Introduction
With new cases reported nearly every day, ransomware has become an inescapable part of the security conversation. Attacks are seen in organizations of every size and industry, and victims can suffer a loss of productivity, revenue, and confidence, in addition to the costs of recovery, and the threat of confidential information being leaked or sold.
It doesn’t have to be this way.
Ransomware is a threat that can be handled by adopting recommended defensive and resilience practices and technologies, and leveraging information and advice shared within a community of vigilant protectors.
Rapid7 is proud to be a part of that community. We have some of the foremost thinkers, researchers, and engineers actively engaging in the conversations around ransomware and encourage them to use our platform to help inform as many security professionals as possible.
Responding to the ransomware threat
It’s important to remember that there is no silver bullet for preventing ransomware, but there are plenty of silver linings. For instance, a core component of a solid prevention plan is instituting best practices within your workforce that can defend against any number of attacks.
Typically, a robust ransomware prevention and remediation plan has three parts to guide your organization’s actions: before the attack, during the attack, and after the attack.
Before the attack:
The key to prevention is minimizing the attack surface a bad actor has to work within. That means proper workforce training to prevent phishing exploitation, credential theft, or visiting compromised websites.
It is also critical to have a robust backup regime that allows you to restore your data to a point in time before the attack. Finally, make sure you have a full incident response plan in place. This includes asking frank questions about your preparedness, understanding what measures you will take to identify ransomware before encryption takes place, how you will contain those breaches, how you will recover lost data, and how you will eradicate an existing threat. Make sure your incident response plan is available offline.
During the attack:
Once an attack is underway, the single most important goal your team should have is mitigating the impact. This means operationalizing your incident response plan, restoring data from backups, issuing new assets that are clean and free of exposure, and remediating initial access and execution vectors to prevent repeat attacks.
One of the biggest questions businesses face at this point is whether to pay the ransom. It is a complicated question rife with competing interests, viewpoints, and legal ramifications. We explore this question in depth in our Ransomware Playbook and offer alternative solutions to simply paying the ransom.
After the attack:
Once the worst is over, it is critical that your team debrief to determine how well your plan worked and whether there are gaps or weaknesses that need to be addressed. There are also several remediation and mitigation steps to take, including rebuilding systems from a known-good baseline, quarantining endpoints, changing credentials, and locking compromised accounts.
How can we help?
There is no single solution to ransomware that can completely inoculate your organization from the threat, and protecting every entry into our networks from ransomware can feel like an uphill climb. But while we may all be targets, we don't have to be victims. There are many internal and external tactics and products that, when used together, can give you the best line of defense available.
Attackers are working together, training each other, spreading their knowledge, and sharing their tactics and technologies. The good news is so are we. At Rapid7, we have industry-leading vulnerability risk management — InsightVM — and incident detection and response — InsightIDR — solutions that can help you understand and reduce your attack surface, identify risks, detect ransomware, and eradicate it within your networks as quickly and cleanly as possible. We are constantly and consistently improving these offerings to evolve alongside the threat of ransomware so you can be assured that our solutions will keep up with your internal efforts. When it comes down to protecting yourself from ransomware, you are not alone.