
The dos and don’ts of responding to ransomware

11 May 2017

Ransomware may have had a killer 2016, but according to some cybersecurity researchers, encryption malware is just getting started. This year, ransomware is expected to increase both in volume and variety as hackers continue churning sophisticated new strains of encryption malware. And while you might not be able to prevent every single one from slithering through the cracks, a smart incident response strategy for ransomware can help prevent significant loss and business downtime.

To that end, here are the dos and don’ts of ransomware incident response (IR):

Do:
Abide by the principle of least privilege: Before there is ever even a need for IR, we recommend applying the principle of least privilege (POLP). In other words, limit end-user admin rights to local drives, or remove them altogether. This can help preclude more widespread infections throughout the network, and reduces the likelihood of an unauthorized executable running in the first place. With cloud computing coming to the fore, this is becoming an increasingly viable option.

Quarantine infected machines: Traditionally, ransomware needed to call home to a command and control server in order to get the encryption key. However, some strains of ransomware now come preloaded with a public encryption key. This makes it more difficult to intercept these attacks early, and increases the likelihood of successful data encryption. Once encryption malware is successfully executed, infected systems must be quarantined to prevent lateral movement on the network.

Execute your premeditated IR plan: First and foremost, hopefully you have an IR plan for ransomware. If you don’t, take this as your wake-up call to create one. Make sure that every person, from the intern to the CEO, knows his or her role in this plan – there is strength in numbers, but only if everyone works in harmony. Remember, the only way to ensure adequate data protection in a ransomware intrusion is to have a clear pathway to remediation.

Don’t:
Pay the ransom: Last year, a Kansas hospital paid a ransom only for the criminals to come back and demand a second. This institution was hardly the only organization to pay up in vain – it’s to be expected of cybercriminals. And yet, a study from IBM revealed that 70 percent of businesses that get hit with ransomware end up paying. Our advice? Do not pay. Take the money you might lose and instead invest it in IR that will preclude you from having to fork over hundreds, if not thousands, of dollars.

Make DR your IR: Last but not least, do not make your disaster recovery plan your IR plan. DR plays a role in data protection, but it is not the be-all end-all of IR because it does not guarantee business continuity. Rather, DR is a sort of last resort in the event that there is no quicker path to recovery (and there almost always is).

Article by Matt Williams, Faronics.
