Some believe that paying the ransom to criminals is the most cost effective and the fastest way to restore an organizations network, but that is not always the case. Additionally, paying a ransom lets threat actors know that an organization is willing to pay, therefore making them a likely target for additional for future attacks. Victims of ransomware must investigate and determine how malware was able to enter their network undetected. This investigation should be carried out before restoring networks. Before an attack takes place, organizations should have an incident response plan in place. A detailed plan should include response and notification procedures for a ransomware incident. Regularly patch software and operating systems to the latest available versions. Employ best practices for use of RDP and other remote desktop services by protecting them behind a strong VPN with Multi-Factor Authentication (MFA) and auditing any unusual login events from IP addresses or devices that are different from what the employee account normally uses. Threat actors commonly gain initial access through insecure Internet-facing remote services or phishing. When an attack makes it through the outer layers of defense, it is important to have a Security Operations Center or a managed security monitoring service with expert security analysts on duty, such as the Binary Defense Security Operations Task Force. The Task Force provides a 24/7 monitoring solution of SIEM and endpoint detection systems to detect and defend from intrusions on an organization’s network.

Sources: https://www.zdnet.com/article/ransomware-this-is-the-first-thing-you-should-think-about-if-you-fall-victim-to-an-attack/

https://www.ncsc.gov.uk/blog-post/rise-of-ransomware

https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks