Director at i-confidential
Ransomware attacks are increasing and no one is immune, but there are ways to reduce the risk. Are you taking the appropriate steps to protect your systems and data from attack?
What Is a Ransomware Attack?
Typically, an attacker uses malicious software to encrypt a victim’s files or data before demanding a ransom payment in exchange for restoring access.
The attack starts with a breach of a computer or network. This is commonly enabled by a successful phishing attempt, where the attackers deceive people into revealing sensitive information or installing unauthorised software. For example, you might click on a link in an email that downloads ransomware onto your computer, or gives an attacker access to your device.
Once an attacker is inside your computer, it takes little time for them to deploy the ransomware and encrypt your files, and potentially all the files on any networked shares, effectively locking you out of them. Many ransomware programs will then display a message with the required ransom and further instructions on how to get in touch with the attacker.
After an Attack
At this point, you have a few options. Regardless of circumstances, you need to proceed calmly and methodically. The National Cyber Security Centre (NCSC) provides some helpful general advice, including:
Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless, or mobile phone based.
In a serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches), and disconnecting from the internet might be necessary.
Reset credentials, including passwords (especially for administrator and other system accounts), but verify that you are not locking yourself out of systems that are needed for recovery.
Safely wipe the infected devices and reinstall the operating system.
Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are confident that the backup and the device you're connecting it to are clean.
Connect devices to a clean network in order to download, install, and update the operating system and all other software.
Install, update, and run antivirus software.
Reconnect to your network.
Monitor network traffic and run antivirus scans to identify if any infection remains.
What you shouldn’t do is jump in straight away and pay the ransom. Not only is this discouraged by law enforcement but it won’t necessarily fix your problem. There is no guarantee you will get access restored to your data or computer system, and you will still be infected.
Counting the Cost
The impact of a ransomware attack on a business can be significant - sometimes terminal. It can include:
Disruption to regular operations.
Loss of revenue.
Loss of valuable data.
Loss of sensitive information.
Compromised customer confidence.
Diminished brand reputation.
A high-profile example was the attack on The Guardian newspaper last year. Staff had to work remotely while internal systems were disconnected and assessed. IT systems were widely affected, from internal staff communication tools to the tills in the canteen.
Preventing an Attack
Most intrusions result from human error, misconfigurations, social engineering, or phishing attacks. The attacker’s ultimate goal is to deliver the ransomware itself.
Organisations therefore need to take steps to help prevent an attack. This includes a number of technical measures:
Ensuring data is backed up, with regular testing of the backup and restore process.
Making sure all software is up to date.
Using anti-malware tools.
Using strong passwords and possibly multi-factor authentication.
Limiting the privileged access people have to devices and the network.
Protecting inbound and outbound traffic with specific controls that can help defend against ransomware threats.
Regularly testing incident processes to see how well you can recover.
Aside from these steps there is also a vitally important people element that involves ongoing education and communication.
Business users might not have the same understanding of ransomware as their security colleagues. It is therefore vitally important that everyone is educated on the latest phishing and social engineering tactics that are used to deliver ransomware into an organisation.
One educational approach that works well for many organisations is to run regular phishing simulations, which involve delivering emails to employees that mimic real phishing attacks to see what they do when faced with this potential cyber threat.
No one security measure is ‘foolproof’. A multi-layered strategy is essential to help combat ransomware threats. The key message here is to educate all of your colleagues on the role they can play in staying vigilant.
If you would like to understand more about how we can help you protect your organisation, we would welcome a conversation.