How to respond to a ransomware attack as an MSP

Prolific ransomware gangs are breaching organizations worldwide and recent studies reveal a steady rise in the total number of known victims over the last decade. Between ReVil, AXLocker, LockBit, Ryuk and RansomCloud attacks– the list of ransomware strains continues to grow. As businesses continue adopting new technologies to better services, efficiency and cost, hackers are inventing creative ways to breakdown traditional security layers. Evidently, the threat landscape is evolving.

According to Gartner research, ransomware recovery results in periods of downtime costing organizations ten to fifteen times more than the ransom. Should clients fall victim to a ransomware breach, successful recovery is achievable if industry best practices are followed. To respond appropriately, we must understand ransomware, attacker behavior - techniques, tactics and procedures (TTPs) - and the affected security infrastructure to thoroughly respond, recover and prevent similar attacks.

In this article, gain comprehensive knowledge on how ransomware works, best practices for preparation and mitigation tips for managed service providers (MSPs).

Ransomware is more than a type of malware. It’s a global threat with forty-one percent of attacks using phishing, the leading threat vector targeting organizations. In all ransomware intrusions, cybercriminals are motivated by monetary gain and seek to extort sensitive data from individuals and businesses alike. Nearly forty percent of victims who comply with the ransom never get their data back and seventy-three percent of those that pay are hit with ransomware again.

Let’s dive into how ransomware works, types of attacks and the common tactics used to thwart cybersecurity layers.

One of the most costly forms of malware, ransomware intrusions aim to deny users access to important files and data stored on a device or in the cloud. Once cybercriminals evade security layers, they get ahold of critical assets, encrypting valuable data and scrambling the user’s files. The victim no longer has access and is prompted with an online ransom demanding payment in exchange to unlock the files.

Successful ransomware intrusions capitalize on the victim’s fear and ignorance to extort money and pressure the user into handing over payment within a given timeframe. While most attacks follow a similar scheme, different ransomware variants encompass other steps and demand various forms of ransom payments, like cryptocurrency.

The most prolific types of ransomware afflicting the service provider industry, include:

A common kind of malware that encrypts data on the victim's device and then demands payment in return for its decryption is known as crypto-ransomware, often referred to as crypto-malware. Crypto-malware doesn’t only seek to steal data, but inconspicuously looks for cryptocurrency on the user’s device. Operating silently, crypto-malware can be disguised as a legitimate software

Cybercriminals frequently employ inventive techniques to introduce ransomware infections into service provider networks and clients attack surfaces, such as sending crypto-ransomware through email in a bad link, by account hijacking, or by taking advantage of software flaws.

Locker ransomware is a type of malware that encrypts a victim’s files and locks the user out of their own systems, demanding a ransom payment in exchange for regaining access. This kind of ransomware is designed to deny the user’s access to their files, systems or devices by encrypting them with a complex algorithm. Once encrypted, the ransom message prompts on the victim’s screen with instructions on how to make the ransom payment and the desired form of payment in order to restore access. Cybercriminals typically include a deadline and threaten to permanently destroy the files if the ransom is not paid. These threat actors use fear and instill urgency in their ransom demands to coerce victims into paying within a specific timeframe.

To gain initial access and catalyze malicious activity, locker ransomware infiltrate devices and networks via phishing emails, nefarious downloads or exploiting open software or operating system vulnerabilities.

Techniques and sub techniques represent “how” adversaries achieve tactical goals by performing actions in a cyberattack, as explained by MITRE ATT&CK. Examples of techniques, include adversaries compiling lists of email addresses, using email servers to support phishing operations or performing vulnerability scans on victims to target their existing weaknesses. Adversarial techniques shed light on how ransomware actors gain initial access into business networks and provide context into attacker behavior as they penetrate security layers. After a cyber event, this context combined with threat intelligence, security tool findings and analysis, helps security technicians gain a deep understanding of an attack and quickly develop an appropriate plan to expedite incident response activities.

Let’s review the top methods adversaries use to infiltrate computers, systems and networks.

Nearly ninety percent of all cyberattacks start with email phishing and reports show phishing victims with a total loss of $52 million in the U.S. Phishing attacks are one of the most prevalent types of cyberthreats that today’s MSPs face. A type of social engineering attack, phishing actors pretended to be a trusted source, duping victims into opening illicit emails, text messages and direct messages. The recipient clicks on a malicious like or opens an attached file which leads to the deployment of malware and exposes sensitive data.

