Ransomware has emerged as the biggest cause of major recovery in the UK, with over 50 new variants emerging since the start of 2016 and with new families continuing to surface. Antivirus protection alone cannot guarantee complete safety and, due to the amount of revenue being generated by cyber-criminals, experts are predicting continued growth in both the sophistication of targeting and in the volume of attacks.
It is not just large organisations with deep pockets being targeted with ransomware attacks; SMEs are also vulnerable. We've seen an example of this recently, whereby the computer systems of an Austrian hotel were locked by ransomware, meaning new keycards could not be programmed until the ransom was paid. The hotel decided to go public following the attack to warn others not to take the threat landscape lightly.
The reality is that the pervasiveness of cyber-attacks, particularly ransomware, means that SMEs must now look at their business with the view that an infection will take place, rather than might. Outright prevention of ransomware attacks is practically impossible. Attacks are evolving too quickly and software-based solutions are locked in an arms race to keep up. So what steps can SMEs take to prepare themselves for a ransomware attack?
Keep up to date with security news and updates
Knowing what to look out for is half the battle. Keep up to date with the latest developments in malware and, obviously, with the latest antivirus software updates and patches.
Communicate risks with your staff regularly
All it takes is one uninformed employee to open an infected attachment for your whole business to be affected. Make sure your team is clear about how to identify potential phishing emails as well as the recommended procedures to follow in the case of a breach or infection, as this can help to get incidents under control quickly, reducing the amount of damage caused.
Additionally, employees can take advantage of initiatives such as the government's Cyber Essentials Scheme (CES). For SMEs, which might not have the dedicated in-house IT staff to address cyber-security challenges, the CES provides advice and guidance for those looking to take their first steps into cyber-security or simply to improve existing processes. In the current environment it is imperative these resources are utilised.
Planning and testing
Companies should plan for impacts and test for scenarios. Impact-based planning works on the assumption that while there are an infinite number of possible disasters, the number of potential consequences at the operational level is much smaller. Scenario-based planning asks users to anticipate the consequences of a disastrous event and to create solutions ahead of time.
With that being said, certain threats do warrant having a specific response plan in place, and this is the case for ransomware. Once this plan has been established, it is vital to then test that plan. Full-scale disaster recovery (DR) testing may not be possible for every SME, but exercises such as a tabletop test, in which an organisation responds to a simulated disruption by walking through its recovery plans and outlining its responses and actions, should be carried out as a minimum.
If your organisation has not done so already, I would advise making a ransomware attack the focus of your next test to see how your team would cope, and to help create a step-by-step runbook for dealing with a real attack in the future.
Backing up and recovering
With plans and tests in place, if your organisation is infected with ransomware you usually have two options: recover the information from a previous backup or pay the ransom, the former being the preferred option. [In some instances, though, it may be possible to crack the encryption with decryption tools, some of which are available from https://www.nomoreransom.org/.] When recovering, the main objectives are to minimise the amount of data loss and to limit the amount of IT downtime for the business.
Traditional disaster recovery services are not optimised for cyber-threats. Replication software will immediately copy the ransomware from production IT systems to the offsite replica. Replication software will often have a limited number of historic versions to recover from, so by the time an infection has been identified, the window for recovery may have passed. Therefore, recovering from ransomware is often a lengthy process that requires reverting to backups. This often involves trawling through historic versions of backups to locate the clean data. Partnering with a specialist can dramatically reduce this process, ensuring faster recovery and ultimately greater peace of mind.
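The search through historic versions described above can be sketched as follows. This is an added example, not code from the article or from Databarracks; the snapshot layout, the `.locked` suffix, the sample files and both thresholds are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.5  # bits/byte; assumed cut-off for "looks like ciphertext"
MASS_CHANGE = 0.5   # assumed share of files that marks a snapshot suspect

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def opaque_share(files: dict) -> float:
    """Fraction of files in a snapshot whose content looks like ciphertext."""
    if not files:
        return 0.0
    return sum(entropy(d) >= HIGH_ENTROPY for d in files.values()) / len(files)

def is_suspect(prev: dict, cur: dict) -> bool:
    """True when most files readable in prev are opaque or missing in cur."""
    readable = [p for p, d in prev.items() if entropy(d) < HIGH_ENTROPY]
    if not readable:
        return False
    hit = sum(p not in cur or entropy(cur[p]) >= HIGH_ENTROPY for p in readable)
    return hit / len(readable) >= MASS_CHANGE

def newest_clean(snapshots: list):
    """snapshots: oldest-first list of (label, {path: bytes}).
    Returns the label to restore from, or None when even the oldest retained
    version already looks encrypted (the recovery window has passed)."""
    if not snapshots or opaque_share(snapshots[0][1]) >= MASS_CHANGE:
        return None
    for (label, prev), (_, cur) in zip(snapshots, snapshots[1:]):
        if is_suspect(prev, cur):
            return label
    return snapshots[-1][0]

def _opaque(seed: int, size: int = 2048) -> bytes:
    """Constructed stand-in for ciphertext: deterministic high-entropy bytes."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(size // 32))

# Constructed sample data: two clean nightly versions, then two encrypted ones.
CLEAN = {"invoices.csv": b"1001,keycards,3,room 12\n" * 80,
         "bookings.csv": b"2017-02-01,room 12,2 nights\n" * 80,
         "logo.jpg": _opaque(0)}  # compressed media is legitimately opaque
LOCKED = {name + ".locked": _opaque(i + 1) for i, name in enumerate(CLEAN)}
SNAPSHOTS = [("mon", CLEAN), ("tue", CLEAN), ("wed", LOCKED), ("thu", LOCKED)]

if __name__ == "__main__":
    print("restore from:", newest_clean(SNAPSHOTS))
    print("only 2 versions kept:", newest_clean(SNAPSHOTS[-2:]))
```

With four retained versions the search lands on the last version taken before the mass change; with only the two most recent versions retained it returns nothing, which is the limited-history problem the paragraph describes. Entropy is a coarse signal, so a backup set made up mostly of compressed or already-encrypted files needs a different check.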
We expect the trend of increasing ransomware attacks to continue, but the steps to help mitigate these threats are simple. Keep detection and prevention products like antivirus up to date; have an informed workforce who can identify potential attacks and react quickly if infected; and have an incident response plan in place with effective backup, and test that plan to make sure it works.
Contributed by Peter Groucutt, managing director, Databarracks