Tips for preventing and preparing for ransomware attacks
Author: Dr. Frank Stummer

What sounds like a bad crime movie has become a reality in the digital space: criminal gangs lock factory gates and only let us back in when we pay a ransom. In my work as a digital forensic scientist, I am repeatedly asked: what should I do to protect myself? And what if, unfortunately, it does happen?
What is a ransomware attack?
It's about ransom extortion. Criminal gangs - usually organised with an astonishing division of labour - penetrate the IT infrastructure of an organisation (companies of all sizes, administrations, banks, clinics, ... in short: everyone) and encrypt the data and servers, thereby paralysing operations. Only when a ransom has been paid will a key be delivered in order to decrypt everything - which, however, does not always work. Increasingly, highly sensitive and confidential data are also being stolen, with the threat of publication used to increase the pressure of the extortion.
Without the necessary preparation for instances like this, everything usually stands still for days or even weeks. The damage caused and the expense to clean up the attack and restart operations are very high. Unfortunately, there are now many examples (here is just one) from across all sectors. But I think it's good that more examples are made public. One can only learn from them.
The three most important tips to protect against ransomware attacks
Firstly: attentive employees are the best protection. Perhaps even more importantly, seen from the opposite perspective: even the most secure technical precautions are not worth much if the employees are inattentive.
Not all employees need to become cybersecurity experts. It's more about maintaining an appropriate level of cautious behaviour. Just as I look left and right before I cross the street, I briefly think again about whether an admin would really send an email requesting my password. This process should permeate throughout an organisation's culture: it is always better to quickly report something suspicious to the proper people, even if it means admitting to having clicked on that tempting link for a supposed competition.
Regular training – which can be a lot of fun with well-designed campaigns – and an open culture are essential for security – this cannot be overemphasised!
Secondly, secure processes and suitable security tools are also necessary. In particular, this includes sufficiently secure login processes and protection at the perimeter, i.e. where data flows in and out of the organisation. The good thing is that there is an extensive selection of suitable tools for each case. It is always the combination of the selected tool and its use in processes that is significant for security. A firewall is of no use if the defined rules are deficient. Even the most rigid password protection with multiple authentication factors is of no use if accounts are not deleted when an employee leaves.
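The two failure modes named above (a firewall with deficient rules, and accounts that outlive the employee) are exactly the kind of thing a small periodic audit can catch. The following is an added example, not code from the article or its author: it runs over a constructed directory export, a constructed HR leaver list and a constructed firewall rule table, and reports enabled accounts past their leave date, long-idle accounts, accounts without MFA, and "allow" rules that match everything. Field names and sample values are assumptions for illustration.

```python
from datetime import date

# Constructed sample data (not real accounts or rules).
# A directory export: one record per user account.
ACCOUNTS = [
    {"user": "a.meier",  "enabled": True,  "mfa": True,  "last_login": date(2024, 5, 2)},
    {"user": "b.schulz", "enabled": True,  "mfa": False, "last_login": date(2024, 4, 28)},
    {"user": "c.weber",  "enabled": True,  "mfa": True,  "last_login": date(2024, 1, 15)},
    {"user": "d.koch",   "enabled": False, "mfa": True,  "last_login": date(2023, 12, 1)},
]

# The HR leaver list: user -> last working day. c.weber left months ago but is still enabled.
LEAVERS = {"c.weber": date(2024, 1, 31), "d.koch": date(2023, 12, 15)}

# A simplified firewall rule table; "temp-vendor" is an any/any/any allow that was never removed.
FIREWALL_RULES = [
    {"name": "allow-web",    "src": "any", "dst": "10.0.1.10", "port": "443", "action": "allow"},
    {"name": "temp-vendor",  "src": "any", "dst": "any",       "port": "any", "action": "allow"},
    {"name": "default-deny", "src": "any", "dst": "any",       "port": "any", "action": "deny"},
]


def stale_accounts(accounts, leavers, today, max_idle_days=90):
    """Return (user, reason) findings for enabled accounts that the offboarding
    process or the MFA policy should have dealt with."""
    findings = []
    for acc in accounts:
        if not acc["enabled"]:
            continue  # already disabled: nothing to report
        leave_date = leavers.get(acc["user"])
        if leave_date is not None and leave_date <= today:
            findings.append((acc["user"], "enabled after leave date"))
        elif (today - acc["last_login"]).days > max_idle_days:
            findings.append((acc["user"], "idle account"))
        if not acc["mfa"]:
            findings.append((acc["user"], "mfa disabled"))
    return findings


def permissive_rules(rules):
    """Return names of allow rules that match any source, destination and port."""
    return [
        r["name"] for r in rules
        if r["action"] == "allow"
        and r["src"] == "any" and r["dst"] == "any" and r["port"] == "any"
    ]


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed audit date
    for user, reason in stale_accounts(ACCOUNTS, LEAVERS, today):
        print(f"ACCOUNT  {user}: {reason}")
    for name in permissive_rules(FIREWALL_RULES):
        print(f"FIREWALL {name}: allow rule matches everything")
```

Run against a real export, the same checks would be fed from the directory service and the firewall's rule dump; the point is that the check compares the tool's state with the process (the leaver list, the MFA policy) rather than trusting either alone.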
Thirdly, the attention paid to security by suppliers and service providers also plays a major role. Many attacks do not infect my own IT infrastructure directly but are effectively tunnelled through my business partners. This is certainly the area that appears to be the most difficult. Standards such as IEC 62443 in the industrial sector, and similar ones in other areas, can be beneficial here. Each participant in the supply chain is accountable for ensuring a sufficient level of security and for communicating with the others in a trustworthy manner. Security in supply chains is also increasingly subject to regulation.
In addition to these three compulsory areas, there are other measures that, depending on the security requirements, are either optional but very useful or just as necessary.
These include, for example, constantly following reports of new attacks, attack methods and vulnerabilities published by security service providers, associations, or government agencies such as the Federal Office for Information Security (BSI) in Germany. Likewise, regularly monitoring the relevant sites and platforms for signs that data is already being extracted from one's own organisation, or that access to it is being offered, can provide early indications of attacks and threats. These sources of information can be found on the so-called dark web, i.e. the part of the internet that is not publicly searchable but can be accessed, or by using specialised security service providers.
But what happens if an attack does occur?
It is not only ransomware attacks and other cyberattacks that can happen; natural events or technical errors can also cause serious disruptions to normal workflows. In terms of risk and business continuity management, you should be prepared for an interruption – sometimes you are also required to be prepared by the relevant regulations. This does not only mean taking out business interruption insurance.
This always includes regular backups (i.e. storage of data, production programmes, formulas, etc.). Backups must be made independently of normal business operations, and there must be no feedback path between the two. In practical terms: an ongoing ransomware attack must not be able to encrypt the storage location of my backups at the same time, and the encryption software must not come back in again when the backups are reloaded. But here, too, there is a wide range of suitable options.
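Both requirements from the paragraph above can be checked before a restore: that the backup set has not been silently encrypted along with production, and that reloading it will not bring the encryption software back. The following is an added example, not code from the article or its author. It assumes a hash manifest that was written at backup time and kept apart from the backup storage (an offline or immutable copy), compares the backup set against it, uses byte entropy to separate ordinary edits from encrypted content, and screens the restore set against a list of known-bad file hashes. All file contents, paths and hashes are constructed for the example.

```python
import hashlib
import math
from collections import Counter

# Constructed sample backup set: path -> file contents at backup time.
ORIGINAL_FILES = {
    "recipes/formula_a.txt": b"flour 500g, water 300ml, salt 10g\n",
    "plc/line1.prog":        b"LD X0\nOUT Y0\nEND\n",
    "finance/q1.csv":        b"account,amount\n1000,42.00\n",
}

# Constructed stand-in for a file the incident team has identified as the
# encryption tool's dropper; only its hash would be kept in a block list.
CONSTRUCTED_DROPPER = b"\x7fELF-constructed-dropper-placeholder"
KNOWN_BAD_HASHES = {hashlib.sha256(CONSTRUCTED_DROPPER).hexdigest()}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Written at backup time; store it away from the backup storage itself."""
    return {path: sha256(data) for path, data in files.items()}


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0. Encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def verify_backup(manifest, files, entropy_threshold=7.0):
    """Compare a backup set against the independent manifest.

    ok                : hash matches the manifest
    missing           : file listed in manifest is absent from the set
    modified          : hash differs but content looks like ordinary data
    suspect_encrypted : hash differs and content is high-entropy
    """
    report = {"ok": [], "missing": [], "modified": [], "suspect_encrypted": []}
    for path, expected in manifest.items():
        data = files.get(path)
        if data is None:
            report["missing"].append(path)
        elif sha256(data) == expected:
            report["ok"].append(path)
        elif shannon_entropy(data) >= entropy_threshold:
            report["suspect_encrypted"].append(path)
        else:
            report["modified"].append(path)
    return report


def screen_restore_set(files, bad_hashes):
    """Return paths whose content matches a known-bad hash, so a restore does
    not reintroduce the encryption software alongside the data."""
    return [path for path, data in files.items() if sha256(data) in bad_hashes]


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL_FILES)
    # Constructed post-incident state of the backup storage: one file encrypted
    # (simulated with high-entropy bytes), one legitimately edited, one deleted,
    # and the dropper sitting in the backup set.
    after = dict(ORIGINAL_FILES)
    after["plc/line1.prog"] = bytes(range(256))
    after["finance/q1.csv"] = b"account,amount\n1000,43.00\n"
    del after["recipes/formula_a.txt"]
    after["tools/update.exe"] = CONSTRUCTED_DROPPER
    print(verify_backup(manifest, after))
    print("block before restore:", screen_restore_set(after, KNOWN_BAD_HASHES))
```

The manifest only proves anything if it cannot be rewritten by the same process that overwrites the backups; in the example that separation is an assumption, in practice it is the offline or write-once copy the paragraph above asks for.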
Last but not least: emergency plans and their regular practice are important – but are often missing in reality! In the event of an emergency, things can quickly become chaotic. Here, too, there are a number of relevant standards in the individual sectors, and many tried and tested methods, approaches and forms of support from associations or service providers. In general, information security affects not only the IT department but all areas of the company. Emergency plans therefore also cover, for example, corporate communications.
In fact, in my work I see time and again that those organisations that have good (and well-rehearsed) backup and recovery management – for all the hassle and expense – have suffered relatively minor damage from ransomware attacks.
To protect against an attack:
1. Attentive employees
2. Secure login processes and perimeter protection
3. Secure suppliers and service providers
Preparation in the event of an attack:
4. Backup and emergency plans (plus practice)