Rapid7: Ransomware Playbook - prevention and action

In our last article on Rapid7’s newly released Ransomware Playbook, we explored how ransomware is changing and how to identify risk

Jul 15 | Magazine | 9 min read


Whilst knowing the shape of the cybercrime landscape is a vital part of combatting it, no security strategy can be complete without informed guidance on how best to prevent a cyberattack, or deal with one already underway.

The best defence is prevention

With cybersecurity, as with physical health, it is far better and easier to nip problems in the bud before they take on larger, more serious proportions.

First and foremost, importance should be placed on ‘user education’ regarding ransomware to ensure an organisation has a solid surface-level defence.

“User education is the first line of defence in our preventative arsenal - people should not be clicking suspicious links or visiting websites that are known carriers of malvertising networks. Organisations should look to add technology and content that reminds the user to be cautious when the user needs to be cautious,” says the report.

Other useful methods for prevention include:

  • Reduce the company’s ‘attack surface’ by segmenting networks so that a single compromised point cannot lead to total infiltration, and by siloing mission-critical systems from the rest.
  • Administer account permissions so that users and services hold only the access they need.
  • Use mail scanners to filter suspicious files or attachments.
  • Scan for vulnerabilities regularly and thoroughly, and patch any weaknesses quickly.
  • Monitor processes and macro scripts that could be used to deliver or run malware.

Taking direct action

Establishing a good culture of ransomware prevention should stand you in good stead for avoiding a cyberattack in most instances. However, once a threat has been detected it is often too late to consider further prevention. Instead, Rapid7 states that organisations must take swift and decisive action.

Three options are immediately available:

  1. Isolate and remove the infected system from the rest of the network to contain the threat.
  2. Ensure that all files are backed up regularly and can be restored at short notice if required.
  3. Where possible, issue new assets in cases where you have reason to suspect that old equipment has been compromised or poses a substantial risk.

Most importantly, Rapid7 advocates that companies do not succumb to the temptation of paying a ransom to restore systems, even if it initially appears the most expedient solution:

“Most stances, including the US FBI, recommend not paying the ransom demanded by cybercriminals. Similar to other criminal actions, it’s recommended not to negotiate since there is no guarantee the criminals will send you the decryption keys and you’ll regain access to your files.

“Paying the ransom will encourage criminals to continue carrying out these attacks by funding their activity.”

How can Rapid7 benefit your business?

As its Ransomware Playbook makes clear, Rapid7 is an expert on every layer of cybersecurity which can help ensure the integrity of mission-critical systems and valuable data. 

For risk management and preventative measures, the company’s InsightVM solution will identify and prioritise core assets that some organisations might not consider as being at risk from malware.

Regarding incident detection, InsightIDR “uses a variety of mechanisms to detect ransomware in your environment utilising the configured foundational event sources and the endpoint agents.” 

It does this by tackling the four distinct stages of ransomware, namely: initial ingress, code execution/download/deployment, defence evasion and spread.

“Beyond curated threat signatures, InsightIDR comes with pre-built Attacker Behavior Analytics (ABA) detections built by the Threat Intel team. 

“ABA applies Rapid7’s existing experience, research and practical understanding of attacker behaviours to generate investigative leads based on known attacker tools, tactics and procedures (TTP),” says the report.

Proper utilisation of these tools, in addition to Rapid7’s constantly expanding library of plugins and workflows (Extensions), will make an organisation thoroughly resilient to the trials of modern cybersecurity.

Education, practical knowledge and strong partnerships will all play their role in ensuring that ransomware doesn’t impact your business; Rapid7 is amongst the best at fulfilling all three.
