Kaspersky Offers Guidance for Individuals and Companies on Dealing with Data Leaks
Amid growing concern about data security following the recent high-profile ransomware attack on a national telecommunications company, Kaspersky is issuing timely advice for individuals whose data may have leaked and for companies facing a ransomware attack.
According to industry estimates, a ransomware attack hits an organization every 11 seconds, causing around $20 billion in damages globally. This type of threat typically results in significant losses, both financial and reputational.
“Our recent survey found that 88% of company executives are willing to pay the ransom after a successful ransomware infection. This shows the desperation of companies to get back their data. Unfortunately, when news outlets or hacker forums report that your company has become a victim of such an attack, it can potentially attract the attention of other attackers, more so if you have agreed to pay the ransom. It’s also important to remember that paying the ransom does not guarantee that you will get all your data back,” says Adrian Hia, Managing Director for Asia Pacific at Kaspersky.
CyberSecurity Malaysia (CSM), for its part, also discourages companies affected by ransomware from giving in to the attackers’ demands and urges them instead to seek assistance from the authorities. CSM has pledged to provide guidance on tackling such incidents, or to refer victims to international partners for further assistance if an attack is too complex to handle locally.
While the incident is still under investigation, a potential data leak also has implications for the affected customers. Kaspersky strongly recommends that concerned Malaysians take the following steps immediately:
- As soon as you realize your data may be compromised, inform the people in your life of what happened so they can avoid possible scams using your identity and help you report the incident to the authorities.
- Check whether your email address has been exposed at https://haveibeenpwned.com. Enter the email address you use and the site will tell you whether that address appears in any of the leaked databases it knows about.
- Change the passwords on all your accounts. If security questions and answers or PIN codes are attached to an account, change those too, and use strong, unique passwords for each account. One of our experts shares how to create one here.
- Secure your computer and other devices with antivirus and anti-malware software. If your device has Kaspersky Premium or Kaspersky Plus installed, you can use its Data Leak Checker feature, which monitors the internet and the dark web and alerts you if your personal data turns up there.
- Protect your financial privacy. Even if your payment information is safe, it’s a good idea to set up credit monitoring. It alerts you to changes to your credit report, such as someone applying for new credit in your name.
- Don’t respond directly to requests from a company to hand over personal data after a data breach; it could be a social engineering attack. Take the time to read the news, check the company’s website or phone its customer service line to confirm that the request is legitimate.
- Sign up for two-factor authentication (2FA) wherever it is available. It adds an extra layer of security to your online accounts by requiring a second proof of identity (such as a one-time code) in addition to your password.
- Monitor your accounts for signs of new activity. If you see transactions you don’t recognize, address them immediately.
For organizations whose information has been encrypted for ransom, now is the time for cool heads and quick, decisive action. Your response will help determine whether the incident becomes a lasting crisis for the company or a feather in your cap.
The recovery process can be summarized in four steps:
- Step 1: Locate and isolate. Determine the extent of the intrusion. Start by looking for infected computers and network segments and immediately isolate them from the rest of the network to limit the spread. If your company has only a few computers, start with antivirus, endpoint detection and response (EDR) and firewall logs; for very small deployments, physically walk from machine to machine and check them. If there are many computers, analyze the events and logs in your security information and event management (SIEM) system. After isolating infected machines from the network, create disk images of them (and capture memory if you can, since the running payload and its keys may still be in RAM) and leave the machines alone until the investigation is over.
- Step 2: Analyze and act. First, see to the security of the rest of the network. Then start threat hunting: analyze the ransomware, figure out how it got in and which groups usually use it. Ransomware doesn’t simply appear; a dropper, remote access Trojan (RAT), Trojan loader or something of that nature installed it, and that initial foothold has to be found and removed as well.
  For any cybersecurity breach or attack, you need to perform an incident investigation and response to determine the root cause and ensure a similar incident does not happen again. If your internal team does not have the skills and experience, engage a qualified third party such as Kaspersky Incident Response Services to provide comprehensive digital forensics and incident response.
- Step 3: Clean up and restore. Turn your attention to the computers that are out of commission. For those no longer needed for the investigation, wipe the drives and restore data from the most recent clean backup (check that the backup predates the intrusion, or you may restore the attacker’s foothold along with your data). If you have no backup, try to decrypt what’s on the drives. Start at Kaspersky’s No Ransom website, where a decryptor may already exist for the ransomware you encountered. If it doesn’t, contact your cybersecurity provider for help. In any event, don’t delete the encrypted files: new decryptors appear from time to time, and there might be one tomorrow.
  Regardless of the particulars, don’t pay up. You would be sponsoring criminal activity, and the chances of getting your data decrypted are not high. Besides blocking access to your data, the attackers may also have stolen it for extortion, and paying encourages them to ask for more. In general, treat any stolen data as public knowledge and prepare to deal with the leak. Sooner or later you will have to talk about the incident with employees, shareholders, government agencies and quite possibly journalists. Openness and honesty are important and will be appreciated.
- Step 4: Take preventive measures. A major cyber incident always means big trouble, and prevention is the best cure. Prepare in advance for what could go wrong:
  - Install reliable protection on all network endpoints (including smartphones)
  - Keep offline or immutable backups of critical data and regularly test restoring from them, so that an encrypted network does not also mean encrypted backups
  - Segment the network and protect it with well-configured firewalls. Better still, use a next-generation firewall (NGFW) or a similar product that automatically receives data about new threats
  - Look beyond antivirus to powerful threat-hunting tools
  - Deploy a SIEM system, if you are a large company, for immediate alerts
  - Train employees in cybersecurity awareness with regular interactive sessions
  - Deploy a Managed Detection and Response service to proactively monitor for and detect cyber-threats and attacks that automated prevention and detection tools may have missed
  - Deploy threat intelligence to understand the adversaries targeting your organization, its reputation and its assets, which enables better mitigation measures
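The log review in Step 1 can be automated as a first pass before analysts dig in. The script below is an added example, not Kaspersky’s tooling or anything from this guidance: it assumes a hypothetical pipe-delimited SIEM export (timestamp|host|event|detail), scans constructed sample lines for three classic ransomware behaviours (shadow-copy and backup-catalog deletion, bursts of file renames that append a new extension, and ransom-note creation), lists the hosts to isolate, and hashes the preserved artifacts so the evidence can later be shown to be unaltered. The regexes, thresholds and host names are illustrative assumptions, not a detection standard.

```python
"""Triage constructed endpoint/SIEM log lines for ransomware indicators.

Added example (not Kaspersky's tooling). The log format is hypothetical:
one event per line, pipe-delimited as  timestamp|host|event|detail
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample export; hosts, paths and timings are invented.
SAMPLE_LOGS = """\
2024-05-01T09:01:12Z|WS-017|process|vssadmin.exe delete shadows /all /quiet
2024-05-01T09:01:13Z|WS-017|process|wbadmin.exe delete catalog -quiet
2024-05-01T09:01:20Z|WS-017|file_rename|D:\\Finance\\Q1.xlsx -> D:\\Finance\\Q1.xlsx.locked
2024-05-01T09:01:20Z|WS-017|file_rename|D:\\Finance\\Q2.xlsx -> D:\\Finance\\Q2.xlsx.locked
2024-05-01T09:01:21Z|WS-017|file_rename|D:\\Finance\\budget.docx -> D:\\Finance\\budget.docx.locked
2024-05-01T09:01:21Z|WS-017|file_rename|D:\\Finance\\payroll.pdf -> D:\\Finance\\payroll.pdf.locked
2024-05-01T09:01:22Z|WS-017|file_rename|D:\\Finance\\audit.pptx -> D:\\Finance\\audit.pptx.locked
2024-05-01T09:01:25Z|WS-017|file_create|D:\\Finance\\README_TO_RESTORE.txt
2024-05-01T09:03:40Z|FS-02|file_rename|E:\\Share\\a.docx -> E:\\Share\\a.docx.locked
2024-05-01T09:03:40Z|FS-02|file_rename|E:\\Share\\b.docx -> E:\\Share\\b.docx.locked
2024-05-01T09:03:41Z|FS-02|file_rename|E:\\Share\\c.xlsx -> E:\\Share\\c.xlsx.locked
2024-05-01T09:03:41Z|FS-02|file_rename|E:\\Share\\d.xlsx -> E:\\Share\\d.xlsx.locked
2024-05-01T09:03:42Z|FS-02|file_rename|E:\\Share\\e.pdf -> E:\\Share\\e.pdf.locked
2024-05-01T09:10:00Z|WS-042|file_rename|C:\\Users\\bob\\report.docx -> C:\\Users\\bob\\report_v2.docx
2024-05-01T09:12:30Z|WS-042|process|vssadmin.exe list shadows
"""

# Commands ransomware commonly runs to destroy local recovery options.
BACKUP_DESTRUCTION = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wbadmin(\.exe)?\s+delete\s+catalog"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no",
    re.IGNORECASE,
)
# Typical ransom-note names; a weak indicator on its own (READMEs are common).
RANSOM_NOTE = re.compile(r"readme|decrypt|restore|how_to|recover", re.IGNORECASE)
RENAME = re.compile(r"^(?P<old>.+?) -> (?P<new>.+)$")


def parse(log_text):
    """Yield (timestamp, host, event, detail) tuples from the export."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = line.split("|", 3)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), host, event, detail


def triage(log_text, rename_threshold=5, window_seconds=60):
    """Return {host: [indicator, ...]} for hosts showing ransomware behaviour."""
    renames = defaultdict(list)   # host -> timestamps of suspicious renames
    findings = defaultdict(list)
    for ts, host, event, detail in parse(log_text):
        if event == "process" and BACKUP_DESTRUCTION.search(detail):
            findings[host].append("backup/shadow-copy destruction: " + detail)
        elif event == "file_rename":
            m = RENAME.match(detail)
            # Only renames that append a new extension look like encryption;
            # report.docx -> report_v2.docx is an ordinary edit.
            if m and m.group("new").startswith(m.group("old") + "."):
                renames[host].append(ts)
        elif event == "file_create" and RANSOM_NOTE.search(detail.rsplit("\\", 1)[-1]):
            findings[host].append("possible ransom note: " + detail)
    # A burst of extension-appending renames within a short window.
    for host, stamps in renames.items():
        stamps.sort()
        for i in range(len(stamps) - rename_threshold + 1):
            span = (stamps[i + rename_threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                findings[host].append(
                    f"{rename_threshold}+ extension-appending renames within {span:.0f}s")
                break
    return dict(findings)


def hosts_to_isolate(findings):
    """A ransom note alone is weak evidence; isolate on the stronger indicators."""
    strong = ("backup/shadow-copy destruction", "extension-appending renames")
    return sorted(h for h, inds in findings.items()
                  if any(s in i for i in inds for s in strong))


def evidence_manifest(artifacts):
    """SHA-256 each preserved artifact (name -> bytes) so it can later be shown
    unaltered; record the digests next to the timeline of your own actions."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in sorted(artifacts.items())}


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    for host, inds in result.items():
        print(host, *inds, sep="\n  ")
    print("isolate:", hosts_to_isolate(result))
    print(evidence_manifest({"siem_export.log": SAMPLE_LOGS.encode()}))
```

Run as is to see the constructed data triaged: WS-017 and FS-02 are flagged (FS-02 only through the rename burst, which is what a file server being encrypted over a share looks like), while WS-042, which merely listed shadow copies and renamed one document, is not. In practice, feed it an export from your EDR or SIEM and tune the rename threshold and window to the file-activity baseline of each host class, since file servers legitimately rename far more files than workstations.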
As you step through the recovery process, document all your actions, both for transparency in the eyes of employees and the wider world and because regulators and law enforcement may later ask for a timeline. Preserve any evidence of the ransomware you can for later efforts to locate other malicious tools on your systems: save logs, samples and other traces of the malware that may be needed in a subsequent investigation.
Our doors at Kaspersky are always open to share our expertise with any organization, public or private, facing these kinds of challenges.