iso27diy-corp/Corpus/Sparks/Ransomware Playbook.md


3 Phases:

  • Prevention
  • During the attack
  • After the attack

Prevention

  • Identify specific techniques attackers are using (A 5.7)
  • Workforce education
  • Remove vulnerabilities / Attack surface reduction
  • Business Continuity Planning (BCP)
  • Ransom payment policy

Workforce education

ISO 27002 A 6.3

Education programs should address the following:

  • Use caution when opening links or attachments by considering:
    • Do I know the sender?
    • Does this look suspicious?
    • Is this something that I should open or a link I should follow?
  • Use a Virtual Private Network (VPN) to gain the benefits of implemented security controls.
  • Do not provide personal details when answering emails, phone calls, texts, or other messages.
  • Contact the IT department as soon as possible if you receive suspicious communication.
  • Validate IT resources and communications to ensure communications from new contacts are not an attempt at social engineering.
  • Alert the IT department before traveling internationally.

See also the Guidelines for Regular Users from the Europol No More Ransom project.

Attack surface reduction

Backup and restore

  • Regularly back up your systems, online and offline. Up-to-date backups are the most effective way of recovering from a ransomware attack.
  • Ensure that you create offline backups that are kept separate from your network and systems, in a different location (ideally offsite) and/or in a cloud service designed for this purpose.
  • Perform tests of the restore process for critical information.
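As an added example (not part of this playbook), the Python script below makes the restore test concrete: it records a SHA-256 manifest of a backup set and later verifies a restored tree against it, so the test fails loudly when files are missing, renamed or overwritten (the typical footprint of a ransomware-encrypted copy). The directory layout, file names and the simulated damage are constructed for the example.

```python
"""Added example (not from the playbook): build a SHA-256 manifest of a backup
set and verify a restore target against it. The sample data and the simulated
ransomware-style damage below are constructed for demonstration."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree with the manifest taken at backup time.

    Returns a report listing missing, modified and unexpected files;
    'ok' is True only when all three lists are empty."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {
        "ok": not (missing or modified or unexpected),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo(corrupt: bool = True) -> dict:
    """Constructed scenario: back up two files, write the manifest to disk, then
    (optionally) simulate damage before the restore test runs:
    one file is overwritten with random bytes, the other is renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "readme.txt").write_text("critical asset inventory\n")

        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

        if corrupt:
            (src / "finance" / "ledger.csv").write_bytes(os.urandom(64))
            (src / "readme.txt").rename(src / "readme.txt.locked")

        return verify_restore(src, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(corrupt=True), indent=2))
```

In a real restore test the manifest is stored with the offline copy (and ideally signed), and the verification runs on an isolated restore host before anything is reconnected to production.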

Coverage

  • Periodically check your coverage (know what you are not monitoring) as part of your vulnerability management (VM) program (A 8.8)
  • Identify critical information assets
    • Store sensitive data in compartmented locations.
    • Ensure that critical assets are isolated through network segmentation (A 8.22)

Testing for and plugging vulnerabilities

  • Regularly run penetration tests
  • Scan for vulnerabilities in installed software
  • Scan your operating systems
  • See that all software is up to date and available patches are installed (A 8.8)
  • Know indicators of ransomware and block them from executing (e.g. by scanning mail for executable attachments)
  • Disable the execution of email attachments
  • Block malicious websites, applications, protocols, etc. through content inspection
  • Implement blacklisting/whitelisting rules based on live threat intelligence feeds
  • Use anti-spear-phishing software that inspects links and attachments at the mail server
  • Keep antivirus and anti-malware products up to date
  • Disable scripting and macros (e.g. MS Office macros)
  • Prevent activation of OLE packages in Microsoft Word
  • Disable Windows PowerShell
  • Use RDP (Remote Desktop Protocol) only when absolutely necessary, and then only with MFA
  • Block access to high-risk category websites (adult material, games, gambling, advertisements, peer-to-peer file sharing)
  • Monitor for data exfiltration: many ransomware campaigns come with the threat of releasing data to pressure businesses into paying the ransom
  • Implement measures such as hard disk encryption, inactivity timeouts, privacy screens, strong authentication, disabling Bluetooth, and removable media control and encryption (e.g. USB drives).
  • Disable (or restrict) use of removable media
  • Implement a process to remotely disable access to a device that has been lost or stolen.
  • Permit the installation of apps from official sources only
  • Turn on local firewalls
  • Develop effective use policies for public Wi-Fi networks
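The items on scanning mail for executable attachments and inspecting attachments at the mail server can be illustrated with a small filter. The following Python script is an added example (not part of this playbook or of any mail product): it parses an RFC 822 message with the standard library and flags attachments by executable extension, deceptive double extension, macro-enabled Office type, archive type, and by content (a Windows PE "MZ" header regardless of the file name). The extension lists are an assumed policy and the sample message is constructed inline.

```python
"""Added example (not from the playbook): flag risky mail attachments the way a
mail-server filter would. Extension lists are an assumed policy; the sample
message is constructed for demonstration."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block policy: executable and script types commonly abused as droppers
EXEC_EXTENSIONS = {
    "exe", "scr", "bat", "cmd", "com", "pif", "js", "jse", "vbs", "vbe",
    "wsf", "hta", "ps1", "msi", "dll", "lnk", "iso",
}
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "gz"}
# Document-looking extensions used to disguise executables (invoice.pdf.exe)
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_attachment(filename: str, payload: bytes) -> list[str]:
    """Return the reasons an attachment is risky; an empty list means allowed."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled document .{ext}")
    if ext in EXEC_EXTENSIONS and len(parts) > 2 and parts[-2] in DOC_EXTENSIONS:
        reasons.append("deceptive double extension")
    if ext in ARCHIVE_EXTENSIONS:
        reasons.append("archive; inspect contents or block")
    # Content check: a PE file renamed to look like a document still starts with MZ
    if payload[:2] == b"MZ":
        reasons.append("content has a PE (MZ) header")
    return reasons


def scan_message(raw: bytes) -> dict:
    """Parse a raw message and map each risky attachment's filename to its reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message() -> bytes:
    """Constructed test mail: a benign text file, a double-extension executable,
    and a PE file renamed to .pdf."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "finance@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"hello", maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00fake", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample_message()).items():
        print(name, "->", "; ".join(reasons))
```

The content check matters more than the name check: a filter that trusts the declared MIME type or the extension alone lets a renamed executable through, which is why the playbook pairs attachment scanning with disabling attachment execution on the endpoint.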

Identity and Access Management

  • Manage account permissions, especially administrative rights on endpoints (A 5.15, A 5.18). This includes:
    • Restricting write permissions for servers
    • Restricting admin users and privileged accounts
    • Granting users the lowest-level system permissions that still allow them to do their job
    • Removing the ability for users to install and run unapproved software applications / using application whitelisting
    • Limiting administrative tools on workstations
    • Creating separate user accounts for privileged and non-privileged activities
    • Organising access rights based on the principles of least privilege, need to know and segregation of duties
  • Ensure the use of unique passwords, especially for accounts with elevated rights
  • Use enhanced passwords and change them on a regular basis
  • Use multi-factor authentication (MFA)
  • Train your staff
  • Consider cyber liability insurance

Business Continuity Planning (BCP)

A 5.29, A 5.30

  • Employ a comprehensive data backup and recovery plan for all high-value data
  • Backups should be isolated on external storage devices or in the cloud, disconnected and inaccessible from any potentially infected computer once the backup is completed. See also BCP_Bedrijfscontinuïteitsplanning

Ransom payment policy

If your files are encrypted, what do you do?

During the attack

Remove infected systems from the environment, by disabling physical network ports or removing the network cable.

Check the Europol No More Ransom project, specifically to see if a decryption solution is available with the Crypto Sheriff tool or on their Decryption Tools page.

Infected… What to do next?

  1. Immediately disconnect the infected device(s) from all network connections, whether wired, wireless or mobile phone based, but don't switch them off.
  2. In very serious cases, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.
  3. Reset credentials, including passwords (especially for administrator and other system accounts), but verify that you are not locking yourself out of systems that are needed for recovery.
  4. Report the incident to your national police or other competent authority.
  5. Preserve any evidence, in coordination with the competent authorities investigating the attack: create a forensic image of affected systems (or a system snapshot), create a RAM dump of the affected systems, and preserve any netflow or other network traffic logs.
  6. Visit www.nomoreransom.org to check whether your business was infected with one of the ransomware variants for which free decryption tools are available. If that's not the case, proceed with the recovery steps.
  7. Safely wipe the infected devices and reinstall the OS.
  8. Before you restore from a backup, verify that it is free from any malware. You should only restore if you are very confident that the backup and the device you are connecting it to are clean.
  9. Connect devices to a clean network to download, install and update the OS and all other software.
  10. Install, update, and run antivirus software.
  11. Reconnect to your network.
  12. Monitor network traffic and run antivirus scans to identify if any infection remains.

After the attack

Inspect your environment to:

  • confirm the attackers no longer have a presence in your system
  • know if they have stolen data or caused other harm

Harden your systems against a similar attack, and rebuild or recover the systems impacted by the attack:

  • Rebuild systems from known-good baseline images to counter undetected threats.
  • Scan systems with an up-to-date anti-malware solution to remove malware and related artifacts.
  • Block malicious domain(s) and IP addresses. This should be performed at all appropriate network filtering and domain name server devices such as firewalls, web proxies, switches, and DNS servers.
  • Terminate malicious processes on the compromised endpoint(s) identified.
  • Quarantine affected endpoints from the network.
  • Lock affected compromised account(s) until the credentials can be rotated.
  • Change affected account(s) password(s) as soon as possible to prevent an attacker from leveraging the credentials to access services.
  • Determine whether other users received malicious communications and remove them from all mailboxes.
  • Block the sender's email address (if applicable).
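Three items in this playbook rely on the same kind of network-traffic check: monitoring for data exfiltration (Prevention), monitoring network traffic after recovery to see whether an infection remains (step 12), and blocking malicious IP addresses (After the attack). The Python script below is an added example (not part of this playbook) of that check over NetFlow-style records: it sums bytes sent by each internal host to external addresses and flags hosts above a threshold, and it flags any flow to an address on a block list. The log format, the corporate address ranges, the threshold and the block-list entry are all assumptions; the flow records are constructed.

```python
"""Added example (not from the playbook): detect bulk outbound transfers and
flows to block-listed destinations in NetFlow-style records. The record format,
internal ranges, threshold and block list are assumptions for the example."""
import ipaddress
from collections import defaultdict

# Constructed flow records: timestamp, source, destination, destination port, bytes sent
SAMPLE_FLOWS = """\
2024-01-01T03:00:01Z,10.0.0.15,10.0.0.5,445,120000
2024-01-01T03:00:05Z,10.0.0.15,203.0.113.7,443,900000000
2024-01-01T03:00:09Z,10.0.0.22,198.51.100.9,443,4500
2024-01-01T03:01:00Z,10.0.0.22,192.0.2.44,8443,60000
2024-01-01T03:02:00Z,10.0.0.15,203.0.113.7,443,450000000
"""

# Assumed corporate ranges (RFC 1918); anything else is treated as external
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Placeholder block list; real entries come from threat intelligence feeds
BLOCKED_IPS = {"192.0.2.44"}


def parse_flows(text: str) -> list[dict]:
    """Parse the constructed CSV-like records into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_per_host(records: list[dict]) -> dict[str, int]:
    """Total bytes each internal host sent to external destinations."""
    totals = defaultdict(int)
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[r["src"]] += r["bytes"]
    return dict(totals)


def find_alerts(records: list[dict], threshold_bytes: int = 1_000_000_000) -> list[str]:
    """Volume alerts first (sorted by host), then block-list hits in record order."""
    alerts = []
    for host, total in sorted(outbound_bytes_per_host(records).items()):
        if total > threshold_bytes:
            alerts.append(f"exfil-volume src={host} bytes={total}")
    for r in records:
        if r["dst"] in BLOCKED_IPS:
            alerts.append(f"blocked-destination src={r['src']} dst={r['dst']} port={r['port']}")
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

A fixed byte threshold is only a starting point; in practice the baseline is per host and per time window, and the same aggregation is worth running on DNS logs, since exfiltration and command-and-control traffic often hide in protocols the firewall already allows.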