How To Deal with a Ransomware Attack
In this blog, we’ll unpack what you'll experience during a ransomware attack, what to do if you fall victim, and defenses you can use to avoid these attacks.
Cybercrime is a massive growth “industry” right now (particularly in the wake of the pandemic and hybrid working adoption), so anyone with professional network responsibilities needs to understand some basic rules to stay cyber-safe.
In this article, we’ll unpack the kind of actions you might experience during a ransomware attack, what to do if you fall victim to these tactics, and the kind of defenses you can put in place to avoid these attacks in the first place.
Please note - this is not intended to be a playbook for incident response. There are nuances to every business and variations to every cybersecurity incident and a proper incident response should be custom-tailored by a cybersecurity professional.
What is a Ransomware Attack?
If you’ve heard of ransomware attacks, you’re no doubt familiar with the concept of cyber criminals capturing your data and holding it to ransom. Generally, there’s a three-stage process that we refer to as the three Es.
Stage One – Exfiltrate
The hackers will penetrate your network and then find and withdraw documents and sensitive information. They could be looking for the following.
Human Resources files, containing data such as employee names, birth dates, social security numbers, and bank routing numbers.
Finance/Accounts files, containing bank account information associated with customers, suppliers, or associates.
Engineering and Patent files, containing corporate intellectual property (IP).
Sensitive information specific to your business or industry – this might include medical records, software code, and legal information.
Stage Two – Encrypt
Having secured and copied targeted data, the hackers now encrypt it, cutting you off from your own information. Tools vary – as commercially available “data at rest” encryption software has grown more powerful, it’s become a more popular “weapon” for cyber criminals, who previously relied mainly on military grade algorithms.
To create maximum inconvenience (and increase the likelihood the ransom will be paid), the hackers will encrypt as much data as possible, regardless of whether they can use it or not.
Stage Three – Extort
Their plan in place, the attackers will now contact you and issue their demands.
A ransomware extortion is usually based around two separate threats. Firstly, they’ll ask for payment to decrypt your data, so you and your company can get back to work. Secondly, they’ll ask you to pay them to delete the data they’ve stolen – instead of leaking your information onto the dark web.
How To Deal with a Ransomware Attack
If you’re lucky, you’ll find out you’ve been attacked before the attackers contact you. This can happen if a governmental agency becomes aware of the attack during their normal investigations, due to traffic and communications between the bad actors involved.
While this might not save you from the ransomware attack, it’s possible that the agencies’ early involvement may be enough to interrupt some of the attack processes and give you time to protect your data.
If this doesn’t happen, you’ll only find out about the attack from the attackers themselves, when your data is already encrypted.
There’s nothing as exciting as a ransom note where all the letters are cut from a different magazine like you see in the movies. It’s more likely they’ll leave you a notepad message on some or all your PCs and servers, outlining what they’ve done and providing an email address for you to contact and negotiate with them.
At this point, there are seven steps that apply in most ransomware situations.
Step One – Document the ransomware notification
Before panic descends, and everyone starts running in circles, you need to start gathering evidence, which includes documenting everything from the notification onwards.
This can be harder than it sounds – particularly if the attackers have encrypted your PC’s operating systems as well as your servers. This makes it impossible to take screenshots or save files, so take pictures with your phone until you’re sure you can capture and export images and data from machines on the network.
Step Two – Notify the authorities (and anyone else immediately affected)
Ransomware attacks are obviously illegal, so your first call should be to the relevant authorities. The FBI has an online portal which guides victims step-by step through the process of reporting a ransomware attack.
If you’ve got a cyber insurance policy, your insurers should be your next call, ideally – they may have their own set of response processes you need to adhere to avoid invalidating your insurance. If this is the case, you’ll need to incorporate these into your cyber incident response plan.
You probably won’t enjoy the next set of calls – but if the encrypted data contains personal information belonging to your employees, partners, or worst of all, your customers, you’ll need to let them know, and keep them updated until the situation is resolved. Sure, it’s embarrassing – but it’s better than keeping it a secret, which could leave you vulnerable to legal action. That’s extra heat you probably don’t need.
Step Three – Isolate all systems
This step is intended to help you contain the damage and prevent any further infection to your systems. There may be elements of the network which haven’t been affected yet, so you can stop the situation from worsening by disconnecting all systems from the network, then disconnecting the network, and powering everything down.
