Canada's Leading Incident Response Team
Ransomware Response
If your organization has been infected by ransomware such as Conti, LockBit or Ryuk and is struggling to contain the incident, contact us today!
Are you currently managing a security incident or need help with a cyber breach? Get in touch with our incident response team right away:
Overview
Deep Incident Response Expertise
Our team is composed of incident response specialists, crisis managers, threat intelligence analysts and digital forensics experts who have handled some of the largest and most complex ransomware breaches in Canada. We therefore possess deep insight into how ransomware operators gain a foothold in a targeted environment, elevate their privileges to move laterally, and exfiltrate sensitive corporate data and information long before ransomware is deployed.
We can help bolster your cyber defenses to mitigate the impacts of ransomware campaigns by hardening your systems against attack, actively hunting for threats within your organization and providing end-to-end incident response services in the event of a breach.
Global ransomware attacks have increased by 151%
(Source: “Ransomware Volumes Hit Record Highs as 2021 Wears On”, Threatpost, 3 August 2021. https://threatpost.com/ransomware-volumes-record-highs-2021/168327/.)
Our Response Methodology
Ransomware Threats Demand a Holistic Response
Ransomware attacks have evolved significantly over the years into a multidimensional threat. Sophisticated criminal supply chains have been created to facilitate a “Ransomware-as-a-Service (RaaS)” business model, where ransomware infrastructure is leased to other cybercriminal actors. Additionally, dark marketplaces have been established by initial access brokers, who specialize in breaching corporate networks and selling that access to ransomware operators who engage in cyber extortion campaigns. These criminal actors are also finding multiple ways to pressure victims into paying, by manually identifying and disabling critical systems, threatening to leak sensitive business data, and calling victims directly to intimidate them into releasing funds. Therefore, ransomware response demands a holistic strategy that can address the associated business, legal and public relations challenges in addition to the complex technical challenges that such attacks present.
In the event of a ransomware attack, our team can help establish and manage an incident command structure that will more effectively communicate, inform and coordinate actions between corporate decision makers, legal counsel and IT operations. We utilize incident response management software to help facilitate a 24x7 response through automated notification and alerting, and to provide stakeholders with a live incident timeline so they can follow our response actions up to the minute. Retainer clients are also provided with an emergency response hotline to report new incidents directly to our response team for immediate tasking.
The total cost of a ransomware breach in 2021 was $4.62 million, not including the ransom payment.
(Source: “Cost of a Data Breach Report 2021,” IBM, 28 July 2021. https://www.ibm.com/security/data-breach)
How to Prevent Ransomware Before You Become a Victim
While ransomware operators are increasingly adept at bypassing cybersecurity controls, there are effective key measures that can be taken to protect your business and mitigate the impacts. Chief among these is the deployment of a cloud backup solution. Should critical files be encrypted by ransomware, protected files can simply be restored to their original state, eliminating the need to pay the ransom to resume business operations. In addition to providing managed security services, our team can also provision and manage cloud backups including incremental file backup and full system images.
Other preventative measures include the implementation of a secure e-mail gateway to quarantine suspicious e-mails and file attachments. As phishing attacks and business e-mail compromise constitute the primary vectors that ransomware operators leverage to gain initial access, a multilayered e-mail security solution is a key preventative control. Solutions that combine both filtering and detection controls along with malware sandboxing capabilities, URL click detection, data loss prevention (DLP) functionality and threat intelligence feed ingestion are ideal. Additionally, configuring standard e-mail authentication methods such as SPF, DKIM and DMARC will help further prevent spoofing attacks.
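An added example, not part of the original page: a short Python audit of SPF and DMARC TXT record strings that flags settings which leave the spoofing protection described above ineffective, such as `+all` or `p=none`. The function names, the domain and all record values are constructed for illustration.

```python
# Added example: audit SPF/DMARC TXT record strings; names and records are constructed.

def parse_tags(record):
    # Split a DMARC record into lower-cased tag -> value pairs
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'}: receivers are not asked to block failing mail")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected")
    return findings

def audit_spf(record):
    terms = [t.lower() for t in record.split()]
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record (v=spf1 missing)"]
    findings, lookups, has_all = [], 0, False
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("/")[0]
        if name == "all":
            has_all = True
            if term in ("all", "+all", "?all"):
                findings.append(f"{term}: unlisted senders are not rejected")
        # Terms that trigger DNS queries count toward the limit of 10 (RFC 7208)
        if name in ("include", "a", "mx", "ptr", "exists") or term.startswith("redirect="):
            lookups += 1
    if not has_all and not any(t.startswith("redirect=") for t in terms[1:]):
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: over the limit of 10")
    return findings

# Constructed sample records for the placeholder domain example.com
WEAK_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_SPF = "v=spf1 mx ip4:192.0.2.0/24 -all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print(audit_spf(WEAK_SPF), audit_dmarc(WEAK_DMARC))
```

An empty list means none of these checks fired; it does not validate DKIM, which requires the signing key and a received message.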
Another popular attack vector that ransomware operators leverage to gain initial access is exploiting insecure Remote Desktop Protocol (RDP) connections. The widespread use of single-factor authentication for remote connections, along with the absence of client authentication certificates, encrypted protocols and adequate network controls, makes RDP particularly susceptible to attack. To bolster defenses, it’s imperative that all RDP use is restricted to protected VPN connections only, and that multifactor authentication technologies are employed as an additional layer of protection for all critical assets.
Ransomware Countermeasures
Other important countermeasures include:
The deployment of asset management tools that can map against available vulnerability intelligence will help your organization keep up to date with its security patch cycle.
The development of hardened system images that comply with stringent security compliance criteria such as CIS benchmarks or DISA STIGs can make it much more difficult for ransomware operators to effectively pivot off a compromised asset.
Effective endpoint protection is essential to any ransomware prevention strategy. EDR technologies that go beyond static means of detection and can identify suspicious patterns of system behavior can significantly reduce mean time to detection.
Implementing PAM technologies that can enforce a least privilege approach to access can help prevent lateral movement. Additionally, the automated rotation of privileged credentials can further reduce the risk of credential theft and prevent the spread of ransomware throughout a network environment.
Lastly, it’s imperative that proper security awareness training exercises are conducted regularly. Such exercises should be aimed not only at regular users; more specialized training should be provided to technical IT staff as well. Both tabletop and live-fire incident response exercises should be conducted to ensure that your organization’s security team has an opportunity to test its incident response protocols prior to a real incident. Realistic, simulated attack scenarios are ideal for measuring the effectiveness of incident response plans.