What to Do When Your Company Gets Hit By Ransomware

What to do after a ransomware attack

Ransomware is such a profitable form of cybercrime that it has become an entire self-sustaining industry with its own shifts and trends. A few years ago, for example, ransomware developers and operators were primarily interested in home users. Attacking personal computers was cheap, and some clever social engineering techniques ensured that the success rate is not bad. Meanwhile, people's backup culture wasn't exactly great, which meant that for many, the only option of recovering their data was paying the ransom. Then, however, things started to change.

Ransomware operators have moved from home users to businesses and large organizations

2017 saw a couple of massive ransomware outbreaks, WannaCry and NotPetya, which gained a lot of publicity. They weren't specifically aimed at home users, but the home users saw them on the news, and they gradually became more familiar with the threat. They realized how important backups are and became better prepared to deal with ransomware attacks.

In fairness, cybercriminals aren't particularly keen on sharing their income statements, but the fact that ransomware infections on home PCs have been on the decline for the last couple of years does suggest that fewer end users are inclined to cave in to the hackers' demands. This doesn't mean, however, that the ransomware business is shrinking.

At one point, ransomware operators realized that the extra effort of attacking organizations rather than individual users might be worth it, and ever since, major ransomware incidents have mostly involved businesses, healthcare organizations, and government institutions. A ransomware outbreak at a private company could be especially damaging, which is why people must learn how to react to the threat not only when they're at home but also in the office.

How can a ransomware infection affect your company?

From a purely technical perspective, a ransomware attack presents a company with two major issues: data loss and downtime.

Having your data locked up is the more obvious problem. A successful ransomware infection can encrypt trade secrets, product-specific information, and customer details. Losing this sort of data can lead to your company's demise, which means that you might be tempted to consider complying with the hackers' demands and paying the ransom. Even if you do, however, you can have no guarantees that all the information will be returned to its pre-infection state. This is not the only issue, though.

By nature, ransomware infections are pretty noisy. If you ever find yourself on the wrong end of an attack, you will be made aware of what's going on, and your customers will learn that something's wrong pretty quickly as well. A ransomware infection can completely disrupt a company's operation and stop it from serving its users. Inevitably, the cause of the problem will be made public, and it will plant the seed of uncertainty in your users who will assume that your company isn't taking particularly good care of their data's security. What all this means is that dealing with the situation as quickly and as efficiently as possible is extremely important.

How should your company react to a successful ransomware attack?

As you can see, the two main things you need to think about are preventing data loss and minimizing downtime. If you work for a company that's been hit by ransomware, you must make sure that recovering from the attack takes as little time as possible, but you should also be careful to double-check that every file is where it needs to be before you put the company back into operational mode. It's a stressful process that requires a lot of concentration and a coordinated effort from everyone responsible.

If malware has managed to infiltrate your systems, containing its spread should be your highest priority. Never underestimate reports of strange behavior from employees, and if you find out that just one computer has been hit with ransomware, be sure that any parts of your company's IT infrastructure that might be connected to it have had their network cables unplugged. Modern ransomware families come with worm-like components that allow the attack to spread quickly, and the hackers want to lock as many endpoints as possible with the idea of demanding a higher ransom. The greater the number of encrypted PCs, the more time you'll need to bring everything back online as well.

We mentioned already that minimizing downtime should be high on your priority list. That being said, you shouldn't rush the process. Before you power everything on, you must make sure that all traces of the ransomware have been removed, and you should check if everything is operational. Further delays aren't going to make your customers very happy, but telling them that you're back in business and making them face more problems can make them even more upset than they already are.

Speaking of which, if you really want to make your users feel less bad about what has happened, try to be as transparent as possible about the attack. Tell them how the hackers got in, what you've done to stop them, and what you're planning to do to prevent future attacks. Tell your users how the attack will affect them and the services they've paid for, and hold nothing back. Although some companies seem to think that this is a good strategy, downplaying the problem usually backfires and does even more reputational damage than the attack itself.

There's a lot to think about, and even if you do everything by the book, the consequences could still be pretty horrific. In July 2018, for example, LabCorp, one of the world's largest networks of laboratories, was hit by the SamSam ransomware. Although its IT team moved quickly to contain the malware, SamSam still managed to infect around 7 thousand endpoints and close to 2 thousand servers.

More recently, currency exchange Travelex was attacked by the Sodinokibi (a.k.a. REvil) ransomware, and for more than two weeks, its employees were forced to use pens and pieces of paper to do their jobs.

A ransomware attack is bound to cause all sorts of problems, especially if it's targeting a larger organization. With the risk of falling into the cliché trap, we should say that taking active prevention measures is the best strategy in the fight against this type of threat.

What can you do to prevent a successful ransomware attack?

Installing an anti-virus program on your employees' computers and backing up their hard drives isn't enough. Once again, we're talking about a complex process that has plenty of pitfalls, and the healthy state of the ransomware business clearly shows that companies make mistakes all the time.

A simple security product can't save the day if your entire IT system is based on ancient software that hasn't received its security patches. None other than the United Nations learned the hard way how important security updates are, and if you're responsible for maintaining the network of an entire company, you have no excuses for running software that has known security vulnerabilities.

There's no excuse for poorly configured networks, either. Many of the ransomware families that currently target organizations propagate through unsecured network protocols that have been left open by careless sysadmins. Default passwords are also a frequent highlight of a number of reports on ransomware incidents, which goes to show that the social engineering in the spam emails is far from the only weapon in the hackers' arsenal. That being said, training your employees not to click random links and attachments in unexpected messages is always a good idea.

As you can see, there are already plenty of tasks to take care of, and we haven't even touched upon the question of backing up data.

Every company should have a solid backup strategy, and creating one is not as easy as it sounds. Depending on how you use your data, you need to think about how often it needs to be backed up, but perhaps more importantly, you must think about the actual mechanism for creating backups.

Ideally, you'll follow the 3-2-1 rule, which states that you should have 3 copies of your data stored in 2 different places, 1 of which is offsite. If you can't stick to this strategy, you must regularly test your backups to be sure that they're functional, and you must also keep them disconnected from the rest of your IT systems. That way, a potential ransomware attack won't be able to affect the copies of your data.

These are just some of the things you need to consider, and depending on the business of the company you work for, there could be plenty of other factors that you might need to keep in mind. All in all, trying to protect a company against a ransomware attack is arguably even more of a pain than cleaning up the mess after it's already been hit. Given how devastating the damage could be, however, the effort is well worth it.

February 19, 2020

Leave a Reply