How to Survive a Ransomware Attack
Ransomware was first thrust into the spotlight when the WannaCry attack crippled the NHS in 2017.
Since then, ransomware attacks have continued to hit businesses and have only seemed to get worse.
Since 2013, infections have increased exponentially: new tactics, variants and sophisticated methods are resulting in a huge increase in ransomware threats.
Instead of seeking mass infections through relatively blunt means, threat actors are now using more precise infection vectors to achieve initial compromise.
In fact, in 2021, the FBI’s Internet Crime Complaint Center received notice of 3,729 ransomware attacks.
Cybersecurity Ventures expects that by 2031, businesses will fall victim to a ransomware incident every other second, trending upwards from every 11 seconds in 2021, every 14 seconds in 2019, and every 40 seconds in 2016.
Unsurprisingly, this rapid growth in threat actors leveraging ransomware attacks has had a huge financial impact. Cybersecurity Ventures further states that ransomware damages reached $20 billion in 2021, and predicts that number to hit $265 billion by 2031.
No business or industry is immune, regardless of size or vertical. This raises the question: what is the best way to protect myself from ransomware attacks?
What should I do in the event that my company is breached?
How does a Ransomware Attack work?
Like many other kinds of malicious software, ransomware attacks usually start when a threat actor breaches your network.
Hackers have a variety of methods for doing so, but the most popular is a malicious download delivered as an email attachment. Once access is gained, cyber criminals then focus on encrypting critical data and charging a ransom for access.
Here is how a typical ransomware attack might play out, step by step:
Step 1: Infection
Like any other kind of malware attack, Ransomware can gain access to your computer in a variety of different ways. However, we have seen that ransomware operators seem to prefer a few specific attack vectors.
One of the most popular is through a phishing email. The attacker sends the victim a malicious email with a link containing a download or attachment that contains malicious code.
Another popular method is by taking advantage of services like remote desktop protocol (RDP). With RDP, an attacker can use stolen credentials to access computer systems within an enterprise network. From there, the attacker can download malware and execute the programs within the infected computers.
Step 2: Data Encryption/Exfiltration
Once ransomware has gained access to your network, it will typically then begin encrypting files. This simply involves accessing important files, encrypting them with an attacker-controlled key, and then replacing the original files with the encrypted versions.
Interestingly, most ransomware variants will take special care not to infect system critical data or other services to ensure system stability.
Step 3: Ransom Demands
Once files have been accessed and encrypted, the attacker is usually ready to make a ransom demand.
While different ransomware variants will go about this in different ways, the most common approaches are to change the desktop background to a ransom note, or to place text files containing a ransom note in each infected directory.
In theory, once the ransom is paid, a decryption key will be provided which can then be used to regain access to your files.
This is not always the case, however; we have seen cases of cyber criminal groups receiving ransoms only to delete the infected files anyway.
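The two traces described in Steps 2 and 3 (documents replaced in place by ciphertext, and an identical note file dropped into every affected directory) can be checked for on a suspect machine or a backup snapshot. The following Python scan is an added example, not code from the original article; its thresholds, file-type list and sample directory layout are assumptions constructed for the illustration.

```python
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext is ~8.0, English prose ~4-5 (assumed cutoff)
NOTE_MIN_DIRS = 3        # same file present in at least this many directories (assumed)
# Only formats that are normally plain text; zip-based .docx/.pdf are high-entropy by nature
PLAIN_EXTS = {".txt", ".csv", ".log", ".md", ".sql"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root: Path) -> dict:
    """Return {'notes': [(sha256, [dirs])], 'encrypted': [relative paths]}."""
    by_hash: dict = {}
    encrypted: list = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        by_hash.setdefault(digest, set()).add(path.parent.relative_to(root).as_posix())
        # A plain-text document whose bytes look like ciphertext was likely replaced in place
        if path.suffix.lower() in PLAIN_EXTS and shannon_entropy(data) > ENTROPY_THRESHOLD:
            encrypted.append(path.relative_to(root).as_posix())
    notes = [(h, sorted(d)) for h, d in by_hash.items() if len(d) >= NOTE_MIN_DIRS]
    return {"notes": notes, "encrypted": sorted(encrypted)}

def build_sample_tree(root: Path) -> None:
    """Constructed sample: three dirs, each with the same note and one 'encrypted' CSV."""
    rng = random.Random(7)  # deterministic random bytes stand in for ciphertext
    note = b"Your files are encrypted. Contact us to buy the key.\n"  # constructed note text
    for name in ("finance", "hr", "sales"):
        d = root / name
        d.mkdir()
        (d / "RESTORE_FILES.txt").write_bytes(note)
        (d / "report.csv").write_bytes(rng.randbytes(4096))
    (root / "sales" / "memo.txt").write_bytes(b"Quarterly memo, nothing unusual.\n" * 40)

def run_demo() -> dict:
    # Build the constructed tree in a temporary directory, scan it and return the findings
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return scan_tree(Path(tmp))
```

The untouched memo stays below the entropy cutoff and is not reported, while the three identical note files and the three ciphertext-like CSVs are.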
Protecting Yourself From Ransomware Attacks
Ultimately, the first line of defense against most cyberattacks is through proper prevention and preparation. With this in mind, organizations must take the necessary prevention, detection and preparation measures to keep themselves protected. These include:
Following an Incident Response Plan
When dealing with a ransomware incident, it is ideal that response teams have access to a well-defined set of incident response plans. These should provide a step-by-step guide that helps staff detect and respond to network security incidents.
These should be reviewed and updated regularly.
Employee Security Awareness Training
Employees are the first line of defense against malware as they are the ones who are actually being targeted during an attack. Proper training ensures that employees can identify malicious emails, avoid being hacked, and understand how to report suspicious emails.
Implementing Multi-Factor Authentication (MFA)
This provides an additional layer of security by requiring an extra token of authentication before access is provided.
This helps to ensure that stolen credentials are not readily usable in the case that an attacker obtains them.
Involve Law Enforcement Officials and External Legal Counsel
Any organization that is dealing with a cyber attack should also be in contact with law enforcement, who can help with assessing a breach's magnitude and can also provide guidance on how to proceed.
Additionally, they can provide guidance on how best to communicate with an attacker, while providing support on identifying the criminal and their location.
In the event that a ransomware incident leads to potential litigation, it is also recommended that the company contacts a legal representative that specializes in cybersecurity-related incidents.
Should I pay the Ransom?
In the event that your company is breached, the question of whether or not to pay the ransom demand will inevitably come up. The answer should almost always be no. You should never pay a ransom because there is no guarantee that you will get your data back.
Similarly, there is no guarantee that your data is even usable or undamaged. All paying the ransom does is encourage further cybercriminal activity while also providing the funding for future attacks.
So What do I do if I am breached?
1. Isolate Infected Machines
When it comes to ransomware, speed is always king. The longer an infected system goes by unnoticed, the longer an attacker has to move laterally in the network and escalate their privileges. With this in mind, the first thing you should do if you suspect that a machine has been infected is immediately disconnect it from the rest of the network.
2. Notify your IT Security Team
Immediately notify your IT team so that they can contain the spread of ransomware and put in place the correct procedures to deal with the attack. This is where your incident response plan should come into play.
3. Identify the type of ransomware
There are two main types of ransomware: the kind that locks your screen, and the kind that encrypts your files. The first kind, the screen-locking variant, is easiest to resolve, and files will usually be safe until the payment is made. However, the variants that encrypt your files are usually more difficult and will require significantly more effort to deal with.
4. Inform Employees
In the event of a breach, you should immediately inform your employees that there has been a breach. Explain what it means for the company and outline the steps you will be taking to mitigate the incident. Employees deserve to know what is going on and should be fully briefed on the evolving situation.
5. Change Login Credentials
If hackers compromise admin credentials, they will be able to move laterally around networks, encrypt files, and wipe out entire backups. If you suspect that your admin credentials have been compromised, you should change them immediately after a breach.
6. Take a photo of the ransomware incident
This will serve as evidence and will be helpful for providing further information on attack methods and investigations.
7. Partner with a trusted Managed Security Services Provider like Stratejm
A reputable cybersecurity company like Stratejm can put the full weight of their expertise and resources towards the recovery of your systems and data.
MSSPs benefit from vast expertise managing cybersecurity threats across various verticals, and will often have the tools and incident response capabilities needed to provide the most complete recovery of your data.