Ransomware is a growing billion-dollar business, and hackers have launched high-profile ransomware attacks against nearly every industry from healthcare to higher education to financial services, often with large ransoms and huge restoration costs. Even cities aren't immune: Baltimore estimates the cost of a crippling ransomware attack at $18.2 million. Yes, you read that right, $18.2 million!
Despite rising awareness of the ransomware risk, this cyber security threat continues to wreak havoc on businesses, organizations, individuals and municipalities every day with increasing frequency and increasing costs.
So what is ransomware? In the simplest terms, ransomware is malware (think virus) that infects a computer or computer system and renders its data useless by using strong encryption to lock the files. The perpetrator holds the locked data hostage until a ransom is paid for a decryption key that can unlock the files. Here’s what you should do if you’re hit with ransomware, and how you can try to prevent ransomware attacks.
What to Do When Ransomware Strikes
You’ll know when you’ve been hit by ransomware: The attack typically starts at one workstation (your geeky friends like me may call this an endpoint), often after someone has clicked a link in a malicious email or visited an infected web site. These are not the only ways that you can get a ransomware infection running rampant in your network, but they are the most common.
Once implanted, the ransomware runs silently in the background, and in many cases, it will search your network looking for other targets to encrypt, including file servers, other workstations and backups. The more files it can encrypt, the more likely you are to pay the ransom, regardless of the price demanded. Once the ransomware has encrypted all files that it can, a message will be displayed announcing that your files are locked. The message will also demand that you pay a ransom, typically in some cryptocurrency like Bitcoin, Monero or Ethereum, and pay it within a certain amount of time or your files will be permanently locked. Some of these attacks are so sophisticated that the attackers have a support team that you can call or email for help to make the payment in cryptocurrency.
If you get the dreaded notice that your system has been encrypted with ransomware, don’t panic.
- The first thing to do is to take a photo of the ransomware message (you may need it later to restore your data and for law enforcement).
- Turn the computer off and unplug it from the network and the power outlet. If an infected computer is powered off and unplugged, it’s not talking to anything else. Leaving the computer online risks allowing the ransomware to spread and cause more damage. This, of course, gets more complicated if multiple devices or servers are compromised.
- Next, get help. Notify your IT department or managed services provider (MSP) immediately. Savvy technology teams may be able to obtain a free key that can unlock your data by visiting the site Nomoreransom.org or by contacting your anti-malware provider or law enforcement.
- Contact your insurance company; you may be covered in this kind of situation. (Intrust IT clients benefit from our $1 Million Cyber Security Guarantee.)
- Talk to your legal counsel; you may have a legal requirement to report the attack to law enforcement.
What Not to Do
Don’t let embarrassment or fear keep you from alerting people who can help. Keeping an attack a secret can have big consequences. Some organizations are legally required to report data breaches.
Don’t be quick to pay the ransom. You may be able to get a free key, and there is a slim chance that your files are not encrypted. Some ransomware attacks are merely an attempt to scare you into paying a ransom even though the data is not actually encrypted. Keep a cool head and don’t be rash. Again, your IT team or MSP can help you determine the severity of the attack and provide guidance on the best way to move forward.
Don’t use the infected computer again until it is wiped clean by a professional.
The best-case scenario: You have an active backup system with good backups and may only lose the data that was modified since the last backup. The worst-case scenario? The website KnowBe4.com says ransomware can cost a business:
- On average, ransoms of around $12,700
- 7.5 days of downtime to recover from an attack
- An average downtime cost of about $64,000
Gregory A. Garrett, head of U.S. and International Cybersecurity for BDO, recently wrote, “During 2018, we have seen a 350 percent increase in ransomware attacks.” Sadly, ransoms, the amount of downtime, and the costs to recover after an attack continue to increase and show no signs of slowing down anytime soon. According to Cisco's "Small and Mighty" Cybersecurity Special Report — drawing on data gathered from 1,816 respondents across 26 countries — more than half (53%) of midmarket companies suffered a security breach in 2018.
Only pay the ransom if all else fails. Remember, you’re dealing with criminals: there is no guarantee that you will be able to recover your data, and paying them only encourages more attacks, including possible future attacks on you. If, as a last resort, you decide to pay the ransom, ask the attackers to prove that they can decrypt the files and negotiate a lower ransom if possible.
Good endpoint protection (antivirus or anti-malware) software that can help protect your devices from known ransomware is a must.
While ransomware can’t always be tracked back to its source, we know it is often contracted from websites that offer free software or driver downloads. Watch for pop-up links claiming to provide software updates. Anywhere you’re getting something for “free,” what you may be getting is a nasty virus, including ransomware. Your IT department or MSP should have a regular process that keeps all your software up to date, so you don’t need to download updates on your own.
Email is another path for ransomware to worm its way into your company or organization. Be wary of any emails that look suspicious, and even if they don’t look suspicious, avoid clicking any links you didn’t ask for. If an email takes you to a site that requires downloading a macro, don’t do it.
Sadly, spoofed emails can look very authentic and be well-written. Always verify anything odd with the email sender directly through another channel: Call or text the sender, head to his or her cubicle or compose a new email (using the correct, known address) to affirm the original email’s request.
And in some cases, ransomware can be delivered through links posted to social media sites. Again, it pays to be very skeptical when dealing with any link that you did not ask for and whose legitimacy can’t be confirmed.
Finally, Remote Desktop Protocol (RDP) remote access software can allow an attacker into your network to launch a ransomware attack. Ask your IT team or service provider how to protect your organization from this attack vector.
Back up, back up, back up. If it’s worth saying once, it’s worth repeating over and over. The only way to carry on without fearing a ransomware attack is to know you have rock-solid backup systems in place and functioning. We verify our clients’ backups each day. Talk to your IT department or service provider about how your backup system is verified. If you don’t test backups periodically, you can’t be certain that you can restore in a crisis. Don’t wait until you’re in crisis mode to find out whether you’re following best practices and if your backups work.
Be proactive with security testing. Intrust IT and other companies will perform periodic testing of your systems and users to find weaknesses and help you remediate them.
Finally, education and awareness are increasingly critical; new ransomware attacks are constantly being launched because the bad guys are making big money. You should provide regular training for your staff to help them avoid common mistakes that can make them easy targets for ransomware and other cyber attacks.
While it’s far from a pleasant experience, you can recover from a ransomware attack. Our clients are generally back on track fairly quickly. You don’t have to pay the ransom. You don’t have to go out of business. You can restore to a known, good point.
Got questions? Call us, we can help.