Lessons Learned from Ransomware
Ransomware
Ransomware is a type of malware (malicious software) that encrypts a victim's files so that the victim loses access to their data. The attackers promise to hand over the decryption key once the ransom is paid, but there is no guarantee that all data will be restored. Many variants also steal (exfiltrate) data before encrypting it; if the victim refuses to pay, the attackers threaten to publish the stolen files on the internet (so-called double extortion). Ransomware spreads through fake installers, phishing, exploit kits, exposed remote desktop services (for example RDP reachable from the internet with weak or stolen credentials), and other methods.
To keep our data safer and avoid ransomware attacks, here are some lessons learned that the author has summarized from several cases personally experienced and from colleagues who have been victims of ransomware attacks.
1. Anyone can become a ransomware victim
- Anyone can become a victim, regardless of organization type, company size, or personal background. Here is a list of ransomware victims recorded by ransomware.live. That list shows the wide range of organizations and companies that have fallen victim to these attacks, and individuals are targets as well. Therefore, everyone should be aware of the common ransomware distribution methods and perform regular backups of important data.
2. Investing in security processes, not just products (care about the data)
- There is no silver bullet: no single product or solution handles ransomware attacks on its own. Proper planning is required.
- Focus on securing the data and information itself rather than relying only on security devices such as firewalls or EDR. Ransomware operators routinely get past perimeter defenses, for example by phishing an employee or logging in with stolen credentials, so the controls around the data (access rights, backups, monitoring) matter at least as much.
- Conduct regular security awareness training for employees (training and testing, such as simulated phishing). In companies that rely heavily on technology for daily operations, regular awareness programs are essential to prevent employees from becoming the entry point for attackers.
- Subscribe to and follow security newsletters and vendor advisories. Staying current with information security trends means you hear about new attack techniques when threat actors start using them, so preventive action can be taken earlier.
3. Defining assets before securing them (internet-facing services)
- Inventory all services and devices that are directly accessible from the internet, including who owns each one. Schedule regular assessments (vulnerability scans, penetration tests) and mitigate any findings. Yes, this will take time.
- If using managed services, maintain proper documentation of versions and installed patches, so that when a new vulnerability is announced you can immediately tell whether you are exposed.
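As an added example (not code from the original article), the following Python script shows what such an inventory can look like and how to audit it automatically. The inventory format, the sample hosts, the 90-day assessment interval, the 60-day patch threshold, and the list of services that should never be internet-facing are all assumptions made for this illustration; adjust them to your own policy.

```python
"""Audit an inventory of internet-facing services for missing ownership,
missing version/patch documentation, stale patches, overdue assessments,
and services that should not be exposed at all.

Added example, not from the original article.  The record format and the
review intervals below are assumptions for this illustration."""
from datetime import date, timedelta

# Constructed sample inventory (hosts are made up, not real systems).
INVENTORY = [
    {"host": "vpn.example.com", "port": 443, "service": "ssl-vpn",
     "version": "9.1.0", "last_patched": "2024-05-02",
     "last_assessed": "2024-05-10", "owner": "netops"},
    {"host": "mail.example.com", "port": 25, "service": "smtp",
     "version": "", "last_patched": "",
     "last_assessed": "2023-11-01", "owner": "it"},
    {"host": "rdp.example.com", "port": 3389, "service": "rdp",
     "version": "10.0", "last_patched": "2024-06-01",
     "last_assessed": "", "owner": ""},
]

ASSESSMENT_INTERVAL = timedelta(days=90)  # assumption: reassess each service quarterly
PATCH_INTERVAL = timedelta(days=60)       # assumption: patches older than 60 days are stale
HIGH_RISK_SERVICES = {"rdp", "smb", "telnet", "vnc"}  # assumption: never internet-facing


def _parse(value):
    """ISO date string -> date, or None when the field is empty/undocumented."""
    return date.fromisoformat(value) if value else None


def audit_inventory(inventory, today):
    """Return a list of (host, port, finding) tuples for everything that needs work."""
    findings = []
    for entry in inventory:
        where = (entry["host"], entry["port"])
        if not entry.get("owner"):
            findings.append((*where, "no owner recorded"))
        if not entry.get("version"):
            findings.append((*where, "version not documented"))
        if entry["service"] in HIGH_RISK_SERVICES:
            findings.append((*where, f"{entry['service']} exposed to the internet"))

        patched = _parse(entry.get("last_patched", ""))
        if patched is None:
            findings.append((*where, "patch level not documented"))
        elif today - patched > PATCH_INTERVAL:
            findings.append((*where, f"last patched {patched}, older than {PATCH_INTERVAL.days} days"))

        assessed = _parse(entry.get("last_assessed", ""))
        if assessed is None:
            findings.append((*where, "never assessed"))
        elif today - assessed > ASSESSMENT_INTERVAL:
            findings.append((*where, f"assessment overdue (last {assessed})"))
    return findings


def audit_sample():
    """Run the audit against the constructed inventory as of a fixed date."""
    return audit_inventory(INVENTORY, date(2024, 7, 1))


if __name__ == "__main__":
    for host, port, finding in audit_sample():
        print(f"{host}:{port}  {finding}")
```

The point of the script is less the checks themselves than the fields: if the inventory cannot answer "who owns this, what version is it, when was it patched, when was it last assessed" for every exposed port, the inventory is not finished yet. Run it from a scheduled job and treat a non-empty findings list as a ticket to work.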
4. Having a backup plan for any attack (business continuity)
- Develop a solid, documented BCP (Business Continuity Plan) that explicitly covers a ransomware scenario: who decides, how affected systems are isolated, what is restored first, and how staff and customers are informed.
- Regularly test and validate the BCP through tabletop exercises and restore drills, and update it whenever the environment or the people involved change.
5. Your backup might not work
- Have at least one air-gapped backup. Some ransomware attacks also target backup servers, deleting or encrypting the backups so that victims cannot restore previously backed-up data. Therefore, it is important to keep an offline copy that is disconnected from the network (and from the systems it backs up) except while the backup is being written, such as a rotated external HDD or offline tape.
- Validate your backups. Regularly check that the backup actually contains the data you expect (not only that the backup job reported success), and ensure that the backup method and schedule match your recovery needs: how much data you can afford to lose and how long you can afford to be down.
- Test backup and restore procedures. Perform recovery tests on backed-up data to catch unexpected issues, such as a restore failing because the backup data is corrupted, before you depend on it during an incident.
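The following Python script is an added example (not code from the original article) of what "validate your backups" and "test restore" mean in practice: build a backup, record a SHA-256 manifest of every file, restore into a scratch directory, and compare the restored files against the manifest. A plain directory copy stands in for the backup tool, the sample files are constructed, and the single flipped byte simulating silent media corruption is an assumption made to show the failure case.

```python
"""Verify a backup end-to-end: build it, record a SHA-256 manifest, restore it
into a scratch directory, and compare every restored file against the manifest.
A job that only reports "succeeded" is not validated; a restore that reproduces
every file byte-for-byte is.

Added example, not from the original article.  shutil.copytree stands in for
the real backup/restore commands; the sample files are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source, dest):
    """Stand-in for the backup job: copy the tree and store a manifest beside it."""
    shutil.copytree(source, Path(dest) / "data")
    manifest = build_manifest(source)
    (Path(dest) / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(backup_dir, restore_dir):
    """Restore into restore_dir and check every file against the manifest.
    Returns {relative_path: problem}; an empty dict means the restore is good."""
    expected = json.loads((Path(backup_dir) / "manifest.json").read_text())
    shutil.copytree(Path(backup_dir) / "data", restore_dir, dirs_exist_ok=True)
    actual = build_manifest(restore_dir)
    problems = {}
    for rel, digest in expected.items():
        if rel not in actual:
            problems[rel] = "missing after restore"
        elif actual[rel] != digest:
            problems[rel] = "content mismatch (corrupted or tampered)"
    for rel in actual.keys() - expected.keys():
        problems[rel] = "unexpected file in restore"
    return problems


def demo():
    """Constructed scenario: a good restore, then the same backup with one corrupted file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_bytes(b"quarterly plan\n" * 100)
        (src / "db.sqlite").write_bytes(bytes(range(256)) * 10)

        backup(src, tmp / "backup")
        clean = verify_restore(tmp / "backup", tmp / "restore1")

        # Simulate silent corruption of the backup media: flip one byte.
        victim = tmp / "backup" / "data" / "db.sqlite"
        data = bytearray(victim.read_bytes())
        data[100] ^= 0xFF
        victim.write_bytes(data)
        corrupted = verify_restore(tmp / "backup", tmp / "restore2")
        return clean, corrupted


if __name__ == "__main__":
    clean, corrupted = demo()
    print("clean restore problems:    ", clean)
    print("corrupted restore problems:", corrupted)
```

Keep the manifest with the offline copy as well, so that a backup server compromised by the attackers cannot quietly rewrite both the data and the record you would compare it against. The same restore check should be run on the air-gapped copy on a schedule, not only on the online one.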
Conclusion
In recent years, ransomware has become a major issue in cybersecurity. Every individual and organization should take steps now to reduce the chance of such attacks and the damage they cause. The lessons learned above cover backup and recovery, security awareness, and asset and patch management. By implementing these measures, individuals and organizations can reduce the risk of ransomware and other cyberattacks. This article is merely the author's review. If there are any shortcomings, feel free to add suggestions in the comment section. Thank you in advance.