This isn’t always possible – some organizations have an obligation to keep things running. Electricity and other energy providers, water supply and treatment, critical health care functions and other organizations will need to maintain some network functions, in the interest of public safety.
Even so, in the event of a ransomware attack these bodies should still power down as many non-essential elements of their network as possible.
Step Four – Analyze
It’s time to review the information and create the most comprehensive overview of what’s happening to your network.
If you’ve ever watched John Carpenter’s The Thing, then think of your network equipment and systems in the same way Kurt Russell’s character thinks of his colleagues in that snowy Arctic outpost – until you can test and confirm a component or system’s safety, it’s best to treat it as an alien beast with carnivorous intentions.
Other questions you should be asking – and answering – during this step include:
What backups do we have, and are they still uncompromised?
What encryption method was used for the attack?
What ransomware strain was used?
What cloud services or online applications (e.g., Salesforce, Zoominfo, etc) are you using, and how are they affected? Securing cloud data comes with its own challenges. Obviously, these systems can’t be powered down, and cloud service providers work to a “shared responsibility” model, so it’s worth adding your cloud service provider’s response processes to your cyber incident response plan.
Step Five – Planning
Even if you’ve had the organizational foresight to prepare a cyber incident response plan, every incident comes with its own unique circumstances and context.
You’ll need to adapt your existing preparations and knowledge, along with everything you’ve uncovered during the analysis stage of your response, to formulate a cohesive response that considers the requirements of everyone affected.
As you plan your response, seek out the counsel of law enforcement, as well as the cyber insurance company, your own internal IT staff, or IT consultants, along with anyone else who may have a useful or relevant perspective on the situation.
Step Six – Restoral
Once you’ve planned your response and restoration and agreed to its implementation with both law enforcement and any cyber insurance companies involved, it’s time to act.
Depending on the circumstances, you’ll need to do the following.
Start from the network core and work outwards, towards the endpoints and users.
Decrypt devices in isolation from the network. If the decryption process requires connectivity, then connect and decrypt one item at a time.
Once each item is decrypted (and hopefully still isolated), install and run the most comprehensive virus detection and removal software available, before reconnecting, one device at a time, back into the network.
Step Seven – Final notifications
Remember, those calls you made, back when the fur was flying during step two? It’s time to ring them back and tell them the show’s over.
As part of your processes, you’ll have developed a pretty good idea of what data has been affected, so your due diligence should include recommendations to these affected parties about their own next steps, and how many passwords they’ll need to change. If you’re working with security experts, they’ll advise you on the best way to help your partners, employees, and customers mitigate any further risk.
How To Lower Your Exposure to Ransomware Attacks
Once a network is connected to the internet, it can never be classed as 100% safe. So, how can you minimize the risk?
It’s best to think in terms of the level of effort required. Put yourself in the cyber criminal’s shoes – they’re looking to make money from their crimes. To them, it’s nothing personal – just their idea of a business.
The more time, effort, and resources they must invest in attacking your network, the less likely they are to bother. A real-world analogy can be useful to understand this – how valuable is your data to others? Are you looking to protect the database equivalent of a garden shed? A grocery store? Or are you sitting on data so valuable and critical, that your cyber security needs to protect the digital version of City Hall or the Pentagon?
A padlock would be fine for a garden shed, though, it’s not going to suffice for City Hall. Conversely, that security camera and biometric system might be overkill for your weed-whacker and plant pots.
Most cyber-security systems are built using a combination of tools and techniques to match the specific network and business needs. However, there are some basic recommendations that most organizations with data to protect should be aware of.
At the user level, organizations should consider implementing the following.
Endpoint detection and response (EDR)
Security awareness training – as many as 95% of cyber incidents can be attributed to human error
At the network level, it’s worth considering the following.
Cloud-based network security/firewalls
Premise-based network security/firewalls
Zero Trust Network Access and philosophy (ZTNA)
At the server level, standard procedures include the following.
Data at Rest encryption
Data in Transit encryption
Air-gapped backups (preferably with encryption)
Server endpoint protection
If you or your business have fallen prey to a ransomware attack, it’s probably little comfort to know that you’re not alone – in 2022, organizations around the world detected 493.33 million ransomware attacks. If you need help identifying the best way to improve your security posture, get in touch with us here at Lightyear!
Want to learn more about how Lightyear can help you?
Let us show you the product and discuss specifics on how it might be helpful.
Not ready to buy?
Stay up to date on our product, straight to your inbox every month.