Out of all the different types of attacks your IT systems and servers can fall prey to, a ransomware attack is one of the worst. So it’s not surprising that many businesses cite a ransomware attack as the one IT (or cybersecurity) breach they fear the most.
As usual, prevention is the best defence. The following is some general guidance on how to stop it happening to you and what to do if you do become a victim.
What is Ransomware?
Ransomware is a form of malware that encrypts the victim’s files. It uses a pair of keys: one to encrypt a file and a matching private key to decrypt it. The keys are uniquely generated by the attacker for each victim, and the private key needed to decrypt the files is stored on the attacker’s server.
The attacker makes the private key available to the victim only after a ransom is paid, though, as some recent attacks have shown, that is not always the case. Without access to the key, it is nearly impossible to decrypt the files that are being held for ransom.
Preparing for a ransomware attack is integral both to preventing such events and to minimising the damage if/when an attack succeeds.
Educating staff on how ransomware works and how best to avoid it is an essential first step. Using this knowledge to formulate an action plan for a ransomware attack, including what procedure to follow and who to contact, is also a good idea. For example, you may want to notify some or all of your customers if they are likely to be affected.
Implementing basic security and filtering systems such as mail filtering and firewalls is one of the best ways to protect your data, particularly if your servers or services are open to the public. There are more advanced steps you can take (for example, closing certain ‘ports’ on your server), but the basic steps are a good start. Almost all ransomware infections start with someone unwittingly opening a document or link from an unknown source, so make sure your IT policy contains guidance on this aspect - i.e. do not open or click suspicious links!
Regularly creating multiple backups of all your data is an absolute must in this day and age and gives you a fighting chance of recovery if the worst should happen. Storing these backups in multiple locations is essential for safeguarding them, as attackers will typically try to ‘infect’ any backups they can find.
If you’re storing backups on external devices such as USB sticks or external hard drives, make sure you never leave them permanently connected to your network, as this gives attackers a route to ‘infect’ these devices and encrypt the data stored on them.
Before storing your backups on any device, you should conduct a scan to ensure the device is clean and safe to use.
If you discover that your network has been compromised with ransomware (or indeed any malware) it is important to act immediately to limit the potential damage.
Speed is key, so having communication paths in place beforehand is the best way to inform everyone who needs to know what is going on and what they need to do.
Your IT team (if you have one) should operate from a ‘ransomware playbook’, carrying out pre-defined steps. This will differ from organisation to organisation but, as a minimum, the playbook should cover the following steps:
- Disconnecting infected devices from all network connections as soon as they are located.
- Determining the source of the infection (sometimes referred to as ‘patient zero’) and locking down that area, which has been shown to prevent further encryption of files. The source can usually be identified by looking at the open files on the encrypted shares: if one user has hundreds of files open, that user’s device is probably the source of the infection.
- Speaking to all the users on your system to find out whether they have recently clicked on any links or websites that may have contained the malware. Once the source has been found, reporting it to the relevant authorities can help tackle this crime and prevent other businesses from falling victim to it.
- Verifying that every device is clear of malware before reconnection; once devices are reconnected you can begin restoring your network.
- Beginning the restoration process only once all devices have been cleared and any signs of the ‘infection’ have gone.
- Wiping infected devices clean using appropriate tools before re-attaching them to the network.
- Resetting all passwords and account details, as one of these may have been compromised.
- Ensuring any antivirus software is up to date and running, to pick up any malware that may have been missed.
- Treating any demand from the attacker as an absolute last resort: there is no guarantee that you will be given access back, and paying leaves you a target for future attacks.
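The ‘patient zero’ check from the playbook above, as an added example that is not part of the original article: it counts open handles per user over a constructed export of a file share’s open-files list and flags any user holding far more than everyone else, together with the client hosts to disconnect. The record shape, user and host names and the thresholds are assumptions for illustration.

```python
from collections import Counter
from statistics import median

# Constructed sample of open-file records in the shape an admin might export
# from a file server's open-files view: (user, client host, path). Not real data.
OPEN_FILES = [
    ("alice", "WS-014", r"\\files\finance\budget.xlsx"),
    ("alice", "WS-014", r"\\files\finance\q3.docx"),
    ("bob", "WS-022", r"\\files\hr\handbook.pdf"),
    ("carol", "WS-031", r"\\files\shared\notes.txt"),
] + [("dave", "WS-007", rf"\\files\shared\doc{i}.docx") for i in range(300)]


def open_files_per_user(records):
    """Count how many files each user currently holds open on the share."""
    return dict(Counter(user for user, _host, _path in records))


def hosts_for_user(records, user):
    """Client hosts the user's open handles come from (the devices to isolate)."""
    return sorted({host for u, host, _path in records if u == user})


def find_patient_zero(records, min_files=100, ratio=10):
    """Flag users whose open-file count is far above the others'.

    A user is flagged when they hold at least `min_files` files open AND at
    least `ratio` times the median count across all users. Both thresholds
    are assumptions for this example; tune them to the share's normal load.
    """
    counts = open_files_per_user(records)
    if not counts:
        return []
    med = median(counts.values())
    suspects = [u for u, n in counts.items()
                if n >= min_files and n >= ratio * max(med, 1)]
    return [{"user": u, "open_files": counts[u], "hosts": hosts_for_user(records, u)}
            for u in sorted(suspects, key=counts.get, reverse=True)]


if __name__ == "__main__":
    for s in find_patient_zero(OPEN_FILES):
        print(f"suspect {s['user']}: {s['open_files']} open files from {s['hosts']}")
```

The flagged hosts are the ones to disconnect first; the user list is a triage lead, not proof, so confirm on the device before wiping it.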
We hope the above information is useful and hope that you do not have to use any of it (apart from the preparation aspects).
We have a committed team of specialists that would be happy to assess your business needs and find the best solution for you. Please don’t hesitate to give us a call now on 0161 464 6101 and we’ll be more than happy to help.