Your business has been hit with a ransomware attack and suddenly, you find yourself scrambling to access your critical data so you can resume business operations.
Restoring your data after a ransomware attack is probably the first thing that comes to mind, but ensuring your network is safe for the future is equally critical for complete recovery. Beyond recovering your data, the way you handle the aftermath of a ransomware attack is crucial to safeguarding your organization.
If you’re wondering what steps to take to secure your network, you’ve come to the right place. As an experienced ransomware recovery service, we know first-hand how malware and ransomware affect your business and network. We use this knowledge to plan preventative measures, learning from the cyber attacks we have already worked.
Unfortunately, repeated attacks are a frequent issue that ransomware victims face. In 2018, 54% of organizations surveyed had been victims of a ransomware attack. On average, survey respondents affected by ransomware were struck twice according to The State of Endpoint Security Today survey conducted by Sophos.
Repeated ransomware attacks often occur simply due to a lack of security knowledge and action.
At Proven Data, we have assisted businesses of various sizes with over 3,000 ransomware incidents. From these ransomware incidents, we collect forensic artifacts and analyze those artifacts to understand how the attacks occurred. When you have knowledge of how the attack happened, then you are able to put preventative measures in place.
Through our experience on the front lines, we have developed custom tailored solutions that efficiently and effectively protect a business in the short and long-term.
Whether you choose to work with Proven Data or not, you should know the required steps to give you the peace of mind that your network is safe from another ransomware attack.
By the end of this article, you will:
- Understand the methods used to detect and analyze a ransomware attack
- Know the steps to contain, eradicate and recover from the attack
- Be prepared with proactive measures to take to avoid future ransomware attacks
- Have a breakdown of the types and cost of cyber security services available for comprehensive protection
Crucial steps to take when you’re hit with ransomware
When a ransomware attack happens, time is critical. You want to know how you can quickly lock down your network and begin restoring data.
In a perfect world, there would simply be a switch you flip and the ransomware threat disappears. Unfortunately, it’s not that simple, but there are methods used by security professionals to get your organization back up and running again.
Effective incident response activities follow an established framework such as the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (SP 800-61). NIST recommends that you think of network security and incident response as a continuous cycle rather than a one-off cleanup: lessons from each incident feed back into preparation, so the protection of your network keeps improving, especially after an attack.
In this article, we outline the 4 step process of incident response activities after a ransomware attack:
- Preparation
- Detection and Analysis
- Containment, Eradication and Recovery
- Post-Incident Activity
NIST’s diagram of the incident response life cycle shows these phases as a loop: detection feeds containment and recovery, and post-incident lessons feed back into preparation, so each incident improves your security. But how does this process work specifically after a ransomware attack?
We’ve broken the steps down for you below:
1. Preparation
Many organizations find themselves as victims of ransomware attacks because they fail to take proactive cyber security measures. Response time is critical when your data has been compromised, and being prepared ahead of time with an incident response plan increases the success and speed of recovering from an attack.
The preparation stage includes taking steps to defend your data before an attack happens. Comprehensive preparation includes implementing cyber security policies, procedures, and products.
2. Detection and Analysis
The second step following a ransomware attack is to detect and analyze malware, back-doors, or other active threats on your network.
Some of the methods used to detect and analyze a ransomware attack include:
- Endpoint Detection and Response (EDR)
- Rapid Response Triage Investigation
- Deep Dive Investigation
Below, we break down the process and costs of these methods:
Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR) is a software solution that rapidly detects and responds to malicious threats on your network. EDR software records system activities and events in real-time on your network which are then used to provide security teams with visibility to discover those threats.
Endpoint Detection and Response (EDR) Costs
An EDR solution typically costs between $3 – $7 per user per month.
Rapid Response Triage Investigation
If you don’t know how the ransomware attack occurred on your network, you won’t know where to start to close any potential vulnerabilities.
A Rapid Response Triage Investigation will help you better understand the incident. Triage is the rapid collection of a targeted set of digital evidence (for example Windows event logs, registry hives, scheduled tasks and remote-access logs) rather than a full forensic image of every system. It is the most basic form of digital forensics investigation.
Ransomware threat actors are continually changing their tools and attack methods, so this investigation is critical to understanding your specific situation.
The Rapid Response Triage Investigation can help you:
- Determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited)
- Identify what user accounts were utilized by the threat actor and for how long
- Attempt to geo-locate the source IP addresses of the logins to the system
The analysis typically takes about 5 hours. When the Rapid Response Triage is completed, you will understand how the attack occurred and the recommended steps to close the vulnerability.
In some cases the attacker performed anti-forensics (for example clearing event logs), or you formatted or reimaged the original infected device. This means that the forensic artifacts needed for the analysis no longer exist. For that reason, do not wipe or rebuild affected machines before the evidence has been collected; isolate them from the network and, where possible, take a disk image first.
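The account-usage questions a triage answers (which accounts the attacker used, over what period, and from where) can be illustrated with a small script. The following is an added example, not Proven Data’s tooling: it runs over a handful of constructed records in a flattened form of Windows Security log events (EventID 4624 successful logon, 4625 failed logon, LogonType 10 RDP), assumed to have been exported from the affected host, and classifies source addresses as internal or public so that the public ones can be geo-located separately.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real data). Format is an assumed flattened
# export of Windows Security events: EventID 4624 = successful logon,
# 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP), 3 = network.
SAMPLE_EVENTS = [
    "2020-06-01T02:11:04Z 4625 LogonType=10 Account=administrator Source=185.220.101.5",
    "2020-06-01T02:11:09Z 4625 LogonType=10 Account=administrator Source=185.220.101.5",
    "2020-06-01T02:11:15Z 4624 LogonType=10 Account=administrator Source=185.220.101.5",
    "2020-06-01T02:40:33Z 4624 LogonType=3  Account=svc_backup   Source=185.220.101.5",
    "2020-06-01T09:02:10Z 4624 LogonType=10 Account=jsmith       Source=10.0.0.23",
    "2020-06-02T23:58:41Z 4624 LogonType=10 Account=administrator Source=185.220.101.5",
]


def parse_event(line):
    """Parse one flattened record into a dict; raises on malformed input."""
    timestamp, event_id, rest = line.split(None, 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "time": datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "logon_type": int(fields["LogonType"]),
        "account": fields["Account"],
        "source": fields["Source"],
    }


def is_external(ip):
    """True for publicly routable addresses; these are the ones worth geo-locating."""
    return ipaddress.ip_address(ip).is_global


def triage(lines):
    """Summarise successful logons per account: when, from where, and how many
    failed attempts from the same source preceded a success."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    failures = defaultdict(int)  # (account, source) -> failed attempts not yet followed by a success
    summary = {}
    for ev in events:
        key = (ev["account"], ev["source"])
        if ev["event_id"] == 4625:
            failures[key] += 1
            continue
        if ev["event_id"] != 4624:
            continue
        acct = summary.setdefault(ev["account"], {
            "first_seen": ev["time"], "last_seen": ev["time"],
            "sources": set(), "external_sources": set(),
            "external_rdp": False, "failed_before_success": 0,
        })
        acct["last_seen"] = ev["time"]
        acct["sources"].add(ev["source"])
        if is_external(ev["source"]):
            acct["external_sources"].add(ev["source"])
            acct["external_rdp"] |= ev["logon_type"] == 10
        # Failures from this source that preceded the success (brute force, then in).
        acct["failed_before_success"] += failures.pop(key, 0)
    for acct in summary.values():
        acct["active_seconds"] = int((acct["last_seen"] - acct["first_seen"]).total_seconds())
        # Heuristic: a success from a public address, or one preceded by failed
        # attempts, needs a human to look at it. Tune to your environment.
        acct["suspicious"] = bool(acct["external_sources"]) or acct["failed_before_success"] > 0
    return summary


def suspicious_accounts(lines):
    """Accounts to reset and investigate first, longest attacker dwell time first."""
    s = triage(lines)
    return sorted((a for a, v in s.items() if v["suspicious"]),
                  key=lambda a: (-s[a]["active_seconds"], a))


if __name__ == "__main__":
    for name, info in triage(SAMPLE_EVENTS).items():
        print(name, "suspicious" if info["suspicious"] else "ok",
              "first", info["first_seen"], "last", info["last_seen"],
              "external", sorted(info["external_sources"]))
```

On the constructed input the script flags `administrator` (two failed RDP attempts from a public address followed by success, active for nearly two days) and `svc_backup` (a network logon from the same public address), while the internal RDP session of `jsmith` is left alone. Real exports will need the parser adapted to your log format, and the public source IPs are what you would then run through a geolocation lookup.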
Rapid Response Triage Investigation Costs
The Rapid Response Triage Investigation costs between $1,000 – $2,000 per system analyzed, depending on which forensic artifacts are available, and billed hourly.
Deep Dive Investigation
A Deep Dive Investigation is a more comprehensive type of digital forensic investigation. Although it requires more hours, a deep-dive investigation can help determine if any files were accessed or removed from the network, which is a common result of ransomware attacks.
If you were attacked by Maze, Ragnarlocker, Lockbit, Sfile2, or Sodinokibi ransomware, the attackers most likely removed data from your network and will try to use it as extortion leverage. This list keeps growing as ransomware attackers have even recently formed an extortion cartel.
The deep-dive analysis can help you understand your exposure by telling you which files or folders were accessed during the attack. In some cases the investigation is effectively mandatory: a healthcare organization storing regulated data such as Protected Health Information (PHI) must determine whether that data was compromised, and under the HIPAA Breach Notification Rule a ransomware incident involving PHI is presumed to be a reportable breach unless a documented risk assessment shows a low probability of compromise.
Deep Dive Investigation Costs
A Deep Dive Investigation costs between $3,000 – $6,000 per system analyzed and is billed hourly. This cost varies depending on the hours required and if a report is needed.
It is important to note that the deep dive analysis also includes the rapid triage analysis, so both are not needed if you opt for the deep dive.
3. Containment, Eradication and Recovery
Now that you understand the detection and analysis methods used to investigate a ransomware attack, the next step is containing, eradicating and recovering from the attack.
These three steps together are used to remediate a ransomware attack.
If the attack is ongoing, containment activities are essential to ensure the attack is stopped before additional damage occurs.
Containment means limiting the attacker’s reach while the investigation continues: isolating affected hosts from the network, disabling the accounts the attacker used, blocking their source addresses and remote-access paths (for example exposed RDP or VPN), and stopping running malicious processes. Permanently removing malware and closing the vulnerabilities discovered in the Rapid Response Triage analysis follows under eradication.
Upon completion of the Rapid Response Triage analysis, you will receive a written summary and recommendations to guide you in removing the security vulnerability which was exploited.
If you do not have an IT resource to complete the required work, or prefer to have an expert handle it for you, we can help.
Remediation Assistance Costs
Remediation assistance can cost between $97 – $297 per hour and most issues can be solved in 3 hours or less on a small network.
Eradication refers to the removal of all the malicious elements from the affected network.
Eradication activities may include resetting passwords for every account the attacker used or could have harvested (including service accounts), removing malware, backdoors and persistence mechanisms such as rogue scheduled tasks, remote-access tools and newly created administrator accounts, or closing exposed ports.
EDR detections alone are not enough: when the EDR software flags a threat, someone has to investigate it and act on it.
Following a ransomware attack, a security monitoring period of at least two weeks gives you that coverage: detections are reviewed as they occur, and any threats found are investigated and acted on.
Security monitoring allows for rapid containment and removal of any active threats in real time before they inflict further damage.
Security Monitoring Costs
Security monitoring costs between $2,000 – $4,000 per week and depends on the number of hours spent monitoring and the number of devices.
After the incident has been successfully contained and threats are removed from your network, you can start the recovery process. Recovering from a ransomware attack may include restoring off-site backups or exploring other options for ransomware recovery. Before restoring, verify that the backups themselves were not encrypted or tampered with and that the exploited vulnerability has been closed; otherwise the restored systems are simply re-exposed to the same attacker.
Now that you have removed the active threats and closed the security vulnerability, you want to use the experience to strengthen your security for the future.
4. Post-Incident Activity
Following the NIST framework, the next step to securing your network after a ransomware attack is implementing measures to decrease your risk of a repeat ransomware attack.
Below, we break down the types and costs of post-incident actions you can take.
Security Architecture Assessment and Roadmap
Security architecture assessment refers to looking at how your current information security controls are protecting the confidentiality, integrity, and availability of the data your business uses and stores on your network.
When we identify weak areas of concern, we are able to design a solution to help better protect your organization against cyber threats.
The solution comes in the form of a security roadmap. A security roadmap helps you to position your security controls alongside your business goals to help you maximize your cyber security protection.
With a strong roadmap, you can clearly understand your current IT infrastructure and the path you should take to accomplish your security goals.
Security Architecture Assessment and Roadmap Cost
The assessment and roadmap is billed hourly and typically costs between $1,500 – $5,000 depending on the complexity of your network. This is normally a one-time cost and can be modified throughout the lifetime of your business.
Endpoint Antivirus Protection
Endpoint antivirus helps prevent and remove malware, viruses, worms, bots, and trojans.
If it’s in your budget to keep the EDR software from the investigation and monitoring period deployed permanently, that is recommended for the most comprehensive protection. However, you can still achieve strong protection on a lower budget with a standard endpoint antivirus solution.
Endpoint Antivirus Protection Costs
Endpoint antivirus costs between $3 – $5 per user per month on a workstation and $5 – $8 per server per month.
Advanced Cyber Security Offerings
If your organization’s budget allows, there are many more advanced cyber security services available.
Advanced cyber security offerings include:
- Penetration Testing: $3,000 – $20,000 depending on the size of your network and the complexity of testing
- Firewall Upgrade & Configuration: $1,500 – $15,000, depending on the size of your network
- Email Protection: $2 – $4 per user per month
- Vulnerability Assessment: $1,500 – $6,000 for a network with 1-3 servers and $5,000 – $10,000 for a network with 5-8 servers
- Incident Response Plan: $2,000 – $5,000 depending on the size of your network
How do I improve my cyber security today?
Now that you know the methods you can use to secure your network after a ransomware attack, you want to know the next steps you can take. We outline 4 ways to protect your data for free on our cyber security blog page.
Our Proven Data experts have successfully assisted with over 2,000 cyber incidents so we have observed many ways cyber criminals are able to inflict harm to a business.
According to former FBI Special Agent Patrick Gray of the Computer Crimes Division in our Operation Cyber Aware documentary, “…if [threat actors] get stymied at one vector trying to get into your network and do something, they’re going to find another way…but they’re always going to be out there…and they’re going to be targeting you.”
Experts like Mr. Gray firmly believe that the most robust cyber defense requires a layered approach to maximize the protection of your business. We agree, having first hand experience helping many clients recover from attacks due to lack of proactive cyber defenses. We are committed to helping you find the most effective cyber security protection for you.
The average cyber security budget in 2020 is an additional 5.6% to 20% of your total IT budget, accounting for company size and IT infrastructure. For example, if you are spending $10,000 per year on IT expenses, you should be spending an additional $560 – $2,000 on proactive cyber security solutions.
In the 2020 Sophos State of Ransomware report, they found that the average cost of ransomware remediation was a whopping $622,596. When you account for business disruption, ransom cost, rebuilding of systems, and other remediation efforts, the cost to recover from a cyber incident is far more than the cost of investing in preventative measures.
Reliable security protection is a long-term investment for your business that requires continual updates and attention to protect yourself from evolving threats.
Contact one of our cyber security experts today to develop a plan that best fits your security needs and budget.