A ransomware attack need not be tragic for midsized enterprises.
That is according to Paul Furtado, senior director, midsized enterprise security at Gartner, speaking at the Gartner Security and Risk Virtual Summit. He said a midsized enterprise is defined as a company with up to 1001 employees, with revenues of $50m to $1bn. Furtado said these businesses typically have an IT budget of less than $20m, and fewer than 30 people working in IT with no cybersecurity leader.
Furtado explained the issue of ransomware is continuing to be a problem as costs go up, and ransomware can sit dormant on your network for around three days and often executes outside of working hours. In terms of what businesses can do, Furtado said ransomware can be handled in the same way as malware, as it comes into the network in the same way, propagates in the same “and we can defend against it in the same way.”
Looking at steps for ransomware response, Furtado recommended the following:
- Isolate the System(s) – Unplug but do not power it down, as you may need the device, but make sure it cannot connect to other devices on the network
- Identify Port of Entry – Identify how it got in, and close that method, so it is not moving around
- Prepare a New Device From Image – Do a restore from a gold standard image, you don’t want to risk something sitting on the system that you may miss
- Scan Backups to Ensure No Infection – Scan backups so ransomware is not part of the backup set
- Restore Files to a Time Prior to Infection
- Investigate all Systems in Contact with the Impacted Resource – What other devices did that machine connect to, as we need to go through exercise on all devices
- Conduct a Post-Incident Review – This is not about a pass or fail, but identifying gaps and how you can tackle the problem, and what you can do to further improve your security moving forward
Furtado also recommended keeping third parties close for when this does happen, as you will need guidance from legal counsel and bring them in early in the discussion. He also recommended bringing in a managed security services provider or a managed detection partner as part of your security team, as they can help contain and minimize the impact.
He also recommended keeping incident response partners, a cyber insurance provider and law enforcement informed too.
“Keep in mind ransomware prevention is both doable, and manageable, yes it is scary, but you can handle it,” he said. “Stick to doing the fundamentals well and it is very important to go back and not over complicate the process, do the basics right.”
Commenting on the debate on if a ransom should be paid or not, Furtado said it is up to the company, and it depends on your ability and the impact to the business, and to pay and get the decryption key or to try and recover from backups. “When you do pay, there is no guarantee you’re going to get all of your data back,” he warned. “Also, you’ll be a target for future attacks, and keep in mind any cryptocurrency transaction you do is part of public record.”