A Ransomware Scenario
The story is all too common: a low-level employee receives an email offering a new product or investment opportunity from what appears to be a legitimate source. But when they click the link or open an attachment, the trouble begins. Their computer locks up or crucial files encrypted. Within minutes, your whole organization is exposed as the cyber attack spreads throughout your network, causing disruptions and shut-downs that can paralyze your entire operation. Before long, a new message appears, demanding payment in exchange for a decryption key.
Ransomware attacks jumped nearly 300% in 2021 as cyber-criminals struck high profile targets like KIA Motors, the Colonial Pipeline, and the DC Police Department, demanding millions of dollars. DarkSide, the ransomware gang behind the Colonial Pipeline attack, is estimated to have stolen as much as $60 million before recently closing down their operations. But for every one group that goes away, ten more take its place. Attacks on healthcare institutions, utility companies and power grids could cause widespread havoc, impacting millions of people.
Ransomware as a Service
As cyber criminals grow bolder and more sophisticated, their methods evolve. The dark web now hosts Ransomware-as-a-Service, where malware developers outsource their operations to affiliates who execute the attacks. These criminal enterprises come complete with 24/7 call-centers and money laundering services.
The lucrative nature of cybercrime is one factor driving the explosive growth of ransomware attacks. The cost of ransomware attacks was estimated at more than $20 billion in 2021.
Prepare for the worst
So what can your company do to avoid a ransomware attack? Probably nothing. With ransomware, the question is not IF but WHEN.
However, there are ways to prepare for and mitigate the effects of an attack. These include: Education, Detection and Backup strategies.
Unfortunately, your company’s greatest assets—your employees—are also your greatest vulnerability. Ransomware attacks usually occur when an employee clicks on a link or opens a file from a phishing email. So a protection strategy must first include educating your staff on cyber-attacks. Train employees to notify your security team about suspicious emails or other communications. The tactics of cyber-criminals continue to evolve so employee training sessions, updates, reminders and refresher courses need to be a regular occurrence.
The faster your team can detect a ransomware attack the better. But detection requires monitoring your systems 24/7. Cyber criminals don’t keep normal business hours and are constantly honing their tactics. So you need a Security Operations Center (SOC) that is well-equipped, well-trained and well-staffed. Unfortunately, for many businesses, this requires a considerable budget to maintain a SOC in house.
There are service providers and third-party vendors to help manage your cyber security but it can be a daunting task to choose the right one. Be sure to do your homework before committing to an outside SOC partner.
Creating a backup system for your critical data files is crucial to responding to a ransomware attack. The Department of Homeland Security recommends following the 3-2-1 rule of data backup. This means: create 3 copies of your data, store them on 2 different media, with 1 of them being stored off-site.
However backup servers are often a primary target for cyber-criminals so it is vital to keep these systems secure and isolated from your primary network. Schedule regular security drills and exercises to ensure those systems are being updated regularly and can be accessed in case of an attack.
No backup system is perfect, but following the 3-2-1 rule is a solid plan to maximize your chances of a successful recovery.
Responding to an Attack
All the planning and preparation may still not prevent an attack. So what should you do when you detect ransomware on your system?
- Isolate and identify
The first thing to do with an infected computer is disconnect it completely from your company’s network and external storage devices. This will prevent cryptoworms from exploiting connections to other computers. You also don’t want the ransomware communicating across the network with its command and control center.
The priority is to find “patient zero” but be aware that there may be more than just one. Ransomware can enter your business through multiple computers, or may be dormant on other systems. Be suspicious of all connected and networked computers until you can identify which systems are not infected.
Most ransomware will identify itself when it asks for ransom. There are third-party sites that can help identify which specific ransomware you’re dealing with. These include: ID Ransomware and No More Ransom! Project that connects with Crypto Sheriff to help identify ransomware.
Identifying the specific ransomware you’re dealing with will help your security team understand how it propagates, what kind of files it encrypts and what options you have for disinfection. It also helps you to report the attack to the authorities, which is recommended.
- Alert the authorities
The FBI urges victims to report ransomware incidents at the Internet Crime Complaint Center. Reporting a cyber-attack helps law enforcement to better understand the threat and may also provide information to aid in other ongoing investigations. Learning more about your incident will help the FBI identify cyber criminals and understand their methods of targeting victims.
- Determine your options
There are two basic options ransomware victims can choose to recover from an attack:
Pay the ransom
It is generally recommended not to pay a ransom since it doesn’t always solve the problem. The 2021 Sophos State of Ransomware report showed that only 8% of ransomware victims got all of their data restored after paying a ransom. And nearly one third had lost more than half of their data. Furthermore, paying cyber criminals often makes companies more likely targets for future attacks.
Remove and restore
Websites like No More Ransom! Project claim to be able to remove malware from your infected systems. They maintain a catalog of decryption keys from known ransomware. However, cyber-criminals are always creating more sophisticated versions of malware so this option may not be successful.
If this is the case, the only other option is to wipe the devices and reinstall backup software. Of course this further highlights the importance of maintaining a sound backup protocol.
Unfortunately, ransomware is an ongoing threat. In light of this, InterVision has launched the first, managed service, designed specifically to provide end-to-end protection against ransomware attacks. InterVision’s Ransomware Protection as a Service™ (RPaaS™) tool takes a holistic approach to ransomware threats, focusing on detection, protection and recovery.
InterVision has been helping businesses solve IT problems for more than 25 years. Our team will help you craft a full ransomware protection plan tailored specifically for your needs. Don’t wait to become the next ransomware victim. Visit our website or call 844.622.5710 to speak with one of our experts today.