
Responding to a Ransomware Attack


Ransomware is a costly business and organizations are becoming increasingly concerned that their systems and data may one day fall victim to a ransomware attack. Among 582 surveyed cybersecurity professionals, 50% did not believe their organizations had sufficient protection to repel a ransomware attack. This concern is validated by the alarming statistic that 66% of organizations experienced ransomware attacks in 2023.

For businesses, preventative measures are essential for thwarting attack attempts in the first place, and a rehearsed disaster recovery plan helps minimize overall loss for the organization. Nevertheless, regardless of the ransomware prevention and protections in place, companies may still fall short, and in the event of a compromise the appropriate personnel must be ready with a proactive response, removal, and recovery plan.

1. Gather Information and Identify the Source

The critical first step in the event of a ransomware attack is to remain calm. Take the time to make notes about the attack and what the malicious party is requesting, and photograph the ransom message as it appears on screen. Look for key clues to identify which type of ransomware you have been infected with.

There are several ransomware identification tools available that maintain a database of the encryption extensions appended by popular ransomware families such as LockBit, BlackCat, Conti, REvil, and others.

Social engineering attacks, such as phishing and Business Email Compromise (BEC), are often very effective and lucrative for cybercriminals. These attacks have almost doubled and represent more than 50% of incidents. It is also important to note that 74% of all breaches involve the human element, including errors, privilege misuse, use of stolen credentials, or social engineering.

At this point, the source of the attack may be isolated to a single host, or the infection may already have spread to multiple endpoints. Identify which devices have been compromised, which files have been encrypted, and how widespread the attack is. Conscious and clear communication is key here, as everyone must do their part to ensure the attack is contained.
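As an added example (not code from the original post), a small Python triage script that performs the identification this step describes: it walks a file share, groups encrypted files by a known-extension database, hashes any ransom notes as evidence, and records the earliest encryption time to anchor the timeline. The extension database, the note-name pattern and the sample share are constructed placeholders, not an authoritative list.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed extension database (placeholder entries, not an authoritative
# list); a real triage loads this from a maintained ransomware-ID service.
KNOWN_EXTENSIONS = {".lockbit": "LockBit", ".conti": "Conti"}
# Ransom notes are usually dropped beside encrypted files under names such as
# RESTORE-MY-FILES.txt; this pattern is an assumption and can false-positive.
NOTE_NAME = re.compile(r"(readme|restore|recover|decrypt|how.?to).*\.(txt|html|hta)$", re.I)

def triage(root):
    """Group encrypted files by suspected family, hash ransom notes as
    evidence, and record the earliest encryption time seen under root."""
    root = Path(root)
    encrypted = defaultdict(list)   # family -> [paths relative to root]
    notes, mtimes = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        family = KNOWN_EXTENSIONS.get(path.suffix.lower())
        if family:
            encrypted[family].append(rel)
            mtimes.append(path.stat().st_mtime)
        elif NOTE_NAME.search(path.name):
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            notes.append({"path": rel, "sha256": digest})
    return {"families": {f: len(p) for f, p in encrypted.items()},
            "encrypted_files": dict(encrypted), "notes": notes,
            "first_encrypted_mtime": min(mtimes, default=None)}

# Constructed sample share: HOST-A has been hit, HOST-B is clean.
SAMPLE_TREE = {
    "HOST-A/finance/q1.xlsx.lockbit": b"\x00\x01junk",
    "HOST-A/finance/q2.xlsx.lockbit": b"\x00\x02junk",
    "HOST-A/RESTORE-MY-FILES.txt": b"constructed ransom note",
    "HOST-B/hr/policy.docx": b"clean file",
}

def demo():
    """Materialise the sample share in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLE_TREE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return triage(tmp)
```

Point `triage()` at a mounted share or a forensic copy rather than the live host, so the scan itself does not alter timestamps on evidence.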

2. Isolate the Attack

Once the source(s) of the attack have been identified, it is important to isolate them from the environment to prevent further damage. This may mean disconnecting from the network, both wired and wireless, removing the power source, extracting infected drives, or booting into safe mode if possible.

The objective of this step is to keep the damage and extent of the compromise as contained as possible, at all costs. As an extension of this step, if the ransomware was triggered by a phishing email or malicious link, flag it and notify employees immediately to prevent more devices and files from becoming infected with malware.


3. Consult and Consider Your Cybersecurity Options

Before any executive decisions can be made, it is pivotal to notify the appropriate personnel for updated information about the attack. This may include your company’s IT/security department, the authorities, and depending on the organization, your security team lead, CISO, or equivalent.

Once the impact and severity of the compromise are under control, it is time to consider the course of action. As mentioned, preparation ahead of an attack is one of the best strategies for responding to and recovering from one, and it ultimately gives you more alternatives if your company is hit with ransomware. Your options, however, depend on a variety of factors, including the size of your company, the cost of potential downtime and lost revenue, the number of affected assets, and more.

a. Wipe & Recover from Backups

Companies should have offline, external backups and copies of critical data, segregated from the original data, so that if any type of disaster occurs the company can minimize loss. If this applies to your business, consider this option. If, however, the malicious party was able to encrypt all original copies and their corresponding backups across each system and branch, this may not be a viable solution.

It is therefore important to evaluate the amount of effort and downtime this alternative will cost your company. Whether the cost to wipe, re-image, and restore from backups or restoration points, together with the lost revenue from taking your company offline, will impair your organization more than paying the ransom is something that must be assessed.

b. Attempt to Decrypt Files

If you were able to identify the type of ransomware in the first step and research reveals existing, trusted tools that attempt to decrypt your files, it may be worth investigating this option further. Again, there are pitfalls to trusting third-party software to decrypt your files.

Consider the price, legitimacy, and reliability of the tool before carefully exploring this option.

c. (Don’t) Pay the Ransom

If your company did not employ the correct measures to recover in the event of an attack, there is no other way to recover the files, and every minute in which your company is not responding results in significant damage, then paying the ransom comes into consideration. Severe warnings come with this option, however: even if the ransom is paid, there is no guarantee that the files will actually be recovered or decrypted. In 2023, it was calculated that only about 46% of victims who decided to pay the ransom demand actually got their data back.

Many security experts advise against paying the ransom, as it only improves the attackers' success statistics and further encourages hackers to participate in this culture and economy. For many organizations, however, rolling the dice on paying the ransom ultimately becomes a more realistic and cheaper decision than venturing the other options. If your company is even in the position where it must explore this option, your security team should take the time to evaluate your security posture, understand your vulnerabilities, and devise an efficient response plan.

At the end of the day, it is about weighing the factors and choosing the option that is best for your company: which option gives your organization the best chance to stay afloat while minimizing the cost of downtime and impacting your clients and customers the least?

4. Learn from Mistakes

Using what was gathered in Step 1, organizations must fully understand which weaknesses or vulnerabilities within the business allowed this attack to take place. Note down how the response and recovery process went and what can be improved for next time, and determine which mitigation strategies can be implemented to ensure that this attack vector is eliminated.

Lessons from successful breaches are a powerful component of employee awareness programs. An effective security awareness training program incorporates procedures and policies to protect an organization by detecting potential threats and mitigating them. Companies seeking to ward off hackers while complying with regional laws must invest in employee security awareness training, since trained employees are harder to deceive.

Conclusion

Though ransomware delivery is a unique type of attack, the avenues through which it is distributed are the same ones through which malicious parties gain unauthorized access to your company's sensitive data.

If your organization does not conduct thorough employee awareness training and keep its security practices up to date, you may be more vulnerable than you think. For more information on how to prepare for and deal with ransomware, please contact us today.
