How MSSPs Can Create An Effective Ransomware Response Plan


The volume of ransomware attacks was unprecedented in 2021. In the third quarter of the year alone, security researchers documented 190.4 million ransomware attempts, making Q3 2021 the highest quarter ever recorded, as reported by Help Net Security. That single quarter almost surpassed the 195.7 million ransomware attack attempts logged during the first nine months of the previous year. 

The report predicted a total of 714 million ransomware attack attempts for all of 2021, a volume that would have marked a 134% year-over-year increase. Reflecting these findings, most organizations across sectors expect to become the target of a ransomware attack in the future. As noted by HealthITSecurity, more than half (57%) of those organizations attributed their viewpoint to the fact that ransomware actors have already targeted so many other organizations in their industry.

For example, 48% of IT managers at local government agencies, and 63% of central government respondents in a survey covered by StateScoop, said that they expected their employer to suffer a ransomware infection in the future. In another study, 63% of healthcare organizations revealed their belief that ransomware actors would target them at some point. 

A Cybereason study, titled Ransomware Attacks and the True Cost to Business, found that 66% of organizations reported a significant loss of revenue following a ransomware attack, and 53% of organizations indicated that their brand and reputation were damaged as a result of a successful attack, demonstrating that ransomware attacks pose a significant risk to a business’s viability.

Focusing On Ransomware Response

Acknowledging the risk ransomware poses to business operations, MSSPs need to make sure that they can respond effectively to a ransomware attack to minimize impact to their customers' business. Here are some things they can consider along the way: 

  1. Practice good security hygiene: implement a security awareness program for employees, ensure operating systems and other software are regularly updated and patched, and deploy best-in-class security solutions on the network. 
  2. Develop a repeatable incident response plan, since critical response actions can be delayed during weekend and holiday periods. MSSPs should be able to respond quickly and at odd hours to a ransomware attack. They need the ability to rapidly contain further spread, and also to understand the root cause, determine the number of machines affected, and stop data leakage, further encryption, or privilege escalation.
  3. Ensure clear isolation practices are in place to stop further ingress to the network or spread of the ransomware to other devices. Teams should be proficient at disconnecting a host, locking down a compromised account, blocking a malicious domain, and similar containment actions. Testing these procedures with scheduled or unscheduled drills at least every quarter is recommended to make sure all personnel and procedures work as expected. 
  4. Lock down critical accounts, because the usual path attackers take in propagating ransomware across a network is to escalate privileges to the domain admin level and then deploy the ransomware. Teams should create highly secured, emergency-only accounts in Active Directory that are used only when other operational accounts have been temporarily disabled as a precaution or are inaccessible during a ransomware attack.
  5. Contact law enforcement, including the FBI and local authorities, immediately upon discovering a ransomware attack. They must do this despite what some ransomware gangs have started telling victims (here's looking at you, Grief Gang).
  6. Help your customer weigh the decision to pay a ransom carefully: doing so doesn't always help victims regain access to their data. About half of respondents in our ransomware study cited above said that some or all of the data to which they regained access following payment was corrupted. 

Ransomware Response vs. Prevention

The challenges associated with paying the ransom highlight an essential reality of ransomware response—namely, that it’s minimally effective when attackers are themselves prepared and intent on undermining organizations’ response efforts. 

For example, Threatpost reported on a recently documented Conti ransomware variant that came with the capability to exfiltrate data from backups and then manually remove those backups. Ransomware gangs like Conti are embracing these tactics to force victims into a position where they’re more inclined to pay.

Simultaneously, paying the ransom rarely closes out a ransomware incident. In our report cited above, we learned that 80% of victims who paid a ransom ended up suffering another attack. About half (46%) of those respondents thought the same attackers had chosen to target them again. Meanwhile, a third noted that a different set of threat actors had perpetrated the attack, raising the possibility the initial gang had sold network access to the victim on the dark web. 

Finally, organizations can’t always depend on third parties to cover all the ransomware attack costs. Nearly half (42%) of survey respondents had cyber insurance policies in place but revealed that their insurer covered only a portion of their losses. 

MSSPs should be adopting Extended Detection and Response (XDR) solutions powered by Artificial Intelligence (AI) and Machine Learning (ML) to enable their security teams to better automate triage, investigation, and remediation efforts at scale to detect ransomware attacks at the earliest stages of an attack.

Ransomware isn't going anywhere, and nation-state attackers are experts at getting around defenses to propagate this cash-and-carry attack method. MSSPs need to be prepared to protect their customers in the event that ransomware does get through the defenses. The specter of ransomware is also an opportunity for MSSPs to increase their value to their customers with a solid incident response plan and the proper technology to mitigate the impact of such an attack on the business. 

Visit and subscribe to the Cybereason blog to learn more on XDR, ransomware and the latest cyber security news and trends or reach out to the MSSP Team at Cybereason for more information: [email protected]

Guest blog courtesy of Cybereason. Read more Cybereason guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.