The Aftermath of a Ransomware Attack: How to Recover and Better Prepare

The recent Kaseya VSA ransomware attack compromised approximately 60 MSPs and 1,500 of their respective clients’ systems, resulting in more than one million individual lockups. Even if your organization wasn’t affected by this most recent attack, there is ample reason to be vigilant: With 304 million attacks worldwide in 2020 alone (a 64 percent increase from 2019), the prevalence of ransomware attacks has warranted concern in recent years.

And they’ll cost you: there was an alarming 171 percent increase in ransomware payouts between 2019 and 2020, and the trend continues today. While the downstream impact of this attack has been a focal point for many, the uptick in ransomware attacks, regardless of the network targeted or the ransom demanded, shows a trend toward exploiting unsuspecting (and often under-trained) employees in campaigns of far larger scale than consumer-level scams. It also draws attention to the emerging ways attackers can exploit security vulnerabilities as ransomware grows more severe.

When it comes to the recent Kaseya attack, there are lingering questions that need to be answered: Is it over? What is stopping threat actors from doing it again, or from trying something else?

We can agree that these are not ethical humans we are dealing with. They are financially motivated actors that may already have a foothold in your environment. Knowing that a compromise is a matter of when, not if, IT leaders must prepare for a surge in attacks of this nature while planning for recovery in tandem.

How to Recover and Better Prepare

When remediation is necessary, digital forensics and incident response (DFIR) teams are typically engaged and should provide information on the initial infiltration method and the post-exploitation techniques used to deploy the ransomware. As you recover and learn more about how the attack unfolded, keep these considerations in mind:

  1. Initial Infiltration: How did the bad actor enter your system? Typically, this happens through phishing or weak remote access controls. Remember, ransomware is the final payload. Before the ransomware is deployed, the attackers need to infiltrate, use tools to move laterally, and exfiltrate network information for reconnaissance and, in most recent cases, critical data for extortion. Understanding the moves that have been made will go a long way for your security beyond the initial incident.

    How you can be proactive moving forward: Mitigate risk with foundational capabilities like security awareness training, secure email gateways, and multi-factor authentication. Limiting remote access and closely monitoring every remote entry point will also give you solid footing to identify bad actors early for remediation. Deception techniques are also a valid way of identifying potentially malicious behavior early.

  2. Post Exploitation: What should you do immediately after the attack? In the 30 days after exploitation, efforts should focus on hunting for dormant malware that may have served as the delivery mechanism for the ransomware. This can come in many forms, but recently we’ve sought out modular malware like Dridex, Trickbot, Emotet, Qakbot, and others. If these are not discovered and eradicated, the attacker can once again use them as a backdoor to do more damage. In some cases, we have seen a new ransomware attack six months after the original attack, caused by the same backdoor. It could be the same group, or even a scenario where compromised devices were sold to the next financially motivated bad guy on the dark web with a “100% guarantee that this victim will pay.” Once a remote access trojan or other attacker foothold is in your environment, there are some things you can put in place to mitigate future damage.

    How you can be proactive moving forward:
    • Antivirus protection provides a basic layer of defense, despite being weaker and more outdated than other methods. Make sure it is updated and always on.
    • Patching is absolutely critical. The current state of patch management programs is pretty bad: if they are not actively monitored and updated, your vulnerable systems will be the first to be targeted.
    • Invest in an application audit. Understanding what “normal” looks like for your applications will better alert you to what is deemed suspicious. While application whitelisting may cause reservations for some IT teams, if a company has a handle on what apps are running and which are required from a business standpoint, it helps security prioritize what is a true threat. Audits build confidence by ensuring there is documented context for what is whitelisted and for any exceptions.

  3. Monitoring Nefarious Activity: What haven’t you considered? Once the environment is sanitized, it’s time to start taking proactive steps to avoid similar vulnerabilities in the future. By thinking about how an attack is carried out, you can better map the ongoing security you need to prevent and remediate others.

    How you can be proactive moving forward: Technology can only take you so far when protecting against increasingly adaptive, creative, and sophisticated attackers. Learn to think like the bad guys by investing in continuous threat hunting. With a spirit of resourcefulness and deep industry expertise, threat hunters notice patterns, build connections between real-world events, investigate interactions on the dark web, and more to catch things that other alerts and solutions miss.
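The first consideration above recommends limiting remote access and closely monitoring remote entry points. The script below is an added example, not code from the original post or from Trustwave: it reads constructed gateway log lines in a hypothetical `key=value` format (the field names, the trusted source range `198.51.100.0/24`, and the thresholds are all assumptions) and flags successful logins that lack MFA, arrive from an untrusted source, or follow a burst of failures.

```python
"""Flag risky remote-access logins from gateway logs (constructed sample data)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical "key=value" gateway format.
SAMPLE_LOGS = """\
2021-07-10T01:58:02Z vpn user=jsmith src=198.51.100.7 mfa=yes result=success
2021-07-10T02:10:11Z vpn user=admin src=203.0.113.45 mfa=no result=failure
2021-07-10T02:10:14Z vpn user=admin src=203.0.113.45 mfa=no result=failure
2021-07-10T02:10:19Z vpn user=admin src=203.0.113.45 mfa=no result=failure
2021-07-10T02:10:27Z vpn user=admin src=203.0.113.45 mfa=no result=success
2021-07-10T03:41:55Z rdp user=backup_svc src=192.0.2.200 mfa=no result=success
2021-07-10T09:02:30Z vpn user=alee src=198.51.100.23 mfa=yes result=success
"""

# Assumption: the only source range expected to reach the remote entry points.
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]
FAILURE_THRESHOLD = 3   # failures before a success that we treat as a guessing burst
WINDOW_SECONDS = 600    # how far back failures count toward that burst

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


def parse(log_text):
    """Turn raw lines into dicts; lines in an unexpected format are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def trusted(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_SOURCES)


def find_risky_logins(log_text):
    """Return (user, src, reason) tuples for every successful login that breaks a policy."""
    findings = []
    recent_failures = defaultdict(list)   # (user, src) -> timestamps of failed attempts
    for ev in parse(log_text):
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            recent_failures[key].append(ev["ts"])
            continue
        # A successful login: check each policy independently so one event can raise several.
        if ev["mfa"] == "no":
            findings.append((ev["user"], ev["src"], "success-without-mfa"))
        if not trusted(ev["src"]):
            findings.append((ev["user"], ev["src"], "untrusted-source"))
        window = [t for t in recent_failures[key]
                  if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if len(window) >= FAILURE_THRESHOLD:
            findings.append((ev["user"], ev["src"], "success-after-failures"))
        recent_failures[key].clear()
    return findings


if __name__ == "__main__":
    for finding in find_risky_logins(SAMPLE_LOGS):
        print(finding)
```

On the sample data the `admin` login raises all three findings and the `backup_svc` RDP session two, while the MFA-protected logins from the trusted range raise none; in practice the trusted ranges and thresholds come from your own access policy, and each finding is a lead for the DFIR team rather than a verdict.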
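The application audit recommended under the second consideration is about knowing what “normal” looks like and keeping context for what is whitelisted and for any exceptions. The script below is an added example, not code from the original post or from Trustwave: it compares a constructed running-application inventory from two hosts against a baseline that records each approved application’s expected install directory, file digest, owner and business reason (all hostnames, paths and `HASH_*` digests are placeholders), plus a documented per-host exception, and reports anything that deviates.

```python
"""Audit a running-application inventory against an allowlist baseline (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    name: str
    path: str
    reason: str


# Constructed baseline: what "normal" looks like, with the business context an
# audit should capture. The HASH_* values are placeholders, not real digests.
BASELINE = {
    "outlook.exe": {"paths": {r"C:\Program Files\Microsoft Office\root\Office16"},
                    "hash": "HASH_OUTLOOK_PLACEHOLDER", "owner": "IT", "reason": "email client"},
    "erp_client.exe": {"paths": {r"C:\Program Files\ERP"},
                       "hash": "HASH_ERP_PLACEHOLDER", "owner": "Finance", "reason": "ERP front end"},
    "powershell.exe": {"paths": {r"C:\Windows\System32\WindowsPowerShell\v1.0"},
                       "hash": "HASH_PS_PLACEHOLDER", "owner": "IT", "reason": "admin scripting"},
}

# Documented exceptions: an application allowed on specific hosts only.
EXCEPTIONS = {("DEV-01", "python.exe")}

# Constructed inventory as collected from two hosts: (host, name, directory, digest).
INVENTORY = [
    ("WKS-17", "outlook.exe", r"C:\Program Files\Microsoft Office\root\Office16", "HASH_OUTLOOK_PLACEHOLDER"),
    ("WKS-17", "erp_client.exe", r"C:\Program Files\ERP", "HASH_ERP_PLACEHOLDER"),
    ("WKS-17", "powershell.exe", r"C:\Users\jsmith\AppData\Local\Temp", "HASH_PS_PLACEHOLDER"),
    ("WKS-17", "updater.exe", r"C:\Users\jsmith\AppData\Roaming\svc", "HASH_UNKNOWN_1"),
    ("DEV-01", "python.exe", r"C:\Python39", "HASH_PY_PLACEHOLDER"),
    ("DEV-01", "erp_client.exe", r"C:\Program Files\ERP", "HASH_ERP_TAMPERED"),
]


def audit(inventory, baseline, exceptions):
    """Return a Finding for each inventory entry that is unknown, mislocated or altered."""
    findings = []
    for host, name, directory, digest in inventory:
        if name not in baseline:
            if (host, name) in exceptions:
                continue  # approved on this host; the justification lives with the exception record
            findings.append(Finding(host, name, directory, "not-in-baseline"))
            continue
        entry = baseline[name]
        # A known name running from an unexpected directory is as suspicious as an unknown name.
        if directory not in entry["paths"]:
            findings.append(Finding(host, name, directory, "unexpected-path"))
        if digest != entry["hash"]:
            findings.append(Finding(host, name, directory, "hash-mismatch"))
    return findings


def summarize(findings):
    """Count findings per reason so the audit can be triaged at a glance."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY, BASELINE, EXCEPTIONS)
    for f in results:
        print(f"{f.host}: {f.name} in {f.path} -> {f.reason}")
    print(summarize(results))
```

The sample run reports three deviations: an unknown `updater.exe` under a user profile, a copy of `powershell.exe` running from a temp directory, and an ERP client whose digest no longer matches the baseline. The exception set is what keeps the audit honest: every entry in it should carry the same owner-and-reason context as the baseline, so that a later reviewer can tell a documented exception from an unexplained one.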
