Preparing for the Inevitable: An Introduction to Ransomware and How to Navigate the Fallout
March 14, 2022
Ransomware is an ever-evolving form of malware designed to encrypt files on a device and block user access, rendering any files and the systems that rely on them useless. These attacks are rampant across all industries, and it is highly likely that your company will be the target of ransomware. Consequently, it is crucial to understand what ransomware really does and how your company can navigate the fallout.
In March, Entara partnered with Tintri, a data management solution provider, to kick off a three-part Talk In webinar series teaching what ransomware is and how to navigate the fallout. Over the next few weeks, we will continue to show viewers how their organizations can work proactively to limit their exposure to cyber threats and mitigate the risks of an inevitable attack.
Ransomware Attackers Do Not Discriminate
The average person only hears about ransomware when a news story comes across their feed about a large organization that has been the victim of an attack. This narrative is misleading and leaves out a very important fact: it does not matter what size your organization is, how much data you have, or what industry you are in; everyone is at risk of an attack.
Over the past three years, Entara’s Professional Services team has completed over 100 projects and nearly 40,000 hours of work helping companies of all sizes recover from a ransomware attack. We have worked with hospital systems, school systems, manufacturing firms, marketing firms, and more. Throughout each of these projects we have learned that it does not matter who the organization is, what matters is what its employees do.
The attack surface for ransomware is human error, not technology. Ransomware attacks traditionally start with a phishing campaign. All it takes is one employee clicking a link in a malicious email, and a bad actor can work their way through the organization's systems from that one workstation. From one workstation, bad actors can obtain domain admin credentials, move to your domain controllers, and start disabling your security tools. They will case your infrastructure so that when it is time to execute the attack they can move very quickly. Before you have time to react, they will disable your backups, delete snapshots from your storage arrays, and encrypt anything they can reach.
Factors That Affect the Length of Your Remediation
There are several proactive actions your company can take to reduce the fallout and business disruption from a ransomware attack. First, do not be low-hanging fruit. Implement an endpoint detection and response (EDR) tool, implement privileged access management (PAM), and stop using local and domain admin accounts as your daily drivers. Small actions like these improve your security hygiene and dissuade bad actors from targeting your organization. Make your environment not worth their time. Second, in the event of an attack, immediately lock down your internet access and pause any retention policies and schedules for storage-level snapshots and backups, if you have them. Finally, bring in trusted advisors to guide you through the remediation roadmap as soon as possible. Time is money during a ransomware attack, so it is important that you bring in someone who knows exactly what to do and can immediately execute actions to contain, restore, and harden your systems.
Each ransomware remediation is split into verticals, or workstreams. The first and second verticals are Containment and Forensics. Typically, in the first two days following an attack, we will shut down inbound and outbound internet access and deploy an EDR solution with a forensic provider to start getting the threat actor out of your environment. The forensic provider monitors all telemetry from the installed EDR agents and works with Entara to perform forensic log collections, so we can understand which mechanisms the threat actor leveraged to compromise the environment. In parallel, Entara works to regain control of your Active Directory by evaluating all of your accounts, removing unnecessary elevated permissions, and changing passwords across the organization and its platforms.
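The account review described above (and the "no admin accounts as daily drivers" advice in the previous section) is the kind of check that is worth scripting so it can be re-run every day of the containment phase. The following PowerShell is an added example, not code from Entara or Tintri. It assumes the ActiveDirectory RSAT module is installed with read access to the domain, that dedicated admin accounts follow a naming convention (the prefix `adm-` used here is a hypothetical placeholder), and that the forensics team has given you an earliest date of intruder access to pass as `-IncidentStart`. It only reports; it changes nothing in the directory.

```powershell
<#
  Added example (not part of the original post): read-only audit of privileged
  Active Directory group membership for the Containment phase.

  Assumptions (not stated on the page):
    - ActiveDirectory RSAT module is installed and you can read the domain.
    - Dedicated admin accounts use a naming prefix; "adm-" is a placeholder.
    - $IncidentStart is the earliest time the intruder is believed to have had access.
#>
param(
    [datetime]$IncidentStart = (Get-Date).AddDays(-14),
    [string]$AdminPrefix = 'adm-',
    [string]$ReportPath = '.\privileged-account-review.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Built-in groups whose members can take over the domain or its member systems.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators'
)

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged users are included.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties Enabled, PasswordLastSet, LastLogonDate, PasswordNeverExpires

        $flags = @()
        # 1. Password not rotated since the intruder may have captured it.
        if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $IncidentStart) { $flags += 'RESET-PASSWORD' }
        # 2. Looks like a personal, day-to-day account holding standing admin rights.
        if ($u.SamAccountName -notlike "$AdminPrefix*") { $flags += 'DAILY-DRIVER?' }
        # 3. Privileged account nobody has used in 90 days: candidate for removal.
        if ($u.Enabled -and $u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-90)) { $flags += 'STALE' }
        # 4. Disabled accounts should not keep privileged group membership either.
        if (-not $u.Enabled) { $flags += 'DISABLED-BUT-MEMBER' }
        if ($u.PasswordNeverExpires) { $flags += 'PWD-NEVER-EXPIRES' }

        [pscustomobject]@{
            Group           = $group
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Flags           = ($flags -join ';')
        }
    }
}

# Full report for the case file, plus an on-screen list of what needs action.
$findings | Sort-Object Group, Account | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Where-Object Flags | Format-Table Group, Account, Flags -AutoSize

Write-Host ("{0} privileged memberships reviewed, {1} need action; report written to {2}" -f `
    $findings.Count, ($findings | Where-Object Flags).Count, $ReportPath)
```

Run it from a clean workstation with a known-good admin account, for example `.\Review-PrivilegedAccounts.ps1 -IncidentStart '2022-03-01'`. Every `RESET-PASSWORD` line is an account whose credential must be assumed captured; every `DAILY-DRIVER?` line is a candidate for a separate, dedicated admin account so the user's everyday mailbox and browser no longer carry domain-wide rights.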
The third vertical is Restoration. During this vertical your company chooses between three paths to recover the environment: restore your systems from a backup or snapshot, if you have them; pay the ransom and decrypt your systems; or rebuild from scratch. Which path is available to you determines how restoration proceeds and how long it takes to get your company back up and running. Sometimes the only option is to pay the ransom and decrypt the systems, or even to rebuild from scratch.
The last vertical is Hardening. During this time Entara uses information from the forensics team to ensure that as many avenues for accessing your organization as possible are closed off and that easily exploited vulnerabilities are removed from your environment.
Mitigate Your Risks
Implementing basic cyber security best practices will help mitigate your risk. Join us in our next Talk In with Tintri as we discuss strategies you can implement to mitigate your organization’s risk level and help you recover in the event of an attack.
Entara sets the standard as the world’s first eXtended Service Provider (XSP). We deliver exceptional, security-focused IT solutions for our clients, including IT managed services, security integration services, and breach remediation and recovery services. We’re built from the ground up to provide the strategic vision, platforms, processes, and people to travel with our clients on the path to their best IT future.
Entara has been formally recognized as one of Chicago’s Best and Brightest Companies to Work For® each year from 2017-2021. We were also named to the Security 100 list by CRN in 2022 and consistently ranked by MSPmentor as a Top 200 Global IT Managed Services provider and Top 100 Global IT Security Managed Services Provider. For more information, please visit https://www.entaracorp.com/.