
How CISOs should remediate a ransomware attack

It’s impossible to read the news without seeing at least one headline blaring about a breach, hack or attack. In the USA, the Colonial Pipeline experienced a Darkside ransomware attack that affected more than 10,000 gas stations.
Virgin Active was hit by a hack in early May 2021 and took weeks to re-establish its systems.
Vastaamo, a platform that provided therapy to thousands of patients, lost its data to hackers thanks to an unexpected security flaw. The hackers sent ransom demands to patients – pay up, or your personal information is public knowledge.
As Osler points out, the criminal networks and masterminds behind digital attacks are doing their jobs and have every motivation to do these jobs extremely well.
The sheer volume of events is a concern. The threat actors and the methods they use are increasingly sophisticated and complex, taking advantage of even the slightest gap in a company’s defences. Many attacks are extremely malicious, and some are driven by intentions other than just money or data. But, and this is really important, don’t panic and don’t pay the ransom.
Transparency is key, as is full insight into how serious the compromise may be, and the challenge that lies ahead. Next step – contain the breach.
Determine which servers and systems have been infected and contain them as quickly as possible to minimise the damage and the spread. Notify the teams and get people off the network as fast as possible – from the mobile device to the server mainframe.
Once you’ve contained as much of the breach as possible, you need to identify the source. It’s absolutely critical to identify how this got into the organisation and the level of access that the hackers have. Even if you switch everything off and rebuild everything from scratch, you still need to know how they got in so you don’t add that vulnerability straight back into the business. Find patient zero.
“If you pay, the hackers will look at other companies in your sector and simply replicate their success story with someone else,” says Osler.
“And they may come back to you for more. Payment is a risk; non-payment is a risk. Either way, you’ve been hacked and you need to have plans in place to protect your business and your information.”
This means that your business continuity (BCP) and disaster recovery (DR) strategies need to be tested as rigorously as they can be, that you have clearly defined remediation processes in place, and that your detection systems are as cutting edge as they can get.
Learn lessons from the attack and treat the failure as an opportunity to close gaps and add additional controls. Double-check the policies, see what worked and what didn’t, and adapt internal training and systems to improve your security posture as thoroughly as possible. Most importantly, don’t panic, and don’t pay. Plan, protect, and plan some more.
