Dealing with a ransomware attack during the COVID-19 pandemic could be a nightmare scenario. While the basics of protecting your organization won’t change during this pandemic; there are some additional challenges that should be considered.

Criminal groups are increasingly switching to COVID-19 themed lures for phishing exploiting your consumers’ and employees’ concerns over the pandemic and the safety of there loved ones.

There’s also evidence that remote working increases the risk of a successful ransomware attack significantly. This increase is due to a combination of weaker controls on home IT and a higher likelihood of users clicking on COVID-19 themed ransomware lure emails given levels of anxiety.

Some current ransomware lures include:

• Information about vaccines, masks and short-supply commodities like hand sanitizer.
  
• Financial scams offering payment of government assistance during the economic shutdown.
• Free downloads for technology solutions in high demand, such as video and audio conferencing platforms.
• Critical updates to enterprise collaboration solutions and consumer social media applications.

We’ve also seen a move towards more creative ways of extorting ransoms. These include ‘double extortion,’ where ransomware encrypts your data and forces you to pay a ransom to get it back and then sends your data to the threat actor, who threatens to release your sensitive data unless further ransom is paid.

During this pandemic, your organization faces three simultaneous challenges:

• The threat landscape is evolving to use COVID-19 as an allure to more successfully deposit ransomware in your network. 
• Preventative and detective controls may have had to be adapted to permit more flexible working practices.
• The security team is having to manage incidents in unfamiliar conditions, including lockdown, with playbooks that don’t cater to these operating modes. So, where do we go from here?

The security function, compliance team, and internal audit team may be described as the first, second and third lines of defense. Still, users will always be on the front line — education and awareness matters.

Help staff spot COVID-19 email attachments and website links that could contain ransomware, by showing typical attack examples and providing tips on recognizing lures.

• Give staff a practical guide on what to do if their device is compromised. Reassure them about any personal threats received, provide details on whom to call and what to do with the infected device including disconnecting it from the internet.
• Reinforce a no blame culture. It’s more important that staff feel confident to report incidents and allow the organization to deal with the consequences.

Some practical steps to consider when defending your system against ransomware during these unusual times:

• Ransomware can overwrite incremental and other online backups. Take regular, full system backups of your servers, databases and filestores, and make sure you confirm the validity of those backups.
  
• Consider an additional archive copy of key servers and data sets that are stored off-line or in a form that can’t be tampered with by a criminal who acquires domain administrator rights.
• Patching critical vulnerabilities even during change freezes remain as important as ever, including endpoint devices, with a particular focus on browser and productivity application vulnerabilities. Check whether devices are accepting updates by VPN.
• Be more cautious in the configuration of email phishing controls. Flag emails which are external to the organization, make it easy for employees to report suspicious emails (e.g. the report message add-in in Outlook), and use a COVID-19 community blocklist.
• Consider more thorough checking of embedded email links, including blocking uncategorized websites, using Microsoft Advanced Threat Protection (ATP) safelinks functionality or using a DNS filtering service such as the Quad 9 from the Global Cyber Alliance.
• Many current attacks exploit scripting infections. Limiting the use of scripting languages and macros to users who need the functionality can reduce risk. Consider stricter ‘safelisting’ of programs to limit application use to productivity and necessary audio/video conferencing tools for most remote workers.
• Encourage a stricter separation between personal and corporate devices, employees can use their own devices for personal email and browsing activity.

Think through how your organization would deal with a ransomware incident during COVID-19 before it happens. 

• Review ransomware incident playbooks and ask whether physical lockdown restrictions may change the way the incident is managed.
• Ensure incident response teams can travel, that they have letters confirming their status as critical workers if challenged, and that they're able to gain access to key sites/premises which may not be fully manned.
• Consider the need to augment your incident response team if key team members are incapacitated or in self-isolation.
• Assess if an alternate incident response coordination and collaboration mechanism is required if your corporate IT and standard conferencing systems are disrupted by ransomware.
• If remote working devices are encrypted, is there a means to provide replacement devices to priority users, or enable BYOD access for those users.
• If there’s a need to rebuild corporate devices used for remote working, how will those devices be returned, are there any necessary hygiene precautions, and what’s the process for rebuilding those devices?
• Plan a recovery sequence for servers to ensure key business processes can get back up and running, and ask whether those priorities have changed given new working models and patterns of demand.
• Be realistic regarding timelines for full restoration of business services, which may be weeks rather than days. Work with business continuity teams to look at mitigations and workarounds, which may limit customer or corporate impact.
• Understand what support any retained cyber incident response firm and existing cyber insurance policy can provide. Again, there may be limitations on the support those firms can now offer, mainly if international travel is involved.
• Refresh the policy on ransom payments, taking legal advice if appropriate.
• Practice an incident drill while working remotely.

Cybersecurity matters more than ever during COVID-19, and the risk of ransomware has increased as a result of the shift to remote working.

Be clear on priority actions that need attention for the first 72 hours if a ransomware incident occurs. Where will your organization get the support it needs? Does lockdown constrain the ability to respond? And does the new working model change the priorities for business restoration?

If you have any questions or would like additional advice,  please contact us.