This document provides an overview and guidance on preparing for and responding to ransomware attacks. It discusses 2021 ransomware trends such as increased attacks and higher ransoms. It recommends developing an incident response plan following frameworks like NIST, implementing security best practices for prevention and detection, having robust backup and restoration procedures, and providing security awareness training for employees. Useful external resources on ransomware identification, decryption, and phishing simulations are also referenced.
2. MSP360.COM
Ransomware
2021 Indicators of the Year
● Attacks up 105%
● Phishing directly linked to later-stage ransomware
● Targeted attacks are up
● Higher ransoms and longer downtime
● Double & triple extortion threats
● Ransomware-as-a-Service (RaaS)
● Top security concern (with phishing)
4. MSP360.COM
NIST Cybersecurity Framework
Guidance for organizations to better manage and reduce cybersecurity risk
● Pen testing, monitor logs, know your data flow, impact of cybersecurity events
● Identify assets / risks, inventory, cybersecurity roles
● Access (least privilege), encryption, backups, firewalls, EDR, OS updates, training
● Test & update response plans, coordinate with stakeholders
● Restore, communicate with stakeholders, update recovery plans, PR
5. MSP360.COM
A Cyber Incident Response Plan
Create one and you’ll be ready
● Create a Cyber Incident Response Team (CIRT)
● Develop a 24/7 Contact List for Response Personnel and Partners
● Compile Key Documentation of Business-Critical Networks and Systems
● Outline your Incident Reporting Requirements
● Develop Technical Response Procedures: Investigate, contain, eradicate, and recover
● Develop Legal Response Procedures
● Exercise the Plan, Train Staff, and Update the Plan Regularly
6. MSP360.COM
Customer Training
And just maybe an additional revenue stream
● 88% of data breaches are caused by employee mistakes, distractions
● Cyber insurance requirements - phishing and security awareness training
● Conduct regularly scheduled training to educate and test cybersecurity awareness
● Conduct organization-wide phishing tests
● Improve password / credential management
● Work laptops are for work
● Configuring home network routers
● How to report suspicious emails, phone calls, activity
7. MSP360.COM
Backup
and restore, obviously…
● 2 locations, always encrypted, 1 offline / cloud
● Use cloud immutability / object-lock
● Back up what you need, using the right type of backup to meet RPOs and RTOs
● Adjust retention to meet compliance needs
● Regularly test your backups & restores
● Document how to restore key systems in the event of a ransomware attack
● Use more than one solution, if needed
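An added example (not part of the original deck and not MSP360 tooling): a Python check of a backup inventory against the rules on this slide. The inventory, its field names and the 90-day restore-test window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample inventory; field names are hypothetical, not from any backup product.
NOW = datetime(2022, 6, 1, 12, 0)
PLANS = {
    "fileserver": {
        "rpo": timedelta(hours=24), "last_restore_test": datetime(2022, 5, 10),
        "copies": [
            {"location": "local-nas", "kind": "local", "encrypted": True,
             "immutable": False, "last_success": datetime(2022, 6, 1, 2, 0)},
            {"location": "cloud-bucket", "kind": "cloud", "encrypted": True,
             "immutable": True, "last_success": datetime(2022, 6, 1, 3, 0)},
        ]},
    "accounting-db": {
        "rpo": timedelta(hours=4), "last_restore_test": datetime(2021, 11, 1),
        "copies": [
            {"location": "local-nas", "kind": "local", "encrypted": False,
             "immutable": False, "last_success": datetime(2022, 5, 31, 22, 0)},
        ]},
}

def audit_plan(plan, now, max_test_age=timedelta(days=90)):
    """Return the slide's backup rules that this plan violates (empty list = pass)."""
    copies, findings = plan["copies"], []
    if len({c["location"] for c in copies}) < 2:
        findings.append("fewer than 2 locations")
    if not all(c["encrypted"] for c in copies):
        findings.append("unencrypted copy")
    if not any(c["kind"] in ("offline", "cloud") for c in copies):
        findings.append("no offline/cloud copy")
    if any(c["kind"] == "cloud" and not c["immutable"] for c in copies):
        findings.append("cloud copy without object-lock")
    # RPO check: the newest successful copy bounds how much data a restore would lose.
    newest = max((c["last_success"] for c in copies), default=None)
    if newest is None or now - newest > plan["rpo"]:
        findings.append("newest backup older than RPO")
    # 90 days is an assumed interval for "regularly test"; the slide gives none.
    if now - plan["last_restore_test"] > max_test_age:
        findings.append("restore test overdue")
    return findings

def audit_all(plans, now=NOW):
    """Audit every plan and map plan name to its findings."""
    return {name: audit_plan(plan, now) for name, plan in plans.items()}

if __name__ == "__main__":
    for name, findings in audit_all(PLANS).items():
        print(name, "OK" if not findings else findings)
```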
8. MSP360.COM
Remediation
And getting back to business
● Identify affected endpoints
● Consider backing up affected systems to avoid removing evidence
● Identify any compromised accounts
● Turn off infected machines (or everything if you're not sure)
● Identify the ransomware family – look for a decryptor
● Improve / review security and training
● Remove or reimage affected systems
● Restore data
● Perform a root-cause analysis – your post-mortem
10. MSP360.COM
Useful Links
To free stuff…
● CISA U.S. Cybersecurity & Infrastructure Security Agency https://www.cisa.gov/stopransomware
● NIST National Vulnerability Database https://nvd.nist.gov
● NIST – Ransomware Tips & Tactics: https://csrc.nist.gov/CSRC/media/Projects/ransomware-protection-and-response/documents/NIST_Ransomware_Tips_and_Tactics_Infographic.pdf
● NIST – Small Business Cybersecurity Corner: https://www.nist.gov/itl/smallbusinesscyber (planners and workbooks)
● NIST - Enterprise Patch Management Planning: Preventive Maintenance for Technology https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
● Public Power Cyber Incident Response Playbook https://www.publicpower.org/system/files/documents/Public-Power-Cyber-Incident-Response-Playbook.pdf
● SonicWall 2022 Cyber Threat Report https://www.sonicwall.com/2022-cyber-threat-report
* Please note that third-party links and web sites have not been vetted by MSP360
11. MSP360.COM
Phishing Simulators
Attack Simulation Training
● Office 365 - Attack simulation training in Defender for Office 365 https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started
● Infosec IQ - Free Phishing Risk Test https://www.infosecinstitute.com/form/iq-demo
● Gophish - Open-Source Phishing Framework https://getgophish.com
● Lucy - Phishing Attacks with Simulations & Training Courses (community and commercial) https://lucysecurity.com/phishing-attack-training/
12. MSP360.COM
Ransomware Decryptors
They’re out there…
● Check your security vendor web site for decryption tools
● Nomoreransom.org - Ransomware Identification and Decryption Tools https://www.nomoreransom.org
● ID Ransomware – https://id-ransomware.malwarehunterteam.com/
● Emsisoft - https://www.emsisoft.com/ransomware-decryption-tools
● Avast - https://www.avast.com/ransomware-decryption-tools
● McAfee - https://www.mcafee.com/enterprise/en-us/downloads/free-tools/ransomware-decryption.html
● BitDefender - https://www.bitdefender.com/blog/labs/tag/free-tools
Good afternoon everyone. Thanks for being here.
I'm David Gugick, the VP of Product Management over at MSP360.
And today, we're going to do a quick prepper guide on how you can best recover from a ransomware attack – either at the MSP or at a customer.
As many of you have experienced, it’s usually not a matter of if, but when you'll have to recover from some cybersecurity incident like ransomware.
So today’s topics will include a brief overview of the NIST Cybersecurity Framework, but we'll concentrate with the limited time we have on the recovery side.
Because preparation is key to a faster recovery.
Maybe: These are the topics that MSPs we work with have said have helped them better prepare for dealing with ransomware events.
Now, we only have limited time, and there's a lot of material, so I've included some slides on the submitted slide deck with useful cybersecurity links, phishing simulators, and ransomware decryptors - so go ahead and download when you're back in the office