Q&A - Community Roundtable: What To Do During a Ransomware Breach

By Swathi posted 27 days ago

Here are the responses from our expert panelists for all of the questions asked by our audience during the recent community roundtable event regarding 'What to do during a ransomware breach'. Hope you find this helpful.

And don't forget to watch the replay here. Have more questions? Please post in the comments section below.

  • Is there a place where people make decoding tools for files available?
    • Various outlets and GitHub sites are available, but many times decrypting is just not an option without getting the keys. One site ( is a very popular one to visit, as it has various decoding tools for ransomware.
  • What are some things you can do to detect this activity early before damage is done?
    • This is a very broad question and has a lot of answers, but in general you need to understand and identify the tactics and techniques being used. (We discussed some of them today.) Then test your security controls against those techniques. Use the MITRE ATT&CK framework ( to help with the understanding of the TTPs. The site provides you a lot of information to help you detect them.
  • Hello, I worked previously with Veritas NetBackup and saw a case where ransomware infected the backups and the backup servers themselves.
    • In many cases the actors will destroy the backup system themselves. This is why it’s important to make sure you have a quick way of restoring these critical services, along with restoring your backup data, which should be kept off-site.
  • Are there different category types of ransomware? Targeting and encrypting critical data (single target server) vs. DOS ransomware across multiple workstations to cause business disruption?
    • There are many ransomware categories, but I don’t see a lot of them that are only targeting one server. Today we typically see one group getting access to a network, then selling that access to a ransomware group, which then steals data, does the encryption, and asks for a ransom. We have seen DOS ransomware as well, but not as much as the traditional file encryption.
  • If we have FortiGate data leak prevention (DLP) in place, AV updated, IPS, and HTTPS inspection as well, is this enough to protect from ransomware?
    • This is hard to answer, and it depends on the type of ransomware. It’s a good start, but I would look into EDR-like technology such as our FortiEDR to help detect some of the threats that may circumvent your security controls such as AV. AV is good to have but might not always detect all your threats. This is why the industry has created EDR/XDR technology to help better detect and protect against threats at the endpoint.

  • So, if an attacker can steal the data and delete the backups before deploying ransomware in your environment, what backup strategy or approach is recommended?
    • In general, backups should be kept off-site. If they delete the backups that you have on-net, you can at least restore from the off-site one. For data being exfiltrated, there is usually a good amount of noise that occurs before this happens, so ensuring you have the right controls and are collecting the right log data can help detect the activity before it happens. Also, EDR-like technology can help detect this type of activity. Hopefully someone is monitoring your network as well.

  • How was the Colonial Pipeline Ransomware attack different from other OT Ransomware attacks?
    • It really wasn’t. We obviously don’t know all the details, since there is an investigation and public information has been filtered. What we do know is that ransomware attacked an organization. The organization had segments that were less air-gapped and protected than they thought they were, either through function or business processes, and it appeared the organization paid the ransom with less than expected results. These are all tried-and-true stories we hear about ransomware.
  • In this pandemic age, if a remote worker's PC gets compromised on their home network what can I do to keep that from being transmitted to the corporate network via SSL-VPN other than 2FA?
    • First, ensure you have good technology on your endpoints protecting them, such as EDR/XDR, but if something happens to circumvent it, it’s important to minimize the access your remote users have to internal resources to only the ones needed. Also, ensuring the communications from your remote worker to internal systems are being scrubbed for malicious payloads will help.
  • With cryptocurrency has it been easier to track down threat actors since there is a public ledger that broadcasts all transactions, or has it become more difficult due to some of the other technologies in cryptocurrency?
    • It is easier to track down because we have gotten more experienced at tracking it down. In addition, Bitcoin is not anonymous, and many people link their real identities to their Bitcoin addresses in a variety of different ways. There are privacy-focused cryptocurrencies that are different from Bitcoin that make it much more difficult to track, and when they become the standard, we will be in a difficult situation tracking down and following the money.
  • What tools do you recommend for monitoring east-west traffic?
    • FortiGate VMs can help with this, but some sort of hypervisor implementation, such as feature sets on NSX, will be a help.
  • Threat Actors are making millions; we are making peanuts. How can we convince the clients to invest more in security rather than getting their insurance policy to pay the ransom?
    • Companies are still required to have a certain level of security standard before the insurance provider will pay the ransom so there is always an investment.
  • Do we have metrics at this point that reflect the value add of employing Fortinet's ecosystem security solution? In other words, are the rates of success and targeting against Fortinet-underpinned clients data that can be captured? It would be terrific as a means of showcasing ROI.
    • I am not aware of any specific metrics but will look into it.
  • What assurances do you have when you pay the ransom that your environment will return to a pre-attack status? These people are criminals, what is to stop them from attacking again or still releasing your data?
    • There are no assurances. The way you reduce the chances of getting re-infected is by shoring up the gaps in your security. Usually, an IR company helps you through an attack, and they will have recommendations to help close the gaps that were seen during the investigation. At the end of the day, it’s up to you to ensure you have the right measures in place. Continuous testing can help, leveraging things like breach and attack simulation technology.
  • If our company data is already encrypted, can it be encrypted a second time by a bad actor?
    • Yes, it can, which means you might need to pay twice to get the ransom recovered. Also, it may corrupt the data, meaning it can never be recovered.