- Many law enforcement agencies and cybersecurity analysts now recommend that if you don't pay the ransom, you keep your encrypted data, the ransom notes, and your backups anyway. The reason is that sometimes the decryption key becomes available long after the ransomware event without anyone paying for it. This has happened a number of times: law enforcement actions have seized keys, researchers outside the gang have broken the encryption, rival ransomware gangs have leaked each other's keys to disrupt the competition, and disgruntled insiders have published keys to hurt their former employers. Encrypted files you deleted can never be recovered, no matter what becomes available later.
- Our friends at Huntress discussed in a presentation a site they liked called ID Ransomware. This site allows you to upload a ransom note or a sample encrypted file. It matches the note and the encrypted file's extension and format against known families, tells you which form of ransomware you have, and tells you whether a decryptor is available without paying the criminals. Because new decryptors appear over time, it is worth re-checking periodically. You can find the site at: https://id-ransomware.malwarehunterteam.com/
Of course, the best defense is to never get ransomware in the first place. Start with patching everything in your network regularly, including operating systems, third-party applications, BIOS, firmware, and more. Add layers of antivirus and advanced EDR protection: Windows Defender, and our CSEDR featuring SentinelOne with a 24x7x365 Security Operations Center watching your endpoints. Add Huntress, which provides advanced behavior-based analysis backed by their security analysts. Then add DNS filtering such as Cisco Umbrella to block connections to known-malicious domains before an infection can get started, and advanced email protection including link protection and attachment sandboxing. Oversee all of that with firewall logging and monitoring, and keep tested, offline backups so recovery never depends on a decryptor.
If you are missing parts of my list in your security stack, give us a call, and let's figure out how to improve your district's security posture.
-Scott Quimby, CISSP