How to protect your business from ransomware attacks: Part 2

Before you read this article, we recommend checking out part one in the series – How to protect your business from ransomware attacks. Or, if you’d like the highlights:

• Ransomware attacks are on the rise. It’s time for all businesses, large and small, to prepare.
• It’s getting harder to protect your business from ransomware attacks without help because attackers are getting much smarter. They’re even teaming up for ransomware-as-a-service models on the dark web.
• There are three stages of ransomware attack: before the event; after the breach but prior to a ransom being issued; and after a ransom has been issued. In the last article we focused on the first stage – protecting your business before the ransomware attack. Ideally, you’ll never move out of this stage, however, if you do – it’s not game over. There are still steps you can take to minimise the damage and cost of fixing the issue.

Let’s take a look at this now.

Ransomware stage two: protect your business after a breach, but before the demand.

Despite all your best intentions and measures, it can happen to the best of us: your network has been breached, or you suspect it’s been breached. Don’t panic – you’re still in control of the situation (if you’ve done all your preparatory work).

For ransomware attacks, there’s usually a period of at least two weeks when the attacker will spend time investigating your systems and resources, without making their presence known.
They’re using this time to steal your data and plan their attack. The smartest attackers dig around for whatever is either:

• the most valuable, or
• is going to cause the most trouble for your business.

We call this leverage. Theoretically, that’s what you’re going to pay the most for when the demand is issued.

During this phase, a managed detection and response (MDR) service is critical. Think of it as your eyes and ears to monitor what’s happening in the environment. WiIth the right MDR service in place, you should be able to:

• identify any unusual activities in your network.
• eject the baddies from your network.
• take immediate steps to plug the gaps.

If you act early during this phase, the cost of fixing the incident is still likely to be low. The longer the attacker is in your network, the worse the outcomes are going to be.

Ransomware stage three: what to do if a demand is issued.

The worst-case scenario for any ransomware incident is stage three: your business has been issued with a demand or ransom. For businesses without the appropriate controls, it may even be the first awareness that anything is wrong. Trust me, that’s a bad place to be.

Once you reach this point, it’s time to focus on back ups, restoration and disaster recovery plans. We highly recommend seeking the help of a professional to get you through it, if you haven’t already. They will help you sort through the critical steps of:

• backing up your data, including defining the frequency (should be at least daily) and the systems covered
• revisiting your business continuity plan and preparing to activate it
• taking steps to recover and get back to normal operations.

You should also report the ransomware attack against your business to the ACSC as soon as possible.

Should I pay the ransom to get my data back?

Ultimately, it will be up to your business to decide whether or not you pay the ransom, with the hopeful goal of ending the attack and recovering your data. Note the word “hopeful” – when you’re dealing with criminals, there’s no guarantee paying the ransom will actually fix things for you.

We would never recommend paying a ransom, and neither does the ACSC:

There is no guarantee you will regain access to your information, nor prevent it from being sold or leaked online. You may also be targeted by another attack.

It’s a stark reminder that the best protection for your business against ransomware attacks is always going to be prevention, followed by early intervention – with the support of the right MDR provider defending your environment.

Looking for help with ransomware and other cyber security threats?

If you need some help making sense of the noise around ransomware and other cyber attacks, Macquarie Cloud Services is at the frontline of Australian cyber security response. Our managed security services are provided by some of the most skilled cyber security professionals in the country, from one of the most technologically advanced SOCs in the world. This includes more than 200 staff cleared by the Australian Federal Government to manage classified government data, which we’ve done for more than a decade.

We’d love to discuss working together to protect your business against ransomware attacks. Contact us on 1800 004 943 or email enquiries@macquariecloudservices.com to find out more.