One of the major problems in IT security at the moment is ransomware. This form of cyberattack involves a program that locks your computer and gates off your data behind an encryption. In order to get it back, users are asked to pay a ransom to the cybercriminals.
This is growing in severity, as more criminals turn to this method of cyberattack. As such, IT professionals need to be aware of what to do should they or their business fall victim to ransomware.
What to do in the event of a ransomware attack?
To successfully respond to a ransomware attack, there are seven steps businesses and IT security professionals need to follow immediately to deal with this type of threat.
Step one: Disconnect your computer
It sounds like an easy answer, but one of the best things you can do if you notice you're under attack by ransomware is simply turn off your machine and disconnect it from the network it's on. Christopher Budd, global threat communications manager at Trend Micro, says this could stop the attack in its tracks.
However - and perhaps more importantly for large businesses - this will also stop the ransomware program from spreading to other computers connected to the same network. The last thing you want is multiple cases to deal with at the same time.
Step two: Identify and trace the ransomware attack
Knowing exactly what you’re dealing with will help you to understand the situation more thoroughly and therefore be better able to sort it out. Identifying the type of ransomware you’re up against will enable you to understand how it spreads, the type of data it encrypts and how to remove it from your systems.
The two main types of ransomware are screen locking ransomware and encrypting ransomware and they behave in different ways. The first locks down the system but keeps files safe until a ransom is paid, while the second version encrypts all the data until a key is released upon payment.
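An added example (not part of the original article) of the kind of triage that separates an encrypting ransomware case from a screen locker before you decide how to recover. It walks a file share and collects three pieces of evidence: ransom-note files, files whose contents look encrypted (Shannon entropy near the 8 bits-per-byte maximum), and one unfamiliar extension appended to most of the files. The sample share, the keyword list and the entropy threshold are all constructed assumptions for the demonstration, not figures from the article.

```python
"""Added triage example: does this share show signs of encrypting ransomware?

Evidence gathered (all heuristics are assumptions for the demo):
  * ransom-note files (names containing DECRYPT / RESTORE / README / ...)
  * files whose head looks encrypted (Shannon entropy >= ENTROPY_THRESHOLD)
  * one extension covering most files and matching the high-entropy ones
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

NOTE_KEYWORDS = ("DECRYPT", "RESTORE", "RECOVER", "README", "HOW_TO")  # assumed
ENTROPY_THRESHOLD = 7.0   # bits/byte; ordinary documents rarely exceed ~6 (assumed)
SAMPLE_BYTES = 4096       # bytes read from the head of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniform random / encrypted)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_ransom_note(path: Path) -> bool:
    """Ransom notes are small text/HTML files with a shouty, keyword-laden name."""
    name = path.name.upper()
    return path.suffix.lower() in (".txt", ".html", ".hta") and any(
        k in name for k in NOTE_KEYWORDS)


def triage_share(root: Path) -> dict:
    """Walk `root` and summarise the evidence for encrypting ransomware."""
    notes, high_entropy, ext_counter = [], [], Counter()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if looks_like_ransom_note(path):
            notes.append(path.name)
            continue
        ext_counter[path.suffix.lower()] += 1
        with path.open("rb") as fh:
            if shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD:
                high_entropy.append(path.name)

    total = sum(ext_counter.values())
    dominant_ext, dominant_n = (ext_counter.most_common(1) or [("", 0)])[0]
    # An extension covering at least half the share that also matches every
    # high-entropy file is the classic sign of an encryptor renaming its victims.
    suspicious_ext = ""
    if (dominant_ext and high_entropy and total and dominant_n / total >= 0.5
            and all(n.endswith(dominant_ext) for n in high_entropy)):
        suspicious_ext = dominant_ext

    encrypting = bool(high_entropy) and (bool(notes) or bool(suspicious_ext))
    return {
        "ransom_notes": sorted(notes),
        "high_entropy_files": sorted(high_entropy),
        "suspicious_extension": suspicious_ext,
        "verdict": ("encrypting ransomware suspected" if encrypting
                    else "screen locker or no file encryption evidence"),
    }


def build_sample_share(root: Path) -> None:
    """Constructed sample: 3 untouched documents, 4 'encrypted' files, 1 ransom note."""
    for i in range(3):
        (root / f"report{i}.txt").write_text(
            "Quarterly figures and meeting minutes.\n" * 40)
    for i in range(4):  # random bytes stand in for ciphertext
        (root / f"invoice{i}.docx.locked").write_bytes(os.urandom(SAMPLE_BYTES))
    (root / "README_DECRYPT_FILES.txt").write_text(
        "Your files are encrypted. Pay to restore them.\n")


def demo() -> dict:
    """Build the constructed share in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        return triage_share(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real share by calling `triage_share(Path("/mnt/share"))` from a clean analysis host, reading the share read-only; the entropy check only reads the first 4 KiB of each file, so it stays cheap on large volumes, and a verdict of "screen locker or no file encryption evidence" is a prompt to look for a lock screen process rather than to start restoring data.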
Step three: Report the breach to the authorities
If the diagnostics you perform reveal that personal data has been compromised, you must inform the relevant authorities. In the EU, GDPR legislation requires the Information Commissioner's Office (ICO) to be told of any breaches within 72 hours.
To avoid being fined up to 4% of your annual global turnover or 20 million euros (whichever is greater), a breach report should be filed, including information on the type of attack, the amount of personal data affected, actions taken and planned actions to eliminate the consequences.
In the US, equivalent legislation is known as the California Consumer Privacy Act (CCPA) and requires security breaches to be rectified within 30 days. Ransomware that only encrypts data and doesn’t allow the attacker to view it is exempt from notification rules, but other breaches must be reported.
Step four: Update staff and ask them to update their login credentials
Handling a ransomware attack also means liaising with employees and ensuring they understand the situation and the implications it has for the company. Working quickly with staff to change all admin and user credentials can help to stop the attack from spreading further.
As ransomware travels around networks, it can encrypt files and even eliminate backups, so the sooner it’s stopped the better. Proactively informing staff and empowering them to help deal with the ransomware can bring focus to the recovery effort.
Step five: Don't pay the ransom
Unfortunately, there's no guarantee you're going to get your data back in the case of a ransomware attack. The encryptions that cybercriminals use to lock off your information almost always require a specific key to decode, and without this it can be nearly impossible to decrypt your machine.
However, giving in and paying the ransom isn't the answer. FBI Cyber Division assistant director James Trainor points out that all this will do is fund more illegal activity. He said:
Furthermore, it doesn't even guarantee access to your data. Jason Glassberg, co-founder of Casaba Security, entreats businesses to remember that they're dealing with criminals, adding: "They may not honor their promise to remove the ransomware or they may re-infect the network again soon afterward."
Step six: Conduct a security audit and update all systems
Removing the ransomware from your computers means accepting that your files won’t be restored to how they were prior to the attack. Instead, you’ll be returning to a backed-up version of the data and putting your system back into its previous state.
You’ll need to run a security audit to scan the system and find the ransomware program in order to remove it. Once it’s gone, you can then update all your machines to return them to a version before the attack.
It’s then worth thinking of strategies to ensure your organization isn’t vulnerable to another ransomware attack in the future. Machine learning is among the tools at the forefront of the fight against ransomware, as it works by analyzing data to identify patterns of behavior, flagging and quarantining any anomalies.
Step seven: Contact an organization that can help
There are plenty of ways to remove ransomware from your computer, but without the relevant encryption keys your data may be lost forever unless you have it backed up. However, in some cases there are organizations that can help out.
One example is the No More Ransom project, which has access to a number of ransomware decryption tools for certain iterations of the software. There are no guarantees, but if you have a form of ransomware that is not particularly current it might be possible to recover your information.
Employees are the weakest link in cybersecurity
Employees can be the biggest security threat within your company, so education and training are vital in ensuring they don’t become unwitting accomplices. One small action by an individual can have far-reaching consequences, whether it be working from an unprotected personal device or opening an official-looking attachment.
Minimize employee threats by:
- Conducting awareness training that demonstrates to staff that IT security is everyone’s responsibility and any weaknesses should be reported
- Encouraging openness about mistakes in order to learn from them and highlight potential pitfalls for the future
- Educating staff on the importance of strong passwords and implementing a system that mandates they be changed regularly
- Keeping staff up to date on the latest scams and sending regular reminders about best practice in data security