As an industry leader in security intelligence and analytics, LogRhythm continues to empower organisations around the world to detect, respond to and neutralise damaging cyber threats.
As ransomware has been thrust into the spotlight in recent times, LogRhythm has recognised the increasing demand from companies and individuals for guidance. Until recently, most ransomware attacks were simply opportunistic, mostly affecting individual users and small businesses, with ransom demands commonly amounting to a few hundred pounds for a single computer. Now, attackers have set their sights on larger organisations that have the budgets to pay bigger ransom demands, and are targeting the more important files and computer systems that are critical to an organisation’s everyday operations.
Now more than ever, it is important for companies to be fully prepared for the likelihood of an attack, and here LogRhythm details the five key steps all professionals should incorporate into an organisation’s cyber security strategy.
Step One: Patching
Firstly, organisations need to patch aggressively so that vulnerabilities are eliminated and access routes are contained. Adequate endpoint protection also needs to be in place, with tools that can automatically detect and respond to infections before they grow into major incidents.
Step Two: Detection
In the event that an organisation is hit with an attack, it is possible to minimise the damage if the malware is detected early, using threat intelligence sources to block, or at least alert on, the network-traffic anomalies associated with ransomware. Make sure emails are analysed for malicious links and payloads, and employ rules that search for files executing from common ransomware folders, so that ransomware is spotted before any files are encrypted.
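The detection rule described above, as an added example that is not LogRhythm's own code: it scans constructed process-creation events for executables launching from user-writable staging folders (the folder list, the event format and the Office-parent heuristic are assumptions for this example, not taken from the page) and raises the severity when the parent is an Office application, since that pattern fits an email-borne payload.

```python
import re

# Constructed sample process-creation events (not real telemetry), in a simple
# key=value format invented for this example.
SAMPLE_EVENTS = r"""
ts=2024-05-01T09:12:01Z host=WS01 user=alice image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe
ts=2024-05-01T09:12:05Z host=WS01 user=alice image=C:\Users\alice\AppData\Local\Temp\invoice.exe parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ts=2024-05-01T09:13:10Z host=WS02 user=bob image=C:\Users\bob\AppData\Roaming\svchost.exe parent=C:\Windows\explorer.exe
ts=2024-05-01T09:14:00Z host=WS03 user=carol image=C:\Program Files\Git\bin\git.exe parent=C:\Windows\System32\cmd.exe
"""

# Assumed user-writable staging folders that droppers commonly execute from;
# tune this list to your own environment and telemetry.
STAGING_DIR_PATTERNS = [re.compile(p, re.I) for p in (
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\",
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\",
    r"^[a-z]:\\users\\[^\\]+\\downloads\\",
    r"^[a-z]:\\programdata\\",
    r"^[a-z]:\\users\\public\\",
)]
# A parent that is an Office application suggests an email-borne payload.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Lazy value match that stops at the next " key=" token, so paths may contain spaces.
EVENT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    # One key=value event line -> dict of fields.
    return dict(EVENT_RE.findall(line))

def evaluate(event):
    """Return (severity, reasons); severity is None when no rule fires."""
    reasons = []
    if any(p.search(event.get("image", "")) for p in STAGING_DIR_PATTERNS):
        reasons.append("executable launched from user-writable staging folder")
    parent_name = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    if parent_name in OFFICE_PARENTS:
        reasons.append("spawned by an Office application (possible email payload)")
    severity = {0: None, 1: "medium", 2: "high"}[len(reasons)]
    return severity, reasons

def scan(text):
    """Run the rules over every event line and return the alerts raised."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        severity, reasons = evaluate(event)
        if severity:
            alerts.append({"host": event["host"], "image": event["image"], "severity": severity, "reasons": reasons})
    return alerts
```

Run against the sample, the rule flags the Temp-folder executable spawned by WINWORD.EXE as high and the Roaming-folder binary as medium, while the two legitimate launches produce no alert.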
Step Three: Containment
Once the ransomware has executed on one device, there are steps an organisation can take to contain it locally. An endpoint protection system that can detect the execution and kill the process is usually the best means of containment. The local host then needs to be blocked and isolated from the network, preventing further files on the network from being encrypted.
Step Four: Eradication
Once an organisation is aware of a ransomware incident and it has been contained, the ransomware then needs to be eradicated. The best option is simply to replace the machines that have been affected, since it is difficult to know whether residual files are hidden on the system and able to re-infect devices. However, for network locations such as mailboxes or file shares, it is sometimes more appropriate to clean those locations, removing the malicious email message or the ransomware instructions.
Step Five: Recovery
For recovery, the number one task is going to be restoring from backup. In most ransomware investigations, organisations will want to complete the recovery phase with a full investigation into the specific infection vector that was used against the system.
Ransomware attacks against organisations are just starting to ramp up. The ramifications of a successful attack are far more extensive than just the cost of the ransom. Organisations can suffer the effects of lost productivity, loss of business, inconvenience to customers, and potentially, the permanent loss of data. An organisation’s success in defending against a ransomware attack is largely dependent on the level of preparation and the tools deployed to monitor systems and to detect, shut down and contain suspicious activity.
Find out more in LogRhythm’s eBook ‘Ransomware Threat: A How-To Guide on Preparing for and Detecting an Attack Before it’s Too Late’
You can also find out more about LogRhythm’s product and solutions offerings by visiting their website: www.logrhythm.com