Ask anyone who’s been through it: ransomware attacks are nasty, insidious beasts that can spike stress levels, lean hard on resources and steal funds from organizations. They impact brand reputation, deflate morale and significantly disrupt normal business operations.
Worst of all, ransomware reports on the rise.
A recent survey shows that the biggest cost to business is downtime, not the ransom payment. The other interesting finding is that almost half of all attacks target firms with more than 20 employees, with 60% targeting those with 100+ employees.
With companies opting to pay the ransom to avoid downtime, they help to fund the criminal business model, which not only encourages existing attackers to ramp up their nefarious activities, but also inspires other potential cybercriminals to join the ransomware fray.
The only way to stop attackers is to hit them where it hurts: the proverbial wallet. Lowering your exposure to ransomware attacks is key – so is having agreed mitigation plan in place that can be immediately launched, should you find yourself a victim of this cyber scourge.
The ransomware business model
File-encrypting ransomware employs similar attack vectors as other types of malware. The attacker’s objective is to get access to your systems in order to encrypt files.
Encrypted files are rarely recoverable without the decryption key, which is offered to you by the attackers for a fee, or ransom. If the ransom is not paid in a set amount of time, the ransom amount is increased.
Upon receiving payment, the attackers pledge to decrypt the files.
Popular ransomware attack vectors
Ransomware attacks need access to the network in order to encrypt files. The most popular techniques employed to access the network include exploiting system vulnerabilities and employing social engineering techniques (such as duping a staff member into revealing access codes to the system).
How to avoid a ransomware attack
There are a few steps that can significantly lower your risk of exposure:
- Regularly pen test your network to patch known vulnerabilities and review permissions and configurations
- Monitor traffic, automating immediate flagging of suspicious activities
- Provide detailed cybersecurity training to staff
- Perform serialised back-ups regularly in case newer backups are compromised.
What to do if you think you may be under ransomware attack?
It is vital that no firm feels they are immune to ransomware attack. Attackers often employ sophisticated social engineering tactics – similar to those seen in phishing attacks. If they gain access to the system using valid credentials, these insidious attacks can be much more difficult to spot.
To avoid the headless chicken approach to dealing with an emergency situation, it is recommended to have a solid practiced plan in place. The faster you can mitigate against the attack, the easier it will be to resolve the issue without paying out.
Isolate the problem
The first step is to maintain as much network integrity as possible, and that means preventing the infection from spreading across your network.
While availability will be affected if you choose to shut down the entire network, it may be your only choice if isolating and quarantining affected machines is not an option.
Analyse the problem
This phase is all about scoping the issue in order to isolate the attack vector.
Not only might you want to contact the authorities, but you might also want to bring in third party IT security experts to help resolve the issue and harden systems to avoid future ransomware attacks.
The more information you can provide upon contacting them, the easier their job will be. Answers to the following questions will be helpful:
- Can you locate a source of intrusion or infection?
- How many machines are impacted?
- Are any files or data already encrypted?
- When was the last system backup?
- Can you isolate the attack vector?
- Have you noticed any suspicious activity on your network and if yes, when did it first appear?
Unless your company is lucky enough to have in-house IT-security experts that can deep-dive your systems, isolate the attack vector and implement security measures to prevent further attacks, it is highly recommended to bring in third party expert consultants.
You want to make sure that anyone you bring in has a proven track record of penetration testing systems to isolate and eradicate vulnerabilities lurking on the system.
Note that once infected, it is often impossible for even the best IT security experts to recover files without paying the ransom to the attackers.
This is why prevention, as well safety-net security measures like serialised back-ups, are a much better alternative to remediation.
If you are concerned about ransomware prevention or a possible attack, please contact TBG Security.