Ransomware Resilience: How to prepare and respond in a crisis

Ransomware is different from most other crisis situations so including a scenario for this in your incident response plans will make a huge difference in knowing what to do rather than being caught in blind panic. You should include a ransomware table top exercise as part of these plans.

74% of all data breaches involve the human element, therefore educating everyone in your organisation about cyber security and the threats to be aware of is vitality important. This needs to be done regularly, not just a one off event. Regular monthly phishing simulation tests and educating people on things such as social engineering will reduce risk significantly.

Cyber criminals are acting on vulnerabilities within hours of them becoming publicly known and ransomware gangs in particular are taking advantage of targeted victim systems within as little as 48 hours. It is therefore imperative that patching and vulnerability management keeps pace with these threats.

Every system in your organisation, including desktops and servers, should be running a next generation endpoint protection and response solution. This should be capable of isolating the system to limit further damage and impact in the event of a critical situation such as a ransomware event.

49% of all breaches that occurred in 2022 involved the use of stolen credentials.

Humans make bad choices when it comes to choosing passwords. So in conjunction with a robust organisation password policy, make sure you are enforcing the use of strong passwords combined with MFA where possible on all systems.

Administrators of systems in your IT infrastructure should use dedicated admin workstations for performing all administrative tasks. Admin credentials should only be used for privileged tasks and not for every day use.

They should be stored in a secure vault and rotated regularly (at least weekly, but ideally after every use).

Log, Log, Log as much as you can! This means all key business applications, operating systems, network devices, firewalls, key infrastructure and end user compute systems. If you operate purely in the cloud or have a hybrid setup then logging is essential.

Think about using network segmentation and segregation, which are highly effective strategies an organisation can implement to reduce the impact of a network intrusion. Using a network detection and response system to collect and analyse network traffic for unusual patterns of behaviour will also help, but if this is not possible then collecting logs from key network systems (firewalls, network devices etc) and sending them to a centralised SIEM will be your next best option.

Make sure that everyone who works remotely uses an always on VPN when accessing your organisation’s network. Authentication should incorporate MFA and ideally an MFA solution that incorporates anti-phishing defences.

Your organisation’s backup solution should have redundancy built in to the design. 

Recovery tests should be run regularly to ensure the integrity of the data, and ease of access / recovery drills for all key systems should be run at least once a quarter.