Dealing with a ransomware attack
A ransomware attack is one of the biggest threats facing online users. In this article, we explore what happens during a ransomware attack, and the steps you need to take to secure your organisation in the aftermath.
How to deal with a ransomware attack
Ransomware attacks are a huge threat to organisations because 90% impact their ability to operate, and on average it takes a month to recover from the attack. They’re highly disruptive to business, and it’s a threat vector on the rise. By 2031 it’s expected that businesses will fall victim to a ransomware attack every other second (up from every 11 seconds in 2021).
What is a ransomware attack?
Ransomware is a type of malware that encrypts an organisation’s data so it can no longer be accessed. A ransom is demanded – the average is $570,000 – and upon payment, the decryption keys should be issued so the organisation regains access.
While no specific vertical sector is safe from the effects of ransomware, a bad actor will typically choose to target an organisation based on two factors:
Opportunity: for example, if the business has a small security team, lacks IT resources, or is a data-rich organisation.
Potential financial gain: businesses that require immediate access to their files and are more likely to pay a ransom quickly – such as lawyers or government agencies.
Bad actors can gain access to organisational data via various tactics, including:
Phishing: using social engineering techniques to trick users into doing something, such as clicking a malicious link in an email.
Remote access: scanning the internet for open ports, such as remote desktop protocol, and capturing valid credentials to authenticate by the remote access solution.
Privileged account compromise: taking advantage of admin accounts to access more systems and sensitive data.
Known software or application vulnerabilities: exploiting known vulnerabilities where patches were available to fix the issue but not applied.
Before encrypting the data, a bad actor may choose to take copies and threaten to leak them if the ransom is not paid in a timely manner. This is known as ‘double extortion’. Once encryption begins, it’s a fast process - the median ransomware variant can encrypt nearly 100,000 files totaling 54.93 GB in just 42 minutes and 52 seconds – which is why speed is of the essence when it comes to taking action following an attack.
What to do in the event of a ransomware attack
As soon as you know you have been hit by a ransomware attack – usually because a big notification will flash up on the screen – it’s essential to isolate the infected device. Remove network and data cables, USBs and dongles, and disable WiFi and Bluetooth to stop the device from making any connection that could cause the threat to spread.
In these initial moments, adrenaline is likely to kick in, alongside feelings of shock, anger, and fear. It’s important not to panic and remain calm while assessing the situation. One way to achieve this is through ransomware simulations where the business practices how it would react following an attack, so that individuals are familiar with the steps to contain the breach in a calm and timely manner:
Notify the business/contacts
It’s important that all communications are orchestrated by a central point within the organisation to prevent any misinformation or confusion. This should include a directive to not speak to anyone in the media or publish anything on social media. PR announcements need to be carefully prepared to avoid unsettling shareholders, stakeholders, and the wider market.
Once an attack is known, everyone in the business must be alerted to the threat. If anyone suspects their device is infected, they must take steps to isolate it from the network immediately. Best practice also says that users should reset all their credentials – especially for privileged accounts – to prevent the bad actor from harvesting valuable data that could be used to launch further attacks.
Identify the type of ransomware
Using the malware scanning tool on the device, or through the organisation's Security Operations Centre, run a malware scan to help identify what ransomware was used, as this will help determine the remediation actions that need to be taken.
Additionally, make notes about the attack including the date, time, file details, first signs of ransomware, affected devices, what you were doing immediately before the attack, and when your device was connected. Also, take photos and record suspicious programs, files, and pop-ups.
All this information then feeds into the ransomware identification tool to help determine what the business was hit with, and the remediation actions you need to take now.
Paying the ransom
Cyber security professionals and federal agencies agree: do not pay the ransom.
Research indicates that only 3 in 5 organisations regained access to data/systems, so there’s no guarantee that you will get access to your data or computer. Also, even if you do get your data back, there’s no guarantee it’s safe - 18% of ransomware victims who paid the demand still had their sensitive data exposed by bad actors on the dark web.
Remove the ransomware from your devices
Unfortunately, removing ransomware from devices isn’t as simple as clicking ‘delete’. In many cases, it requires a complete factory reset, which is irreversible and runs the risk of data loss. Therefore, it’s always best to seek the support of a professional who can use appropriate decryption tools and safely restore you back to business-as-usual.
Recovering data from backups
Maintaining an up-to-date backup is the most effective way of recovering from a ransomware attack. A best practice is to follow the ‘3-2-1 rule’ – 3 copies of the data, stored in 2 different locations, of which 1 is offline.
When it comes to restoring data, scan your data for malware first, and ensure backups are only connected to known clean devices to prevent re-infection.
Report the attack
Once your business is back online you should report the ransomware attack to the relevant authorities – for example, the CISA in the US or the NCSC in the UK. This intelligence is invaluable to helping agencies track how ransomware attacks are developing to stop the cybercriminals, assist with remediation tools, and prevent the spread further.
Protect yourself from future ransomware attacks
End-user behaviour can be one of the best threat deterrents at your disposal when it comes to tackling the threat of ransomware. Provide training on the basics and continuously reinforce their importance to ensure these behaviours are followed:
- Updating your device and turning on automatic updates.
- Enabling multi-factor authentication.
- Performing regular backups.
- Controlling who can access what on your devices.
- Turning on ransomware protection.
Contact Ontrack for Ransomware Recovery
Every ransomware attack is unique and varies in complexity, but data recovery is possible. At Ontrack, we have developed a specialized collection of proprietary tools to recover data - we currently have encryption abilities on 138 types of ransomware and continuously track 271 different variants.
With labs located around the world, our specialists are available 24/7 to provide help and support in the event of a worst-case scenario.