
Everything You Need to Know About Ransomware Incident Response


Ransomware is a type of malware that targets an organization’s data. Attackers use it to hold valuable information hostage through encryption, requiring a ransom payment for it to be restored. Ransomware affects millions of businesses globally and is currently growing at unprecedented rates — both in terms of the likelihood of a ransomware attack against your organization and of the average ransom amount requested. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization. 

 

The motivation behind ransomware attacks is primarily economic, as companies are often willing to pay millions of dollars to the attackers in order to have their files unlocked, systems restored, and business operations resumed smoothly.

 

With cybercriminals continuously upgrading their malware and with their strategies becoming increasingly sophisticated, attackers are developing resources to conduct cyber attacks of enormous magnitude and impact. 

 

Stay-at-home notices introduced during the COVID-19 pandemic have increased organizational cyber vulnerabilities, as employees use personal devices connected to home or shared networks that are far less secure than organizational ones. Combined with poor cyber hygiene and a general lack of awareness of cyber best practices, organizations are truly at risk of a breach.

 

Here we cover everything you should know about ransomware incident response: how ransomware works, its history and impact, some major ransomware incidents and the cyber criminal gangs responsible for them, and how to respond to a ransomware attack.

 

History of Ransomware

 

While ransomware has been making headlines for at least the past three years as a novel attack vector, the first recorded ransomware attack occurred almost thirty years ago. In 1989, a program dubbed the “AIDS Trojan” was distributed on floppy discs to unsuspecting attendees of a research conference. Believing the discs to contain research tools, the victims loaded them onto their computers and watched their files become encrypted, with the attackers demanding a ransom by post in exchange for instructions to decrypt their systems.

 

One of the biggest innovations that enabled the explosion of ransomware was the emergence of cryptocurrencies such as Bitcoin, which rose to prominence in 2010. This provided an easy and untraceable way to receive payment from victims, creating the opportunity for ransomware to become a lucrative and low-risk undertaking.

 

With the growth of ransomware came developments in its supply chain, as cyber criminal groups began to offer Ransomware-as-a-Service packages, whereby malware programs are leased to clients around the world in exchange for a share of the profit from ransom payments.

 


The Largest Ransomware Attack in History

 

The biggest ransomware attack ever registered occurred in May 2021, when CNA Financial (“CNA”)—one of the largest insurance companies in the US—announced that it had been hit by a sophisticated and debilitating ransomware attack. 

 

Whilst CNA declared that it did not lose access to any sensitive client data, over 15,000 company devices were encrypted and corporate networks were disrupted, forcing CNA to temporarily shut down its services. 

 

CNA worked with private sector companies and US government agencies to secure its systems and contain the malware. To end the attack, CNA paid the attackers USD 40 million in Bitcoin – the largest recorded ransom payment ever – despite FBI guidelines discouraging companies from paying ransom demands, as payment strengthens attackers’ capabilities and increases the effectiveness of such attacks in the future. 

 

The CNA Financial attack occurred within weeks of another ransomware incident that hit the oil transportation company Colonial Pipeline, which paid USD 4.4 million to the cyber criminal group DarkSide to stop the attack and release its data. These cases are not isolated; they are high-visibility examples of a pervasive ransomware problem that affects organizations of all sizes across the globe.

 


 

Another ransomware gang rising on the global cyber crime scene is the Eastern European group Indrik Spider, which is behind the recent DoppelPaymer attacks that affected community colleges, police and emergency services in the US, a German hospital, and Kia Motors, amongst others.

 

The DoppelPaymer ransomware strain is a relatively new and high-risk cyber threat. An evolution of BitPaymer, it can encrypt an entire network within minutes of compromising a single endpoint. With large ransom demands and a wide range of targets, organizations in the APAC region should be on guard.

 

Everyone is at risk

 

The biggest misconception that exposes small and medium-sized enterprises to cyber attacks is a sense of “security through obscurity”. Start-ups and SMEs tend to believe they will never be targeted because they are not important enough. This is no longer true: most attackers now look for the most vulnerable companies rather than the biggest ones.

 

Potential targets are identified by “hunter” bots that scan for digital windows and doors left open or unlocked. As a result, 43% of all cyber attacks today are against SMEs, which lack not only structural preparedness and organizational cyber security awareness but also the financial resilience needed to survive an attack.

 

Preparation is the key to survival. Educating employees on cyber best practices and ensuring that all systems are appropriately patched and protected is key to building resilience against cyber attacks. Further, having a well-rehearsed incident response plan and playbook allows for immediate response, such that in the event of a breach, response becomes an act of muscle memory.

 

 

How to Respond to Ransomware

 

Whilst it is impossible to fully eliminate the risk of cyber attacks, steps can be taken to significantly reduce the chance of them happening.

 

Aside from some simple steps that every organization can take to improve their cyber security posture, it is important to have a good incident response plan to ensure that when risks occur, you know exactly what to do. At Blackpanda, we act like “cyber firefighters”, always on call and ready to roll out to compromised client systems just like firefighters do when a fire breaks out. We take this approach from our military origins, which inspire us to treat each cyber security matter in a similar light to a physical security one.

 

Here is a simple checklist of pre-breach, mid-breach and post-breach actions that you, in collaboration with a trusted digital forensics and incident response provider, can do to ensure that you are handling a cyber incident in the most secure and efficient way.

 

PRE-BREACH PREP
  • Use an EDR Service
  • Prepare an Incident Response Plan and Team
  • Purchase a Cyber Insurance Policy

ACTIVE BREACH RESPONSE
  • Disconnect or Shut Down Computing Devices
  • Contact a Trusted IR Team
  • Document All Significant Events and Actions

POST-BREACH MANAGEMENT
  • Deploy EDR Services
  • Regularly Patch and Update
  • Ensure Effective Backups Exist
  • Tighten Security Configurations
  • Have a Plan and Team in Place for Future Breaches
  • Ongoing Cyber Awareness Training for Employees
  • Insure Against Future Cyber Losses
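The post-breach item "Ensure Effective Backups Exist" only helps if a backup can actually be restored unaltered; ransomware that reaches an online backup share encrypts the backup too. The Python script below is an added example, not Blackpanda's tooling or code from the original article. It records a SHA-256 manifest when a backup is taken, then checks a restored copy against that manifest and flags files that are missing, changed, or whose contents look encrypted (high byte entropy). The file names, the 7.5 bits-per-byte threshold and the scenario in demo() are constructed assumptions for illustration.

```python
"""Backup restore verification for ransomware recovery.

Added example, not part of the original article. Records a hash manifest
when a backup is taken and later checks a restored tree against it.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: random or well-encrypted data scores close to 8 bits/byte,
# while ordinary documents and configs score far lower (tune per data set).
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, reached by uniformly random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Run when the backup is taken: map each relative file path to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict,
                   threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Compare a restored tree with the manifest.

    Returns the files that are missing, the files whose hash changed, and
    (a subset of the changed ones) the files whose bytes look encrypted,
    which is the signal that the backup itself was hit by the ransomware.
    """
    report = {"missing": [], "modified": [], "suspect": []}
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(path) != expected:
            report["modified"].append(rel)
            data = path.read_bytes()
            # Very small files give unreliable entropy estimates, so skip them.
            if len(data) >= 256 and shannon_entropy(data) > threshold:
                report["suspect"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: back up two files, then check a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        backup.mkdir()
        (backup / "report.txt").write_text("quarterly figures\n" * 50)
        (backup / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = build_manifest(backup)

        # Simulated damage (constructed): one file overwritten with random bytes,
        # standing in for an encrypted copy, and one file missing entirely.
        (backup / "report.txt").write_bytes(os.urandom(8192))
        (backup / "config.ini").unlink()
        return verify_restore(backup, manifest)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is written at backup time and stored somewhere the backup job cannot overwrite (offline or write-once storage), so that a later restore test compares against a record the ransomware could not have touched. A restore that reports no missing, modified or suspect files is the evidence that the backup item on the checklist is actually satisfied.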

 

– –

Ransomware is the biggest cyber threat organizations face today. Whilst good cyber hygiene and employee awareness are a good first step to reduce your company’s exposure to ransomware, the risk remains very high and cannot be eliminated.

 

The best way to build ransomware resilience is to have a good cyber incident response plan in place. Blackpanda’s planning consulting and tabletop exercise services help organizations develop the best cyber strategy for their particular industry and location.

 

To catch threats already inside your network before they can cause serious damage, frequent compromise assessments are essential; and if you may already be experiencing a ransomware attack, Blackpanda is ready to intervene with tailored, APAC-focused incident response.

 

To learn more about our ransomware preparation services, or to report a breach, contact Blackpanda.
