MSP Guide: How to Safeguard Your Clients During a Ransomware Attack – Source: securityboulevard.com

As a managed service provider (MSP), you are tasked with keeping clients from malicious software infections and ransomware attacks. Even if you have done your best to avoid ransomware attacks altogether, you still need to be prepared and know what to do if a ransomware attack occurs. Spoiler: We recommend not paying the attacker, but realize sometimes that’s easier said than done. 

In this article, we’ll provide steps so that you can prepare a ransomware attack response checklist and know what to do if your client becomes the victim of an unexpected ransomware attempt or attack.

What is Ransomware?

Ransomware is a type of malicious software (malware) designed to extort money from its victims by preventing them from accessing their files or operating systems. 

Ransomware attacks are commonly enabled through phishing emails or malicious links hidden in attachments. After a successful ransomware infection, attackers typically encrypt the victim’s data and demand a ransom payment in exchange for the decryption key. If the victim does not pay the ransom, they may lose their data permanently.

Ransomware attacks can have a devastating impact on businesses and individuals alike. Aside from the financial losses caused by the ransom payment, businesses without ransomware protection in place may also experience:

• Downtime
• Loss of productivity
• Damage to reputation

Individuals may lose irreplaceable personal files, such as photos and documents.

Prevention is always better than cure, but if a ransomware attack was carried out successfully, don’t panic! Follow your ransomware recovery plan to limit the damage and minimize the impact on normal business processes.

What to Do When Your Client Suffers a Ransomware Attack

Ransomware attacks have become increasingly common in recent years, and businesses of all sizes are at risk. Hackers are discovering new security vulnerabilities all the time and have become adept at exploiting them.

If your client suffers a ransomware attack, it is important to act quickly and decisively to limit the damage and ensure system recovery, following a cyber incident response plan or ransomware recovery plan. Here are the steps you should take:

1. Isolate Infected Machines

When a ransomware attack occurs, prompt action is crucial to prevent the infection from spreading throughout the network. Isolating infected machines is the first critical step in containing the damage and minimizing the impact of the attack. 

By isolating infected machines, you effectively sever their connection to the network, preventing the ransomware from laterally moving to other devices and causing further harm.

To isolate an infected machine:

• Immediately Disconnect from the Network: Unplug the Ethernet cable or disable Wi-Fi and Bluetooth connectivity to physically isolate the machine from the network. This prevents the ransomware from communicating with other devices or servers.
• Power Down the Machine: If the machine is still operational, turn it off completely. This will halt any active ransomware processes and prevent them from further encrypting files or transmitting data.
• Secure External Devices: Remove any external storage devices, such as USB sticks or external hard drives, from the infected machine. These devices could potentially carry the ransomware infection and spread it to other computers if connected.
• Label the Machine: Clearly label the infected machine to prevent accidental use or connection to the network. This will help ensure that the machine remains isolated until it has been properly disinfected and cleared of ransomware.

2. Identify the Type of Ransomware

Accurately identifying the type of ransomware and attack style involved is crucial for determining the most effective recovery strategy. Different ransomware variants exhibit distinct behavior, encryption methods, and potential decryption solutions.

By identifying the ransomware strain, you can:

• Assess Encryption Strength: Determine the difficulty and feasibility of decrypting the affected encrypted files.
• Evaluate Decryption Tools: Identify available decryption tools or services specifically designed for the particular ransomware variant.
• Plan Recovery Approach: Tailor the recovery strategy based on the ransomware’s behavior, such as identifying potential backups or leveraging shadow copies if available.
• Seek External Expertise: If necessary, consult cybersecurity experts specializing in the specific ransomware strain or data recovery to obtain specialized guidance and support.

3. Inform Employees

Transparency and open communication with employees are crucial during a ransomware attack. Employees need to be aware of the situation to make informed decisions about their online activities and avoid actions that could further spread the ransomware.

It can also be a valuable learning experience. By understanding the threat and the impact of a ransomware attack, employees are less likely to click on suspicious email attachments or click on links from unknown senders and sources, which could further propagate the ransomware and spread malicious code throughout your computer system.

