The Anatomy of a Ransomware Attack: Ten Steps to Defending Your Company Against Cybercrime

1 October 2021

According to data from Egress, a ransomware attack occurs every eleven seconds. The frequency of attacks on a daily basis alone seems almost incomprehensible, let alone on a monthly, quarterly or annual scale. In addition to this, companies have reported an average downtime of twenty-one days after a ransomware attack has occurred.

With all this in mind, can you really afford to be the victim of a costly and crippling attack? Don’t be an easy target: follow our ten essential steps to secure your business against cybercrime.


1. Have a robust Incident Response Plan in place

As the age-old saying goes, ‘fail to prepare, prepare to fail’. The key is always to be prepared for any eventuality, and the effects of a ransomware attack can be significantly mitigated by having an Incident Response (IR) plan in place. Within your plan, it’s pivotal that you assign roles and responsibilities across the company, making people aware of who will be in charge when something unforeseen occurs.

Another element to this is implementing specific responses within your IR plan for particular scenarios. The skeleton structure of your IR plan should always be ‘here’s our plan, here’s who’s responsible, at a high level this is what we are going to do and how we are going to do it, this is who to call’. But as an appendix or annex, you should ideally detail what your response will be if the incident is ransomware, specifying the steps that you will follow.

A core plan sets the scene, and as part of that you can have steps for individual scenarios so that you can plan for the ones that are most likely to happen and/or require the most specialist or technical assistance and involvement.


2. Engage Specialist Breach Responders (IR/PR/Legal) before an incident occurs

While there is the technical element of the response, you also must bring in other areas of your business – whether that’s marketing, PR, legal teams or finance. The incident may touch every area of the company depending on what your company does.

It’s pivotal to make those who are most likely to be involved in a response aware that (a) a plan exists and (b) they probably have a role in it. This will also ensure that you have information and statements ready to be released as soon as they’re required.


3. Invest in Mailbox Protection Solutions

You may be surprised to hear that your email software can prove an important tool for detecting ransomware. Phishing emails are the most common way that ransomware gets into an organisation, and there are solutions that can help to filter the email before it lands in people’s inboxes.

Common email providers like MS Office 365, for example, have mailbox protections in place. They will scan emails on your behalf, looking for corrupt attachments and dodgy links. You can set the platform up to undertake a variety of enhanced security measures, but perhaps most importantly, you can stop it sending dodgy emails to end users. They will get blocked, bounced or returned. Having that level of filter in place reduces the likelihood that something untoward makes its way through your organisation.

Ultimately, if the dodgy email doesn’t exist then there’s nothing for anyone to click on, eliminating the problems that could arise. That doesn’t mean it’s foolproof, but it’s a well-tested technology. There are lots of products and vendors on the market, but effectively they all do the same thing.


4. Disable and remove old user accounts

Lots of security frameworks, like ISO 27001, PCI DSS and Cyber Essentials, mandate removing retired or disabled user accounts. Ideally, when a user leaves, a policy should be implemented whereby a member of your IT team receives a notification that says, ‘John or Jane Smith has now left the company, please disable their user account.’ What many people fail to realise is that a disabled user account still exists. Because of this, it can potentially be reactivated by an attacker.

There’s a second step to this process, which is that after an appropriate number of days, the account should be deleted completely. Occasionally, a user will leave and the IT team will simply change their password, under the logic that if a user doesn’t know their own password they cannot access their account anymore. But, again, the user account still exists and depending on what type of user account it is, that could be an issue. If it’s someone that had high access level privileges, that’s a ghost account that’s floating around and you don’t want that level of access ending up in the wrong hands.

It’s those kinds of things that hackers take advantage of. They may be able to access your organisation through a ‘normal’ user account, but once they’re in there, they may start looking at who else is in the organisation. If they find an account that looks like it’s dormant, that generally means no-one is going to flag when it gets logged into, and the fact that it’s probably not actively monitored means it’s likely to be completely forgotten about.
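The two checks described above (disabled accounts that still exist past a retention window, and dormant accounts that nobody would notice being used) can be automated against a directory export. This is an added example, not code from the original article; the account records, the retention thresholds and the export fields are all constructed assumptions.

```python
"""Review of disabled and dormant accounts over a constructed directory export.

Added example. Assumes an export with each account's enabled flag, last logon
date, date disabled (if any) and privileged-group membership; the records and
thresholds below are constructed, not taken from any real directory."""
from datetime import date, timedelta

# Constructed sample export (not real accounts).
ACCOUNTS = [
    {"name": "jsmith", "enabled": False, "last_logon": date(2021, 5, 3),
     "disabled_on": date(2021, 6, 1), "privileged": False},
    {"name": "svc_backup", "enabled": True, "last_logon": date(2021, 2, 10),
     "disabled_on": None, "privileged": True},
    {"name": "adoe", "enabled": True, "last_logon": date(2021, 9, 28),
     "disabled_on": None, "privileged": False},
    {"name": "old_admin", "enabled": False, "last_logon": date(2021, 9, 1),
     "disabled_on": date(2021, 9, 20), "privileged": True},
]

DELETE_AFTER_DAYS = 90   # retention window for disabled accounts (assumed)
DORMANT_AFTER_DAYS = 60  # no logon for this long means review (assumed)


def review_accounts(accounts, today_iso, delete_after=DELETE_AFTER_DAYS,
                    dormant_after=DORMANT_AFTER_DAYS):
    """Return (to_delete, dormant) as lists of account names.

    to_delete: disabled accounts past the retention window; they still exist
    and could be re-enabled, so they should be removed.
    dormant: enabled accounts nobody has logged into recently; privileged
    ones are listed first, as a forgotten admin account is the worst case."""
    today = date.fromisoformat(today_iso)
    to_delete, dormant = [], []
    for acct in accounts:
        if not acct["enabled"]:
            disabled_on = acct["disabled_on"]
            if disabled_on and today - disabled_on >= timedelta(days=delete_after):
                to_delete.append(acct["name"])
        elif today - acct["last_logon"] >= timedelta(days=dormant_after):
            dormant.append(acct)
    dormant.sort(key=lambda a: (not a["privileged"], a["name"]))
    return to_delete, [a["name"] for a in dormant]


if __name__ == "__main__":
    delete, review = review_accounts(ACCOUNTS, "2021-10-01")
    print("delete now:", delete)        # ['jsmith']
    print("review (dormant):", review)  # ['svc_backup']
```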


5. Make sure you have a process in place for mass password resets

Ideally this will be part of your incident response plan. If you do have an incident, it’s a case of having an ‘in case of emergency: push this button’ mass reset to immediately reset everybody’s passwords.

Potentially a hacker could gain access using someone’s password, but if you have the ability to change it quickly that will cut off access. Having a procedure in place ahead of time for how you’re going to achieve this is a very useful control for fighting the fire.


6. Ensure that your back-up is isolated

Unfortunately, it’s not all that uncommon for companies to have their back-ups connected to the rest of their IT environment. Because they’re connected, they’re visible: a hacker who gets into the environment can look around and see where everything is. A hacker could spot a back-up server, or something that looks like a back-up, and either delete or encrypt its contents. This means the company cannot recover from that back-up because they can’t get to that data, which can have potentially ruinous effects.

Severing that link and keeping the back-up completely separate is key, certainly in the instance of a ransomware attack.


7. Restrict Administrative access

We have a concept of least privilege in cyber security, which means that people have only the rights they need to do their job and nothing extra.

Most people in an organisation do not need the ability to change the settings on computers, or to log into servers, because they don’t need that access as part of their job role. When users get set up, ideally, they have rights specific to their role or their department. The control prevents people from having access to things they don’t require, limiting the impact should a ransomware attack occur.

If an employee has access to everything in an organisation and clicks on a link within a phishing email that turns out to be ransomware, the unnecessary exposure means the hacker also gains that same level of access too. Essentially, it’s a disaster waiting to happen.


8. Implement IP Whitelisting

In order to connect to the internet an IP address is required; the easiest way to describe it is as something like a telephone number. You have a unique telephone number and when you want to speak with someone, that’s the number that you call.

The same theory applies with an IP address. This computer wants to speak to that computer, and so they both need to know a unique identifier between their computers – an IP address. What you can do, especially in the world of remote access, is whitelist (specifically allow) particular IP addresses and only those that you want to access things remotely.

Effectively, you’re blocking everything and only allowing access to the IP addresses that you trust. If you’re a business you may have people that work from home, and you know their IP addresses so that only those people are allowed to connect. It doesn’t work in every scenario because IP addresses can change, but it can prove an effective restrictive measure.
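The ‘block everything, allow only trusted addresses’ idea above, and the caveat that addresses change, can both be checked against a remote-access gateway’s logs. This is an added example, not code from the original article: the allowlist, the log format and the addresses (RFC 5737 documentation ranges) are all constructed assumptions.

```python
"""Remote-access allowlist check over constructed gateway log lines.

Added example. The allowlist, log format and addresses are assumptions: an
office range and one home worker's static address are allowed; anything
else is reported for review."""
import ipaddress
import re

# Constructed allowlist: a CIDR range for the office, a single home address.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed VPN gateway log lines (not real traffic).
LOG_LINES = """\
2021-10-01T08:02:11Z vpn login user=jdoe src=203.0.113.45 result=success
2021-10-01T08:05:40Z vpn login user=asmith src=198.51.100.7 result=success
2021-10-01T08:09:03Z vpn login user=admin src=192.0.2.200 result=success
2021-10-01T08:09:30Z vpn login user=jdoe src=198.51.100.9 result=failure
""".splitlines()

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)")


def is_allowed(src, allowlist=ALLOWLIST):
    """True if src falls inside any allowed network; a malformed src is denied."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def find_unallowed_logins(lines, allowlist=ALLOWLIST):
    """Return (user, src, result) for every attempt from outside the allowlist.

    A successful login from outside the list matters most: either the gateway
    is not enforcing the list, or a user's address changed and the list is
    stale, which is the caveat about changing IP addresses noted above."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and not is_allowed(m["src"], allowlist):
            hits.append((m["user"], m["src"], m["result"]))
    return hits


if __name__ == "__main__":
    for user, src, result in find_unallowed_logins(LOG_LINES):
        print(f"outside allowlist: {user} from {src} ({result})")
```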


9. Deliver mock incident workshop scenario planning

It’s a great idea to have a plan in the first place, but it’s also vitally important to test that plan in a semi-realistic exercise. Everyone that’s involved in your plan should have the chance to walk it through in a tabletop exercise or similar, because with the best will in the world you can write a plan and someone may say ‘that’s not the way we do things’ or ‘that’s changed’ or ‘Jane/John have moved departments.’

Making sure that the plan is representative of the real world is always effective. Plus, it gets people who are named in the plan thinking about what they would do in the situation. It also makes them aware that the plan exists.


10. Implement alternative communication systems

It’s incredibly important to ensure that you have alternative communication systems in place, so that you’re able to communicate with your employees should a ransomware attack occur.

It’s common knowledge that ransomware attacks are likely to lock you out of and paralyse your software, preventing you from being able to access the internet to search for help, let alone communicate with your staff and colleagues.

Having an alternative communication system in place would enable you to let your staff know what’s going on, and keep them in the loop with any further action required for the next steps.


IntaForensics provides a comprehensive range of security services designed to prevent, monitor, and respond to security breaches.

We boast a team of 50 cyber security and digital forensic experts and a growing market presence. Our consultants will be able to assist with all digital forensic investigations, PCI/DSS QSA, PCI/DSS PFI, Cyber Security and Incident Response.

Quality underpins everything we do, and we are proud to be UKAS 17025:2017 accredited and ISO/IEC 27001:2013, ISO 9001:2015 and ISO 14001:2015 certified.

To find out more about our services, Tel: 0247 77 17780 to speak with a member of our team, or fill in our online contact form.
