Professional Documents
Culture Documents
Practical Guide
to Combatting
Ransomware
forcepoint.com
Practical Guide to Combatting Ransomware 2
Table of Contents
03 Introduction
10 Summary
forcepoint.com
Practical Guide to Combatting Ransomware 3
Introduction
What is Ransomware?
Ransomware is a type of malware that The first documented example
encrypts an organization’s files. The of ransomware occurred in 1989
attacker then demands a ransom payment when 20,000 diskettes were
in return for the decryption “key” and may infected with malware that hid
also threaten to publish the organization’s directories and encrypted the
data if the ransom is not paid. names of the files.
The perpetrator demanded a
How Does it Get In? An Existential Threat
Ransomware attacks are typically carried Times have changed. The global cost ransom of $189 for the antidote
out using a piece of malware that is
disguised as a business document.
of ransomware in 2020 was put at
$20 billion, with an average attack
to the virus.
costing over $4 million1. Every 11
The user is tricked into downloading or
seconds a business will be attacked by
opening, either as an email attachment
ransomware in 2021. In 2020, 36% of
or as a link to a document on a compro-
victims paid the ransom. 17% of those
mised website.
who paid never recovered their data2.
Introduction
Maersk 2017: NHS 2017: Travelex December 2019: Redcar and Cleveland Garmin 2020:
All end-user devices, including In May of 2017, the WannaCry A ransomware attack forced the Council 2020: Smartwatch and wearables
49,000 laptops and print ransomware attack infected company to take down its websites 135,000 people were without maker Garmin reportedly
capability, were destroyed. more than 200,000 computers across 30 countries in an attempt online public services after paid criminals $10 million
All 1,200 applications were across 150 countries by sending to contain the virus and protect Redcar and Cleveland‘s website via an intermediary for the
inaccessible and approximately phishing emails to vulnerable, data. Many of these were still and computers were targeted decryption keys that enabled
1,000 were destroyed. Around older-version Microsoft system offline two weeks later. In August in February. The attack on a it to return production systems
3,500 of 6,200 servers were networks. The attack left the 2020, the company went into council‘s computer systems is to full working order after a
destroyed. Chairman Jim NHS with a £73million IT bill. administration, citing a combination estimated to have cost more ransomware attack took out
Hagemann Snabe told the World of the ransomware attack and than £10m. websites, customer support, and
Economic Forum in Davos that the coronavirus pandemic as key user applications.
ransomware cost Maersk between reasons for its failure.
$250 million and $300 million.
forcepoint.com
Practical Guide to Combatting Ransomware 5
Introduction
top five most dangerous pieces of malware → The prevalence of un-patched and out-of-
date software and devices that are particularly
were recorded in 20203 were ransomware. vulnerable to attack.
→ The careful targeting of specific organizations by
the cybercriminals using highly sophisticated and
advanced attacks.
3 Safetydevices.com forcepoint.com
Practical Guide to Combatting Ransomware 6
This advice is taken directly from the NCSC’s extensive guidance, published in Mitigating Ransomware forcepoint.com
Practical Guide to Combatting Ransomware 7
Step 1:
Each attack probably only gets used once, so it has a very Backup Data
short time to live. Next time it is used, a change is made to the The most important part of any ransomware security strategy
attack and it is targeted at a new victim. is regular data backups. Most companies do this, but
Both processes are important. Restore drills are the only way
to know ahead of time whether your backup plan is working. If
changes made to an attack each time it is used. you test your backup and restore drill regularly you can reduce
Identify Information Flows the impact of the attack by having a safe, recent restore point.
Identify each of the key information flows into the organization, In addition, look to deploy an advanced protection solution
from email and Web browsing to file sharing and remote that uses techniques such as transformation to ensure Update and Patch
working. Each information flow needs to be robustly guarded. incoming files are safe. These techniques don’t suffer from Ensure operating systems, security software, applications,
the shortcomings of detection-based defences and can be and network hardware devices are fully patched and updated.
Consider Segregating Networks relied upon to only deliver safe, malware-free files. Advanced
Pay particular attention to the information assets and protection can be deployed on every information flow into the Many attacks take advantage of known vulnerabilities that
personnel within the business. An effective backup organization to protect from sophisticated attacks. manufacturers have patched. Failing to apply the patches
strategy will help mitigate against the threat of an attacker quickly/in a timely manner leaves the door wide open to
encrypting your data, but it won’t stop the attacker from attackers.
publishing your data if they do get in and steal it. Move Beyond Detection to prevent highly
evasive attacks by carefully selecting a set Train Staff
It may be necessary to physically segregate networks to Nine times out of ten, a ransomware attack begins with a
provide an additional layer of defence for high-value data of preventing controls that do not depend seemingly innocent business document arriving as an email
and key staff members. on the detection of threats. Gartner “Beyond attachment, a download from a compromised website, or an
Detection: 5 Core Security Patterns to upload from an untrusted or unprotected workstation.
Invest in Advanced Protection
Ransomware attacks are getting more targeted and Prevent Highly Evasive Attacks.“ Attackers make extensive use of social engineering
sophisticated every day. They are now being focussed techniques to persuade unwary staff into opening these
Published: 25 March 2018
specifically on individual organizations. documents, so it’s vital to ensure every member of staff is
educated to the potential danger.
forcepoint.com
Practical Guide to Combatting Ransomware 8
Step 2:
Restore from Backup At a broader business level, the plan specifies the
Wipe all infected workstations and endpoints, reinstalling the stakeholders who need to be informed that an attack has
operating systems and application software from scratch. taken place. In regulated environments, there will be a legal
Respond Verify your backups have not been infected and restore your
data from backup. Then reconnect to the network.
requirement to inform the relevant regulatory bodies as well
as any customers who may be impacted.
You should change the administrator access credentials for “Emergency response exercises failed to
any system that hosts critical data assets such as customer provide employees with decision-making
Unplug Immediately details and monitor these systems closely for signs of activity
Immediately unplug all infected workstations and devices from
that might indicate the attackers are still moving laterally
experience in dealing with cyber-attacks”
the network. Make sure this includes any tablets and mobile
inside the network or that the infection is still active.
devices that have been affected, ensuring both wireless and US Gas Pipeline Shut After Ransomware Attack, InfoSecurity Magazine
wired connections are disconnected. 19th February 2020.
forcepoint.com
Practical Guide to Combatting Ransomware 9
Step 3:
Review the Incident Response Strengthen Boundary Protection
You executed an Incident Response Plan. How effective Existing detection based anti-malware defences need to be
was it? Were you able to contain the disruption and damage reviewed in the light of the attack. Office documents, images,
Review done by the attack? How long was it before you were able to
resume “business as usual?” What lessons can you learn and
apply going forward?
and Adobe PDF files are all capable of carrying concealed
malware.
forcepoint.com
Practical Guide to Combatting Ransomware 10
Summary
forcepoint.com
Practical Guide to Combatting Ransomware 11
About Forcepoint
forcepoint.com/contact Forcepoint simplifies security for global businesses and governments. Forcepoint’s
all-in-one, truly cloud-native platform makes it easy to adopt Zero Trust and
prevent the theft or loss of sensitive data and intellectual property no matter
where people are working. Based in Austin, Texas, Forcepoint creates safe, trusted
environments for customers and their employees in more than 150 countries.
Engage with Forcepoint on www.forcepoint.com, Twitter and LinkedIn.
© 2022 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
[A Practical Guide to Combatting Ransomware] 28FEB2022
forcepoint.com