“Your mission, Jim, should you decide to accept it, is to come up with a response to these demands within twelve hours.”
What would you do if all the IT screens in your organisation refused to show anything except a demand for several hundred thousand pounds in cryptocurrency, with the threat that your confidential corporate data would be released to the world if payment is not received?
As part of any contingency planning, threats to network security should be anticipated and planned for in advance. Ransomware, where corporate data is encrypted into unusable gibberish, is one of the most common forms of attack, and also one of the most lucrative for the threat actors. The Darkside cybercriminal organisation is one of the newest threat actors, working as an organised criminal business, with affiliates licensed to use semi-customised malware in exchange for a share of the takings, i.e., the ransom (Ransomware-as-a-Service, RaaS; see https://www.zdnet.com/article/darkside-the-ransomware-group-responsible-for-colonial-pipeline-cyberattack-explained/). The current average Darkside ransom payment is $1.9m (£1.3m) – this is an extremely profitable business. Recent events, such as the infrastructure attack on the Colonial pipeline, have thrown the scale of the criminal activity into sharp focus, and organisations like the Ransomware Task Force are engaging with governments to take tougher action on cybercriminals who prey on small businesses with such devastating effect. But for now, most organisations are on their own.
When faced with a dilemma such as the one posed by an attack from a Darkside, Conti or REvil ransomware variant, it is critical that there is an incident management plan in place.
The decisions regarding the response to a ransomware attack such as this need to be made in advance, and the sequence of events and chain of command firmly and clearly established. Any response to a cyberattack needs to have been tested and rehearsed – simply having a response plan on paper is not sufficient. In many ways, it may be worse than having no plan at all, as it provides that comforting feeling that everything has been catered for when in fact nobody actually knows what to do.
Following a cyberattack, there are typically two immediate responses, and they conflict with each other. The first is to analyse the source of the attack, with a view to preventing a recurrence, identifying any stolen data and uncovering compromised systems. The second is to get the affected systems back up and running as soon as possible, to keep the business operating. These two responses are in conflict because rebuilding systems destroys the evidence that shows how the breach occurred, while taking the time to understand what happened, so that it cannot happen again, means the organisation suffers a prolonged outage.
First Response, as a cybersecurity services and incident response partner, is in a strong position to assist. Our Incident Response Specialists can follow the trail and discover exactly where and how the breach occurred. With many years’ experience of such incidents, we can identify weaknesses and prevent attacks from happening in the first place, or from happening again.
First Response has a wealth of experience in recovery procedures and operations and can assist you to get up and running as quickly as possible.
However, prevention is always better than cure, and First Response can become your managed security services provider, helping to configure your security infrastructure, including 24/7 proactive monitoring and remediation solutions, as well as establishing an incident response plan to ensure your business is in the best possible position to deal with the unexpected.
If you are concerned about the threat of a ransomware attack, or are interested in how cybersecurity monitoring and management could benefit your organisation, call or email us now for a discussion about your requirements for a more secure environment.