Nov 09 2017

4 Steps Agencies Can Take to Bounce Back from a Ransomware Attack

Don’t just focus on keeping the threat out; prepare your system now to minimize an attack’s impact once it’s inside.

In recent months, ransomware attacks have rocked several state and local government agencies, which are particularly vulnerable to attack because of their small IT teams on tight budgets. But even as agencies begin to tighten security, implement effective best practices and training, and bring in new suites of security software, every agency should be prepared to fall victim to a ransomware attack.

“Of course, you are going to try to prevent the infection. The problem is that the chances of preventing that infection aren’t always 100 percent,” Gartner Research Director Robert Rhame told attendees of the Commvault GO 2017 conference on Nov. 7, speaking at the session “Bounce Back from Ransomware and Destructive Malware.”

Rhame offers several tips on how agencies can effectively prepare their systems and teams to bounce back from a cyberattack that finds its way inside. Here are four steps that can best help state agency IT teams prepare:


1. Form a Single Crisis Management Team

Once an attack is inside the system, it’s important to get all hands on deck to understand the threat, contain it and make decisions as to how to best come back from it, said Rhame.

By establishing this team beforehand, all members will be prepared for their part in combatting the attack — as long as they have the tools at hand to communicate.

“This means you’re going to require, most likely, out-of-band communications,” said Rhame. “If you don’t have email, how are you going to communicate? If you don’t have a [Microsoft] Exchange server and they don’t have you listed as a contact, how are they going to get your contact information?”

2. Set the Stage to Reduce the Ransomware’s Impact

Organizations should assume that ransomware will get into their IT systems and design their infrastructure so that, once inside, it cannot run at full capacity.

“You want to make sure that the ransomware’s chance of actually executing while it’s on a server or workstation is minimized. Or that its ability to get to a control structure is cut off,” said Rhame.

Organizations should also ensure that if one part of the organization is hit, the infection does not take out the rest of its systems.

“Essentially what you’re doing is trying to contain the attack,” said Rhame. “That comes with compartmentalization, minimizing your windows for loss.”

Implementing basic segmentation can keep ransomware contained. This means putting up firewalls between the user zone and the server zone, said Rhame.

“Basic compartmentalization is something that needs to be implemented. It basically prevents scanning, hookups, lots of things,” he said.

3. Update Agency Disaster Recovery Systems

Early this year, an auditor’s report found that the state of Michigan was not fully prepared for an IT emergency and lacked plans to restore infrastructure, intranet and other vital systems. But the state isn’t alone.

“A lot of the organizations I talk to set up disaster recovery back in the day when a disaster was an asteroid coming through the atmosphere and taking out the data centers,” said Rhame. “They have synchronous replication set up and … when something gets encrypted, everything gets replicated.”

To prevent this, agencies should review their current disaster recovery setup and ensure the recovery techniques in place can actually keep data safe from a ransomware attack.

“You need to have set up snapshots or read-only aspects called journaling so that the content that’s being replicated can be stepped back in time as opposed to being a true copy,” said Rhame.
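As an added illustration of the replication-versus-journaling point above (a constructed example, not from the article or from Gartner or Commvault): a synchronous mirror copies each write the moment it happens, so the encrypted versions land on the replica too, while an append-only journal can be replayed only up to the last clean write. The file names, contents and the `Journal`/`Volume` classes are all made up for this demonstration.

```python
"""Constructed model: a synchronous mirror copies the ransomware's encrypted writes,
while an append-only journal lets the volume be stepped back to the last clean write."""
from typing import Dict, List, Tuple

class Journal:
    """Append-only write log. Past entries are never modified, so they survive
    an overwrite of the live data (the 'read-only aspect' of journaling)."""

    def __init__(self) -> None:
        self.entries: List[Tuple[int, str, bytes]] = []  # (seq, path, content)

    def record(self, path: str, content: bytes) -> int:
        seq = len(self.entries) + 1
        self.entries.append((seq, path, content))
        return seq

    def replay(self, up_to_seq: int) -> Dict[str, bytes]:
        """Rebuild the volume as it was right after sequence number up_to_seq."""
        state: Dict[str, bytes] = {}
        for seq, path, content in self.entries:
            if seq > up_to_seq:
                break
            state[path] = content
        return state

class Volume:
    def __init__(self, journal: Journal) -> None:
        self.files: Dict[str, bytes] = {}
        self.journal = journal
        self.mirror: Dict[str, bytes] = {}  # synchronous replica of the live data

    def write(self, path: str, content: bytes) -> int:
        self.files[path] = content
        self.mirror[path] = content  # replication copies whatever was written, good or bad
        return self.journal.record(path, content)

def simulate_encryption(vol: Volume) -> None:
    """Stand-in for a ransomware overwrite: every file is replaced by junk."""
    for path in list(vol.files):
        vol.write(path, b"ENCRYPTED:" + bytes(reversed(vol.files[path])))

def run_scenario() -> Tuple[Dict[str, bytes], Dict[str, bytes], Dict[str, bytes]]:
    """Returns (live files, mirror, journal replay to the last clean write)."""
    journal = Journal()
    vol = Volume(journal)
    vol.write("/records/permits.csv", b"permit,holder\n1,alice\n")  # constructed data
    last_good = vol.write("/records/budget.csv", b"fy2018,1000\n")
    simulate_encryption(vol)
    return vol.files, vol.mirror, journal.replay(last_good)
```

After `run_scenario()`, the live volume and its mirror hold only the encrypted contents, while the journal replay returns both files exactly as they were before the overwrite.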

4. Patch Systems Frequently

For many organizations hit by WannaCry, the attack could have been prevented if they had installed a patch that Microsoft released nearly three months prior to the attack.

“There’s a lot of organizations that don’t patch very frequently,” said Rhame, adding that this allows cyberattackers to take advantage of vulnerable systems, whereas developing cyberthreats that can take advantage of up-to-date systems is a much more difficult task. “Keeping up-to-date with known, critical vulnerabilities is very important.”

While patching and ensuring that systems are up-to-date are particularly important to reducing an agency’s vulnerability to attack, leadership and IT teams need to realize that even these best practices may not keep them safe.

“No security tools are 100 percent, that’s what you’re up against, so you need to protect as if something will evade them,” said Rhame. “There is no silver bullet.”

