RISE with SAP Featuring Snohomish PUD Register
Search

Understanding & Defending Against Ransomware Attacks

What is Ransomware and How Does It Work?

Ransomware is a type of malware (malicious software) that encrypts a victim’s files or locks their computer, effectively rendering them inaccessible to the user. The attacker then demands a ransom payment in exchange for restoring access to the files or device.

Ransomware can infect a computer system through a variety of methods, such as malicious email attachments, fake software updates, or drive-by downloads from compromised websites. Once the ransomware is executed on a victim’s device, it can begin to encrypt files or lock the device.

The Different Types of Ransomware

There are several different types of ransomware, each with their own characteristics and methods of operation. Some of the most common examples include:

Encrypting Ransomware

This type of ransomware encrypts the victim’s files or data, making them inaccessible without a decryption key.

Locker Ransomware

This type of ransomware locks the victim’s computer or device, preventing them from accessing their files or using their device.

Scareware

This type of ransomware displays fake warnings or pop-ups on the victim’s device, claiming that their computer is infected with a virus or other malware. The victim is then prompted to pay for a fake anti-virus software to remove the supposed threat.

Doxware

Also known as leakware or extortionware, this type of ransomware threatens to publish or leak the victim’s sensitive information, such as personal files or confidential data, unless the ransom is paid.

Mobile Ransomware

This type of ransomware targets mobile devices, such as smartphones or tablets, and can lock the device or encrypt its data.

RAAS (Ransomware-As-A-Service)

RaaS is distributed through a network of affiliates, who use pre-packaged ransomware kits to launch attacks in exchange for a percentage of the ransom payments.

Common Threat Vectors for Ransomware Infection

Some common sources that can often lead to a ransomware attack include:

  • Internet-Facing Vulnerabilities and Misconfigurations
  • Phishing
  • Precursor Malware Infection
  • Third Parties and Managed Service Providers

Signs of a Ransomware Attack
and How You Can Detect It

Some common signs that may indicate a ransomware attack include:

Encrypted Files

If you are unable to access your files and notice that their file extensions have been changed or they have been renamed, it may indicate that they have been encrypted by ransomware.

Pop-up Messages

Some ransomware displays pop-up messages or alerts on the victim’s screen, which may demand payment in exchange for decryption keys or threaten to delete the files.

Locked Computer or Device

If your computer or device becomes unresponsive or is locked, it may indicate a ransomware infection.

Slow or Unresponsive System

Ransomware may cause your system to slow down or become unresponsive due to the resource-intensive encryption process.

Missing Files

Ransomware may delete or move files as part of its attack, leaving you with missing files or folders.

Unusual Network Activity

Ransomware may use your network to communicate with the attacker’s servers or to spread the infection to other devices on the network, leading to unusual network activity.

Best Practices for Protecting Against
Ransomware Attacks

Regularly Backup Your Data

Backup your important data regularly, preferably on a separate device or in the cloud. This will allow you to restore your data in the event of a ransomware attack without paying the ransom.

Keep Your Software Up-To-Date

Keep your operating system, software, and applications up-to-date with the latest security patches and updates. Vulnerabilities in outdated software can be exploited by attackers to launch ransomware attacks.

Educate Employees

Educate employees about the risks of ransomware attacks and provide training on how to identify and avoid phishing emails and other common attack vectors.

Implement Access Controls

Implement access controls to limit access to sensitive data and resources, and consider using multi-factor authentication to add an extra layer of security.

Protecting Business Critical Applications Against Ransomware

Onapsis protects the application layer with the Onapsis Platform and serves an essential part of our clients’ plans to protect their SAP and Oracle applications from ransomware:

  • Onapsis provides automatic visibility into critical vulnerabilities, missing important patches and security updates, misconfigurations–identifying all open doors–which is a crucial component for ransomware prevention. Once all possible entry points are identified, they can be closed/addressed, which reduces an organization’s attack surface.
  • Through continuous monitoring and real-time alerts, Onapsis helps monitor real-time attempts to access critical SAP and Oracle systems.
  • With code analysis prior to moving into production, and in transport, Onapsis can help identify malware or new vulnerabilities before they are released to the public. Code vulnerabilities may appear to be low risk, but we have seen examples like SolarWinds where a small risk can turn into a large security incident. Onapsis generally sees one critical vulnerability per 1,000 lines of code, but our clients generally have millions of lines of custom code. It’s important to close those open doors to prevent any access to business-critical systems.

Developing a Ransomware Incident Response Plan

Protecting against and preparing for Ransomware can be challenging, but the most important best practice is to be prepared and have a plan. According to SANS, there are six steps in order to properly handle a security incident: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

  • Preparation: Preparing for a security or ransomware incident begins with research of existing processes, who within the organization should have access to information, and who needs to be involved should an incident occur.
  • Identification: Identifying your most valuable data, where it is located, and how you will operate should this data be inaccessible is the next step.
  • Containment: Developing a plan for how you will contain a given security incident or ransomware attack is the next critical step.
  • Eradication: Planning for how your team will eradicate ransomware is another vital step in your incident response plan.
  • Recovery: If any sensitive or proprietary data was lost or encrypted, this step aims to recover that data and ensure it is no longer in the wrong hands.
  • Lessons Learned: What part of this response plan worked? What didn’t? This is the time to truly evaluate the effectiveness of your response plan and communication.

Annual Tabletop Exercises

CISA Tabletop Exercise Packages (CTEPs) for example, can be a starting point or foundation for your organization’s preparedness. Simulated ransomware attacks enable an organization to identify gaps in incident response plans. This can not only help the IT and security teams feel prepared, but the board and other stakeholders. Practice and preparedness helps teams be measured instead of chaotic in the event of an incident.

Read The Whitepaper Watch On Demand Webinar

Steps Your Organization Can Take to be More Prepared for Ransomware

01. Review your incident response plans (or start developing one) and continuously evaluate whether it is sufficient should a security event arise.

02. Conduct tabletop exercises with stakeholders in your organization at least once a year.

03. Patch known & exploited vulnerabilities and address misconfigurations.

04. Establish visibility for your organization’s full attack surface and anticipate how threat actors may seek to take advantage of any weaknesses.

Steps Your Company Can Take to Recover from A Ransomware Attack

In the event your company has already fallen victim to a ransomware attack, CISA guidance recommends these steps. Here is some high-level guidance to begin to recover:

01. Isolate Infected Systems: Immediately isolate infected systems from the network to prevent the ransomware from spreading to other devices.

02. Assess the Damage: Assess the extent of the attack and determine which systems and data have been affected. Conduct a thorough investigation to identify the source and scope of the attack.

03. Restore Data from Backups: Restore your data from backups, if available. Ensure that the backups are clean and do not contain any malware.

04. Implement Additional Security Measures: Implement additional security measures to prevent future attacks. This may include updating software, implementing access controls, and training employees on cybersecurity best practices.

05. Conduct a Post-Incident Review: Conduct a post-incident review to evaluate the effectiveness of your response and identify areas for improvement. Use this review to update your incident response plan and improve your security posture.

Recent Ransomware Attacks in the News

SAP Patch Day: July 2024

Read More

SAP Patches High-Severity Vulnerabilities in PDCE, Commerce

Read More

Five things security teams need to know about the latest MOVEit Transfer bug

Read More

In today’s world, people want to know what’s going on with their personal data

Read More

Cybercriminals target SAP vulnerabilities

Read More

Ready to eliminate
your SAP cyber security
blindspot?

Let us show you how simple it can be to protect your business applications.

Request A Demo

©2024 Onapsis | All rights reserved