Ransomware is on the rise. Here’s how to recover from an attack.

According to a recent survey, nearly 50% of all organizations have been struck by some type of ransomware in the last 12 months. Furthermore, CNN reports that $209 million was paid to ransomware hackers in just the first quarter of last year. If you think you won’t become a victim, think again. Even if you have a strong cybersecurity incident response strategy in place, it’s just as important to know what to do in the event that a threat slips by undetected.

If you find you’ve been hit by a ransomware attack, here’s what you need to do to mitigate damages and get things back on track as quickly as possible.

Step 1: Avoid clicking on anything unfamiliar.

It’s not uncommon for hackers to use pop-up messages in an attempt to entice users into their trap. For instance, a dialog box might pop up containing a message that indicates your computer has been infected and instructing you to take certain steps to rectify the problem. Unfortunately, doing so will only make matters worse. Avoid clicking on anything that’s unfamiliar or even the slightest bit suspicious.

Step 2: Disconnect from the network.

The ultimate danger of ransomware is that it is designed to spread through the network as quickly and invasively as possible. To mitigate damages, you must take the appropriate measures to thwart the malware’s infiltration. As soon as you believe you’ve been infected, immediately disconnect your device from the network. If you are accessing the internet via WiFi, turn it off. If you are connected via an Ethernet cable, unplug it right away. The more quickly you cut off access to your network, the less havoc the hackers will be able to wreak.

Step 3: Save and troubleshoot.

As soon as you’ve disconnected from the network, the next step is to save any and all important documents or files you’ve been working on. Then, reboot your computer in safe mode. Once you’ve rebooted, run a virus scan. Hopefully your cybersecurity incident response strategy includes adequate virus protection that’s designed to both detect and eradicate any identified malware. In the absence of this type of security software, you may need to use another device to download the software, save it onto a flash drive and then run it on the infected device accordingly.

Step 4: Restore your system.

If your anti-virus software doesn’t do the trick, you may need to restore your system back to a previous period, prior to the ransomware infection. Provided this feature was never manually disabled, running a system restore from safe mode should be pretty easy and straightforward. To begin, simply choose Advanced Boot Options and then select Repair Your Computer. From there you should see an option for System Restore. Launching this will result in your device restarting in an older version.

Step 5: Examine your files.

The next step will depend on the type of ransomware that has infected your device. If you can’t locate your files (or the shortcut icons for them), that means they’ve either been hidden or they’ve been encrypted. To determine what type of mess you’re dealing with, start by finding your hidden files. Open your File Explorer and choose Computer (or This PC). Click the View tab and choose Hidden Items. If a list appears here, you should be able to restore your files easily by simply right-clicking each item, choosing Properties and unchecking “Hidden.”

If your files do not appear in the Hidden area of your computer, this unfortunately means your data has likely been encrypted. That means the hackers were able to lock up your data and they will only release what they’re holding “hostage” if you agree to pay their proposed fee (hence the term “ransomware”). This is why a cybersecurity incident response strategy that includes frequently backing up data to the cloud or external resources is so critically important.
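
A scripted version of the check in Step 5, as an added example that is not part of the original article: it walks a folder and separates files that are merely hidden from files whose contents look encrypted. It goes beyond the File Explorer check by testing file headers and byte entropy; the header table, the 7.5 bits-per-byte threshold and the sample files are assumptions constructed for illustration.

```python
import hashlib
import math
import os
import stat
import tempfile
from collections import Counter

# Leading "magic" bytes for a few common document types (not exhaustive).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, tune on your own files
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_hidden(path: str) -> bool:
    """Hidden attribute on Windows; dot-prefix convention on other systems."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def looks_encrypted(path: str) -> bool:
    """Known extension: the header must match. Unknown extension: entropy test."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is not None:
        return not head.startswith(expected)
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage(root: str) -> dict:
    """Walk root and sort every file into hidden / likely_encrypted / intact."""
    report = {"hidden": [], "likely_encrypted": [], "intact": []}
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            try:
                if looks_encrypted(path):
                    report["likely_encrypted"].append(rel)
                elif is_hidden(path):
                    report["hidden"].append(rel)
                else:
                    report["intact"].append(rel)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort
    return report


def build_sample_tree(root: str) -> None:
    """Constructed sample files: two readable, two holding ciphertext-like bytes."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    samples = {
        "notes.txt": b"quarterly numbers, draft 2\n" * 40,
        ".budget.txt": b"hidden but readable\n" * 40,  # dot-prefix: hidden off Windows
        "report.pdf": noise,        # PDF extension without a %PDF header
        "photo.jpg.locked": noise,  # unknown extension, high-entropy content
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for verdict, names in triage(tmp).items():
            print(verdict, names)
```

Run it against a copy or a read-only mount of the affected folder; files in the likely_encrypted list are the ones to restore from backup.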

Step 6: Don’t let it happen again!

If you’ve been unlucky enough to have been hit by ransomware, you’re not alone. Aside from being a huge headache and possibly costing your organization a good deal of money, this unfortunate event should serve as a lesson in how important it is to take proactive measures that will improve your level of protection against such attacks.

Start with a highly effective monitoring system, and then leverage tools like automated cybersecurity incident response to establish a closed-loop process. And, above all else, educate your employees on how to properly back up files and recognize the signs of potential malware. Taking the steps to prevent as well as being prepared to remediate an attack is key.

Is your organization as safe as it could be from costly ransomware attacks? Fortify your defense with our automation and orchestration platform, designed to pinpoint, isolate and destroy all types of cybersecurity incidents – including ransomware. Try it for yourself today.

How to Get Critical Systems Back Online in Minutes

What Happens in a Ransomware Attack?

According to Cisco, ransomware is the most lucrative form of malware in history, and attacks are only expected to get worse, both in terms of the number as well as complexity. Hackers who once used ransomware as a tool to extort money from individuals are now leveraging advanced tactics to compromise data from large corporations with the intention of selling it for a profit.

We’ve talked at length about how to respond to and recover from a ransomware attack, but it can be helpful to understand what exactly such an attack entails. Insight like this can improve employee education. Knowing the various phases of an attack, along with best practices for preventing them, is key to avoiding costly and time-consuming remediation.

That said, let’s take a look, step by step, at what happens when a ransomware attack is initiated.

Step 1 – Initial Infection (Estimated time: 1-2 seconds)

Most ransomware hackers gain access to a target network via social engineering, such as a phishing email. Educating employees on how to spot a phishing scam can dramatically reduce the risk to your organization by preventing successful breaches before they occur.

Step 2 – Execution (Estimated time: 0 – 5 seconds)

Once a malicious link is clicked or infected file opened, the ransomware is able to gain a foothold, quickly infiltrating the network and locking up files. In a matter of seconds, malware executables are released into the victim’s system where they begin to quickly wreak havoc.

Step 3 – Backup Corruption (Estimated time: 5-10 seconds)

The next step involves the ransomware virus targeting backup files and folders. This prevents the user from restoring corrupted files from backup, which is what makes this type of malware so profitable. Victims often have no choice but to pay the fee or risk losing all of their data with no way to replace or restore it.

Step 4 – File Encryption (Estimated time: 10 seconds – 2 minutes)

Once the victim’s backups are successfully removed, the ransomware then executes a secure key exchange with the server, thereby putting encryption keys in place.

Step 5 – User Notification (Estimated time: 2-15 minutes)

With the victim’s backup files gone and the encryption successfully established, the final phase involves notification to the user and demand for the proposed ransom. In many cases, the user is given a specified amount of time in which to pay the fee or the amount will begin to increase.

Ultimately, your organization’s defense against these attacks will depend on your level of preparedness. Along with employee education, it’s equally critical to employ the right tools that will allow you to effectively monitor, detect, respond and eradicate these threats. Automated security playbooks, for example, initiate workflows which remediate affected devices while also preventing further propagation. Suspected attacks immediately trigger the playbook to automatically initiate remediation and mitigation procedures.
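
One way a monitoring tool could use the phase order and timings above to trigger a playbook early in Step 4, as an added example (not Ayehu's code): it correlates backup tampering with a burst of distinct files being rewritten on the same host. The event format, event names, thresholds and host names are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 120  # upper bound the article gives for the encryption phase
MIN_REWRITES = 20     # assumed threshold: distinct files rewritten per window


@dataclass(frozen=True)
class Event:
    ts: float   # seconds since monitoring started
    host: str
    kind: str   # "backup_delete" or "file_rewrite" (hypothetical event names)
    path: str


def detect(events):
    """Return one alert per host whose rewrite burst crosses the threshold."""
    rewrites = defaultdict(deque)  # host -> (ts, path) pairs inside the window
    backup_hit = {}                # host -> time its backups were last tampered with
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "backup_delete":
            backup_hit[ev.host] = ev.ts
            continue
        if ev.kind != "file_rewrite" or ev.host in alerted:
            continue
        window = rewrites[ev.host]
        window.append((ev.ts, ev.path))
        while ev.ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()  # drop rewrites that fell out of the window
        # Count distinct paths so repeated saves of one file do not add up.
        distinct = len({path for _, path in window})
        if distinct < MIN_REWRITES:
            continue
        # Backup tampering shortly before the burst matches Step 3 -> Step 4.
        tampered = ev.ts - backup_hit.get(ev.host, float("-inf")) <= WINDOW_SECONDS
        alerts.append({"host": ev.host, "ts": ev.ts, "files": distinct,
                       "severity": "critical" if tampered else "high"})
        alerted.add(ev.host)
    return alerts


def sample_events():
    """Constructed telemetry for three hosts (not real log data)."""
    evs = [Event(6.0, "ws-017", "backup_delete", "backup-catalog")]
    # ws-017: 60 distinct files rewritten, one every half second from t = 12 s
    evs += [Event(12 + 0.5 * i, "ws-017", "file_rewrite", f"docs/f{i}.xlsx")
            for i in range(60)]
    # ws-022: a user saving the same document 40 times within a minute
    evs += [Event(1.5 * i, "ws-022", "file_rewrite", "docs/plan.docx")
            for i in range(40)]
    # fs-01: 25 distinct files, but only one per minute
    evs += [Event(60.0 * i, "fs-01", "file_rewrite", f"share/r{i}.csv")
            for i in range(25)]
    return evs


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

On the constructed data only ws-017 is flagged, and the alert fires on its twentieth rewritten file rather than after the burst has finished, which is the point at which an isolation playbook still limits the damage.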

Best of all, you can try these playbooks for yourself, absolutely free of charge for 30 days. Simply click here to launch your Ayehu trial today.


5 Steps for Responding to a Ransomware Attack

Just when you thought it was safe to go back to work without worrying about potentially becoming a victim of ransomware, the savvy criminals behind these attacks up their game (e.g., WannaCry). The fact is, while companies may now be well aware of the risks they are facing, hackers continue to stay a step ahead, identifying newer vulnerabilities to exploit and finding more effective strategies for getting what they want. In fact, we often say it’s not so much a matter of if you will be attacked, but rather when.

That’s why having a response and remediation plan in place is so important. The sooner you are able to thwart the attack, the less likely you’ll be to have to pony up the ransom. If you’re not sure where to begin, here are five key steps that can help you bounce back quickly from a ransomware incident.

Prepare – Of course, the first step in developing a strong defense to ransomware should always be prevention, as much as possible. IT personnel should be diligent about patching any known vulnerabilities as soon as they’re discovered and also take the appropriate measures to ensure that any and all additional access routes are effectively contained. Also, routinely back up and safely store all important files.

Detect – Effectively guarding against today’s sophisticated cyber-attacks requires the use of advanced threat intelligence technology. These tools are designed to block breach attempts and also alert the security team of a potential incident so that it can be addressed as quickly as possible. Keep in mind that tools like anti-virus software aren’t always effective in detecting ransomware, particularly attacks that are initiated via social engineering.

Contain – One of the biggest reasons why malware is so harmful is that it can spread throughout a network very quickly, effecting as much damage in as little time as possible. The goal of any good ransomware response strategy should be to isolate and contain the virus before it has a chance to proliferate. This can dramatically reduce the potential damage the virus can inflict.

Eradicate – Once the ransomware virus is detected and contained, the next step is to eradicate it from the network. Any machines affected should either be replaced or thoroughly cleaned and continuously monitored thereafter.

Recover – As mentioned above, it’s critical to regularly back up your files. Once you’ve done so, deleting the infected files and restoring the good ones is easy. Your data remains safe and the criminals leave empty handed. As part of the recovery process, an investigation should be conducted to further identify sources of potential vulnerabilities as well as processes and policies that may need revision in order to prevent future attacks.

When it comes to ransomware and other types of cybersecurity threats, there’s no foolproof way to completely eliminate risk. The best way to protect your organization and prevent significant financial and reputational damage is to invest in the right technology. Automated cybersecurity incident response is designed to help with all five phases of ransomware response above – and all without the need for human intervention.

Keep your company a step ahead of hackers. Download your free 30 day trial of Ayehu today!


What is ‘WannaCry’ Ransomware and How Can You Keep Your Organization Safe?

If you haven’t yet heard, there’s a new kind of ransomware and it’s wreaking havoc across the globe. It’s appropriately called ‘WannaCry,’ and it has thus far claimed some 350,000 victims in over 150 countries worldwide. As these numbers appear to be on the rise, IT professionals everywhere are taking notice, attempting to head the virus-spreading malware off at the pass before they become part of the statistic. Here’s what you need to know in order to keep your organization secure.

What is WannaCry?

WannaCry is a unique form of ransomware which uses a flaw in Microsoft software to deploy a malicious virus. Given the widespread popularity of Windows, it’s not surprising that once the vulnerability was exploited, it spread rapidly across many networks, affecting organizations in almost every industry. The fact that the vulnerability was so broadly available and the ability to spread quickly without human intervention created the ideal environment in which the “worm” could flourish.

Once deployed, the Wanna Decryptor program locks all of the data on a computer system and leaves the user with only two remaining files: the WannaCry program and instructions on what to do next. Infected users are given a few days to pay the proposed ransom or risk permanent deletion of their files. A Bitcoin address is provided to which the user is advised they must pay up in order to release their data from the malware.

How can organizations protect themselves?

While most organizations have virus protection in place that is supposed to protect against ransomware, this particular strain was able to bypass so many existing protective measures that it affected hundreds of organizations across the globe, including the United Kingdom’s National Health Service and Telefonica in Spain. In other words, despite some of the most sophisticated defense mechanisms, many well-known enterprises were unable to prevent the virus.

As with any other type of cyber-attack, the best defense against WannaCry is a good offense. As hundreds of IT professionals are scrambling to pick up the pieces and recover from this most recent attack, it’s become even more evident that preventing threats is simply not always possible. The key then is to be able to respond as quickly as possible to mitigate damages, something that can’t be effectively accomplished without the help of machine technology – that is, automation.

A Secret Weapon…

Rapid automated response remediates devices affected by the WannaCry virus, then blocks the ransomware’s lateral and upward propagation, thereby protecting the entire enterprise network. Suspected ransomware attempts will immediately trigger a playbook to automatically initiate remediation and mitigation procedures.

Additionally, thanks to machine learning capabilities, the automated tool can initiate security controls, build indicators of compromise and implement them on the network infrastructure. This will facilitate faster identification of existing infections as well as helping to block future ones from occurring in the first place.

The WannaCry ransomware outbreak serves as an important reminder that no organization is safe from the risk of a cyber-attack. Its massive success also reminds us that despite our most valiant efforts, preventing such an attack is simply not always possible. As such, having the right orchestration and automation platform in place to quickly pinpoint, isolate and eradicate the problem is key.

Want to give your enterprise this added level of protection? Launch your free trial of eyeShare today.

eBook: 5 Reasons You Should Automate Cyber Security Incident Response

C-Suite Priorities: Protecting against ransomware with cyber security incident response


This article was originally published as a guest post on the Cyber Security Buzz blog.

Security executives are under increasing pressure to keep sensitive networks, systems and data safe from threats which are rapidly increasing in both frequency as well as complexity. It’s no surprise, then, that CSOs and CISOs often find themselves in the hot seat when it comes to the topic of cyber security. Their roles are changing along with the new daily challenges they face, and as such, they are working tirelessly to remain abreast of the latest cyber-threat news.

In particular, with ransomware steadily on the rise and cyber criminals developing new and improved ways to expose and exploit vulnerabilities, IT leaders have no choice but to re-examine their cyber security strategies to ensure that they are strong enough to withstand the variety of incoming threats they face. By investing in an incident response plan as the first line of defense, executives can provide the added protection of instant identification and isolation of the threat before it has a chance to wreak havoc.

The fact is, as the landscape of cyber threats continues to evolve and expand, it’s becoming abundantly clear that traditional preventative approaches to network and data security are no longer effective. In fact, even Gartner believes that detection and response are the foundation of a successful cyber security strategy. No organization is immune to potential attack and without the ability to quickly pinpoint and remediate a successful breach, the outcome could be nothing short of devastating, both from a financial as well as a reputational standpoint.

Compounding the problem is the increasingly widespread adoption of cloud technology and the IoT. Simply put, migration to the cloud fundamentally changes IT security. In a cloud or hybrid environment, the focus must shift to monitoring and managing incident response. Likewise, with more and more connected devices being incorporated into the workplace, the risk of potentially becoming a victim of a ransomware attack increases exponentially. Now, instead of a few vulnerabilities, the office becomes a potential gold mine for hackers, which means much more work for security professionals.

What’s the solution? While preventative measures, such as firewalls and malware monitors have their place, the best defense an organization can take against security breaches is a more robust incident response strategy that covers all bases. Specifically, a system that integrates with, enhances and extends the capabilities of existing systems and applications to create a more holistic, streamlined and highly-effective process.

A strong cyber security incident response strategy should be able to not only detect the signs of ransomware, but automatically analyze, isolate and contain the threat so that it cannot cause any additional damage. The isolated virus can then be eradicated and the recovery process can automatically begin, effectively mitigating damages. This type of approach essentially closes the loop, creating a much more impervious defense against cyber-attacks, regardless of when, where and how many points of entry exist. Best of all, this can be handled entirely without the need for human input, solving the staffing shortage and addressing the skills gap in one fell swoop.

With the worldwide expenditure on enhancing detection and response capabilities expected to be a key priority for security buyers through 2020, the time for security executives to begin shifting their focus is now. By investing in a robust, automated cyber security incident response plan as the first line of defense, executives can provide their organizations the added level of protection they need to effectively thwart would-be attackers and manage threats in a way that will limit damages as much as possible.


Cyber Security Incident Response – A View from Inside the C-Suite

Today’s security executives are under increasing pressure to keep sensitive data, networks and systems safe from ever-evolving, ever-increasing threats. It’s no surprise that CIOs and CISOs are in the hot seat when it comes to cyber security incident response, and their roles are changing along with the new challenges they face on an almost daily basis. And despite drastic differences in terms of size, industry and even geographical location, there are certain consistencies that are present across most C-suite security professionals the world over.

Executive Perspective

The seemingly endless stream of news reports about successful cyber-attacks on large corporations and high-profile organizations combined with the subsequent backlash that follows – both financial and in terms of reputation – is certainly something that keeps security executives up at night. What once was of significant concern only for certain sectors, such as finance, is now something that leaders across all industries are beginning to take more seriously. Beyond the monetary impact, the underlying sensitivity centers primarily on loss of productivity and brand reputational damage.

Greater Risk = Greater Investment

Another hot topic behind closed doors of the C-suite is that of investment. Obviously, with the increased risk and greater awareness of sophisticated, complex and persistent threats, there is a much greater need for a strong cyber security incident response strategy. More and more security professionals are recognizing that traditional security methods are no longer adequate against today’s cyber-attacks. Furthermore, the focus is shifting from reaction and remediation to prevention. Still, a good number of executives remain unaware of the actual time and money being invested into security within their firms. As the landscape continues to change and evolve, however, this trend will likely also shift to reflect that.

The Rise of Ransomware

Not surprisingly, security practitioners at the executive level are working hard to remain abreast of the latest in cyber-threat news. With malicious programs like ransomware on the rise and cyber criminals developing new and improved ways to expose and exploit vulnerabilities, IT leaders have no choice but to re-examine their cyber security incident response plans to ensure that they are strong enough to withstand the variety of incoming threats they face.

Perhaps somewhat alarming, a recent study found that the vast majority of security executives who have not yet been targeted by a ransomware attack insist that they wouldn’t pay the ransom, yet nearly half of those who have been targeted actually did end up ponying up the demanded fee. This can be avoided by investing in an incident response strategy that features automation as the first line of defense, thereby providing the added protection of instant identification and isolation of the threat before it has a chance to wreak havoc.

Other areas of concern among C-suite security executives include the growing risks associated with increased adoption of the IoT, the need for greater awareness over security spending and the importance of leveraging automation as part of a comprehensive and heavily fortified cyber security incident response plan. Those interested in the latter can experience it for themselves with a free 30 day trial by clicking here.


Protecting Against Ransomware: Don’t React. Prevent.

*This article was written by Ayehu Founder & CEO Gabby Nizri and originally published on CIOReview.

If there’s ever been a group of individuals who were dedicated to their craft, hackers would win the award, hands down. It seems these crafty criminals are finding new and improved ways to access the sensitive data they’re after on an almost daily basis. In 2016, the latest form of security threats to take center stage has been ransomware. If you’re not yet aware, this is a malicious program that, when deployed, locks up a device and holds all of its data ransom unless and until a specified amount of money is paid to the perpetrator. For an individual, this can be frustrating and costly. For an organization, it can be nothing short of catastrophic.

The key to avoid falling victim to a ransomware attack is to take a proactive approach, preventing rather than reacting. Here’s how.

Back up your data. First and foremost, you should be backing up your critical data to an external drive or via a secure backup service on a regular basis. The fundamental basis of ransomware is the encryption and disabling of personal and/or proprietary information. If the malware is successful but your data has been sufficiently backed up, the hackers will have zero leverage to collect on their demands.

Use technology to your advantage. The reason cyber criminals are so successful is because they are remarkably tech-savvy. They spend all of their time identifying vulnerabilities and taking advantage of these weaknesses to pursue their criminal intent. They’ve also found ways to assault their victims at an alarmingly relentless rate. The best and only effective way to combat this is to leverage technology in much the same way. Start with a solid monitoring system and fortify the process with automation.

Conduct regular audits. If you’re not making a concerted effort to identify areas where your organization might be most at risk, you can bet those who seek to do you harm will. Stay a step ahead of the game by conducting regular audits and tests to determine where you are most vulnerable and then adjust your approach accordingly. This will improve the chances of correcting potential weaknesses before they become a point of entry for hackers.

Develop and document best practices. Use the information you’ve gathered throughout the above steps to develop, document and hone a series of best practices for future protection against ransomware and other similar cyber-attacks. Remember to stay abreast of new methods and directions that cyber-criminals are using so that you can adjust your strategy accordingly.

Be prepared to fight fire with fire. Cyber-attacks aren’t limited to business hours. Hackers are working around the clock to find points of entry, and in many cases, will attack at times that they feel they’ll be least likely to be detected. Unless you can afford to employ an army of security professionals to work 24/7/365, your best chance of preventing an attack is to automate your incident response strategy. This will ensure that any and all threats are immediately identified, prioritized and addressed any time, day or night.

Have a plan in place to mitigate damages. Of course, despite our most valiant efforts, there’s no magic formula for completely eliminating the chance of a cyber-attack. Even with the right monitoring system in place and a highly skilled staff of security professionals at the helm, there’s always a chance that a threat might infiltrate your network. Make sure you have a solid plan in place to initiate rapid remediation so that if and when a ransomware attack makes its way in, it can be isolated and its progression halted as quickly and effectively as possible to mitigate potential damages.

Unfortunately, experts believe that incidents of ransomware and other similar security threats are only going to continue to increase, both in complexity and frequency. And considering the fact that everyone, from individual consumers to enterprise-level corporations and even government agencies are being victimized, it’s obvious that nobody is safe. The best way to protect your business and prevent your sensitive data from becoming compromised is to proactively plan ahead, stay informed and be adequately prepared to do battle if and when the time comes.


Cyber Security Incident Response: Dealing with Ransomware

If you haven’t heard of the latest form of cyber-attacks, the time to get acquainted with what’s known as ‘ransomware’ is now. With this type of threat, hackers obtain access to a user’s system and lock it up, offering to release control back to the user in exchange for a monetary payment. Just as its name suggests, this new type of online crime essentially holds the victim’s information hostage for ransom, and unfortunately, it’s something that both individuals and businesses must prepare for. Here are some basic steps you can take to beef up your cyber security incident response plan accordingly.

Prior to an Attack

As always, when it comes to cyber security incident response, the best offense is a strong and well-planned out defense. The following steps will help you be more prepared in advance for a potential attack:

  • Adopt a system that is capable of detecting ransomware quickly and effectively
  • Fortify any threat detection system with automation for enhanced protection
  • Educate all team members on what ransomware is, what signs to look for that will help identify a potential attack and who to notify in the event of an incident
  • Always ensure that all important data is properly backed up and stored in a separate location
  • Ensure that all members of your incident response team – from IT and legal to executives – have a clear understanding of their roles and responsibilities should a ransomware attack occur

During an Attack

Unfortunately, despite our most valiant efforts and solid cyber security incident response plans, threats may sometimes make it through the detection process. The key is taking the appropriate actions to help mitigate the potential damages that could occur as a result of an attack. If you find yourself dealing with a ransomware attack, don’t panic and focus on the following:

  • Do NOT pay the demand for ransom (and make sure all team members are aware of this policy)
  • Immediately disconnect any and all systems impacted by the attack from the network
  • Take appropriate steps to remove the virus if possible
  • If the virus is successful in its attempt to encrypt files, remove those files that have been affected and replace with backups

After an Attack

The other important component of a strong cyber security incident response strategy is dealing with the aftermath once an attack has occurred. Hopefully, provided you’ve followed the appropriate protocol, the damages will have been limited and no serious impact will have been incurred. A good post-attack strategy will also help you improve your incident management practices in the future.

  • Notify the appropriate authorities and regulatory agencies
  • Analyze how the attack occurred and identify areas where security should be improved
  • Review your current incident response plan and make necessary adjustments
  • Document and communicate any and all changes to team members for future reference

Like it or not, ransomware is a real and present danger to businesses in every industry today. A well-defined cyber security incident response plan can help protect your organization from becoming the next target of would-be criminals and keep your systems and sensitive data safe from falling into the wrong hands.

Want to beef up your IR plan and make it safer against threats like ransomware? eyeShare is the perfect solution. Download your trial today to get started.
