Friday, Feb 19, 2021
BY: Jerry Nguyen - Director of Threat Intelligence & Rapid Response
There has been a lot of media attention lately in certain industries around a type of ransomware called DoppelPaymer.
- Ransomware: a simple but effective way for cybercriminals to make money from cyberattacks. Once it runs on a victim's computer it encrypts the user's files and then demands a ransom payment in exchange for the decryption key needed to restore the data.
- DoppelPaymer: has been active, and claiming victims, since at least June 2019. Research shows that the most common ways victims are infected with DoppelPaymer are spam or phishing emails and compromised websites.
The operators behind this ransomware first gain access to an organization, then spread through its systems before encrypting them and demanding payment. They also threaten to publish the victim's stolen data if the ransom is not paid. This double-extortion tactic has become increasingly common among ransomware operators in the past two years.
As more and more companies are targeted by ransomware actors, Nuspire would like to share some best practices to prepare for a ransomware event. While you may not have total control over how or by whom your organization is infected, you can control how prepared you are.
11 Things to Think About When it Comes to Ransomware
- Know your threat landscape | Who might attack and how?
- Know your industry’s threat landscape | What type of threats are specific to your industry or what is happening to your industry’s threat landscape?
- Have a plan or playbook to handle ransomware | Do you have a documented plan so you know your next steps?
- Ensure you have a Vulnerability Management and Patching Plan | Do you have a plan to manage identified vulnerabilities and how often to patch them?
- Make sure your advanced EDR is in prevent mode | Are you using the tools you have to prevent attacks?
- Have a plan in place to hunt for Indicators of Compromise (IOCs) | Do you know what to do with relevant IOCs as they are published?
- Make sure you have backups of your critical data and systems | How and who manages your backups?
- Make sure your backups are available offline | Where are your backups?
- Ensure your service providers are prepared to support you | Do you know what role your providers play if you are infected with ransomware?
- Train staff not to click on links or open files in emails from unknown sources | Do you have regular training to educate staff on safe email use?
- Train staff to recognize phone calls from imposters or fraudsters (is the caller really from IT?) | Do you have regular training to educate staff on safe phone handling?
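Item six above asks what you do with IOCs once they are published. The usual answer is a sweep: take the published domains, IPs and file hashes and run them over the logs and hosts you already have. The script below is an added example written for this article, not Nuspire tooling. The IOC feed, log lines, file paths and file contents are all constructed for illustration and are not real DoppelPaymer indicators; the log format is a hypothetical "time host kind key=value" layout.

```python
"""Sweep constructed log lines and file contents for published IOCs.

Added example for this article; it is not Nuspire's tooling. The IOC
values, log lines and file contents are constructed for illustration and
are not real DoppelPaymer indicators.
"""
import csv
import hashlib
import io
import re
from dataclasses import dataclass

# Constructed feed in the "type,value" shape many IOC publications use.
IOC_FEED = """type,value
domain,Update-Check.example.net
ip,203.0.113.45
sha256,2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824
"""

# Constructed proxy/DNS log lines (hypothetical "time host kind key=value" format).
SAMPLE_LOG = """2021-02-18T09:12:03Z ws-042 dns query=update-check.example.net
2021-02-18T09:12:04Z ws-042 http dst=203.0.113.45 uri=/a.php
2021-02-18T09:15:11Z ws-017 http dst=198.51.100.7 uri=/index.html
2021-02-18T09:16:40Z ws-017 dns query=notupdate-check.example.net
"""

# Constructed "files" keyed by path; a real sweep would read them from disk.
SAMPLE_FILES = {
    r"C:\Users\Public\svc.exe": b"hello",
    r"C:\Users\Public\notes.txt": b"benign content",
}

# A token is a run of letters, digits, dots and hyphens (domains, IPs, words).
TOKEN = re.compile(r"[a-z0-9][a-z0-9.\-]*")


@dataclass(frozen=True)
class Hit:
    ioc_type: str
    value: str
    source: str


def parse_ioc_feed(text):
    """Return {ioc_type: set(values)} with types and values lower-cased,
    so that case differences in the feed never cause a missed match."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(text)):
        ioc_type = row["type"].strip().lower()
        iocs.setdefault(ioc_type, set()).add(row["value"].strip().lower())
    return iocs


def sweep_logs(log_text, iocs):
    """Match domain and IP IOCs against whole tokens of each log line.
    Whole-token matching is deliberate: a substring search would also flag
    the benign 'notupdate-check.example.net' line."""
    wanted = {("domain", v) for v in iocs.get("domain", ())}
    wanted |= {("ip", v) for v in iocs.get("ip", ())}
    hits = []
    for line in log_text.splitlines():
        tokens = set(TOKEN.findall(line.lower()))
        for ioc_type, value in sorted(wanted):
            if value in tokens:
                hits.append(Hit(ioc_type, value, line))
    return hits


def sweep_files(files, iocs):
    """Hash each file's bytes and compare against the sha256 IOCs."""
    wanted = iocs.get("sha256", set())
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in wanted:
            hits.append(Hit("sha256", digest, path))
    return hits


if __name__ == "__main__":
    feed = parse_ioc_feed(IOC_FEED)
    for hit in sweep_logs(SAMPLE_LOG, feed) + sweep_files(SAMPLE_FILES, feed):
        print(f"{hit.ioc_type}\t{hit.value}\t{hit.source}")
```

Two choices matter in practice: normalise case on both sides before comparing, because feeds and logs rarely agree, and match whole tokens rather than substrings, or every look-alike domain becomes a false positive that wastes responder time.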
What do you do if you have a Ransomware Attack?
There are five important steps you should take to resolve an attack and restore any damage done to your organization in the fallout:
- If you have an incident response plan, refer to that plan. (If you do not have a plan already in place for things like this, use this template to get you started.)
- Check your backups to make sure they were not encrypted, deleted or tampered with before you rely on them for recovery.
- If you have cybersecurity insurance, contact your provider to understand your coverage and what they advise for your next steps.
- Contact your legal counsel and explain the situation to them so they can help you assess any risks to your business and clients.
- Call your Managed Security Services Provider (MSSP). They will have the expertise you need to scope, detect, isolate and prevent further infections.
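Step two above, checking that backups are not affected, is only meaningful if there is something independent to check them against. The script below is an added example for this article, not Nuspire tooling: it records a SHA-256 manifest when a backup is written and later compares the backup on disk with that manifest, classifying files as intact, modified in place, missing, or unexpected. The directory layout, file contents and the simulated tampering are constructed; the assumption is that the manifest copy is kept where the backup host cannot overwrite it.

```python
"""Verify a backup set against a hash manifest recorded when it was written.

Added example for this article; it is not Nuspire's tooling. The directory
layout, file contents and the simulated tampering are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256.
    Record this at backup time and keep the copy somewhere the backup host
    cannot overwrite (offline media or write-once storage, assumed here) so
    an intruder who reaches the backup share cannot rewrite data and
    manifest together."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the backup on disk with the recorded manifest.
    'modified'   = same path, different hash (encrypted in place)
    'missing'    = recorded file gone (deleted or renamed, e.g. to *.locked)
    'unexpected' = files the manifest never saw (renamed originals, notes)"""
    current = build_manifest(root)
    return {
        "ok": sorted(p for p in manifest if current.get(p) == manifest[p]),
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Build a constructed backup, record its manifest, simulate what a
    ransomware run on a reachable backup share does, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "db").mkdir()
        (root / "docs" / "q1.xlsx").write_bytes(b"quarterly figures")
        (root / "docs" / "policy.docx").write_bytes(b"policy text")
        (root / "db" / "crm.bak").write_bytes(b"database dump")
        stored = json.dumps(build_manifest(root))  # the off-volume copy

        # Simulated tampering: one file overwritten, one renamed, a note added.
        (root / "docs" / "q1.xlsx").write_bytes(b"\x9a\x41\xf0\x07ciphertext")
        (root / "db" / "crm.bak").rename(root / "db" / "crm.bak.locked")
        (root / "readme_to_restore.txt").write_bytes(b"pay to decrypt")

        return verify_backup(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification before any restore, and treat a non-empty "modified" or "unexpected" list as a sign the backup store was reachable from the compromised network; that is the point of item eight in the checklist, keeping a copy offline.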
What does Nuspire do for clients?
Our role is to make sure our existing clients with deployed Managed Detection and Response (MDR) and Endpoint Detection and Response (EDR) with endpoint protection have the proactive protection in place to prevent ransomware attacks from happening.
For existing clients that use Nuspire for other services but do not have MDR and EDR with endpoint protection, and for those that are new to Nuspire, we are here to help. Once notified, we will quickly set up MDR services with EDR to scope, detect, isolate and prevent further infections. Our role in this scenario is to proactively hunt for Indicators of Compromise (IOCs), isolate affected systems and help prevent any further infections.