IT Governance Blog: protecting yourself after a ransomware attack
So, your computer screen has been hijacked by ransomware and the criminals behind the attack are demanding money to return your systems. Now what?
That’s a question countless organisations are asking themselves nowadays, with attacks increasing and, according to Mimecast’s The State of Email Security Report 2020, organisations suffering three days of downtime on average following a ransomware attack.
If you think that doesn’t sound so bad, the true scale of the issue is much bigger than this. The majority of organisations that are struck by ransomware don’t report the issue.
This might be because they think it will make them look as if they weren’t adequately prepared to protect themselves from ransomware.
Alternatively, they might fear that announcing an attack will lead to other criminals launching similar attacks against them.
What is ransomware?
Ransomware is a specific type of malware that encrypts the files on a computer, essentially locking the owner out of their systems.
Once this has happened, the ransomware will display a message demanding that the victim make a ransom payment to regain access to their files.
Criminals generally plant the malware on victim’s computers by hiding it in an attachment contained within a phishing email.
Many ransomware victims feel obliged to pay up, because it’s the quickest and least expensive way to get back to business as usual.
However, experts generally urge organisations not to negotiate, because ransom payments help fuel the cyber crime industry.
But what’s the alternative? Take a look at our seven-step guide to find out.
1) Prepare for attack: back up your data
The only way to avoid paying ransoms and avoid catastrophic delays is to make sure you have a second, uninfected copy of your sensitive information.
That way, when crooks encrypt your systems, there’s no need to worry. Let them keep the decryptor. You can just wipe those files and upload clean duplicates.
Because you are continuously creating new files and amending old ones, backups should be performed regularly.
You don’t need to do everything in one go; instead, look at each folder and determine how often substantial changes are made.
The more frequently things are added or amended, the more often you should back them up.
Once you’ve determined that, you should set up a backup schedule, saving your work on an isolated local device or in the Cloud.
2) Be sure that it’s ransomware
Don’t assume that the person who has spotted the attack knows that it’s ransomware.
The attack method is more well-known than ever – thanks in part to WannaCry – but many people wouldn’t be able to identify the attack.
This means you could be wasting valuable time identifying the problem.
You can avoid this by teaching staff about ransomware and establishing a line of communication in the event of security incidents.
That way, the employee who first discovered the malware can immediately contact someone who can identify what the threat is and initiate response measures.
3) Disconnect infected devices from the network
Now that you’re sure that you’ve been hit by ransomware, you should isolate the infection by taking affected devices offline.
This will stop the ransomware spreading, giving you partial functionality and time to implement the next steps.
4) Notify your employees
Employees will quickly notice that something is amiss.
Even if their computers haven’t been infected, they’ll see that others have and that certain systems are unavailable.
Whether or not they are aware that the disruption has been caused by ransomware, staff are liable to worry.
Is it just their team that’s affected? How are they supposed to do work? Are their bosses aware of the problem?
That’s why you should explain the situation to your employees as soon as possible.
Let them know which areas of the organisation have been infected and how you are going to manage in the meantime.
Many ransomware victims use pen and paper instead of computers where possible. If that’s possible in this situation, you should help out as much as you can.
For example, you should provide them with said pens and paper, direct them to hard copies of information they might need and bring in colleagues who can’t work to help out.
5) Photograph the ransom note
You can use this as evidence of the attack when submitting a police report.
This might seem futile – the police will almost certainly be unable to recover your data, let alone catch the crooks – but evidence of the attack is necessary for filing a cyber insurance claim.
If you don’t already have cyber insurance, it’s worth considering.
Damages associated with information security incidents generally aren’t mentioned in commercial insurance policies, meaning most providers won’t pay out if you make a claim based on, say, a business interruption.
You must therefore take out a specific cyber insurance policy if you want to protect yourself from the costs associated with cyber attacks and data breaches.
6) Find out what kind of ransomware it is
Identifying the ransomware strain used in the attack might save you a lot of time and effort.
Some strains have been cracked with decryption tools available online, and others are fakes that don’t actually encrypt data.
The ransom note might explicitly state what strain it is, but if it doesn’t, there are other clues that can help you identify it.
Try uploading the encryption file type, the way the ransom demand is phrased and the URLs within it to a website such as ID Ransomware, which can help you determine the strain you’ve been attacked with.
7) Remove the ransomware from your device
If the ransomware behind your attack has been cracked, you can use an online decryptor to remove the infection.
Similarly, if you’ve been attacked with a fake, you can simply delete the malicious file.
But what if it’s the real thing? Fortunately, that’s not much more complicated.
The safest way to remove ransomware is to restore your infected devices to factory settings.
You can do this on Windows devices by going to the update and security menu within your settings, or by holding F8 as your computer turns on until the recovery screen appears.
If the ransomware stops you from reaching recovery screens, you can use the installation disk or USB sticks on which your operating system is stored.
Be warned that this process will remove all data stored on the device, which is why it’s important to have backups.
Once your computer has been restored, you can transfer the duplicate files back onto your device.
Depending on how much data you have, this could take anywhere from a few hours to a few days – so you’re not completely out of the woods.
However, this process won’t take much longer than getting the decryptor from the fraudster and regaining access to your files.
What should you do if you’re under attack?
When your defences fail and your organisation is compromised, every second counts.
You must respond quickly and follow a systematic, structured approach to the recovery process.
That is, of course, easier said than done, particularly if you don’t have a cyber security expert onboard.
Fortunately, IT Governance is here to help.
With our cyber security incident response service, expert consultants will guide you through the recovery process, from identifying the source of the breach and how to stem the damage to notifying the appropriate people and returning to business as usual.
A version of this blog was originally published on 11 June 2019.