Are you prepared for a ransomware attack?

5 Questions you need to ask your organisation.

Ransomware is a type of malware that encrypts a victim’s data and demands a ransom, usually in the form of cryptocurrency such as bitcoin, in exchange for the decryption key to release the victim’s data. It’s likely that those reading would be familiar with some well-known ransomware strains of the past – most notably WannaCry in 2017 – which targeted Windows machines through a Microsoft exploit known as EternalBlue.

If you have fallen victim to a ransomware attack – Do NOT pay the ransom.

WannaCry hit over 125,000 organisations in over 150 countries. Fast forward a few years and ransomware has showed no signs of slowing down. A number of ransomware variants have appeared in recent years with ‘Ransomware-as-a-Service’ (RaaS) now readily available – the Ryuk variant being responsible for more than a third of all ransomware attacks in 2020.[1]

The impact of ransomware can be devasting if your organisation is not ready. To help you prepare, protect and limit the impact of ransomware – here are five steps / questions you need to ask your organisation:

  1. Do we have Security Training and Awareness?

Cyber-attacks are getting more and more sophisticated as a result of the rapid advances in technology. Analysts have found that 90 per cent of cyber data breaches reported to the UK Information Commissioners Office (ICO) were caused by user error in 2019. This was an increase over 2017 and 2018 which were 61 per cent and 87 per cent respectively.[2]

People have an important role to play in helping protect businesses they work for whereby they are your organisation’s first line of prevention against cyber-attacks. Well trained, vigilant and aware employees will be your company’s greatest defence in preventing any potential compromise of your business assets and data.

2. Do we have Incident Response plans / playbooks?

Create incident response plans and / or playbooks and test them to ensure that those involved in the incident response process understand and are aware of their roles and responsibilities.

Time is of the essence when reducing the impact of ransomware and restoring systems. The last thing you want to do be doing when falling foul to ransomware is having to ask questions such as “Have we told the people who need to know what has happened?” “Do they know what to do?”

3. Do we have a back-up plan?

Having regular and reliable back-ups limits the potential amount of data that will be lost as a result of a ransomware attack. Being able to restore a point in time prior to the attack taking place is imperative to restoring systems, accessing data and getting your business back on its feet.

This is the most crucial and important step / question to ask your organisation in relation to limiting the impact of ransomware and restoring your business-critical data. Copies of back-ups must also be validated and tested, including off-site and/or offline back-ups.

4. Patching & Vulnerability Management

It is imperative organisations install critical updates as soon as possible. In the leadup to the widespread impact of WannaCry – Microsoft identified the EternalBlue vulnerability and issued patches to remediate against this exploit months in advance.

The UK’s National Audit Office (NAO) revealed that the NHS was warned by its digital arm to patch its devices as early as March 2017.[3] So why were so many impacted worldwide? Organisations simply didn’t update their software.

Conducting regular vulnerability scans can help identify and protect against threats to your business whereby it is recommended to have at least one annual penetration test if possible

5. Have we assured our external third party supply chain?

Suppliers and/or external 3rd parties are often overlooked when considering security whereby this applies to Cloud data storage as well. The Ryuk RaaS made a name for itself by having a preference to target cloud data firms. An example of such is when a Wisconsin-based IT company was compromised. They provided cloud data hosting and access management to more than 100 nursing homes across the US and subsequently infected their clients network – rendering their data and systems inaccessible.[4]

Given that we are only as strong as our weakest link – it is important to make sure external 3rd parties and cloud providers have sufficient and appropriate security controls in place to mitigate cyber-attacks and are able to demonstrate this – whether through an internal security questionnaire or related-certification standard such as Cyber Essentials, IASME and/or ISO27001.