The ultimate ransomware prevention and incident response checklists

The number of ransomware attacks in just the first half of 2021 was nearly double the total for 2020. As these attacks become more and more prevalent, there’s an increased need for prevention and response plans.

What is a ransomware attack?

A ransomware attack occurs when a cyber criminal gains unauthorized entry to a network or device and uses a specific kind of malicious software (malware) to encrypt and block access to sensitive data. Companies are usually the targets of these attacks as they possess large volumes of sensitive data, and in order to retrieve their compromised assets, they must pay a ransom by a certain deadline. If demands aren’t met, the hacker may expose or completely destroy the data, or increase the ransom.

These attacks, which are usually introduced via phishing email, tend to be extremely effective because companies lack a clear idea of exactly what data was compromised. And so, to avoid the loss of potentially crucial data, they end up fulfilling the ransom.

The best way to overcome a ransomware attack is to employ a strategy that prevents it from happening at all. If the worst does happen, your next best option is having an incident response plan in place that can help you maneuver it more assuredly. So, without further ado, let’s dive into checklists that will help you prepare both.

Ransomware prevention checklist

To ensure you have all the necessary lines of defense in place to prevent a ransomware attack from happening, your strategy needs to include:

  • Employee ransomware threat education
  • Up-to-date firewalls and antivirus software
  • Email filtering systems
  • Regular security assessments and data scans
  • Access controls
  • Ongoing monitoring of networks and devices

Employee ransomware threat education

Your organization should provide information security training for all employees that includes awareness about threats to security like ransomware attacks. And, because ransomware attacks are often delivered through phishing emails, training should specifically focus on best practices for spotting and handling emails from unknown senders, especially those containing links or attachments.

Install firewalls and antivirus software

Many companies already have firewalls and antivirus software installed across their networks and devices, as they are fundamental security measures, but it’s worth mentioning that in order to be effective, they need to be up-to-date, and this is something that often falls to the wayside.

Implement an email filtering system

Most email providers already offer spam filtering that catches a majority of questionable content and places it in the “Spam” folder before it hits your inbox, but because of the danger phishing emails pose, you want to make sure all questionable content gets caught and filtered out. An email filtering tool acts as an additional layer of security to your existing spam filters and analyzes any incoming emails for content that raises red flags. Typical phishing red flags include emails from unknown senders featuring common trigger words, links and attachments.

Conduct regular security assessments and data scans

This step is essential to any security strategy because it allows you to see all the sensitive data in your possession, across networks, operating systems, endpoint devices and even email, and identify potential vulnerabilities. In the context of ransomware attacks, this step is especially important because it helps paint a more detailed picture of what’s been compromised in the event of an attack. It also allows data to be categorized based on its level of sensitivity, which is helpful for assigning access controls.

Create access controls

Once data is classified, use access controls to ensure certain pieces of highly sensitive data can only be accessed by a select handful of designated users who need this secure information to complete day-to-day job tasks. This preserves the safety of data that would cause the most damage if compromised in a ransomware attack. Were ransomware to spread on a device belonging to a user who didn’t have access to sensitive data, the ransomware could only encrypt data that user has access to.

Continuously monitor sensitive data

After sensitive data has been properly discovered, classified and protected, it should be monitored at all times using an automated tool to look out for unusual or aberrant behavior. This can help to ensure that if a breakthrough attack were to materialize, action could be taken quickly to mitigate potential damage.

Incident response checklist

While you never want it to happen, the unfortunate reality is that cyberattacks are becoming more and more sophisticated, so it’s always wise to have a plan for the worst. To efficiently respond to a ransomware attack, you must be able to:

  • Shut down the infected system as soon as possible
  • Notify your organization immediately
  • Conduct root cause analysis
  • Have a high level of confidence in what was compromised
  • Bolster vulnerabilities for the future

Shut down the infected system or device quickly

With any sort of data compromise, time is of the essence. Shutting down the infected system or device in as quick a manner as possible can help contain the attack, but identifying the infected system is what slows things down. While telltale signs such as abnormal restricted access to files or a ransom note are clear indicators that a device has been infected, they often appear once the damage is already severe; at that point, the hacker wants you to know they’re there. With active monitoring in place, the minute unusual activity occurs, such as the deletion of code for security processes that could impact encryption, it’s much easier to identify patient zero before it’s too late.

Once a source system or device has been identified, it should be removed from your organization’s network and shut down or, per IBM, placed in hibernation mode for eventual forensic analysis, to prevent the ransomware from continuing to encrypt.

Notify your organization immediately

Because of the significance of end users’ roles in both preventing and enabling ransomware attacks, it’s important to notify everyone when one has occurred. Ransomware attacks often begin at the device level, so widespread awareness can ensure everyone is on high alert and another entry point for attack isn’t inadvertently created.

Conduct root cause analysis

Root cause analysis will help you identify the variant of malware, which is important for the greater containment effort and its eventual removal, as well as the infection vector that introduced the malware into your organization’s digital environment. As previously mentioned, phishing emails are often at fault for ransomware attacks, but unsecured browsers that leave the door open for other introductory cyber attacks like cross-site scripting or drive-by downloads are also commonly responsible.

Know what was compromised to the best of your ability

Refer to your most recent discovery scan to see what, if any, sensitive data was on the infected device. From here, you can determine how to move forward and engage with the hacker. If there’s any chance the compromised data contained something valuable, you should proceed to fulfill the hacker’s demands. If your scan shows that the infected device doesn’t contain sensitive consumer data and thus won’t be harmful to your organization if the hacker exposes or destroys it, there’s no need to pay the ransom. The intelligence provided by your pre-threat scan can benefit you in the long-run by deterring future hackers from targeting you.

Bolster vulnerabilities

Your root cause analysis findings should provide insight into how the ransomware was able to enter your organization’s digital environment, and it’s important to tighten up that source’s security measures so you don’t become a repeat target.

Spirion helps you effectively prevent and efficiently respond to a ransomware attack

Spirion’s suite of data security tools helps enterprises prevent malicious incidents like ransomware attacks using sensitive data discovery and intelligent data monitoring. When you’re able to automatically discover sensitive data wherever it lives across your organization, you can identify potential vulnerabilities and better secure your digital environment. From there, continuous monitoring can proactively detect and stop threats before they impact your data.

If a ransomware attack comes to fruition, your discovery scans can offer you a high level of confidence regarding what data was compromised so you can prepare the best response strategy possible. Let Spirion be your partner for all things data security. Contact us today.