“Emotet” was considered a particularly dangerous ransomware variant for a long time. Highly professional phishing mails have deceived many users and infected systems.

The FBI and Europol finally deactivated the network behind it in January 2021. Since mid-November 2021, however, evidence has been gathering that Emotet is on fire again. The cybercriminals behind the malware seem to continue to be active in the background and re-emerging along with new versions of the malware. It is also recommended to block the historically known control servers of Emotet. [1]

Not without reason, ransomware is a prominent topic in many companies with very many open questions. In November 2021, the SANS Institute published the results of its “Ransomware Detection and Incident Response Report. ” Different cyber-attack scenarios were compared with known Ransomware strategies. The most important point: In an emergency, a prepared incident process is needed to enable a quick and undelayed response. Especially with ransomware attacks, every minute counts to keep the negative effects as low as possible. [2]

How to make it harder for cybercriminals?

In the report of the SANS Institute, the procedures for cyber-attacks and ransomware attacks were analysed in depth. In the case of the latter, three points are particularly relevant to prevent security incidents.

1) User accounts with many rights

Avoid accounts in the system that are provided with very high rights for the necessary (daily) activities. Especially such overprivileged and unverified accounts are highly vulnerable to ransomware attacks.

2) Ignoring or reacting too late to conspicuous behaviour

Ransomware generates conspicuous activities, e.g., additional network traffic in the affected systems and networks, especially at the beginning. At this point, there is still a lot that can be saved by reacting quickly. Take precautions to report and react to such incidents as soon as possible.

3) No clear actions and lack of instructions for action

In case of suspicion, only the quick identification and separation of affected resources helps. This can be the blocking of a conspicuous account, the blocking of conspicuous traffic to internal or external, but also the complete isolation of entire systems. Only by acting quickly and consistently is it possible to minimise damage. Don’t waste any time before the attacker can deeply implant, spread, and destroy important systems.

How to achieve a successful restoration?

The SANS report discusses five elementary components of an incident plan to get as unharmed as possible by a cyber attack.

1. Preparation and definition of necessary processes
2. Monitoring for the detection of occurrences
3. Definition of steps for rapid containment of incidents
4. Measures to sustainably remedy the disturbance/attack
5. Arrangements for the safe recovery of systems and data

A continuous improvement process is also recommended to adapt better to rapidly changing threats.:

6. Carrying out post-mortem analysis, improving infrastructure and adapting and optimising the emergency plan

Conclusion: Ransomware remains a critical threat to businesses. The approach is still very targeted and usually uses the same patterns: Searching for vulnerabilities inaccessible systems and/or targeted e-mail phishing attacks on employees is used to access the corporate network. Good preparedness for such cyber attacks and an up-to-date contingency plan can help to significantly minimise the impact and damage.

Sources: