If there’s something weird and it don’t look good, who you gonna call? – BOXX Hackbusters™

Happy Halloween from BOXX!

If there's something strange in your neighbourhood, who you gonna call? Ghostbusters! If there's something weird and it don't look good, who you gonna call? Ghostbusters!

These are some of the lyrics from one of my all-time favourite childhood movies. It was the inspiration for the concept of BOXX’s in-house breach response team – the Hackbusters! Having an insurance company that is able to write a claims cheque is one thing, but in the heat of an attack you want and need immediate access to experts who can help you respond to and recover from this digital car crash.

Ransomware continues to be one of the most disruptive cyber threats facing organizations today, a point further underscored by the COVID-19 pandemic. Our Hackbusters were recently asked to respond to a ransomware attack. Their speed to the scene and expertise helped our client avoid a million-dollar incident.

In this latest blog, we’ve invited Jack Brooks, Senior Director at the BOXX Hackbusters, to share some insights, in particular:

1. How should firms immediately respond to a Ransomware attack?

2. What are some of the vital steps that are sometimes missed?

3. What simple steps can firms take to reduce their risk of being ransomed?

1. What immediate steps should a firm take if it is the victim of a ransomware attack?

“Who you going to call…?”

If you have access to I.T. security experts, call them immediately. They are the experts and will give you the best chance to respond and recover from the attack. I’ve heard Vishal say before that "it’s not the incident that may kill your business but how you respond to it," and he’s quite right.

Gather the team and scope the incident.

Gather the incident response team and make sure they are ready to tackle their roles in the response efforts. Identify which applications, networks and systems were affected, and determine how actively the malware is spreading.

Contain the incident.

First, disconnect (wired and Wi-Fi) the infected system(s) from the network to ensure the attack does not spread to other computers and devices. Then, ensure backups are secured and free of malware. Every incident will generate some evidence, such as log files. Document this evidence as soon as possible and check it regularly. In some cases, if the incident is detected quickly enough, the encryption can be stopped. Some ransomware varieties use weak encryption that has a publicly available decryption mechanism provided by a security vendor or researcher.

Eradicate malware and recover from the incident.

This involves wiping infected systems and restoring lost data from backups. Be sure to change all account, network and system passwords after removing a device or system from the network. Change passwords again once the malware is removed completely from the network.

Perform post-incident activities.

Engage specialist data privacy lawyers to assess possible regulatory and breach notification requirements, if applicable.

2. What vital steps do some firms miss out?

We unfortunately see a number of firms face a second ransom attack soon after their first one. It’s vital that firms invest the time and resources to analyze how the attack happened and apply appropriate actions to ensure the same vulnerability is not compromised in the future and the systems are thoroughly checked for residual malware.

Employee education is also vital. For example, if the ransomware was the result of an employee clicking on a malicious link, the company should perform additional security awareness training.

Also, revise security policies if necessary. I.T. teams should also analyze how the ransomware incident response plan performed. If certain steps did not go as planned, review the plan, and update where needed to improve efficiency.

3. What simple measures can firms take to reduce their risk of being ransomed?

There are three key steps that businesses of every size can take to keep themselves safe: