Ransomware Prevention: What to Do Before, During & After an Attack

February 9, 2017

6 min read

Tracy Rock

Director of Marketing @ Invenio IT

Ransomware Prevention: What to Do Before, During & After an Attack

by | Feb 9, 2017

Ransomware prevention and protection are possible.

Ransomware prevention has rapidly become one of the most urgent issues at organizations across the globe. With up to 56,000 infections occurring in a single month in 2016 (numbers that are expected to double in 2017), businesses are racing to find the best ways to protect themselves.

Solutions for preventing ransomware include everything from anti-malware software to proper employee training. Below, we’ll look at some of the most important measures to implement within your business continuity plan, along with some emerging technologies that will play an increasingly important role in keeping these cyberattacks at bay.

What is Ransomware?

Ransomware is a form of malware that encrypts computer data and then demands ransom money in exchange for restoring access to the encrypted files.

In 2016, the FBI warned that ransomware was on track to extort over $1 billion a year from a wide variety of organizations, including:

  • Hospitals
  • School districts
  • Government agencies
  • Law enforcement agencies
  • Small to large businesses

A common form of attack comes through email, which is disguised as an invoice or electronic fax. The emails often come with an attachment that contains the malicious code. When the user opens the attachment, the malware infects the machine.

The FBI explains, “Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to.”

Increasingly, attacks also occur when users visit a website that has been infected with malicious code. These can be sites linked from the same malicious emails or, in some cases, completely legitimate websites. That was the case in March 2016, when corrupted ads on nytimes.com and several other major media outlets infected thousands of visitors’ computers with ransomware.

Why the Need for Ransomware Prevention?

Although the typical ransom demand usually ranges from about $500 to $2,000, these demands have been rising as attackers target larger institutions.

Ransomware is increasingly targeted to organizations, rather than individuals, because such attacks are more lucrative. Organizations with highly sensitive data are more willing to pay larger sums to regain access.

In one high-profile ransomware hospital attack in 2016, Hollywood Presbyterian Medical Center paid $17,000 to hackers (the initial ransom demand was $3.4 million) after the hospital’s computers remained infected for over a week. This caused an internal emergency at the hospital, forcing it to divert patients to other medical centers.

The cost of a ransomware infection can extend far beyond the expense of paying the ransom alone. When businesses lose access to critical data, it disrupts operations. It results in productivity loss. It creates new expenses for emergency data restoration and even new infrastructure. It creates a credibility issue with clients and customers who are adversely affected by the downtime.

Some recent ransomware statistics highlighted in The Atlantic show that ransomware costs businesses at least $75 billion a year when factoring in these expenses.

That is why ransomware prevention has quickly become such a critical component of business continuity planning.

The Two Sides of Ransomware Prevention

Ransomware prevention is a two-sided coin: prevention and response. Organizations must consider:

  1. How to prevent a ransomware attack from occurring in the first place: What processes, training procedures and technologies can help to reduce the risk of an attack?
  2. How to resolve the problem if an attack does occur: How will the business respond to a ransom demand? How can it avoid it? How can data be restored without paying the ransom?

Let’s look at the first of these two concerns.

1) Prevention

The FBI advises several important steps for preventing a ransomware attack:

Employee Training

Remember that a devastating, network-wide ransomware infection often begins with a “simple” mistake by an employee: opening a suspicious email attachment containing the ransomware virus. This is why training staff is so important. Employees must know what to look for, what the risks are and why it’s so important to practice utmost caution.

Spam Filtering

A strong spam filtering system can help to prevent phishing and other malicious emails from ever reaching staff inboxes. The FBI also recommends authenticating inbound email with technologies like Sender Policy Framework (SPF).

Access Control & Privileged Accounts

In the event that someone does inadvertently open an infected file, you could significantly curb the spread of the infection by limiting write access to only those who absolutely need it. Manage the use of privileged accounts and configure file, directory, and network share permissions appropriately.

Devices Patches

Incidents of ransomware attacks on mobile phones and other digital devices are on the rise. Security on these devices is just as critical as any other workstation on your network. The FBI recommends patching the O/S, software and firmware on such devices, ideally through a centralized patch management system.

Software Restrictions

The FBI advises that organizations should “Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (for example: temporary folders supporting popular Internet browsers, compression/decompression programs).”


Implementing anti-virus and anti-malware software is critical. These systems should be set to update and scan on a regular basis. While many ransomware infections are caused by new strains of malware that might not be detected, many attacks use well-known variations that would otherwise be stopped by a good anti-malware solution.

Data Backups

Businesses should already be backing up data regularly as part of their continuity planning. With a proper backup and recovery system in place, an organization should be able to restore data after an infection. Be sure to check the integrity of those backups to ensure they can be restored without failure. Additionally, the FBI warns: “Make sure [backups] aren’t connected to the computers and networks they are backing up.”

2) Response

Even with the preventative measures above in place, an infection can still happen. What then? Here are some important steps and systems to consider for properly responding to a ransomware attack.

Early Detection & Data Rollback

Detecting the first sign of an infection is key to stopping an attack in its tracks. As soon as an infection is detected, businesses should roll back to clean data backups right away. The problem here, however, is that most businesses don’t discover the infection until it’s too late. That’s why data-protection companies like Datto have introduced new technology, built into its backup systems, that automatically detects a ransomware attack and notifies administrators to immediately revert to a healthy backup.

Device Isolation

When an infection is detected, the infected computer should be removed from the network as soon as possible. This may help to prevent the malware from infecting other computers and shared drives on the network.

System Shutdown

The FBI recommends powering off all other devices on the network that have not yet been infected. Even if the infection spread across the network initially, shutting down other computers and servers can help to contain the damage and allow more time for cleaning and recovering data.

Backup Security

Take backup systems offline, if they aren’t already. Before reverting to a backup, administrators should make sure it is clean and hasn’t been infected by the ransomware.

Law Enforcement

Reporting the incident to authorities is extremely important, even if you feel the situation is under control. The FBI strongly encourages organizations to contact their nearest FBI field office immediately after discovering a ransomware attack. The FBI can also provide assistance for properly responding to the attack.

System Passwords

After removing the infected system from the network, change all online account passwords and network passwords. Additionally, when the infection has been removed from the system, you should change all system passwords.

“What if we just pay the ransom?”

When weighing the cost and time to restore your system after an attack vs. simply paying the ransom, you may be faced with a difficult decision. The attackers know this. They often keep the ransom demands under $2,000, knowing that many unprepared businesses would rather pay up than sink into an even more costly recovery process.

However, the FBI discourages businesses from paying a ransom unless it is deemed absolutely necessary after careful consideration of the situation.

If your organization is leaning toward paying the ransom, here are a few warnings to keep in mind:

  • Paying the ransom is a gamble. It doesn’t guarantee that you will be given the decryption keys they were promised.
  • The FBI reports that some victims were asked to pay even more money after paying the initial ransom. Other organizations never received their decryption keys at all.
  • Some businesses who have paid the ransom were attacked additional times later on.

It’s also worth noting that paying the ransom effectively reinforces the business model of ransomware. As long as organizations keep paying up, you can be sure these attacks will keep happening.

Learn More about Combatting Ransomware

Invenio IT specializes in enterprise-grade business continuity solutions for small businesses, including advanced data backup and ransomware prevention technologies from Datto. Contact our business continuity specialists for more information on protecting your organization from a ransomware attack and other disaster scenarios. Visit www.invenioIT.com, call (646) 395-1170 or email us at success@invenioIT.com.

New call-to-action

Director of Marketing @ Invenio IT