Guidelines for addressing ransomware attack incidents

To effectively respond to ransomware attacks, businesses first need to have a thorough and accurate understanding of ransomware. This solid foundation helps optimize the prevention of such attacks. The following is a guide on how to mitigate ransomware incidents, helping businesses minimize negative impacts from ransomware attacks.

1. Enabling and delegating preventive measures

Ransomware Attacks require rapid and decisive response to minimize damage. Hence, authorizing IT or information security personnel to enact urgent prevention measures is critical. This approach expedites the response process, rather than adhering to traditional authorization procedures that can be time-consuming.

Empowered IT or information security staff should be capable of making quick decisions in the initial stages of an attack, such as disabling specific services or disconnecting devices from the network. Delegating them to independently implement emergency measures (minimizing jurisdictional disputes) is crucial. Delegating authorization for each individual measure separately can be time-intensive, heightening the risk of further attack spread.

In addition to internal efforts, organizations should proactively seek support from external experts, including authorized entities such as the National Cyber Security Centre and cyber security monitoring and response units. Delegating key personnel to engage and collaborate with external experts should commence immediately to ensure swift and efficient responses in the event of an attack.

2. Forming a crisis management team

When facing a ransomware attack, promptly assembling a Crisis Management Team (Incident Response Team - IRT) is paramount. The IRT may receive support from external cybersecurity experts to ensure optimal effectiveness in handling the incident.

The IRT plays a pivotal role in:

Coordination and assignment of responsibilities/tasks:

• Identifying specific roles and responsibilities for each team member.
• Assigning tasks tailored to the capabilities and expertise of each individual.
• Ensuring close coordination among relevant departments.

Feasibility assessment:

• Analyzing the attack situation to determine severity and scope of impact.
• Assessing potential remediation solutions and selecting the most optimal approach.
• Considering data and system recovery capabilities.

Deployment and monitoring of solutions:

• Implementing preventive measures and incident remediation according to the predefined plan.
• Closely monitoring the deployment process to ensure effectiveness and making timely adjustments if necessary.
• Monitoring post-incident to ensure system stability and safety.

The IRT should include experienced members with expertise in the following areas:

• Chief Executive Officer (CEO)/Executive Director: Providing overall leadership and direction for the IRT's activities.
• Business perations Manager: Ensuring continuity of business operations to the extent possible.
• Information Security Expert: Analyzing incidents, proposing solutions, and implementing technical measures.
• IT Specialist: System recovery, supporting solution deployment, and ensuring technical operations.
• Communications Specialist: Effectively conveying incident information to relevant parties.
• Legal Advisor: Providing legal counsel on incident-related issues and data protection.

3. Proceed with crisis management

a. Assessing the situation, formulating response plans

Evaluating the overall situation based on current data is imperative to craft the most effective response strategy, emphasizing the following dimensions:

• Immediate notification of relevant stakeholders about the attack (employees, board members, clients, partners, regulatory bodies, security entities) is essential to ensure timely support and prevent communication and legal crises.
• Assessing the criticality and direct impact of the compromised data on core functionalities and business operations.
• Determining the direct or indirect financial ramifications of the incident and ascertaining the organization's financial readiness.
• Identifying other potential contingencies stemming from the attack and their likelihood, such as the risk of a data breach or the repercussions of leaked data on the enterprise or its clientele.
• The crisis management team must meticulously maintain logs of the incident, documenting each phase of the attack and recovery in a chronological manner. A precise and comprehensive record is indispensable for recovery efforts, incident comprehension, and legal safeguarding of the enterprise.

Additionally, the crisis management team is tasked with ensuring continuous updates and adjustments to the plan, enhancing its efficacy throughout the response endeavor.

b. Develop and activate recovery plan

If the organization has an existing ransomware recovery plan, proceed with its implementation. If not, focus on the following points:

Limit the attacker's activities and prevent spread through the system

• Assess the root causes of the ransomware attack (identify systems and accounts involved in the initial breach, which may include email accounts), isolate the affected systems immediately.
• Inspect and evaluate the extent of impact on the system and implement measures to restrict the attacker's activities and prevent their spread.

