The Aftermath of a Ransomware Attack: How to Recover and Better Prepare

The recent Kaseya VSA ransomware attack compromised approximately 60 MSPs and 1,500 of their respective clients’ systems, resulting in more than one million individual lockups. Even if your organization wasn’t affected by this most recent attack, there is ample reason to be vigilant: With 304 million attacks worldwide in 2020 alone (a 64 percent increase from 2019), the prevalence of ransomware attacks has warranted concern in recent years.

And, they’ll cost you: there was an alarming 171 percent increase in ransomware payouts between 2019 and 2020 – with the trend continuing today. While the downstream impact of this attack has been a focal point for many, the uptick in ransomware attacks – regardless of the network being targeted or the ransom amount – shows a trend in exploiting unsuspecting (and often under-trained) employees for efforts of much larger scale than consumer-level scams. This calls attention to the nascent ways that attackers can exploit security vulnerabilities, as ransomware evolves in severity.

When it comes to the recent Kaseya attack, there are lingering questions that need to be answered: Is it over? What is stopping threat actors from doing it again or something else?

We can agree that these are not ethical humans we are dealing with. They are financially motivated actors that may already have a foothold in your environment. Knowing the likelihood that your system will be compromised – a matter of when, not if – IT leaders must prepare for a surge in attacks of this nature, while planning for recovery in tandem.

How to Recover and Better Prepare

When remediation is necessary, incident response teams (DFIR) are typically engaged and should provide information on the initial infiltration method and post exploitation techniques used to deploy the ransomware. As you recover and learn more about how the attack unfolded, keep these considerations in mind:

1. Initial Infiltration: How did the bad actor enter your system? Typically, this happens in the form of phishing or weak remote access controls. Remember, ransomware is the final payload. Before the ransomware is deployed, the attackers need to infiltrate, use tools to move laterally, and exfiltrate network information as reconnaissance and critical data for extortion (in most recent cases). Understanding the moves that have been made will go a long way for your security beyond the initial incident.
   
   How you can be proactive moving forward: Mitigate risk with foundational capabilities like security awareness, secure email gateways, and multi-factor authentication. Limiting remote access and closely monitoring any remote entry points will also give you solid footing to identify bad actors early for remediation. Deception techniques are also a valid way in identifying potential malicious behavior early.
   
   
2. Post Exploitation: What should you do immediately after the attack? After exploitation, 30-day efforts should focus on hunting for malware that may be sitting dormant that would have been used as a delivery mechanism for the ransomware. This can come in many forms, but recently we’ve sought out modular malware like Dridex, Trickbot, Emotet, Qakbot, and others. If these are not discovered and eradicated, the attacker can once again use them as a backdoor to do more damage. In some cases, we have seen a new ransomware attack six months after the original attack caused by the same backdoor technique. It could be the same group, or even a scenario where compromised devices were sold to the next financially motivated bad guy on the dark web with a “100% guarantee that this victim will pay.” Once some remote access trojan or other attacker is in your environment, there are some things you can put in place to mitigate future damage.
   
   How you can be proactive moving forward:
• Antivirus protection provides a basic layer of defense, despite being weaker and more outdated than other methods. Make sure it is updated and always on.
• Patching is absolutely critical. The current state of patch management programs is pretty bad: Your vulnerable systems will be the first to be targeted, if not actively monitored and updated.
• Invest in an application audit. Understanding what “normal” looks like for your applications will better alert you to what is deemed suspicious. While application whitelisting may cause reservations for some IT teams, if a company has a handle on what apps are running and required from a business standpoint, it helps security prioritize what is a true threat. Audits increase confidence to ensure there is important context surrounding what is whitelisted and any exceptions.
  
  
3. Monitoring Nefarious Activity: What haven’t you considered? Once the environment is sanitized, it’s time to start taking proactive steps to avoid similar vulnerabilities in the future. By thinking about how an attack is carried out, you can better map the ongoing security you need to prevent and remediate others.
   
   How you can be proactive moving forward: Technology can only take you so far when protecting against increasingly adaptive, creative, and sophisticated attackers. Learn to think like the bad guys by investing in continuous threat hunting. With a spirit of resourcefulness and deep industry expertise, threat hunters notice patterns, build connections between real-world events, investigate interactions on the dark web, and more to catch things that other alerts and solutions miss.