What happens, and what should you do, when Ransomware Attacks?
Ransomware has been in the news and on our technological radar for a while now, but few people who have not experienced an attack know what truly happens. This article steps through how a ransomware attack progresses from start to finish. For each step it describes what happens and then lists the action items you can perform ahead of time to prevent the attack or lessen its severity.
1. Perimeter is Breached
Cybercriminals look for easy access to your systems. They can get it by sending an email with an infected attachment that an employee opens, or by compromising a web site so that it serves malware which probes the visiting user's PC for unpatched browser, plugin or operating system vulnerabilities (a so-called drive-by download). Often the user is not aware at the time that they did anything wrong.
ACTION ITEM: Install a robust, multi-layered security solution that continually checks for malware from several angles: anti-virus or anti-malware software, and ideally application whitelisting (allowlisting), which only lets approved executables run and therefore blocks an unknown ransomware binary even when signature-based tools miss it. Also remove local administrator rights from everyday user accounts, so that users cannot install software without help from a network administrator; malware running as a standard user has far less reach than malware running with administrator privileges.
2. Discovery and Panic
So, a user has managed to infect their computer and perhaps even the network. At this point the IT department discovers that an infection has spread into the network, and everything comes to a screeching halt. The one action that should not wait is containment: isolate the affected machines from the network so the encryption stops spreading to shared drives. Beyond that, there are many questions that must be answered before the IT department takes further action.
- How many computers are infected?
- Is the server infected?
- Has data been stolen?
- Do we have backups that can restore everything to normal and get everything back up and running smoothly?
ACTION ITEM: This is going to be a bad day for the company, and most of all for the IT department. You must have a Disaster Recovery/Business Continuity Plan in place, and tested, before this situation occurs; a plan that has never been exercised against a real restore from backup is a document, not a capability.
3. Do we pay the ransom?
Most ransomware demands payment in bitcoin. While there is some "honor among thieves", one out of every five companies did not get their files back even after paying the ransom. So there is roughly a 20% chance that you will not receive a working decryption key after paying.
ACTION ITEM: We do not recommend paying the ransom, for several reasons. There is no guarantee that you will get the decryption key from the cybercriminals, and even when you do, the ransomware is not your only problem: the key decrypts files, it does not remove the attackers' foothold, the malware itself, or whatever credentials they stole on the way in. If paying the ransom is your only option, that is a good indication that you have no working Disaster Recovery/Business Continuity Plan, and without one you will also struggle to fully clean the infection out of your infrastructure. Finally, every payment funds the next campaign; if enough victims stop paying, the business model behind ransomware weakens.
4. Downtime and Business Interruption
Most ransomware gives you a time limit to pay the ransom, usually three days. According to our survey, 48% of companies take several days to recover their data, and 41% report losing a significant number of files outright when it takes a day or more to detect the attack. While all this is happening, normal operations at your company are interrupted. How much of a disruption occurs depends largely on the preventive measures your IT staff took before the infection ever occurred:
- Do you have up-to-date backups?
- Have you updated and patched your software?
- Does the rest of your staff know the steps to take to stop the spread of an infection?
All of this affects your downtime and your losses in the face of an attack.
ACTION ITEM: Be prepared. Make regular backups, nightly at least, and keep at least one copy offline or otherwise unreachable from the network: ransomware routinely encrypts or deletes any backups it can reach on mapped drives and network shares. Test restores regularly; a backup that has never been restored is unverified. Stay on top of software updates and patches. Educate your employees on email best practices.
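One concrete way to know whether a backup is still trustworthy, rather than assuming it is, is to record a SHA-256 hash of every file at backup time and re-check those hashes before you rely on the copy. The script below is an added example written for this article, not a DNV GL tool or code from the original page; it constructs a tiny sample directory, backs it up with a hash manifest, then simulates an attacker who reached the backup location and both overwrote one file with random bytes and renamed another with a ".locked" suffix, two behaviours typical of ransomware. The file names and contents are made up for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # name of the hash manifest written into the backup


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dest: Path) -> dict:
    """Copy every file under src into dest and record its SHA-256 in a manifest."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)  # hash the copy, i.e. what we will restore from
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> dict:
    """Compare the backup against its manifest.

    Returns lists of files that are intact, modified (hash mismatch, e.g. encrypted
    in place), missing (deleted or renamed away) and unexpected (present but not in
    the manifest, e.g. a renamed ".locked" copy or a dropped ransom note).
    """
    manifest = json.loads((dest / MANIFEST).read_text())
    present = {p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file()}
    present.discard(MANIFEST)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(dest / rel) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(present - set(manifest))
    return report


def run_demo() -> tuple:
    """Constructed scenario: back up a small tree, then tamper with the backup copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "share"
        dest = Path(tmp) / "backup"
        (src / "docs").mkdir(parents=True)
        # Sample contents are constructed for this example.
        (src / "docs" / "report.txt").write_text("Q3 figures (constructed sample data)\n")
        (src / "docs" / "notes.txt").write_text("meeting notes (constructed sample data)\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")

        create_backup(src, dest)
        clean = verify_backup(dest)

        # Simulated ransomware with write access to the backup share:
        # one file overwritten with ciphertext-like bytes, one renamed with a ".locked" suffix.
        (dest / "docs" / "report.txt").write_bytes(os.urandom(64))
        (dest / "config.ini").rename(dest / "config.ini.locked")
        tampered = verify_backup(dest)
    return clean, tampered


if __name__ == "__main__":
    before, after = run_demo()
    print("clean backup:   ", before)
    print("tampered backup:", after)
```

The check only means something if the manifest itself is out of the attacker's reach: an attacker who can encrypt the backup can also rewrite `manifest.json` to match. Store a copy of the manifest on separate, offline or write-once media (or sign it with a key kept off the network), and run the verification before every restore drill as well as after any suspected incident.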
5. Post-mortem and Forensics
One of the few good things to come out of an attack is knowledge and understanding. Chances are, you just got a crash course in ransomware and can use that knowledge to prevent another infection.
ACTION ITEM: Company management and the IT staff should ask themselves the following questions:
- What went wrong, and how did the attacker get in?
- How can we protect ourselves in the future?
- Do we need employee education?
- What is our weakest point, and how can we shore it up?
Do the analysis and make the necessary changes.
How can DNV GL help you? We can assess your IT environment and make sure that, if you are hit by a natural or cyber disaster, you have the ability to recover from it. We will help you develop Business Continuity/Disaster Recovery plans that, if followed, will protect your data and your organization. If you would like more information about the services we can offer, please contact me.