Ransomware Preparedness Assessment
Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.
Ransomware attacks on enterprises of all sizes, across all industry sectors, are on the rise. From our frontline vantage point, conducting over 3,000 incident response engagements a year, we know that every organization can be a victim because a successful ransomware attack is within the reach of cybercriminals everywhere.
Some threat actors are meticulous planners. They deftly map out internal networks to identify core business functions and sensitive data storage, even going so far as to research a company’s financial results to gauge how much they can afford to pay. At the other end of the spectrum, creators of “ransomware-as-a-service,” who simply ask for a percentage of the ultimate ransom, have opened the door to another class of attackers to pursue attacks with minimal risks against a wider range of targets.
Proactive Preparation Is the Best Protection Against Ransomware
While completely preventing ransomware attacks is nearly impossible, security and risk management professionals can take proactive steps to neutralize or mitigate their harm. Basic cyber hygiene remains fundamental. First, that means taking the time to accurately and regularly document the entire configuration of your network.
When a local government was victimized by ransomware, it impacted the municipality’s police and fire dispatch systems, online utility payment system, centralized accounting system and many other critical segments on its network. Unfortunately, the IT director was unaware of how many servers were on the network. This lack of awareness delayed the initial remediation, especially when combined with limited viable backups for restoration.
– Matthew Dunn, Associate Managing Director, Cyber Risk.
Second, data mapping inventories are more important than ever. Starting last year, many ransomware actors threatened to release stolen data to pressure victims into paying ransoms. Almost overnight, ransomware attacks morphed from mainly expensive operational disruptions to crises fraught with regulatory data privacy and breach notification issues. Knowing what kind of data you have and everywhere it is collected, used and stored is imperative.
Ransomware Protection: 7 Key Steps
In Kroll’s experience, seven fundamental security steps can deliver immediate layers of protection from ransomware:
- Institute least privilege policies for data/system access
- Delete unused email addresses
- Enforce strong password policies
- Implement multifactor authentication
- Create, update, segregate and protect viable backups
- Whitelist safe applications
- Accurately map network configurations
Responding to Ransomware
In the event that ransomware strikes, organizations should have a plan to take immediate action with six response steps that include:
Identify the Infection
The type of infection sometimes is stated in the ransom note, but can also be determined from numerous open-source sites. Kroll can also help pinpoint not only the ransomware type, but any other malware and persistence mechanisms still present in your environment.
Isolate Impacted Systems
Separate the impacted systems from other computers and servers within the network and disconnect them from both wired and wireless networks.
Report the Incident
Report the suspected incident to the appropriate local law enforcement agency: in the U.S., your local FBI field office or the FBI Internet Crime Complaint Center; in the UK, the police or the national Action Fraud website; in Australia, the ReportCyber website.
Retain Log Data
Because many log types roll off quickly, timely action is necessary to retain any potentially relevant event data for subsequent investigation.
Think Before You Pay
This involves decision-making processes that should already be outlined in your incident response plan. If applicable, contact your cyber insurance carrier for any ransomware-related coverage.
Restore systems and ensure your organization has prioritized effective backup policies and protocols.
14 Key Security Areas of a Ransomware Readiness Assessment
Kroll’s ransomware preparedness assessment aims to identify where your defenses are strong and where vulnerabilities exist that ransomware actors can exploit. Our methodology focuses on the cyber kill chain, a comprehensive examination that includes remote access configuration, phishing prevention, email and web protections, access controls, endpoint monitoring and end user awareness. At the end of our assessment, we will provide you with a prioritized, customized set of recommendations to help your organization deflect, detect or respond to a ransomware attack.
Ransomware Controls, Processes and Technologies
Kroll cyber experts will first focus on controls, processes and technology solutions to reduce the likelihood of ransomware-based attacks. During this step, we will:
- Analyze relevant firewall and network device configurations for security weaknesses
- Review user activity logging and audit configurations to aid potential investigative efforts
- Review network and endpoint security monitoring solutions and processes
- Evaluate email and web filtering options and configurations to prevent phishing attacks and malicious payload delivery
- Review access and privileged access controls and processes
- Evaluate vulnerability and patch management controls and processes
Remote Technical Interviews
Kroll will conduct up to four remote interviews with technical teams to assess the secondary defensive measures in place to protect the organization against email-based attacks. This review will encompass:
- Remote access controls
- Email and web controls
- Application whitelisting and audit controls
- Endpoint protection controls
- Employee awareness and training
- Backup and audit logging controls
- Incident response
- Business processes related to vendor management
A Solid Foundation to Protect Against Ransomware
In Kroll’s experience, ransomware protection starts with fundamental security practices bolstered by customized strategies informed by what we are seeing on the frontline. With Kroll’s help, your organization can build smarter defenses, close exploitable gaps, better safeguard sensitive data and more quickly respond and recover from an attack. Call Kroll today for your customized ransomware protection assessment.
Increased Cyber Resilience with a Cyber Risk Retainer
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
Frequently Asked Questions
What is ransomware?
Ransomware is a type of malware that uses encryption to attempt to hold data to ransom, leading to significant disruption and financial costs for organizations in many industries. By infecting systems on a network and locking down machines, ransomware prevents employees from being able to access devices and the data stored on them. While many ransomware actors customize their attacks around individual organizations, there has been a rise in “ransomware-as-a-service” in which actors can launch an attack with fewer risks and target a higher number of potential victims.
What is ransomware preparedness?
Ransomware preparedness is the approach taken by organizations to proactively defend themselves against potential attacks by ransomware groups. A successful ransomware preparedness strategy should bring together key security practices with tailored approaches that have been developed through a structured risk assessment.
Will a ransomware preparedness assessment prevent all ransomware attacks?
Unfortunately, it is impossible to completely prevent all ransomware attacks. However, by taking specific and strategic actions, security and risk management professionals can succeed in reducing organizational risk, neutralizing attacks and mitigating the potential damage and disruption. A critical part of this is basic cyber hygiene, including regularly documenting an organization’s entire configuration of networks.
What steps can my organization take to reduce the risk of ransomware attacks?
In addition to working with a trusted security partner, companies can enhance their resilience to ransomware attacks by taking the following steps:
- Ensure least privilege policies for data/system access are in place
- Delete email addresses that aren’t in use
- Implement clear password policies
- Ensure multifactor authentication is in use
- Create viable backups and ensure they are updated and segregated
- Ensure that safe applications are whitelisted
- Map network configurations as accurately as possible
How can assessments help organizations to defend against ransomware?
A ransomware assessment enables organizations to evaluate key aspects of security and critical attack vectors in order to better manage and mitigate ransomware attacks. This type of assessment helps companies to create more robust defenses, address areas open to exploitation, ensure the security of sensitive information and put themselves in a position to respond to attacks more swiftly and efficiently.
What specific areas does a ransomware preparedness assessment cover?
An effective assessment should look at a wide range of critical security areas and attack vectors. These include firewall and network device configuration, user activity logging and audit configurations, backup and audit logging, endpoint protection, application whitelisting and audit, and third-party vendor management. A ransomware preparedness assessment should begin by addressing controls, processes and technology solutions in order to minimize the potential for attacks. This should cover aspects such as looking for security weaknesses within firewall and network device configurations and assessing user activity logging and audit configurations, as well as checking access and privileged access controls.
What is the duration of a ransomware risk assessment?
The duration of a risk assessment is defined by the specific risk profile of an organization. During the scoping stage of the process, a potential risk assessment provider should be able to give you an overview and an insight into how long it will take.