Ransomware response and preventive measures: What you need to know

By: Raffael Marty

Ransomware. It’s a word that still strikes fear in the hearts of business owners, CTOs, and IT professionals across all industries. According to a recent survey from Deloitte, 65% of U.S. executives say ransomware is a cyber threat that currently poses “major concern” to their organization.  

While business email compromise (BEC), a form of phishing in which a threat actor poses as a legitimate business colleague, is one of the top cyber threats affecting companies, BEC is often followed by a ransomware payload, a threat that receives significant press coverage because of the financial and operational damage it causes. The exposure spans compromised customer data, a tarnished reputation, and lost productivity: research from Coveware shows that the average amount of downtime caused by a ransomware attack is 21 days. 

Let’s take a closer look at what ransomware is, steps for responding to a ransomware attack, and how you can strengthen your MSP business’s defenses against ransomware.  

What is a ransomware attack and how does it work?  

Ransomware is a form of malware in which threat actors encrypt the information on a computer system so that users are unable to access their own data. The hackers then demand payment in exchange for releasing the information that is being held ransom back to the owner. Hackers commonly use email phishing, remote desktop protocol vulnerabilities, and software vulnerabilities to gain access to networks and deploy ransomware software.  

Here’s an overview of what that typically looks like:  

  • First, hackers infiltrate an organization’s network through stolen credentials and remote access malware. 
  • Next, they compromise critical administrative accounts that control backup, Active Directory (AD), Domain Name System (DNS) servers, storage admin consoles, and other key systems.  
  • With access to the backup administration console, backup jobs are turned off or modified and retention policies are changed. This also gives threat actors a roadmap to where sensitive application data is stored. 
  • Often, security software such as anti-virus components is circumvented or even turned off. 
  • Hackers then encrypt the data and possibly steal (aka exfiltrate) data for use in future criminal activities. 
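The steps above (backup jobs disabled, retention shortened, security services stopped) all leave traces in console and endpoint logs before any file is encrypted. The following is an added example, not ConnectWise code or any product's detection logic: it parses constructed sample log lines, flags the tampering actions named in the list, and escalates when one account performs several of them inside a short window. The log format, field names, action names and service names are assumptions; map them onto what your backup console, EDR and Windows event sources actually emit.

```python
"""Flag pre-encryption tampering events and escalate clustered activity per account."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Constructed sample log lines (assumed format):
# "<timestamp> <source> user=<name> action=<verb> target=<object> [key=value ...]"
SAMPLE_LOG = """\
2024-05-01T02:11:04Z backup-console user=bkadmin action=job_disabled target=nightly-fileserver
2024-05-01T02:12:31Z backup-console user=bkadmin action=retention_changed target=nightly-fileserver old=30d new=1d
2024-05-01T02:15:09Z endpoint-agent user=SYSTEM action=service_stopped target=WinDefend
2024-05-01T02:20:45Z backup-console user=bkadmin action=job_started target=nightly-fileserver
2024-05-01T09:00:00Z ad-dc user=jsmith action=logon target=WS-114
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>.*)$")

# Actions that map onto the attacker steps in the text (names are assumptions).
SUSPICIOUS_ACTIONS = {
    "job_disabled": "backup job disabled",
    "retention_changed": "backup retention policy changed",
    "service_stopped": "security service stopped",
}
# Assumed security service names; stopping anything else is treated as noise.
SECURITY_SERVICES = {"WinDefend", "Sense", "MsMpEng"}


@dataclass
class Finding:
    timestamp: datetime
    source: str
    user: str
    reason: str
    target: str


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into a dict of fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "source": m.group("source")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def detect_tampering(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per log line that matches a tampering action."""
    findings: List[Finding] = []
    for line in lines:
        f = parse_line(line)
        if not f or f.get("action") not in SUSPICIOUS_ACTIONS:
            continue
        action, target = f["action"], f.get("target", "")
        if action == "service_stopped" and target not in SECURITY_SERVICES:
            continue
        reason = SUSPICIOUS_ACTIONS[action]
        if action == "retention_changed":
            reason += f" ({f.get('old', '?')} -> {f.get('new', '?')})"
        # fromisoformat on older Pythons does not accept a trailing "Z".
        ts = datetime.fromisoformat(f["ts"].replace("Z", "+00:00"))
        findings.append(Finding(ts, f["source"], f.get("user", "?"), reason, target))
    return findings


def escalate(findings: List[Finding], window: timedelta = timedelta(minutes=30)) -> List[str]:
    """Accounts with two or more tampering findings inside one window; one alert each."""
    by_user: dict = {}
    for fd in findings:
        by_user.setdefault(fd.user, []).append(fd.timestamp)
    flagged = []
    for user, stamps in by_user.items():
        stamps.sort()
        if any(b - a <= window for a, b in zip(stamps, stamps[1:])):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    found = detect_tampering(SAMPLE_LOG.splitlines())
    for fd in found:
        print(f"{fd.timestamp.isoformat()} {fd.source} {fd.user}: {fd.reason} on {fd.target}")
    print("escalate:", escalate(found))
```

The single-event findings are useful on their own, but the escalation step is what separates a legitimate retention change by an administrator from the disable-then-shorten sequence an intruder performs minutes apart; tune the window to how your own backup console is normally administered.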

As mentioned in that last step, ransomware doesn’t have to be encryption only — last year we predicted that data exfiltration and subsequent ransom demands would proliferate across the cybercrime landscape, and unfortunately that forecast has come true. LockBit, the hacking group that recently demanded $50 million from global IT consultancy Accenture in a ransomware attack, possesses data exfiltration software capable of easily downloading data from compromised systems.  

Ransomware response: Five steps to take 

When you consider the possibility of ransomware affecting your MSP business and its clients, you should think about it as a matter of when, not if. It’s better to anticipate a worst-case scenario than to be underprepared in the event of an incident. Develop an incident response plan that includes each team member's role and responsibilities as well as goals that can be used to measure effective response to a ransomware attack. 

At a high level, here are the steps you will need to quickly take for ransomware response:  

  • Step #1: Identify the systems that have been infected by the ransomware.  
  • Step #2: Isolate the infection by disconnecting all infected computers from one another and the network.  
  • Step #3: Use backup and disaster recovery (BDR) software to restore systems and data from backups by pulling information from before the network was infected by the ransomware.  
  • Step #4: Review all the facts surrounding the ransomware attack and how it occurred so you can begin to put additional preventive measures in place.  
  • Step #5: File a report to the FBI's Internet Crime Complaint Center (IC3) containing thorough details about the incident.   

It’s worth noting that, because more companies are utilizing BDR tools to restore infected systems, cybercriminals have upped the ante and are now threatening to publish data on the dark web if the ransom is not paid (as was the case in the Accenture attack). According to the above-mentioned Coveware research, 77% of ransomware attacks now involve a threat to leak exfiltrated data.  

For a comprehensive checklist of what to do in the aftermath of a ransomware attack, we highly recommend reviewing this ransomware guide from the Cybersecurity and Infrastructure Security Agency (CISA). 

Tips for ransomware prevention and mitigation   

Although it is impossible to guarantee 100% protection against ransomware, there are certain tools and techniques that can be used to improve the security posture of your MSP business. This can help reduce the likelihood of an attack as well as mitigate the damage in the event of an incident.  

Discover and monitor every asset 

When unidentified assets exist on a network without being accounted for, it can introduce operational and security risk. Unmanaged and unmonitored endpoints are prime targets for hackers, because they’re more likely to be outdated and have vulnerabilities. 

MSPs can only manage the assets they have on record. That's why asset discovery featuring automated network scans is an important service. With ongoing scans, your MSP can quickly find and monitor new devices as they join the network and then understand each device’s health.  
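As an added example of the reconciliation an asset-discovery scan enables (not the article's own tooling or any ConnectWise product), the script below compares a constructed scan result with a constructed RMM inventory and reports three groups an MSP would act on: devices on the network that the RMM has no record of, managed devices whose agent has not checked in recently, and inventory entries that the scan no longer sees. Record layouts, field names and the seven-day staleness threshold are assumptions.

```python
"""Reconcile a network scan against an RMM inventory (added example, constructed data)."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed scan output keyed by MAC address: MAC -> (ip, hostname as advertised)
SCAN: Dict[str, Tuple[str, str]] = {
    "aa:bb:cc:00:00:01": ("10.0.1.10", "fs01"),
    "aa:bb:cc:00:00:02": ("10.0.1.11", "ws-114"),
    "aa:bb:cc:00:00:03": ("10.0.1.57", "unknown-printer"),
    "aa:bb:cc:00:00:04": ("10.0.1.88", "jsmith-laptop"),
}

# Constructed RMM inventory keyed by MAC: MAC -> (hostname, last agent check-in, agent version)
INVENTORY: Dict[str, Tuple[str, str, str]] = {
    "aa:bb:cc:00:00:01": ("fs01", "2024-05-01T08:55:00", "2.4.1"),
    "aa:bb:cc:00:00:02": ("ws-114", "2024-04-10T12:00:00", "2.3.0"),
    "aa:bb:cc:00:00:04": ("jsmith-laptop", "2024-05-01T07:30:00", "2.4.1"),
    "aa:bb:cc:00:00:05": ("old-dc02", "2024-03-01T00:00:00", "2.1.0"),
}


def reconcile(scan: Dict[str, Tuple[str, str]],
              inventory: Dict[str, Tuple[str, str, str]],
              now: datetime,
              stale_after: timedelta = timedelta(days=7)) -> Dict[str, List[str]]:
    """Return hostnames grouped as unmanaged, stale, or not_seen (sorted for stable output)."""
    unmanaged: List[str] = []   # on the wire, unknown to the RMM: no patching, no monitoring
    stale: List[str] = []       # managed, but the agent stopped reporting; patch state unknown
    not_seen: List[str] = []    # in the RMM, absent from the scan: decommissioned or moved?

    for mac, (_ip, hostname) in scan.items():
        record = inventory.get(mac)
        if record is None:
            unmanaged.append(hostname)
            continue
        inv_name, last_checkin, _version = record
        if now - datetime.fromisoformat(last_checkin) > stale_after:
            stale.append(inv_name)

    for mac, (inv_name, _last, _version) in inventory.items():
        if mac not in scan:
            not_seen.append(inv_name)

    return {"unmanaged": sorted(unmanaged), "stale": sorted(stale), "not_seen": sorted(not_seen)}


if __name__ == "__main__":
    # The reference time is fixed so the sample data reconciles the same way every run.
    report = reconcile(SCAN, INVENTORY, now=datetime(2024, 5, 1, 9, 0, 0))
    for group, hosts in report.items():
        print(f"{group:10s} {', '.join(hosts) or '-'}")
```

Keying on MAC rather than hostname matters here: an attacker-controlled or re-imaged device can advertise any name it likes, and hostnames collide across client sites, whereas the MAC is what both the scanner and the agent actually observed. The "not_seen" group is worth a second look as well, since a managed server that vanishes from scans may have been taken offline by an intruder rather than retired.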

Software patching 

Once assets are identified, your MSP must also monitor and manage them effectively. Keeping operating systems, software, and applications up to date can reduce the cybersecurity risk level of your MSP business and its customers. A remote monitoring and management (RMM) tool helps with continuous patching: this technology enables you to automatically deploy updates to endpoints, ensuring that you never fall behind on patching. You should also ensure that your anti-virus and anti-malware solutions are set to update automatically and run regular scans. 

Regular data backups  

To minimize downtime and disruption in the event of a cybersecurity incident, routinely backing up data is a must. However, you may need to manage different backup tools to meet the needs of different clients. That’s where an integrated BDR solution comes in, to help MSPs achieve more streamlined service management with far less chaos. It’s also crucial to secure your backups — make sure they are not connected to the computers and networks they are backing up, or else they could become infected in the event of a ransomware attack. 

Deploy an endpoint protection tool 

Endpoint security is another crucial element of an organization’s overall cybersecurity posture. Many organizations leverage endpoint detection and response (EDR) technology to help with protection of endpoints such as servers, laptops, desktops, mobile devices, and more. An EDR tool is capable of quickly identifying many different virus and malware variants, as well as automatically taking remediation actions such as restoring unsafe files to an acceptable previous state. To be effective, EDR technology must be operated by seasoned security professionals. That’s why a truly comprehensive EDR solution includes an embedded security operations center (SOC) that provides 24/7 monitoring and response services to help remediate issues.  

Enhancing your cybersecurity toolset   

When it comes to cybersecurity, there is no such thing as too secure. The State of SMB Cybersecurity in 2024 survey conducted by Vanson Bourne and commissioned by ConnectWise discovered that 62% of organizations would definitely consider moving to a new IT service provider if they provided the “right” cybersecurity solution. Plus, these organizations are willing to pay an average of 47% more for this enhanced security and peace of mind. Here are a few examples of tools and services you should consider adding to your cybersecurity tech stack: 

Keeping your MSP business and its clients protected 

Now you understand the importance of bolstering your MSP business’s cybersecurity defenses, as well as preparing to respond in the event of a ransomware attack. We encourage you to have the security conversations with your customers to ensure that you are on the same page and underscore the seriousness of ransomware response and prevention. In our 2021 MSP Threat Research Report, we found that nearly 60% of MSP client incidents were related to ransomware.  

Not sure how mature your MSP business currently is when it comes to security? Take a free self-assessment to see where your MSP falls on the cybersecurity spectrum, plus tips for what to do next.