How to quickly regain control after a ransomware attack

With the number of ransomware attacks continuing to climb worldwide, businesses are focused on taking steps to avoid falling victim. Rigorous defence measures and user education sessions are being rolled out to reduce risks and lower the chances of disruption.

However, while such steps are necessary, attention also needs to be given to how an organisation would gain control of its IT infrastructure should an attack take place. Security experts warn ransomware attacks are inevitable and are no longer an ‘if’ but ‘when’ it will happen to us.

Initial reaction

In the days and weeks following a ransomware attack, businesses can lose trust in their overall IT infrastructure. It can be unclear which systems have been compromised and what data has been accessed by the criminals. Security teams may also be unsure exactly how the ransomware infiltrated the network or whether data was exfiltrated.

In many cases, IT teams react to a ransomware attack with a complete shutdown of all systems on the network. This approach is taken to prevent the further encryption of data and the lateral movement of the attackers.

Even though such an approach may succeed in limiting an attack, it also brings business activity to a screeching halt. A better strategy ensures the rapid recovery of access to business-critical applications while not interfering with the network’s clean-up and data restoration.

Such a strategy is essential for businesses that do not pay the ransom demand. They will be under immense economic pressure to act quickly. Therefore, they need to rapidly ensure that the attackers have been removed from the network and data backups have not also been encrypted.

Adopting the principle of least privilege

In response to the growing threat posed by ransomware, businesses are increasingly embracing the concept of least-privileged access achieved through zero trust. They begin from a starting point of zero access permissions for each employee or system and then define permissions using specific policies, so that access to information and resources is only granted when there is a legitimate purpose.

A zero-trust-based strategy can help to quickly establish the permissions for granular application-level access for business-critical systems, even in a worst-case scenario such as a ransomware attack. This can ensure the rapid return of employees to business operations. At the same time, the infected systems are cleaned up in the background.

Regaining control

To quickly and effectively recover from a ransomware attack, some key steps are required.

The first is building a zero-trust overlay to help the business continue operating. Systems and data vital to operations are identified, and staff access is provided based on their role. If they don’t need access, it is not granted.

Next, the IT team should gain insight into all data streams and their context within the business. A multi-layered security approach that supports the clean-up of individual clients and scans end-user devices for hidden malware should be implemented.

Only scanned devices should be allowed access to the required applications via the zero-trust framework. If all outgoing traffic from employees and servers is monitored after the systems have been restarted, the attackers’ command and control traffic may be detected.
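The first two steps above describe a per-request access decision (role policy plus device scan status, default deny) and egress monitoring for command-and-control traffic once systems are back online. The following Python is an added illustration written for this article, not code from the author or from Zscaler; the role policy, the device records, the 24-hour scan-freshness limit and the egress log lines are all constructed, and the beacon heuristic (flagging source/destination pairs whose connection intervals are nearly constant) is one simple detection approach, not a description of any product.

```python
"""Zero-trust overlay decision and egress beacon check (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Step 1: the overlay starts from zero permissions. Only roles listed here
# get anything, and only the applications named for that role. (Assumed policy.)
ROLE_POLICY = {
    "finance": {"erp", "payroll"},
    "warehouse": {"wms"},
    "it-admin": {"erp", "wms", "payroll", "backup-console"},
}

MAX_SCAN_AGE_HOURS = 24  # assumed freshness limit for an endpoint scan


@dataclass(frozen=True)
class Device:
    device_id: str
    scanned_clean: bool    # endpoint scan finished with no findings
    scan_age_hours: float  # hours since that scan completed


def access_decision(role: str, app: str, device: Device) -> tuple[bool, str]:
    """Step 2 gate: allow only role-permitted apps from a recently scanned, clean device."""
    if app not in ROLE_POLICY.get(role, set()):
        return False, "no policy grants this role access to the application"
    if not device.scanned_clean:
        return False, "device not verified clean"
    if device.scan_age_hours > MAX_SCAN_AGE_HOURS:
        return False, "device scan is stale"
    return True, "allowed by role policy and device posture"


# Constructed egress records: "<unix_ts> <src_ip> <dst_ip:port> <bytes>".
# 10.0.1.15 contacts one external host every 60 seconds; 10.0.1.22 is irregular.
EGRESS_LOG = """\
1700000000 10.0.1.15 203.0.113.7:443 612
1700000060 10.0.1.15 203.0.113.7:443 598
1700000120 10.0.1.15 203.0.113.7:443 610
1700000180 10.0.1.15 203.0.113.7:443 605
1700000240 10.0.1.15 203.0.113.7:443 601
1700000011 10.0.1.22 198.51.100.30:443 15234
1700000450 10.0.1.22 198.51.100.30:443 2201
1700000900 10.0.1.22 198.51.100.30:443 88100
"""


def find_beacons(log_text: str, min_connections: int = 5, max_jitter: float = 0.2):
    """Flag (src, dst, mean_interval_s) for pairs whose intervals barely vary.

    Jitter is (max_gap - min_gap) / mean_gap; regular check-ins score near zero.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        times[(src, dst)].append(int(ts))

    flagged = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_connections:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = sum(gaps) / len(gaps)
        if mean == 0:
            continue
        jitter = (max(gaps) - min(gaps)) / mean
        if jitter <= max_jitter:
            flagged.append((src, dst, round(mean)))
    return flagged


if __name__ == "__main__":
    clean = Device("laptop-finance-01", scanned_clean=True, scan_age_hours=2.0)
    print(access_decision("finance", "erp", clean))
    print(access_decision("finance", "backup-console", clean))
    print(access_decision("finance", "erp", Device("laptop-02", False, 1.0)))
    print(find_beacons(EGRESS_LOG))
```

The decision function refuses anything the policy does not explicitly grant, so adding a new application to the recovery overlay means adding it to a role, never loosening a default. The beacon check is deliberately simple and will also flag legitimate periodic traffic (monitoring agents, update checks), so its output is a review queue for the team, not an automatic block list.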

Third, the IT team will need to detect potential attack surfaces. Due to the growing number of systems exposed to the internet, attack surfaces are constantly expanding, and the IT team may lack insight into exactly what is vulnerable.

This problem is significant and widespread. For example, according to a recent survey published by Zscaler, more than 202,000 common vulnerabilities and exposures (CVEs) were found within 1,500 companies, where more than 400,000 servers could be openly controlled via the internet. In addition, almost half of the companies surveyed used outdated protocols, which increased the possibility of attack.

The survey also found more than 60,500 exposed instances on Amazon Web Services, Microsoft Azure Cloud, and Google Cloud Platform. Outdated infrastructure components that are no longer administered also represent loopholes for attackers.

Preparation is key

While there is no question that preventative measures are vital, businesses also need to have response plans to cover what will happen when an attack occurs.

By taking advantage of a zero-trust strategy and identifying which critical infrastructure components will be needed first to keep the business functioning, IT teams will be best placed to recover from a ransomware event quickly. Failure to do this could result in weeks or months of disruption and loss.

Steve Singer
Steve Singer is Regional Vice President and Country Manager - Australia and New Zealand for Zscaler.