Ransomware attack? What to do instead of paying the ransom
Ransomware is a persistent threat that today’s organizations face. But even in the most devastating attacks, there are several important reasons why paying the ransom is a bad idea. And in some cases, doing so could land your business in legal trouble with federal authorities.
In this post, we look at the steps you can take immediately following an infection to mitigate the attack and get your data back without giving the hackers a penny.
Why shouldn’t you pay the ransom?
It can be tempting for a business to pay the ransom in hopes of restoring their operations, because an extended disruption could be far more costly. But here’s a quick reminder of why this is NOT recommended:
- The Federal Bureau of Investigation (FBI) strongly advises organizations not to pay.
- There is no guarantee that threat actors will return data even if the ransom is paid or that they won’t target your organization again in the future.
- Aside from the possibility of not receiving decryption keys, even if they are provided, the data may be corrupted.
- Paying the ransom signals to cybercriminals that their tactics work and thus funds the ransomware industry.
- Your company could be fined for paying the hackers if they are known adversaries of the U.S. government, such as terrorist groups or nation states.
- Cyber insurance costs could increase if the ransom is paid.
The best way to avoid becoming a victim, and another entry in the growing ransomware statistics, is to learn how to avoid infection and to have a dependable data backup system. However, if your organization is infected, knowing what steps you can take before conceding to the attackers' demands is the next best thing.
Here are some possible steps you can try first.
Restore data from backup
One of the first steps to take is to try to recover data from backup. Performing routine backups is a critical part of a good business continuity plan, and in the event of a ransomware attack it can take the question of paying the ransom off the table altogether. By rolling back to clean data from before the attack occurred, the data is restored and the infection is removed in one step.
A report by Datto shows that restoring data from backup is the top ransomware recovery method. Their data, reported in 2020, found that 76% of organizations suffering an attack were able to recover their machines from backups.
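The key to "rolling back to clean data from before the attack" is picking a snapshot that was taken before encryption began, and checking that it really is clean before restoring it. The following is an added example, not code from the original post or from Datto: it chooses the newest snapshot older than the time encryption was first observed, then screens the files it would restore using a byte-entropy heuristic plus a list of ransom-note file names. The snapshot times, file contents, the `.locked` extension and the `README_DECRYPT.txt` note name are all constructed for illustration.

```python
"""Choose a restore point from before the attack and screen the files it
would restore for signs of encryption.

Added example, not code from the original post or from Datto. Snapshot
times, file contents, the ".locked" extension and the ransom-note file
name are constructed for illustration.
"""
from __future__ import annotations

import math
from collections import Counter
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed stand-ins. Ordinary text has modest entropy; ciphertext is
# close to 8 bits per byte, and bytes(range(256)) * 4 scores exactly 8.0.
PLAIN_DATA = b"Q3 revenue summary: north 1200, south 980, west 1410\n" * 20
CIPHER_LIKE = bytes(range(256)) * 4
RANSOM_NOTE = b"Your files have been encrypted. (constructed sample note)\n"

# Constructed snapshot history: time taken (UTC) -> {relative path: bytes}.
# A real run would read these from the backup system.
SAMPLE_SNAPSHOTS = {
    datetime(2020, 8, 1, 2, 0, tzinfo=UTC): {
        "finance/q3_notes.txt": PLAIN_DATA,
        "hr/roster.csv": PLAIN_DATA,
    },
    datetime(2020, 8, 2, 2, 0, tzinfo=UTC): {
        "finance/q3_notes.txt": PLAIN_DATA,
        "hr/roster.csv": PLAIN_DATA,
    },
    datetime(2020, 8, 3, 2, 0, tzinfo=UTC): {  # taken after encryption began
        "finance/q3_notes.txt.locked": CIPHER_LIKE,
        "finance/README_DECRYPT.txt": RANSOM_NOTE,
        "hr/roster.csv.locked": CIPHER_LIKE,
    },
}
# Constructed: when encrypted files were first noticed on the share.
FIRST_SEEN = datetime(2020, 8, 2, 14, 30, tzinfo=UTC)
# Constructed list; populate it from the note names seen in your incident.
RANSOM_NOTE_NAMES = frozenset({"README_DECRYPT.txt"})


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0. Ciphertext sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Heuristic only: compressed formats (zip, docx/xlsx, jpeg) also score
    high, so treat a hit as something to review, not as proof."""
    return shannon_entropy(data) >= threshold


def select_restore_point(snapshots: dict, first_seen: datetime):
    """Newest snapshot taken strictly before encryption was first seen."""
    candidates = [t for t in snapshots if t < first_seen]
    return max(candidates) if candidates else None


def screen_snapshot(files: dict[str, bytes]) -> list[str]:
    """Paths that carry a ransom-note name or look like ciphertext."""
    suspicious = []
    for path, data in files.items():
        name = path.rsplit("/", 1)[-1]
        if name in RANSOM_NOTE_NAMES or looks_encrypted(data):
            suspicious.append(path)
    return sorted(suspicious)


def plan_restore(snapshots: dict, first_seen: datetime):
    """Pick the pre-attack snapshot and report anything in it that still
    looks encrypted. A non-empty list means first_seen is too late and an
    older snapshot is needed."""
    when = select_restore_point(snapshots, first_seen)
    if when is None:
        return None, []
    return when, screen_snapshot(snapshots[when])


if __name__ == "__main__":
    when, issues = plan_restore(SAMPLE_SNAPSHOTS, FIRST_SEEN)
    print("restore from:", when, "| suspicious files:", issues or "none")
    latest = max(SAMPLE_SNAPSHOTS)
    print("latest snapshot would restore:", screen_snapshot(SAMPLE_SNAPSHOTS[latest]))
```

Because some legitimate formats are compressed and therefore high-entropy, the practical use of this check is comparative: a file that scored low in the previous snapshot and high in this one, especially with a new extension appended, is the pattern to look for. The time encryption was first observed should come from file-server logs or endpoint alerts, not from the timestamps the ransomware left on the files.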
Isolate infected computers/servers
This is another important step you should take immediately after an infection is known.
Isolating the infected computer or server from all networks is critical to preventing the ransomware from spreading. As a part of this step, make certain the infected device’s networking, wireless, Bluetooth and any other communication capabilities are disabled. All shared and networked drives should also be disconnected, including wired ones.
If several systems or subnets appear to be affected, take the network offline at the switch level to quickly limit the damage. If only one or two computers appear to be affected, it is simpler to isolate those machines immediately.
By limiting the spread of the infection, you can greatly reduce the amount of data that is affected, ideally preventing the need to pay the ransom.
Power down computers
Powering down networked computers (both infected and not) can help to further prevent the infection from spreading. Once these devices are shut down and segregated, move them to a location where they can be clearly labeled. Powering down may also leave partially encrypted files that experts can recover, but either way, it helps prevent spread. Keep in mind that shutting a machine off discards the contents of its memory, so if a live RAM capture is wanted as evidence, it has to be taken before the power goes off.
As systems are eventually brought back online, each machine should be checked individually to confirm the infection is gone, or simply reimaged. Just keep in mind that as soon as you reimage an infected device, you potentially lose evidence that authorities could use in an investigation. This includes recovered executable files, live RAM captures, log files, malware samples, PowerShell scripts and encrypted file samples.
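If evidence is collected from a machine before it is reimaged, its value to an investigation depends on being able to show later that nothing changed in the meantime. The following is an added example, not code from the original post: it hashes every collected artifact with SHA-256, writes a manifest with a single digest over the whole file list that can go into the case notes, and provides a verification step that reports any artifact that has gone missing or been altered. The evidence directory layout, file contents, host name and case id are constructed placeholders.

```python
"""Record a tamper-evident manifest of artifacts collected from an infected
host before it is reimaged, and verify the collection later.

Added example, not code from the original post. The artifact files, host
name and case id are constructed placeholders.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large memory captures do not have to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, host: str, case_id: str) -> dict:
    """Hash every file under evidence_dir and return the manifest as a dict."""
    entries = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            entries.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            })
    manifest = {
        "case_id": case_id,
        "host": host,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": entries,
    }
    # One digest over the file list, so a single value can be written into
    # the case notes and compared against the manifest later.
    listing = json.dumps(entries, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(listing).hexdigest()
    return manifest


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return a description of every file that is missing or has changed."""
    problems = []
    for entry in manifest["files"]:
        p = evidence_dir / entry["path"]
        if not p.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(p) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    return problems


def make_sample_evidence(root: Path) -> Path:
    """Constructed stand-ins for the artifact types the post lists."""
    ev = root / "evidence_HOST-PLACEHOLDER"
    (ev / "logs").mkdir(parents=True, exist_ok=True)
    (ev / "samples").mkdir(exist_ok=True)
    (ev / "logs" / "Security.evtx.txt").write_text("2020-08-02 14:31:07 constructed log line\n")
    (ev / "samples" / "ransom_note.txt").write_text("constructed ransom note sample\n")
    (ev / "samples" / "encrypted_sample.bin").write_bytes(bytes(range(256)))
    return ev


def run_demo() -> dict:
    """Build a manifest, verify it, then show what tampering looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = make_sample_evidence(Path(tmp))
        manifest = build_manifest(ev, host="HOST-PLACEHOLDER", case_id="CASE-PLACEHOLDER")
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(ev, manifest)
        (ev / "logs" / "Security.evtx.txt").write_text("tampered\n")
        after_edit = verify_manifest(ev, manifest)
        (ev / "samples" / "ransom_note.txt").unlink()
        after_delete = verify_manifest(ev, manifest)
    return {
        "file_count": len(manifest["files"]),
        "manifest_sha256": manifest["manifest_sha256"],
        "clean": clean,
        "after_edit": after_edit,
        "after_delete": after_delete,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Store the manifest (and its `manifest_sha256` value) separately from the evidence itself, for example in the case notes or ticket, so that the copy used for verification cannot have been altered along with the files.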
Do not pay the ransom. Contact the proper authorities
Users who first become aware of a ransomware attack should report it to the company's IT team so the scope of the incident can be determined and the proper disaster recovery protocols initiated. Regardless of the severity of the attack, organizations are also advised to call the authorities as soon as possible. This ensures the incident is properly reported, and in some cases the authorities have the means to decrypt affected files or identify the attackers.
Some options include:
- Contact MS-ISAC for information.
- Contact a local FBI field office to ask for help.
- Submit a tip online to the FBI.
- File a report with the Internet Crime Complaint Center (IC3).
Preventative steps to avoid losses caused by ransomware
Taking swift action is important in the event of a ransomware attack, but taking action before an attack – or preventing a recurrence in the future – is the critical step going forward.
- Create a business continuity plan and keep it updated. Connecting with a business continuity expert can assist with planning and take on the technical requirements to minimize the risk of a costly disruption from ransomware.
- Perform routine backups. Use a robust BC/DR system that allows for frequent backups and fast recovery methods.
- Educate employees. All employees at every level should receive education about ransomware, what to look for and what protocols they should follow in the event of a suspected problem. Poor user practices are one of the top reasons attacks are successful.
- Train all teams. Set up mandatory cybersecurity training that includes a segment specifically about ransomware. Emphasize that employees should never click links or open attachments in unsolicited emails. Phishing is the top cause of malware infections.
- Update software and operating systems. Threat actors often target outdated applications and operating systems. Don’t delay applying the latest patches.
- Use strong anti-virus and anti-malware solutions. Once installed, set them to automatically update and routinely scan.
- Restrict user permissions. Only give permissions to employees on an as-needed basis, giving the lowest level of access necessary to perform their jobs. If an attack succeeds, this may prevent malware from spreading through your network.
- Establish strong spam filters. This will significantly limit the number of phishing emails reaching employee inboxes and reduce the number of spoofed emails that get through.
- Configure firewalls. Block access to known malicious IP addresses so they cannot get through to your network.
Connecting with a third-party vendor can help you accomplish all these preventative steps, especially if your own resources and budgets are limited. These experts will have the most up-to-date equipment, knowledge, and skills to help your organization prevent an attack and mitigate the impact if one occurs.
The costs that accompany ransomware attacks go far beyond payouts and the expenses associated with an investigation. Costs also involve damage and destruction of data, loss of productivity, disruption to business operations, restoration of operations and damage to brand reputation. Many businesses simply cannot withstand these costs and find it difficult to recover, if they do at all.
What’s the big deal? Consider these stats
Ransomware statistics continue to look bleaker every year. In an August 2020 report, Datto shared that ransomware is currently the top malware threat businesses face. Almost 70% of the MSPs surveyed reported ransomware as the “most common” type of malware affecting SMBs.
It’s no secret that ransomware is not an easy type of disruption to recover from. But unfortunately, many businesses still don’t take this threat seriously enough. The Datto research found several troubling facts and statistics relating to ransomware attacks.
- MSPs report 62% of their clients suffered a negative impact on productivity, and 39% said their clients experienced “business-threatening” downtime.
- It’s not only MSPs’ clients being targeted and exploited with ransomware. Datto reports a whopping 95% of MSPs agree that they themselves are increasingly being targeted.
- Cost of downtime is growing. The average cost of an attack reported in 2020 was 94% greater than it was in 2019.
- Downtime costs are almost fifty times greater than the amount of ransom requested in 2020.
- Phishing is the most successful ransomware delivery method, and many individuals continue to fall for these ruses.
- A disconnect exists between MSPs and SMBs when it comes to ransomware attacks. Statistics indicate the majority of MSPs are highly concerned with these threats whereas a mere 30% of SMBs are worried about them.
In 2019, Cybersecurity Ventures projected ransomware would continue to be a growing problem. At the time, it was anticipated that global ransomware damage costs would be in the neighborhood of $20 billion by 2021 (57x more than it was in 2015). If these predictions are on target, this year every 11 seconds a business will fall victim to a ransomware attack.
Don’t pay the ransom. Get the protection your business needs
Businesses of every size are at risk for ransomware attacks. Statistically speaking, SMBs often suffer the biggest losses, because they either don’t think to plan or, if they do, don’t have the robust IT departments to carry out the planning process and put the appropriate technology preventatives in place. This is where partnering with the experts can help your company invest in a comprehensive continuity strategy to ensure you have a good plan at a price point you can afford.
To learn more about effective business continuity and disaster recovery strategies, contact our experts at Invenio IT. Request a free demo.