Written by: Jay H.
In the recent report issued by the Herjavec Group, 39 percent of victims listed on the data leak websites run by ransomware groups broadly fell into the manufactured goods category.
That was more than double any of the other industries listed. The next biggest targets were technology firms (18%), public sector and legal services (16%), then finance (11%), healthcare (6%), and education (4%). Clearly, manufactured goods firms are at great risk.
The report found that the most common ransomware variants included Conti, REvil, Avaddon, Cl0P, Darkside, Doppelpaymer, Babuk, and Netwalker. Many of these variants are human-operated rather than automated, which makes defence particularly difficult for organizations.
Bad actors typically deliver ransomware through phishing campaigns. These campaigns rely on the victim downloading and opening an infected file, usually delivered via email. It is no surprise, then, that human error accounts for 88 percent of all data breaches. Employee education goes a long way and can save your organization thousands!
Responding To Ransomware
When responding to a ransomware incident, the Herjavec Group provided the following tips:
- First things first: Disrupt any active infections by removing the infected device from the network until it can be re-imaged or cleaned. Do this by unplugging the network cable or turning the device off altogether.
- Paying the ransom: Sometimes it works, but it isn’t recommended by Herjavec Group (or Design2Web IT) or law enforcement. Paying can embolden adversaries, and decrypting large amounts of infected data may be slower than restoring from backups, especially on network volumes.
- Leverage your proactive resources: Restore data from backups and re-image the infected devices from known-good images. This eliminates the detected ransomware along with any other malware that may have been downloaded alongside it.
- Eradicate the source of the infection: If you suspect that attackers delivered the malware via email, it may be helpful to find the source email and delete it from all mailboxes to prevent reinfections.
- Be prepared: Have an Incident Response team on retainer so they can step in and respond most effectively and efficiently during an active infection.
To prevent ransomware from encrypting your files, the Herjavec Group provided the following suggestions:
- Deploy advanced web and email gateway protection.
- Block potential adversary threat vectors such as adware, known bad domains (blacklists for C2 servers), and unknown/unclassified domains by leveraging web content filtering appliances or firewall features. This can cause minor impacts to the business, but if you are intentional about which appliances and firewall features you implement, the restrictions will generally be tolerable.
- Implement advanced endpoint protection, including behaviour-driven analysis.
- Ensure your endpoint protection examines traffic for behaviours, rather than just file-matching.
- Deploy a Microsoft Group Policy to restrict software’s ability to run from %appdata% and “temp” folders. Malware generally uses these locations because every user can write to them at a predictable path, and their permissions cannot be tightened without affecting system function. However, there are few, if any, legitimate reasons for software to install to or run from these directories. If the malware can’t run, it can’t do any harm.
- Restrict web browsing and email use by privileged users such as administrators. Have separate accounts for administration and day-to-day computing.
- Implement Privileged Access Management best practices. Minimize the permissions to network file shares. Give the ability to write/modify files only to the users that require it and only to the necessary locations.
- Enforce a policy that no one should store corporate information on local hard drives, USB drives, or other local storage. Files stored on the network are typically backed up and can be restored with minimal disruption to the business.
- Educate the people using your devices to recognize spam and phishing emails and what to do if they receive them.
- Prepare for the worst, and have an Incident Response plan ready. The worst time to decide what to do about an attack is after it has occurred.
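As an added example, not taken from the Herjavec Group report or from Design2Web IT, the %appdata%/temp execution restriction above expressed as an AppLocker policy that is dry-run and then applied with PowerShell. It assumes a Windows 10/11 or Server host with the AppLocker cmdlets and the Application Identity service available; the output file name, rule GUIDs and sample paths are constructed for this example.

```powershell
# Added example: deny EXE launches from per-user AppData (which contains %TEMP%)
# and from C:\Windows\Temp, while keeping the standard allow rules so installed
# software keeps working. Assumes AppLocker is available; GUIDs are made up.
$policyPath = Join-Path $PWD 'block-appdata-exe.xml'   # assumed output location

@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Deny rules win over allow rules in AppLocker -->
    <FilePathRule Id="11111111-1111-1111-1111-111111111111" Name="Deny EXE from user AppData (includes %TEMP%)"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222" Name="Deny EXE from Windows Temp"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\Temp\*" /></Conditions>
    </FilePathRule>
    <!-- Default allow rules: an enforced collection with no allow rules blocks everything -->
    <FilePathRule Id="33333333-3333-3333-3333-333333333333" Name="Allow Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="44444444-4444-4444-4444-444444444444" Name="Allow Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="55555555-5555-5555-5555-555555555555" Name="Allow Administrators everything"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: copy a harmless signed binary into the user's Temp folder (where
# droppers usually land) and evaluate it next to the original in System32.
$testExe = Join-Path $env:TEMP 'notepad-copy.exe'
Copy-Item "$env:windir\System32\notepad.exe" -Destination $testExe -Force
$samples = @($testExe, "$env:windir\System32\notepad.exe")
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
  Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $testExe -Force

# Apply locally in audit mode first (requires an elevated shell), review
# 'Microsoft-Windows-AppLocker/EXE and DLL' event 8003 for a few days, then
# set EnforcementMode="Enabled" and push the same XML through Group Policy.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```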
MSPs: Strengthening Your Cyber Defences
Working alongside a trusted managed IT service provider such as Design2Web IT will fortify your manufactured goods firm’s cyber defences. Our services include monitored malware and ransomware protection, amongst other areas. Contact us today to learn how we can protect your business from the largest cyber threats.