Expanded security for SAP Business Technology Platform is here. Read More
Search

12 Days of AppsMas: SAP Security: 4 Steps to Respond to a Ransomware Attack

By: Maaya Alagappan
December 15, 2021

Ransomware groups continue to keep organizations on their toes and they’re not slowing down for the holidays. A joint alert from Cybersecurity and Infrastructure Security Agency (CISA) and the FBI shares that cybercriminals have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends over the last several months. The German Bundesamt für Sicherheit in der Information- stechnik (BSI) also issued warnings about ransomware attacks during the next few weeks. In our last blog, we went over 10 proactive steps organizations can take to prepare for a ransomware attack. Today, we’ll jump into the steps to take should your organization fall victim to a ransomware attack.

For more on how to mitigate the threat of ransomware to your SAP applications and up-leveling your SAP security, read our whitepaper or watch our on-demand session with SAP CISO, Richard Puckett and Onapsis CEO Mariano Nunez.

If an organization experiences business disruption from what could be a ransomware incident, it’s important to follow the business continuity plan (BCP) and incident response (IR) runbooks already established. Organizations should also work closely with government agencies and CERT organizations like Cybersecurity and Infrastructure Security Agency (CISA) in the United States or the German Bundesamt für Sicherheit in der Information- stechnik (BSI). These organizations can offer knowledge, assistance, and lessons learned from other incidents they have encountered.  

To minimize impact of an attack, the business incident response plan should be fully vetted, with a pre-defined, cross-functional response team with identified key leaders across IT, finance, legal, and communications as well as scenario runbooks with clear deliverables. Organizations should also consider having third-party recovery service teams on standby should a ransomware event occur. When the time comes for action, an organization’s incident response should incorporate, at a minimum, the following steps: 

1. Identify which systems were affected

Scope to identify which systems were affected to see whether those compromised systems can be isolated. If the systems can be isolated, then isolate them immediately to prevent incoming and outgoing connections, preventing lateral movement of the initial infection. If systems cannot be isolated, refer to the BCP that incorporates the business processes supported by the affected systems, fall back to the backup process, and power off the affected systems. 

2. Evaluate affected systems

Evaluate the affected systems to identify their optimal restoration and recovery processes. 

3. Prepare an initial assessment

Prepare an initial assessment of the facts that were captured during the initial reconnaissance and analysis. Internal and external teams — such as the SAP Basis team who are responsible for keeping the SAP landscape healthy and up to date, the security operations team, or the third-party incident response team — identified in the BCP should be activated to provide further context and insights into the attack across the IT landscape. 

4. Leverage forensic techniques

If the systems cannot be recovered initially, leverage traditional forensic techniques in order to capture as much system evidence as possible. This should include a system image, a system memory dump, whenever possible, and images or logfiles of affected devices. For SAP applications that are part of scope, organizations must be able to fully assess the history of what happened at the application layer, as it’s vital to consolidate information coming from the diverse application logs as well as from the database itself. Furthermore, this consolidation should also consider the context of SAP applications in order to be impactful and actionable in the event of a response. 

Ransomware is constantly evolving and is becoming increasingly lucrative for cybercriminals. These threat actors have the means and will to exploit critical vulnerabilities, running malicious software through unpatched, unprotected SAP application layers. To protect your most critical business applications and avoid being a victim of ransomware this holiday season and the future, SAP and Onapsis recommend that organizations follow the steps outlined in our joint whitepaper and on-demand session with SAP CISO, Richard Puckett and Onapsis CEO Mariano Nunez.
 

More SAP Security Resources

More 12 Days of AppsMas Blogs

Tags
appsmas ransomware SAP Security
About the Author
Maaya Alagappan
Maayaa Alagappan is a marketing professional with a strong focus on data privacy and risk management. She leverages her expertise in cybersecurity to craft strategies that not only protect sensitive information but also build trust with customers. By aligning security practices with marketing goals, Maayaa helps organizations enhance their brand’s reputation and ensure compliance in an increasingly digital marketplace. Her unique blend of marketing and cybersecurity knowledge makes her a valuable asset in developing campaigns that prioritize both customer engagement and data protection.
More about this author
Back to Blog
Further Reading
SAP Patch Day: October 2024
Get the latest SAP security updates for August 2024. Find out about the HotNews and High Priority Notes, and the vulnerabilities...
Read More
Assessing Your SAP Implementation: Tips from Onapsis Research Labs
Learn how the S_ICF authorization object in SAP ABAP systems enhances security by restricting access to RFC destinations,...
Read More
SAP Patch Day: September 2024
Get the latest SAP security updates for August 2024. Find out about the HotNews and High Priority Notes, and the vulnerabilities...
Read More

©2024 Onapsis | All rights reserved