Social engineering describes a wide range of cybercriminal activities carried out through human relationships and interactions. Social engineering schemes involve psychological manipulation to deceive users into giving up confidential information, access credentials or sometimes money. For example, employees could receive an illegitimate email from what seems like a phony email address from a company executive. Unsuspectingly, the user clicks on a link, opens a file attachment or gives the email sender access credentials - initiating the installation of ransomware.

In cloud compromise intrusions, adversaries gain unauthorized access od cloud-based systems or services, resulting in compromised data or ransomware deployment. With increasing adoption of cloud computing, ransomware groups are targeting cloud environments, including cloud storage repositories, to gain access to sensitive information belonging to individuals and companies. Once in the cloud, ransomware operators encrypt critical data causing it to be inaccessible to authorized users. Following the data’s encryption, users receive a ransom note demanding payment in exchange for the decryption key.

According to M.I.T Sloan School and U.S. Secret Service, if a business suspects they have been hit with ransomware, they should never pay the ransom. Organizations who pay the ransom are more likely to be reattacked.

Instead, follow these industry-leading tips for responding to suspected ransomware intrusions:

Ransomware likes to spread and attempts infect as many systems as possible. Disconnect machines and systems known to be infected to prevent data from being tampered by the attackers.

Compile a list of all impacted or high-valued assets that are at-risk. Once gathered, conduct an incident response assessment to better understand what is infected and how the infection got in.

Which devices, systems or accounts did the infection originate from? How is the attacker connected to compromised devices? Where, when and by what means did the infection spread? These are questions that security technicians can use to build a timeline of events that led up to an attack and the threat actor’s activities during the infection.

Because ransomware groups are aware that businesses would attempt to recover from backups rather than paying the demanded ransom, they frequently target backup systems. Avoid connecting any backups to the infected machine, and stay vigilant for and quarantine any potentially impacted backups.

Make sure the current antivirus solution is configured for optimal protection. Consider enabling real-time protection, applying relevant patches to vulnerabilities, blocking ransomware communication and shutting down uninfected systems.

Reach out to trust IT security connections and rely on publicly available resources and databases, such as CISA.gov and MITRE ATT&CK CVE, to research if the vulnerability is known and take advantage of industry-leading tools. Likely, there is someone else who has already encountered the same ransomware intrusion, and knows how to remove it.

Here are some key tips for effective ransomware recovery:

Ransomware removal and Disaster Recovery (DR) security tools allow you to rapidly eradicate ransomware artifacts, secure client data and quickly restore them to a production-ready state following a cyber incident. Creating an incident response plan helps outline step-by-step actions to identify, quarantine and reduce the impact of an infection. The plan can delegate responsibilities to specific team members to improve efficiency of incident response efforts during an attack.

Ensure robust backup and recovery solutions are implemented to protect client data. Regularly backup critical data to cloud storage or offline environments to safeguard highly valued assets away from the network in case of infection. Collaborate and communicate with clients to define clear expectations for recovery and realistic timeframes, setting recovery time objectives (RTOs) and recovery point objectives (RPOs).

Gather information about the attack by examining event logs, network traffic, and system artifacts. These findings combined with forensic analysis and threat intelligence, can be used to improve security controls and stop future attacks. For example, data from event logs are essential for examining incident investigation and are used to construct a comprehensive picture, revealing patterns, trends and anomalies in a system.

Conducting a post-incident evaluation helps service provider technicians and IT security teams pinpoint areas for improvements after a successful recovery. The evaluation will clarify any inefficiencies in the incident response process and identify necessary changes. Review and update security policies, practices and security awareness training to improve cyber resilience. Stay up to date of emerging ransomware trends and continue bring awareness to clients in support of their cybersecurity efforts.

Government entities, like CISA.gov, provide incident report forms to report new, undiscovered cyberthreats. Collect as much information as possible about a threat, including event logs, indicators of compromise (IOCs) and other insights. Reaching out to government entities about emerging threats helps the cybersecurity community, service providers and businesses alike, proactively unite against cybercrime.

Preventing ransomware is always preferred rather than remediating it, but that’s easier said than done. Investing in a reliable, industry-leading cybersecurity and backup solution can identify, detect and response faster to suspicious activity and is worth the investment in folds.

Acronis Cyber Protect and Acronis Cyber Protect Cloud deliver integrated security, backup, disaster recovery and management in a single solution. The solutions leverage AI-based anti-malware and ant-ransomware to provide unmatched cyber protection, reducing operating costs and increasing profitability. Learn more about our detection and response capabilities with Acronis Security + EDR.