer present on the network.

This type of forensics can be run internally, or via a third-party cyber expert, but the goal is to find out as quickly as possible how the attackers got in, what data they reached and how it was impacted, as well as ensuring they have left the network and no longer have a way to gain access again. The attacker must be locked out completely, with no opportunity to get back into systems.

The organisation must then begin restoring access to systems and recovering the encrypted data.

Restoring data can often be done via physical hardware backups or through data stored in the cloud, but in some cases it needs to be rebuilt entirely. This is a situation organisations must strive to avoid and it reinforces the importance of running regular backups, which are kept separate from the digital network and tested frequently to ensure data is being backed up successfully.

5. Learn from the incident

When organisations suffer ransomware attacks, they must learn from the incidents so they can improve their defences.

How did the attackers get in? What can we do differently to ensure it doesn’t happen again? Organisations need to use this intelligence to learn from attacks and improve their defences, limiting their exposure to similar assaults in the future.

Ransomware is today’s cyber weapon of choice, and the chances of an organisation facing an attack increase every day.

It is therefore essential that organisations bolster their cyber defences with knowledge around how to respond to attacks when they do occur.

This allows them to step into effective action immediately, reducing the chances of attacks causing long and lasting damage, while also safeguarding business continuity.
