Nynox Insight: What to do when Ransomware’d
Recently there have been a lot of articles in the media about institutions that experienced ransomware attacks. But what can you do to minimize the impact if you were to fall victim to such an attack? Follow these instructions and tips:
What happens during a ransomware attack?
Ransomware organizations or “families” like LockBit, Conti, BlackBasta and many others try to find their way into your network via the use of phishing attacks or by exploiting public-facing applications.
After they have successfully infiltrated the environment, they will try to elevate their privileges to further compromise the network. They then move laterally to gain persistence and to figure out what measures you have in place to counteract their attack.
Finally, when they have compromised enough of your environment, they will execute their attack and start encrypting or in wo There is also a high chance that data has been exfiltrated and that you will be “Double-extorted”.
This means that after they have encrypted your data, they will tell you to not only pay a ransom to unlock everything but also to not have your data exposed to the internet before a certain timeframe has expired.
What can be done to prevent this from happening?
Train everyone in your company to spot phishing emails and make them aware of the risks of clicking on things they shouldn’t.
Take an inventory of all assets, software and data that are being used within your company. Authorized devices and software should be patched and hardened, and this can be repeated at regular intervals throughout the year. We do this by implementing Tenable vulnerability management at customers to easily create such an inventory.
Implement MFA, schedule regular backups and have endpoint protection in place. SentinelOne is what we manage as an XDR solution at several of our customers.
Segment/isolate your network into smaller zones. If a device in one zone is breached, the compromise stays contained within that zone.
Limit what a person can do on an endpoint to only what is required of his/her role in the company. Most employees do NOT need administrator privileges on their device.
What needs to be done if you were to fall victim to a ransomware attack?
Do NOT pay the ransom. There’s no guarantee they will follow their end of the bargain and you’re also fueling their next attacks.
Isolate the affected hosts so that no external or internal connections can be made from them. Only shut down the machine if you have no other option, because doing so has several drawbacks: volatile data is lost, recovery on this host is no longer possible, and the ransomware will start encrypting again once the machine is turned back on.
Reset passwords where possible
Block any connections to malicious C&C IPs
Collect all available logs/create images to investigate later
Re-image the infected hosts
How does Nynox protect its customers?
Our round-the-clock managed Security Operations Center (SOC), built on a central logging service, helps you defend against cyberthreats and forms the core of our Blue Team service.
Endpoint protection secures endpoints or entry-points against potential threats and breaches. An endpoint in an IT infrastructure is any device that is connected to the network.