Check and remove malicious software

• Assess the status of the attacker's connection to the system to determine if they have caused system damage or installed any malware.
• Conduct scanning and completely remove malware from the system to prevent re-infection.

Restore services and business operations

• Identify and prioritize core services and business operations for restoration.
• Establish procedures and methods to quickly and effectively restore system and service (consider building a clean network area, restore data and then move to the clean network area for protection).

Contact cyber insurance company (if applicable)

Liên hệ với công ty bảo hiểm mạng để tận dụng các dịch vụ hỗ trợ từ chuyên gia an ninh được bảo hiểm cung cấp, như hỗ trợ tư vấn và khôi phục dữ liệu.

Do not pay ransom to attackers

nitially, it may seem like the ransom cost is lower than resolving the crisis independently. However, businesses should never pay ransom in any case because:

• Allowing ransom payment could lead to recurring attacks. Even if the operation is shut down, recovery may take considerable time, expense, and may not guarantee complete data recovery.
• Paying criminals may lead to serious legal consequences for the business.
• Ransom payment could be deceptive if the malware has destroyed files rather than encrypting them.
• Paying ransom supports the growth of cybercrime.

4. Implementing a comprehensive recovery plan

Following the immediate actions taken to mitigate the attack, organizational management/leadership should focus on executing a thorough and detailed recovery process.

Verify critical systems and services:

Ensure that all critical systems and services have undergone thorough inspection and complete restoration post-attack. This guarantees their availability and readiness for seamless business operations.

Conduct detailed security checks:

Reassess current security measures and enhance them if necessary to ensure that the system is not compromised again. This includes updating software, deploying new security solutions, and reviewing security procedures.

Analyze and learn from the incident:

Conduct a thorough analysis of the attack's causes and learn from the experience to improve security measures and risk management in the future. This may involve adjusting security policies, providing training for employees, or investing in new security solutions.

Establish backup recovery plans:

Develop and implement backup recovery plans to be prepared for potential future attacks. This includes regular data backups, setting up automatic backup systems, and ensuring readiness for quick data restoration when needed. Successful data recovery from backups can reduce overall incident costs by 41% (At-Bay, 2023).

Enhance communication and information dissemination:

Strengthen communication channels and information dissemination practices to ensure all stakeholders are adequately informed about the post-attack scenario and the measures undertaken to address it.

Evaluate risks and propose preventive measures:

Utilize insights gleaned from the attack to reassess potential risks and recommend proactive measures to forestall future incidents.

Businesses, especially those with limited cybersecurity capabilities, can optimize cybersecurity effectiveness by collaborating with specialized entities in incident response and cybersecurity protection. According to a 2022 Deloitte survey, 81% of business executives opt to use services from external providers for all or part of their cybersecurity solutions. This underscores the tangible benefits of collaboration.

The advantages of partnering with incident response and cybersecurity protection entities are as follows:

Cost optimization for businesses:

• Reduced initial investment: Businesses don't need to spend a large amount on purchasing equipment, software, and hiring professional cybersecurity personnel.
• Reasonable operational costs: Outsourcing cybersecurity services often costs less than building and maintaining an in-house cybersecurity department.
• Pay-as-you-go model: Businesses only pay for services actually used, avoiding unnecessary costs for unused services.

Enhanced security effectiveness:

• Experienced professionals: The team of cybersecurity experts is well-trained, experienced, and regularly updated on the latest threats and solutions.
• Advanced solutions: Businesses are provided with advanced and effective cybersecurity solutions, minimizing the risk of cyberattacks and protecting the system securely.
• 24/7 monitoring: The network system is continuously monitored 24/7, helping to detect and timely prevent potential threats.

Enhanced compliance capabilities:

• Compliance assurance: Businesses receive support to fully comply with current cybersecurity regulations and standards.
• Provision of guidance documents: Businesses receive detailed documentation and guidance on cybersecurity compliance procedures.
• Regular assessments: Support for conducting regular cybersecurity assessments to ensure the system meets security requirements.

