Bryce Austin

Risk Management

Eight Defences and Responses to Ransomware Attacks

If all companies followed these recommendations, ransomware would become a thing of the past.

Published: Wednesday, December 22, 2021 - 13:03

There were seven people seated around the table: The CEO, the VP, the CFO, the special agent from the FBI, the owner, the forensics technician, and the company’s CISO (chief information security officer).

“Don’t pay,” was the CEO’s vote. Same for the VP.

“Pay it,” was the owner’s response. The CFO nodded in agreement.

“Paying could be a violation of Federal law,” stated the FBI representative.

The CISO had a hard time getting words out, as this was the largest ransom that he had dealt with at the time. $1.2 million was a lot of money. “I don’t see another option given the status of our backups,” he said. “Either we pay the ransom, or we begin liquidating the assets of the company as soon as possible. Which is the lesser of two evils?”

The CISO negotiated the ransom down to $410,000. The Bitcoin took several hours to amass. The cybercriminals delivered a decryption key, but 30 percent of the company’s data was gone forever—some of their hard drives filled up during the ransomware encryption process, and the encryption software kept running after the drives couldn’t hold any more data. Every file encrypted after that point was irretrievable. The total recovery took three months to ensure that no backdoors were left in the company’s systems, and the lawsuit to get the insurance company to cover the incident lasted almost two years.

Stopping ransomware comes down to three key areas: the cybersecurity hygiene of your employees, the practices of your IT department, and your data backup strategy. Here are eight ways to prevent a ransomware attack, and eight ways to recover if you fall victim to one.

Eight ransomware defenses to help prevent attacks

1. Add multifactor authentication (MFA) on all of your company’s email accounts and on all external access to your network (e.g., VPN, TeamViewer, WebEx). This will help prevent a cybercriminal from taking over an email account using a compromised username or password.
2. If your company uses Windows Active Directory, do not log in to computers with Domain Admin accounts. There is an attack called “Pass the Hash” that reuses the hashed credentials a logon leaves behind on the machine. If you must log in with a Domain Admin account, change the password afterward.
3. Patch your PCs. And your workstations and servers. Every month. No exceptions. That includes conference room PCs, loaner PCs, HVAC computers, all of them.
4. Patch your networking gear. Firewalls, switches, UPSs, phone system, everything.
5. Install good antivirus software everywhere. All PCs. All Macs. All servers. Everywhere.
6. Geofilter your internet traffic and emails. If you don’t do business with a foreign country, block traffic and emails to and from it. It keeps out lazy cybercriminals. No, it won’t keep out the cybercriminals that VPN into your country before attacking you, but it’s surprising how many cybercriminals don’t take the time to do that.
7. If you are part of a company with many workstations, use the Microsoft Local Administrator Password Solution (LAPS) to randomize the local administrator password on all PCs. If you have the same initial local admin username and password for every workstation, then if one machine gets compromised, it’s very easy for them to all get compromised.
8. If your users have local admin credentials, you may want to rethink that. Today. Right now. If a cybercriminal compromises a computer, they normally inherit the permissions of the user for that computer. If that user is a local administrator, the bad guys are going to use that access to do more damage.
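The geofiltering in item 6 is a simple allow-list decision once each external endpoint has a country attached to it. The script below, an added example rather than anything from the article or its author, shows that decision run over constructed firewall log lines: a hypothetical CIDR-to-country table (RFC 5737 documentation prefixes mapped to placeholder codes), a hypothetical allow-list of one country, and a rule that an address the table cannot place is treated as foreign so the filter fails closed. A real deployment would take the table from the firewall's own GeoIP feed; the log format is also assumed.

```python
"""Geofilter review over firewall log lines (added example, constructed data).

Each external endpoint is mapped to a country through a CIDR table and any
flow to or from a country outside the allow-list is reported.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Internal address space (RFC 1918 plus loopback) is never geolocated.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed GeoIP table: documentation prefixes mapped to user-assigned
# placeholder country codes (hypothetical, not real allocations).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "XA"),
    (ipaddress.ip_network("198.51.100.0/24"), "XB"),
]

# Countries the hypothetical company does business with; all others are blocked.
ALLOWED_COUNTRIES = {"XA"}

# Assumed key=value flow record format.
LOG_RE = re.compile(r"src=(?P<src>[0-9.]+)\s+dst=(?P<dst>[0-9.]+)")


def country_of(ip: str) -> Optional[str]:
    """None for internal addresses, the table's code for known prefixes,
    and "??" for public addresses the table does not cover."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return None
    for net, code in GEO_TABLE:
        if addr in net:
            return code
    return "??"


def flag_foreign(lines: List[str], allowed=ALLOWED_COUNTRIES) -> List[Tuple[str, str, str]]:
    """Return (line, endpoint, country) for every flow whose external endpoint
    lies outside the allow-list. Unknown ("??") counts as foreign so the
    filter fails closed rather than open."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a flow record
        for endpoint in (m["src"], m["dst"]):
            code = country_of(endpoint)
            if code is not None and code not in allowed:
                flagged.append((line, endpoint, code))
    return flagged


# Constructed firewall log lines.
SAMPLE_LOG = [
    "2021-12-20T08:12:01 ALLOW src=192.0.2.10 dst=10.0.0.5 proto=tcp dport=443",
    "2021-12-20T08:12:07 ALLOW src=10.0.0.17 dst=198.51.100.44 proto=tcp dport=3389",
    "2021-12-20T08:13:30 ALLOW src=203.0.113.9 dst=10.0.0.5 proto=tcp dport=25",
    "2021-12-20T08:14:02 ALLOW src=10.0.0.5 dst=10.0.0.6 proto=tcp dport=445",
    "2021-12-20T08:14:05 NOTICE link state changed",
]

if __name__ == "__main__":
    for line, endpoint, code in flag_foreign(SAMPLE_LOG):
        print(f"{code:>2} {endpoint:<16} {line}")
```

Running it reports the outbound remote-desktop flow to country XB and the inbound mail connection from an address the table cannot place; the two purely internal flows and the non-flow notice line are ignored. Note that the internal check is an explicit RFC 1918 list rather than Python's `is_private`, which also classifies the documentation prefixes used here as private and would hide them from the lookup.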

Eight ransomware responses

In case you fall victim to ransomware, you need the following. Please note that most of these should be done before the attack takes place:
1. Create offline backups. These are backups that are kept off of your network. Cybercriminals try to delete your backups. If your backups are not on your network, the bad guys can’t destroy them.
2. Test restore procedures. If you try to restore your backups only when you need them, you are rolling the dice every time you are in a real bind.
3. Have an offline restore methodology. Don’t begin a restore with your network still attached to the internet. Ransomware cases often unfold where the cybercriminals still have hooks into a company’s network, and they destroy the used-to-be-offline backups as soon as the restore process begins.
4. Create workstation reimages. You need a clean workstation image to restore workstations quickly if you suspect they have been compromised.
5. Prepare for server rebuilds. You need a clean server image to recreate your servers quickly.
6. Pre-negotiate an incident response-team contract. Find a cyber-incident response company and get a contract in place. That way you will know how to “call in the cavalry” quickly as opposed to going through contract negotiations in the middle of a crisis.
7. Maintain 35-percent free drive space on all network drives. Ransomware often bloats the data on the drives it encrypts. As soon as a drive fills up, the encryption process will keep trying to move forward, but every file it encrypts after the drive is full will be unrecoverable.
8. Understand your liability insurance. If you have cybersecurity liability insurance, call your insurance company as soon as possible. There are many stories of insurance policies with a clause stating that the customer must inform the insurer of a suspected incident within 24 hours of the initial discovery. If you take a few days to confirm that the incident was real, missing that window can be an expensive mistake.
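Items 1, 2 and 7 above are all checks that can be scripted and run on a schedule rather than discovered during a crisis. The script below is an added example, not code from the article or its author: it takes a hash manifest of a file share before backup, restores a copy, and reports what is missing, altered (for instance truncated because a drive filled during copying, the failure mode the article describes) or unexpectedly present on the restore target; it also computes the free-space fraction of a volume against the 35-percent floor. The share contents, the damage to the restored copy and the temporary directory are all constructed; the function names are this example's own.

```python
"""Restore drill (added example, constructed data): verify a restored copy
against a pre-backup hash manifest and check free-space headroom."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

FREE_SPACE_FLOOR = 0.35  # the article's recommendation: keep 35 percent of every drive free


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of contents, for every file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest taken before the backup.

    missing    - in the manifest, absent from the restore
    corrupt    - present but contents differ (e.g. truncated when a drive filled)
    unexpected - present in the restore but not in the manifest (target not clean)
    """
    found = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "corrupt": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "unexpected": sorted(set(found) - set(manifest)),
    }


def free_fraction(total_bytes: int, free_bytes: int) -> float:
    """Fraction of a volume that is free; 0.0 for an empty or unknown volume."""
    return free_bytes / total_bytes if total_bytes else 0.0


def headroom_ok(path, floor: float = FREE_SPACE_FLOOR) -> bool:
    """True when the volume holding `path` has at least `floor` of its space free."""
    usage = shutil.disk_usage(path)
    return free_fraction(usage.total, usage.free) >= floor


def run_drill() -> Dict[str, List[str]]:
    """Constructed scenario: create a small share, copy it as the 'restore',
    then damage the copy the way an incomplete restore would."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "fileserver"
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "ledger.csv").write_text("2021-12,1000.00,ok\n")
        (share / "readme.txt").write_text("restore me\n")
        manifest = build_manifest(share)  # taken before the backup is made

        restored = Path(tmp) / "restored"
        shutil.copytree(share, restored)
        (restored / "readme.txt").write_text("")               # truncated: drive filled mid-copy
        (restored / "finance" / "ledger.csv").unlink()          # never restored
        (restored / "finance" / "stray.tmp").write_text("x")    # restore target was not clean
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(run_drill())
    print("headroom ok on temp volume:", headroom_ok(tempfile.gettempdir()))
```

The manifest has to be captured and stored off the network alongside the offline backup; a manifest that sits on the share it describes is encrypted with everything else. The headroom check is the part worth running continuously, since a volume that drops below the floor is the one on which an encryption run will start producing unrecoverable files.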

If all companies followed the specific recommendations above, ransomware cybercriminals would become a thing of the past. With proactive action and a good cybersecurity awareness training program for your employees, cybercrime is a solvable problem.


About The Author


Bryce Austin

Bryce Austin is the CEO of TCE Strategy, an internationally-recognized professional speaker on technology and cybersecurity issues, and author of the book Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives (TCE Strategy, 2017). He is the named chief information security officer for companies ranging from 40 employees to S&P 500 organizations. Austin actively advises companies on effective methods to mitigate cyber threats. For more information visit www.BryceAustin.com.


This is valuable information

The offline backup you mentioned means ransomware can be disregarded.

I keep a system image with which to rebuild everything on my hard drive, and I keep an IDrive backup to ensure that my critical files cannot be lost.

Great article.

Great article. Thanks, Bryce!