You’re just sitting at your desk, working hard, minding your own business when bam! An alarming red background takes over your screen. A message written in a threatening font tells you all your files are locked and demands you pay a hefty ransom in cryptocurrency, or your files are gone forever. Because your attackers were feeling extra dramatic, the message is signed with a skull and crossbones at the bottom. As soon as you see this, you will be tempted to panic, but try to take a deep breath and remain calm and collected. Yes, a ransomware attack can be devastating, but if you act immediately, you can mitigate some damage.
What exactly is Ransomware?
Ransomware is malware that infects a computer or network and encrypts your data so you can no longer use it. The attackers hold the locked files hostage until you pay a ransom, in exchange for which they promise a decryption key that unlocks your files and restores your access. Many gangs now also copy your data out before encrypting it and threaten to publish it if you don't pay, so wiping and restoring does not make the problem go away.
Despite rising awareness of the risk, ransomware is a billion-dollar business, and attackers have hit nearly every industry, often with large ransoms and even larger restoration costs. Even government agencies and entire countries aren't immune. In April 2022, cybercriminals attacked some thirty Costa Rican government agencies with ransomware, disrupting tax collection, customs, and other public services and forcing the government to declare a national emergency. The country is still recovering from it.
But it's not just the big guys at risk. Ransomware hits small businesses too, and they are often targeted precisely because they don't budget for adequate security, monitoring, or tested backups.
The best defense against today's threats is to stop them before they land. Most ransomware incidents begin with a phishing email, an exposed remote-access service such as RDP or a VPN protected by weak credentials, or an unpatched device; poorly managed firewalls, unfiltered email, and unprotected endpoints are behind most breaches.
The attack typically starts at one workstation, which geeks like us call an endpoint. Maybe someone opens a malicious email attachment or visits an infected website. The ransomware runs silently in the background, looking for files to encrypt, network shares it can reach, and other machines to spread to; in many modern attacks a human operator spends days inside the network first, stealing data and locating your backups. Once the ransomware has encrypted everything it can reach, you see that terrifying message telling you your files are locked until you pay. So how should your company handle a ransomware attack?
Here are eight steps to take following a ransomware attack:
- Record the Attack
Take a photo of the ransom note with your smartphone or camera, and a screenshot on the affected machine if you can. Write down the time, the user, and the machine it appeared on. The note usually contains the strain's name, a victim ID, and the attacker's contact address, all of which you will need for police and insurance reports and to identify the ransomware later. Do not delete the note or the encrypted files; copy the note and a few encrypted files to a USB drive as evidence.
- Quarantine to Stop the Spread
Isolate the affected systems as soon as possible. Pull the network cable and turn off Wi-Fi (and Bluetooth) on the affected computer; that stops it from encrypting network shares and reaching other machines. Prefer disconnecting over powering off: shutting the machine down wipes its memory, which may hold encryption keys and other evidence an investigator can use, so only power it off if you cannot disconnect it. Ransomware typically scans the network and spreads laterally, and it may already have reached other systems, but isolating each suspect machine still limits the damage. If multiple devices or servers are compromised, it is often quicker to cut off the affected network segment, VLAN, or file share at the switch or firewall than to chase individual machines, and to disconnect mapped drives and cloud-sync clients on the systems that remain.
- Call for Help
* Call your IT Department or MSP immediately and alert them to the attack. They will take care of the next steps.
* Call your Legal Counsel
* Call Law Enforcement. Ransomware is a crime and should be reported to local law enforcement or the FBI (through your local field office or at ic3.gov).
* Call your insurance company. You may be covered; many cyber policies also require prompt notice and can provide an incident-response firm.
If you do not have an IT department that is taking care of the remaining steps, you can call Liberty Technology to assist you in disaster recovery, or you can take care of the following steps:
- Disable Maintenance Tasks
Immediately disable automated maintenance tasks on affected systems, such as temporary-file cleanup, scheduled disk cleanup jobs, and log rotation, and hold off on antivirus "clean-up" scans and reinstalls until an investigator has what they need. Those tasks overwrite or delete the very files (logs, temp files, the malware itself) that are useful for forensics and for working out how the attacker got in.
- Secure Backups
Most modern ransomware strains go after backups first to thwart recovery: they delete Windows Volume Shadow Copies, encrypt backup servers, and wipe anything reachable with the credentials they have stolen. Secure your backups by disconnecting backup media and repositories from the network and locking down access to the backup systems, including the admin accounts, until the infection is removed. Before you restore anything, confirm that the backup predates the intrusion and scan it; restoring a backup that already contains the malware or the attacker's tools just reinfects you. Offline or immutable copies the attacker cannot reach from the network are what make recovery possible.
- Identify the Ransomware Strain & Look for Decryption tools.
To determine the strain, use a free service such as Emsisoft's online ransomware identification tool or ID Ransomware. You upload a sample encrypted file, the ransom note, and the attacker's contact address if you have it, and the service matches the file extension, note text, and encryption markers against known families to tell you which ransomware you are dealing with.
Once you know the strain, check the No More Ransom project (nomoreransom.org), a joint effort of law enforcement and security vendors that lists free decryptors by family; Emsisoft and other vendors publish decryptors as well. You may get a free decryptor, and there is a slim chance your files were never encrypted at all: some "ransomware" merely renames files or displays a lock screen to scare you into paying. Even if no decryptor exists today, keep a copy of the encrypted files; keys for a strain are sometimes recovered or released months later.
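As an added example (not part of the original post and not Liberty Technology's tooling), here is a small Python triage script that gathers what ID Ransomware and similar services ask for, namely the extension the malware appended and the ransom note, and applies a byte-entropy check to tell genuinely encrypted files from files that were only renamed by scareware. The sample directories, file names, the `.locked` extension, and the note wording are constructed for the example; the note-name word list and the 7.5-bit entropy threshold are assumptions that work for typical office documents, not a published standard.

```python
"""Ransomware triage helper (added example, constructed data only)."""
import math
import random
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

# Words that commonly appear in ransom-note file names.  Assumption: an
# illustrative list, not a catalogue of real families.
NOTE_NAME = re.compile(r"readme|restore|recover|decrypt|how[_\- ]?to|help", re.I)
NOTE_TYPES = {".txt", ".html", ".hta"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data,
    usually well under 6 for documents and other plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample: int = 64 * 1024, threshold: float = 7.5) -> bool:
    """Read only the first `sample` bytes so large files triage quickly.
    The 7.5-bit threshold is an assumption chosen for the example."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample)) >= threshold


def appended_extension(root: Path) -> Optional[str]:
    """Most common final suffix among double-extension files such as
    report.docx.locked.  Legitimate double extensions (.tar.gz) add a
    little noise but rarely outnumber the encrypted files."""
    counts: Counter = Counter(p.suffix for p in root.rglob("*")
                              if p.is_file() and len(p.suffixes) >= 2)
    return counts.most_common(1)[0][0] if counts else None


def find_ransom_notes(root: Path) -> List[Path]:
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in NOTE_TYPES
                  and NOTE_NAME.search(p.stem))


def triage(root: Path) -> Dict[str, object]:
    """Summarise the evidence for one affected directory tree."""
    ext = appended_extension(root)
    locked = [p for p in root.rglob(f"*{ext}") if p.is_file()] if ext else []
    encrypted = [p for p in locked if looks_encrypted(p)]
    return {
        "appended_extension": ext,
        "ransom_notes": [p.relative_to(root).as_posix() for p in find_ransom_notes(root)],
        "locked_files": len(locked),
        "encrypted_files": len(encrypted),
        # Every "locked" file is still low-entropy: the note is bluffing.
        "scareware_suspected": bool(locked) and not encrypted,
    }


# --- constructed sample data (not real evidence) ---------------------------

def _random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def _write_case(encrypted: bool) -> Path:
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    docs = root / "docs"
    docs.mkdir()
    plaintext = b"Quarterly budget, approved by the board on the 3rd. " * 100
    for i, name in enumerate(["report.docx.locked", "budget.xlsx.locked"]):
        (docs / name).write_bytes(_random_bytes(4096, seed=i) if encrypted else plaintext)
    (docs / "minutes.txt").write_bytes(plaintext)  # an untouched file
    (root / "README_TO_RESTORE_FILES.txt").write_text(
        "All your files have been encrypted. Read this note carefully.\n")
    return root


def build_real_case() -> Path:
    """Two genuinely encrypted files plus a ransom note."""
    return _write_case(encrypted=True)


def build_scareware_case() -> Path:
    """Same layout, but the 'locked' files were only renamed."""
    return _write_case(encrypted=False)


if __name__ == "__main__":
    for label, builder in (("real", build_real_case), ("scareware", build_scareware_case)):
        print(label, triage(builder()))
```

Run `triage()` against a read-only copy or mounted image of the affected share, never against the live machine while the malware may still be running. The dictionary it returns is exactly what you record in the incident log and upload to the identification service: the appended extension, the note's location, and whether the files are really encrypted or the attacker is bluffing.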
- Clean the Slate
Once the affected systems are off the network, change all online and account passwords from a device you know is clean, including administrator, domain, and service accounts, because the attackers almost certainly hold stolen credentials and will use them to come back. After the ransomware is removed, change them all again. Once a network has been infected, there is no way to guarantee the ransomware is completely gone unless every device is wiped and rebuilt from a known-good image; this includes virtual machines as well. Have all devices professionally reimaged before using them again, and watch the network afterwards for any sign the attacker still has a foothold.
- Decide Whether or Not to Pay
Deciding whether to pay is not a simple decision. Only consider paying after you have exhausted every other option and losing the data would hurt you or your company more than the ransom. Remember, you're dealing with criminals: there is no guarantee you will get your data back, the decryptor they hand over is often slow or buggy and rarely recovers everything, paying does nothing about data they already stole, and it encourages further attacks. Paying a group that is under U.S. sanctions can also expose you to legal penalties, which is one reason legal counsel belongs on the call early. If you do decide to pay, have the attackers prove they can decrypt by restoring a few test files first, and negotiate the amount down if possible. Keep a cool head and don't be rash. Again, your IT team or MSP can help you determine the severity of the attack and advise on the best way forward.
As we said before, prevention is the best strategy. Liberty Technology’s approach to security is an aggressive risk-reduction strategy, giving you the visibility and insight you need to shut down security threats wherever they appear. You’ll also have peace of mind knowing that we are with you every step of the way to mitigate a ransomware attack.
While Liberty Technology provides IT disaster recovery and stands ready to assist you in a moment of crisis, we hope that day never comes. Taking preventative measures can drastically increase the probability that it never will. We provide state-of-the-art IT security for government organizations and companies across the healthcare, financial, manufacturing, retail, and education industries. Call us today!