As the ransomware used on Garmin did not have known weaknesses or decryptors, Garmin probably negotiated with them. They might have paid the full $10 mil though.

#cybersecurity #ransomware #security #CISO #CISOthoughts

bleepingcomputer.com/news/security/…
And the provided decryption software included several pieces of security software that would help Garmin reduce the potential of another ransomware attack.
It is always good to have a customer centric focus, and even if you are peddling malware, it still behooves you to act professionally. These malware service providers are very professional. 10/10. Would pay again. 😂🙈😎
On a more professional note, there are things you can and must do before, during, and after.

If you have not been hit by ransomware, do this immediately:
1) have a good backup plan (and *TEST IT!*)
2) regularly scan for vulnerabilities *AND REMEDIATE AND PATCH ASAP*
3) Invest in application whitelisting software, *AND TAKE IT TO THE HIGHEST ENFORCEMENT LEVEL!*
4) Have a continuous education campaign for your staff, including contractors, employees, and anyone else with access to your data or systems.
5) Log, and watch for failures above.

If you are in the middle of an attack:

1) DON'T PANIC!
2) REALLY, DON'T PANIC!
3) Containment: Figure out what's been infected. Remove them from the network.
4) Figure out the extent of the data that's been ransomed.
5) Figure out if you can recover - can you live without the data if you restore? How much would it cost?
6) Check and see if the ransomware used has any weaknesses - a number of security professionals have cracked the code on some of these ransomware strains and provided decryptors for free.
7) Remember, if you pay, they know you paid, and another group would come after you again.
8) However, if the organization is finished if you don't pay, or if there are lives at stake - that's more important.
9) However you decrypt, or restore, do it in a clean fashion. Assume any computer infected has backdoors and hidden infections. REFORMAT AND REINSTALL FROM CLEAN MEDIA!
10) IMMEDIATELY SCAN FOR VULNERABILITIES AND PATCH ASAP.

Post attack:

1) Investigate and brief key stakeholders.
2) DO NOT ASSIGN BLAME - *YOU ARE ALL TO BLAME*. It is easy to say it was an oversight by security or IT did not patch, but these things did not happen overnight, and there's typically pushback from Business. I was at a place where vulnerabilities were known for 5-6 years, and there were vulnerabilities from 10-15 years ago, but nothing was done, until the CIO said - clean it up. And asked for status every week.
A 200,000 line spreadsheet of 10-15 years of vulnerabilities was cleared out in 12 months once it had the support and oversight of the CIO.
3) Go look at all the "Before" steps and implement them.
4) Remember. Microsoft had to stop all development for 3 months, sent all their developers to an intensive security development training, and it still took them years to improve their security. You have a culture that needs to be fixed.
You need to understand, to be customer focused, to provide the best level of service to your customer, means you have to treat their data as gold.