4. Change Login Credentials

Ransomware often exploits vulnerabilities in login credentials to spread laterally across a network. Ask all employees to reset their passwords for all systems, including email, network access, and any other critical applications. 

If you haven’t done so already, implement multi-factor authentication (MFA) whenever possible, adding an extra layer of security beyond just passwords. Encourage employees to use strong, unique passwords and consider using password managers to generate and store secure passwords securely and establish a regular password reset policy to enforce periodic changes, reducing the risk of compromised credentials remaining active for extended periods.

5. Take a Photo of the Ransom Note

The ransom note displayed by ransomware often contains valuable information about the attack, such as the type of ransomware, contact details for the attackers, and instructions for payment. The ransom note and ransom demands can help identify important data, like the specific ransomware variant, which is crucial for determining the best recovery strategy and seeking appropriate decryption tools.

In some cases, the ransom note may provide contact information for the attackers, which could be useful for law enforcement or cybersecurity experts investigating the incident. It also serves as evidence of the attack and may be required for insurance claims or legal proceedings.

6. Notify the Authorities

According to the Cybersecurity and Infrastructure Security Agency (CISA), in the United States, victims of ransomware incidents can report the incident to the FBI, CISA, or the U.S. Secret Service. You should also contact your local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.

You may also, depending on the severity of the attack, take a proactive approach and share the information with cybersecurity organizations, security researchers, or even members of the public. Reporting incidents provides valuable data for analyzing ransomware trends, identifying patterns, and developing more effective prevention strategies.

It is important to do everything in your power to not pay the ransom demanded by the attackers. Even if you do pay, there is no guarantee that you will get your data back. In fact, paying the ransom may only encourage the attackers to target your organization again in the future.

7. Implement Security Updates

After successfully containing a ransomware attack and restoring data from backups, you have to update your systems, including your antivirus software, anti-malware software, and firewalls, and run the latest security patches to prevent another attack.

Use specialized anti-malware software designed to detect and remove malware that may have bypassed antivirus protection and configure firewalls to block malicious traffic and prevent unauthorized access to the network. You should also regularly review and update firewall rules to address emerging vulnerabilities and potential attack vectors.

If you aren’t doing so already, regularly conduct vulnerability scans to identify and prioritize remediation of weaknesses in the network and systems.

8. Recover Your Data 

Once the attack has been mitigated, you can start the recovery process. Before initiating data recovery, verify the integrity and accessibility of the backups to ensure they haven’t been compromised by the ransomware. Your recovery strategy should include identifying the affected systems and prioritizing the restoration process.

Once data has been restored, thoroughly validate it to ensure its integrity and accuracy to prevent the introduction of corrupted or incomplete data. It’s also a good time to evaluate your backup schedule to ensure that it’s sufficient and will minimize data losses if another attack occurs.

Always store backups securely, preferably in an offline location or cloud storage service that is isolated from the production network, to prevent ransomware from encrypting or deleting backups.

Prevent Ransomware Attacks

One of the best ways to prevent these attacks from reoccurring is to implement cybersecurity awareness training. Employees should be aware of:

• Common phishing tactics: Recognizing suspicious emails, links, and attachments that may contain malware.
• Social engineering techniques: Understanding how attackers manipulate human behavior to gain access to sensitive information or systems.
• Importance of password hygiene: Creating strong, unique passwords and avoiding password reuse across multiple accounts.
• Safe online practices: Exercise caution when browsing the internet, clicking on links, and downloading files from unknown sources.
• Reporting suspicious activity: Promptly reporting any unusual activity or potential security breaches to the IT department.

Use best cyber hygiene practices, including restricting user access, implementing MFA, and performing regular backups and patching to keep your cybersecurity defensive posture as strong and up-to-date as possible.

Regular maintenance and updates of security systems, coupled with a robust backup strategy and accompanying solution, are the best ways to keep your clients safe and mitigate the damage of a ransomware attack.

*** This is a Security Bloggers Network syndicated blog from Blog – Coro Cybersecurity authored by Kevin Smith. Read the original post at: https://www.coro.net/blog/msp-guide-how-to-safeguard-your-clients-during-a-ransomware-attack