Helping businesses focus on core business activities:

• Reduced cybersecurity burden: Businesses don't need to worry about cybersecurity issues, freeing up resources to focus on core business activities.
• Improved operational efficiency: Ensuring security enables businesses to operate more efficiently, increasing productivity and profitability.
• Minimized risks: Businesses minimize potential risks from cyberattacks, protecting their reputation and brand.

Collaborating with incident response and cybersecurity protection entities is an effective solution for businesses to enhance their information security capabilities, proactively prevent and respond promptly to cyberattacks in general, and ransomware attacks in particular, safeguarding data and network systems.

Understanding the need to enhance information security capabilities, VNETWORK offers comprehensive VNIS Web/App/API security solutions and EG-Platform comprehensive email security solutions. VNETWORK's security solutions are committed to protecting businesses' information systems from all cyberattacks, minimizing maximum damage, and maintaining stable business operations.

With over 10 years of experience in the security industry, VNETWORK is certified as a Science and Technology Enterprise by the Ministry of Science and Technology under number: 59/DNKHCN, achieving cybersecurity standards ISO 27001, ISO 20000-1, and being recommended for use by reputable security organization Gartner.

For ransomware attacks, the VNIS platform acts as a "steel shield" significantly limiting the negative impacts on a business's information system. VNIS can detect and automatically block all critical security vulnerabilities listed by OWASP (Top 10 OWASP) such as Broken Access Control, SQL Injection, Cryptographic Failures, ensuring constant protection for the business website. Additionally, with over 2,000 security rule sets combined with the ability to manage CRS (Core Rule Set), the business website is ensured to be safe, preventing attackers from exploiting security vulnerabilities to encrypt or unlawfully access data.

According to Cybersecurity Ventures in 2023, email is the most commonly used method for spreading ransomware. Statistics indicate that 92% of ransomware attacks originate from phishing emails, and 64% of ransomware victims click on links or open attachments in emails. It is forecasted that the number of ransomware attacks will increase by over 30% in 2024, accompanied by the use of artificial intelligence (AI) to craft sophisticated spoofed emails to deceive recipients.

With the increasing complexity and scale of ransomware attacks via email, VNETWORK introduces the EG-Platform - a comprehensive email security solution. This system acts as an email firewall with robust email security capabilities in both sending and receiving directions through three layers of filtering:

• SpamGUARD: Effectively blocks spam emails (Anti-Spam Inbound).
• ReceiveGUARD: Guards against phishing emails, ransomware, targeted attacks (APT, BEC), viruses, and malware.
• SendGUARD: Manages and controls emails before sending.

Comprehensive email security mechanism of EG-Platform

Applying advanced and intelligent email security technology, EG-Platform effectively handles all types of targeted email attacks, detecting and preventing viruses as well as new email threats with outstanding features including:

• Machine learning technology: Automatically analyzes and learns from attack data, aiding in the rapid and efficient detection and prevention of new email security threats.
• Artificial Intelligence (AI) technology: Enhances the ability to identify and block sophisticated and complex attacks.
• Virtual area: Examines and analyzes incoming emails to identify harmful behaviors from new, uncategorized viruses, effectively filtering and blocking malicious emails.
• Content transformation to images: Converts email content into images if malicious links are detected, helping to limit users from clicking on virus-containing links.
• Email transmission monitoring and analysis: Promptly notifies and handles suspicious signs and abnormal changes in email transmission, minimizing damage and ensuring user operations are secure.
• Comprehensive, detailed system report: Provides comprehensive, continuous information on the attacked status and situation of emails for users to adjust their email usage behavior promptly.
• Flexible customization based on needs: Helps users enhance security capabilities while ensuring convenient email usage.

Currently, ransomware attacks are increasing exponentially in both quantity and complexity. Choosing the appropriate security solution is a prerequisite for businesses, directly impacting the safety, stability of systems, reputation, business operations, and user experience.

With robust infrastructure, advanced technology, and an experienced team of experts, VNETWORK's comprehensive security platform VNIS and EG-Platform email security solution ensure high readiness, effectively preventing attacks. For detailed information and quotations, please contact us via hotline: +84 (028) 7306 8789 or email: contact@vnetwork.vn.