Ransomware actors lure employees into opening a malicious attachment or downloading a malicious file onto a company system. There are several ways to deliver such files; the most common are phishing emails and links to infected websites.
According to Statista, in 2020 the most commonly reported causes of ransomware infections were (respondents could name more than one cause, so the figures do not sum to 100%):
- Spam or phishing emails – 54%
- Poor usage practices – 27%
- Lack of cybersecurity education – 26%
- Weak passwords – 21%
Once the malicious file is opened, the malware executes on the system. It begins encrypting local files and any data it can reach on the network, and at the same time tries to spread to other systems. Some operators use tooling to disable or evade anti-virus and anti-malware software so that the encryption goes unnoticed for as long as possible. The ransomware keeps going until it has encrypted as many files as the operators intend.
Once the ransomware has spread widely, the attackers lock the affected systems and display a ransom message. The message states the amount demanded, the deadline for payment, and how to pay (usually in cryptocurrency).
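The behaviour just described leaves a footprint a responder can look for when scoping an incident: files rewritten as ciphertext (near-random bytes), an extension appended to the original name, and a ransom note dropped into each directory. The following Python script is an added example, not code from the original article, that walks a directory tree and reports files that look encrypted, the extensions that appear to have been appended, and ransom-note candidates. The entropy threshold, the magic-byte list, the note-name keywords and the sample tree it builds are all constructed for illustration; real families use different extensions and note names, so treat the lists as a starting point to tune.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Magic bytes of formats that are high-entropy by design (compressed).
# Files beginning with one of these are not flagged on entropy alone;
# otherwise every .docx, .pdf and .jpg on a file server would look "encrypted".
KNOWN_COMPRESSED_MAGIC = (
    b"PK\x03\x04",          # zip and Office OOXML (docx/xlsx/pptx)
    b"%PDF",                # pdf
    b"\xff\xd8\xff",        # jpeg
    b"\x89PNG\r\n\x1a\n",   # png
    b"\x1f\x8b",            # gzip
    b"7z\xbc\xaf\x27\x1c",  # 7-zip
    b"Rar!\x1a\x07",        # rar
)

# Words that often appear in ransom-note filenames. Constructed list for this
# example; extend it with the note names seen in your own incident.
NOTE_KEYWORDS = ("readme", "decrypt", "restore", "recover", "how_to", "how-to")
NOTE_SUFFIXES = (".txt", ".html", ".hta", "")

ENTROPY_THRESHOLD = 7.5     # bits/byte; uniformly random data approaches 8.0
MIN_SAMPLE = 256            # below this many bytes, entropy is too noisy to trust
SAMPLE_BYTES = 64 * 1024    # read only the head of each file: fast on big shares


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """High entropy and no recognised compressed-format header."""
    with path.open("rb") as f:
        head = f.read(SAMPLE_BYTES)
    if len(head) < MIN_SAMPLE or head.startswith(KNOWN_COMPRESSED_MAGIC):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def looks_like_ransom_note(path: Path) -> bool:
    """Small text-like file whose name matches the ransom-note vocabulary."""
    if path.suffix.lower() not in NOTE_SUFFIXES:
        return False
    name = path.name.lower()
    if not any(k in name for k in NOTE_KEYWORDS):
        return False
    return path.stat().st_size < SAMPLE_BYTES


def scan_tree(root: Path) -> dict:
    """Walk root and summarise what looks like ransomware output."""
    encrypted, notes, appended = [], [], Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            rel = p.relative_to(root).as_posix()
            if looks_like_ransom_note(p):
                notes.append(rel)
            elif looks_encrypted(p):
                encrypted.append(rel)
                # "budget.xlsx.locked": the trailing suffix is the one the
                # malware appended; counting it reveals the family's pattern.
                if len(p.suffixes) >= 2:
                    appended[p.suffixes[-1].lower()] += 1
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "appended_extensions": dict(appended),
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a hit file share."""
    uniform = bytes(range(256)) * 16      # entropy exactly 8.0: stand-in for ciphertext
    (root / "finance").mkdir()
    (root / "finance" / "budget.xlsx.locked").write_bytes(uniform)
    (root / "finance" / "notes.txt").write_bytes(b"meeting notes, nothing unusual\n" * 50)
    (root / "hr").mkdir()
    (root / "hr" / "handbook.pdf.locked").write_bytes(uniform)
    (root / "hr" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + uniform)  # jpeg header: not flagged
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + uniform)           # zip header: not flagged
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.\n")
    (root / "tiny.locked").write_bytes(uniform[:100])                      # too small to judge


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points matter in practice. First, entropy alone produces false positives on compressed formats, which is why files with a recognised compressed header are skipped; a high-entropy file with no recognisable header is the suspicious case. Second, only the first 64 KiB of each file is read, so the scan stays fast on a large share and, because it opens files read-only, it does not alter the evidence a forensic examiner will later want.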
Steps to Take if Infected with Ransomware
Having a response plan is necessary to react fast and limit the damage of an attack. In this section we explain the critical first steps to take if an attack happens.
Document Everything. Delegate someone on the team to document everything that is done, from unplugging systems to drawing up the priority list based on the initial analysis. This record helps IT security experts and law enforcement agencies understand the sequence of events and investigate the attack later.
1. Analyze the Damage
The first step is to determine how many systems and network resources have been impacted by the malware. If only two or three computers are affected, disconnect and isolate them from the network (unplug Ethernet, disable Wi-Fi). This prevents the ransomware from spreading to other systems. Then treat the infected computers individually. If more computers have been impacted, a coordinated approach is needed. Avoid powering down the infected computers right away: doing so destroys volatile evidence (running processes, network connections and, for some ransomware families, encryption keys still held in memory) and can leave half-written files permanently unrecoverable.
After identifying the infected systems, settle on a response plan. Avoid using the company's email or other internal communication platforms to coordinate the response. If a business has been hit with ransomware, there is a high chance that its email and communication platforms have already been compromised, and using them could tip off the attackers that the intrusion has been detected. That may prompt them to lock out the entire system at once. Instead, use out-of-band channels such as phone calls or personal email accounts so the attackers do not learn that the infection has been detected.
2. Power Down the Infected Systems
If it is not possible to disconnect the infected systems from the network, power them down to stop the ransomware from spreading further. Before doing this, remember that it may destroy evidence of the attack and possibly valuable data. We advise victims to photograph the ransom message before turning the system off so it can be shared with cybersecurity experts, legal counsel, and local law enforcement agencies.
3. Prioritize Impacted Systems for Recovery
Once the infected systems have been isolated, identify the kind of files or data stored on them. Based on the critical assets list, prioritize restoration and recovery of infected resources. The top priority should be to recover systems that contribute to revenue generation, keep the business running, keep client information secure, and other critical resources.
Make a list of systems that don’t seem to be impacted. These can be deprioritized to be recovered and restored later. The main focus should be on recovering critical system resources that will enable the business to resume its activities.
4. Inform All Stakeholders
After the initial response, it is important to inform all stakeholders about the attack. The stakeholders include IT service providers, cyber insurance companies, business leaders, law enforcement (the FBI), and agencies such as CISA or MS-ISAC.
Some business owners assume that paying the ransom will get their data and systems back, which is exactly what the attackers want them to believe. According to recent industry reports, in 92% of cases paying the ransom did not result in the company getting all of its data back.
Before deciding to pay the ransom or to keep the attack quiet, read the following section on what not to do when hit by ransomware.
Things to Avoid
Not Contacting Experts and Legal Authorities
Reputation and client trust are at risk during an attack, and the fear of exposure sometimes leads businesses to avoid contacting cybersecurity experts and legal authorities. The concern is understandable, but ransomware actors know this and exploit it.
Paying the Ransom Right Away
While organizations may be tempted to pay immediately, attackers usually give victims several days to transfer the money. Use that time to assess the damage, because even after paying, companies often fail to recover all of their data. CISA, MS-ISAC, and law enforcement agencies such as the FBI strongly recommend against paying the ransom.
Paying should be the last option. These are criminals: whether or not the data is returned or the systems are unlocked, every payment funds the operators and makes them more confident about carrying out future attacks.
Ransomware is a major threat, but recovery from an attack is possible. Regular, tested backups kept offline or otherwise isolated from the network (so the ransomware cannot encrypt them too), employee training, and hardening of systems reduce both the chance of an attack and its impact.