
The do's and don’ts of responding to ransomware

11 May 2017

Ransomware may have had a killer 2016, but according to some cybersecurity researchers, encryption malware is just getting started. This year, ransomware is expected to increase in both volume and variety as attackers keep churning out new strains. And while you may not be able to stop every one of them from slithering through the cracks, a sound incident response strategy for ransomware can keep a single infection from turning into significant data loss and business downtime.

To that end, here are the do's and don'ts of ransomware incident response (IR).

Do:
Abide by the principle of least privilege: Before there is ever a need for IR, apply the principle of least privilege (POLP). In practice, that means limiting end users' local administrator rights on their workstations, or removing them altogether. A standard user account cannot install drivers, disable security tools or write to protected system locations, so an unauthorized executable that does run has less room to do damage and fewer ways to spread across the network. It is not a complete defense: ransomware running as a standard user can still encrypt every file and network share that user can write to, which is one more reason to keep share permissions tight as well. As more line-of-business applications move to the cloud and the browser, fewer users have a legitimate need for local admin rights, which makes this an increasingly viable option.
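One way to put this into practice on a Windows fleet is to audit the local Administrators group on each endpoint and remove anything that is not on an approved list. The script below is an added example, not code from the article or from Faronics; the approved principals (the CONTOSO groups) and the choice to report by default and only remove with -Enforce are assumptions for illustration.

```powershell
# Added example (not from the article): audit the local Administrators group on a
# Windows endpoint and strip every member that is not on an approved list.
# Assumptions: Windows 10 / Server 2016 or later (Microsoft.PowerShell.LocalAccounts
# module), run from an elevated PowerShell session. The approved list is hypothetical.

param(
    [switch]$Enforce   # without -Enforce the script only reports; with it, it removes
)

# Hypothetical approved principals. Admin rights should be delegated through a small
# set of domain groups; individual end-user accounts should never appear here.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (ideally disabled/LAPS-managed)
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'
)

$members = Get-LocalGroupMember -Group 'Administrators'

$unapproved = @()
foreach ($m in $members) {
    # -contains is case-insensitive, which matches how Windows treats account names
    if ($Approved -contains $m.Name) {
        Write-Host ("OK         {0} ({1}, {2})" -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
        continue
    }
    Write-Warning ("UNAPPROVED {0} ({1}, {2})" -f $m.Name, $m.ObjectClass, $m.PrincipalSource)
    $unapproved += $m
}

if (-not $Enforce) {
    Write-Host ("{0} unapproved member(s) found; re-run with -Enforce to remove them." -f $unapproved.Count)
    return
}

foreach ($m in $unapproved) {
    # Remove-LocalGroupMember supports -WhatIf if you want a dry run of the removal itself
    Remove-LocalGroupMember -Group 'Administrators' -Member $m -ErrorAction Stop
    Write-Host ("Removed    {0} from Administrators" -f $m.Name)
}
```

Run it through your endpoint management tool on a schedule rather than once: users and help desk staff re-grant themselves admin rights over time, and the report mode gives you a drift list before you enforce. Get-LocalGroupMember can fail on machines that carry orphaned SIDs (members whose account no longer exists); those entries are worth cleaning up too, since they are noise in every future audit.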

Quarantine infected machines: Traditionally, ransomware had to call home to a command and control (C2) server to obtain its encryption key, which gave defenders a chance to spot or block the callback before anything was encrypted. Some strains now ship with the attacker's public key embedded, so they can start encrypting immediately with no network contact at all, and blocking C2 traffic no longer stops them. That makes early interception harder and successful encryption more likely. Once encryption malware is running, infected systems must be isolated from the network (disable the NIC, pull the cable or apply a host-firewall quarantine) so they cannot reach file shares or other hosts. Where you can, isolate rather than power off: volatile memory may still hold keys or other evidence that forensics can use.
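A host-firewall quarantine lets you cut a Windows machine off from shares and C2 while still reaching it from your IR host to pull memory and disk evidence. The script below is an added example, not code from the article or from Faronics; the IR server address, the state-file location and the -Release switch are assumptions for illustration.

```powershell
# Added example (not from the article): quarantine a suspected-infected Windows host
# with the built-in firewall. Everything is blocked except traffic to and from a
# hypothetical IR collection host, so forensics can still be pulled while the machine
# can no longer reach file shares, other hosts or a C2 server.
# Assumptions: Windows 8 / Server 2012 or later (NetSecurity module), run elevated,
# and the IR host address below is hypothetical.

param(
    [string]$IRServer = '10.0.50.10',   # hypothetical IR jump/collection host
    [switch]$Release                     # undo the quarantine and restore prior state
)

$tag   = 'IR-Quarantine'
$state = Join-Path $env:ProgramData 'ir-quarantine-state.xml'

if ($Release) {
    $saved = Import-Clixml $state
    Get-NetFirewallRule -DisplayName "$tag*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    if ($saved.Rules) { Enable-NetFirewallRule -Name $saved.Rules }
    foreach ($p in $saved.Profiles) {
        Set-NetFirewallProfile -Name $p.Name -Enabled $p.Enabled `
            -DefaultInboundAction $p.DefaultInboundAction `
            -DefaultOutboundAction $p.DefaultOutboundAction
    }
    Write-Host "Quarantine released; previous firewall state restored."
    return
}

# 1. Record what is enabled today so -Release can put it back exactly.
$enabledRules = Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' } |
    Select-Object -ExpandProperty Name
$profiles = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
@{ Rules = $enabledRules; Profiles = $profiles } | Export-Clixml $state

# 2. Disable every existing rule. This matters: in Windows Firewall a Block rule beats
#    an Allow rule, so "block-all plus allow IR host" cannot be expressed with rules
#    alone. Instead we remove all Allow rules from play and rely on the default action.
Get-NetFirewallRule | Disable-NetFirewallRule

# 3. Default-deny in both directions on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 4. The only traffic that matches a rule, and is therefore allowed, is the IR host.
New-NetFirewallRule -DisplayName "$tag outbound to IR host" -Direction Outbound `
    -Action Allow -RemoteAddress $IRServer -Profile Any | Out-Null
New-NetFirewallRule -DisplayName "$tag inbound from IR host" -Direction Inbound `
    -Action Allow -RemoteAddress $IRServer -Profile Any | Out-Null

Write-Host "Host quarantined: only $IRServer is reachable. Use -Release to undo."
```

Run it from the IR host itself (over WinRM or PsExec), because any other remote session you are using will be cut off the moment the rules change. The state file is what makes the quarantine reversible; if your EDR platform offers a network containment feature, prefer that, since it is tested against the same problem and is logged centrally. Either way the point is the same as in the article: isolation, not shutdown, is the first containment step.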

Execute your prepared IR plan: First and foremost, hopefully you already have an IR plan for ransomware. If you don't, take this as your wake-up call to write one. Make sure that every person, from the intern to the CEO, knows his or her role in it: who isolates machines, who communicates, who decides when to restore. There is strength in numbers, but only if everyone works in harmony. A clear, rehearsed path to remediation is what keeps a ransomware intrusion from becoming a data loss event.

Don't:

Pay the ransom: Last year, a Kansas hospital paid a ransom only for the criminals to come back and demand a second. That institution was hardly the only organization to pay up in vain; it is to be expected of cybercriminals, who have no obligation to deliver a working key and every incentive to come back for more. And yet a study from IBM found that 70 percent of businesses hit with ransomware end up paying. Our advice? Do not pay. Take the money you might have lost and invest it instead in the IR capability that will spare you from forking over hundreds, if not thousands, of dollars.

Make DR your IR: Last but not least, do not make your disaster recovery plan your IR plan. DR plays a role in data protection, but it is not the be-all and end-all of IR, because a full restore does not guarantee business continuity: it takes time, and on its own it does nothing to stop malware that is still running. Treat DR as the last resort for when there is no quicker path to recovery (and, with early containment, there almost always is).

Article by Matt Williams, Faronics.
