It often starts with an email. Someone in your organization opens an email that seems legitimate — maybe a message about needing to take immediate action on an account, or a notification about a package. They click the enclosed link, or download an attachment and suddenly their computer is locked, and so are the rest of your company’s devices and data. All that’s left is a message asking for a ransom before you can get your data back. You’ve been hit with a ransomware attack.
Ransomware has become an increasingly common threat over the past few years. A report from Verizon found that ransomware was the third most common attack vector in the last year. According to Threatpost, ransomware attacks increased by more than 150% in the first half of 2021 and the threats from ransomware are more diverse than ever; a recent report found that 113 different ransomware families were operating in the first quarter of 2021.
What is ransomware?
Ransomware is malware — or malicious software — that holds an organization’s information, systems, data or networks for ransom. It does this by blocking access to data, either by encrypting the data or by locking a system so the owners can’t get access to their own files. The attackers then demand a ransom for the encryption key. If the ransom isn’t paid, you don’t get your data back — and some attackers will also threaten to publish proprietary information on the public internet.
Ransomware attacks are most often carried out through a phishing scam (think fake emails or messages) or some other social engineering attack aimed at tricking your people into clicking a link or downloading the malware.
While ransomware attacks started as small-time theft targeting private individuals, ransomware has been a success with hackers and other cybercriminals, who have started to go after bigger targets and bigger ransoms in the past few years. In fact, ransom demands have more than doubled in the last year.
We’ve written before about how cybersecurity isn’t enough to protect your data, but in this case, some basic cyber hygiene practices can reduce your risk of being compromised by ransomware.
What can you do to prevent a ransomware attack?
1. Educate your employees
With very few exceptions, ransomware can’t get into your network unless someone clicks on a suspicious link or downloads an attachment they should not. Train your workforce to recognize suspicious email and be wary of links that don’t look right. Your employees should be armed with knowledge that helps them understand these scams, avoid being tricked by them, and report them. We should mention that not all scams are easy to spot. Some phishing attacks are quite sophisticated and may fool even savvy users — according to the SANS 2021 Top New Attacks and Threat Report, phishers are increasingly using more extensive research to customize their messages to C-level executives in a bid to fool company leadership into clicking links and opening attachments. Most phishing scams, however, can be prevented by ongoing security awareness training that covers best practices.
2. Back up everything regularly
Criminals who use ransomware rely on the fact that you’ll want your data back. When your networks are at a standstill and you don’t have access to your data, that means you’re suffering a business interruption that will cost you money. If you have backups and a backup system, however, you can continue doing business through other channels while you work to remove the ransomware from your network. The thieves may already have your data, but they won’t be able to disrupt your business.
3. Invest in spam filters and antivirus software
Spam filters and antivirus software might not eliminate all ransomware, but they’re helpful in catching some of the most common phishing scams and malware. It’s worth investing in both — you’d hate to be compromised by an obvious and easily-preventable virus.
4. Have a ransomware response plan
Don’t wait until you’re attacked to figure out how you’ll respond to ransomware. Create a plan in advance. How will you remain productive in the event of an attack? Will you pay the ransom? How will you remove the ransomware? Which law enforcement agency will you contact? Make sure you know exactly what you’ll do ahead of time. That will minimize the damage of the attack.
5. Compromised? Move fast.
Time is of the essence if you’ve been attacked. If you think you’re being attacked, disconnect from the Internet immediately and isolate any machines you know are infected. Most ransomware needs to establish a connection with its command and control (C&C) servers in the early stages of an attack so that it can complete its encryption routine. If the ransomware can’t do that, your IT department has the opportunity to find and remove it before it can do any damage. This can be difficult with a remote workforce, but if your workforce has been educated, they’ll know to shut down their computers and notify your team immediately.
Should you pay the ransom?
It’s up to you whether or not to pay the ransom that’s been demanded, but it’s important to know that law enforcement doesn’t support paying ransoms. Last year, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory suggesting that companies who pay or facilitate ransom payments may even be penalized for doing so.
Ultimately, most experts say no — don’t pay the ransom. For one thing, it encourages further crime by showing hackers that their tactics work. For another, there’s no guarantee that your data will be returned or kept private.
The best way to mitigate the damage of a ransomware attack is preparedness. By being ready for the attack before it happens, you can keep your data and minimize the effects of any attacks that do happen.
Need help preparing a ransomware response plan? Contact us now for a demo.