Ransomware has become more prevalent than ever, and predictions are that it will continue to be a major form of cybercrime in the coming years. Ransomware is a type of malware designed to encrypt files or even entire drives so that the infected business can no longer access those files or systems without the key to unlock the encryption, which of course is not available unless a ransom is paid, almost always in cryptocurrency. This can have a devastating effect on the attacked organization, creating an atmosphere of desperation that can be mitigated with preparation or avoided altogether with strategic prevention.
Ransomware attacks all sectors of the economy including healthcare, banking, finance, manufacturing and small businesses, which essentially means everyone is susceptible. The average demand from ransomware attackers in 2020 was $570,857. The recent ransomware attack on the Colonial Pipeline, the largest U.S. pipeline system connecting Texas and New York, was resolved by paying nearly $5 million to the hackers. The first known fatality due to ransomware occurred in Germany when a critically-ill woman had to be taken to another hospital for treatment because ransomware had taken down important hospital systems.
It is far better to prevent a ransomware attack than to try to recover from one. There are many ways to prevent a ransomware event from happening by taking proactive cybersecurity measures and practicing basic good cyber hygiene. Today, good cybersecurity practices are not only sound business policy, but an absolute business survival necessity. To prevent a ransomware attack, CyberNINES recommends starting with these best practices from the Cybersecurity & Infrastructure Security Agency (CISA).
If your company is truly prepared for a ransomware attack, you have a significantly lower chance of an attack occurring. However, even the best systems have their weakness, namely users, so if you are breached by a ransomware attack, your immediate reactions should be:
1. Isolate the infected systems immediately.
- Infected systems should be removed from the network as soon as possible to prevent ransomware from spreading on the network or share drives.
- Isolate or power-off affected devices that have not yet been completely corrupted. This may afford more time to clean and recover data, contain damage, and prevent worsening conditions.
- Immediately secure backup data or systems by taking them offline.
- Ensure backups are free of malware.
- Delete Registry values and files to stop the program from loading.
2. Contact law enforcement immediately.
- A ransomware attack is no different than a bank robbery; treat it the same.
- We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance.
- Do not “cover up” the incident.
- Collect forensic information if any is found.
3. Do not pay the ransom.
- The FBI recommends that you NOT pay the ransom.
- Paying probably won’t help you get your files back.
- Paying means they have your files and your money.
- It can be illegal to pay the ransom if the attacker is on the US Denied Parties list.
4. If you backed up your files, you can recover.
- If you have previously commissioned an IRT (incident response team), now is the time to call them.
- Restoring files is only one part of your recovery; you will also need to format drives and reinstall programs.
- Change all online account passwords and network passwords.
- Don’t be afraid to ask for help.
For more information on how to conduct vulnerability scanning or manage your security and compliance, visit the CISA website (https://www.cisa.gov/cybersecurity) or feel free to contact us at CyberNINES.