Ransomware. It’s an ominous threat facing virtually all organizations and industries. Between recent news coverage and a new McAfee report showing ransomware attacks doubling in 2019, these cyber attacks are rightfully top-of-mind for business leaders.
What is ransomware?
It’s essentially software designed to infect a computer and block access to the data on it, usually by encrypting the files. The individual or group holding your data hostage then demands a ransom in exchange for the keys needed to decrypt them.
Ransomware can hit anybody
It's the common adage: You're only as strong as your weakest link, and your weakest link in the world of IT security is your people.
Whether it’s that people are too busy or simply don’t know much about computing, there are myriad reasons that can lead to a slip up. Ransomware can get into your system in many ways. Common examples include people unintentionally visiting malicious websites, clicking on links, or downloading attachments from phishing emails.
Phishing emails are the most common form of attack. This form of cyber attack involves faking an email that tricks you into opening something you shouldn’t. Once you open a malicious attachment or run a downloaded file, the malware runs with your permissions on your computer and can begin spreading across the network.
It doesn’t matter where you’re connecting: whether it’s a data center hosted by your company, a third party, Microsoft, or AWS; if an infected machine is connected, it can reach and infect whatever the network lets it reach.
Stopping a ransomware attack
Ransomware usually starts because a user did something they should not have done, but not always: attackers also get in through exposed remote-desktop services, weak or reused passwords, and unpatched internet-facing systems. If you have a good layered defense, you may be able to stop the attack before it reaches the rest of your network.
If you don’t, the ransomware will crawl your network and move from machine to machine. The people writing this software keep adding features: beyond encrypting files, modern families spread using stolen credentials, open file shares, and unpatched vulnerabilities, and they don’t care whether the link between machines is wired or wireless. The Internet of Things (IoT) is a beautiful thing, but every poorly secured device is another foothold that malware can use. Any way in which ransomware can jump to another machine, it will.
The number one thing to know about ransomware prevention is how important it is to educate your users. Run on the assumption that somebody at some point will do something to jeopardize your network’s security. Studies show that continually reminding users not to click on things they shouldn’t does reduce the number of successful attacks a company suffers. Education, therefore, should always be your first line of defense.
The second line of defense is to keep your computers patched and up to date, including the firewalls, VPN appliances, and other systems that face the internet.
The third is to run some form of antivirus or endpoint protection at each layer: user machines, servers, and the firewall.
The only reliable way to recover from a ransomware attack is to follow a good, tested disaster recovery plan. Not every organization will get hit, but if you do, you need to be able to recover.
Your disaster recovery plan should include copies of your data that are not connected to your network all the time (offline) and that are kept away from your premises (offsite). It’s not good enough to create backups on an external drive if you never disconnect that drive from the network. If you get attacked, the malware, or the attacker driving it, will find its way to anything that’s still connected to your network, backups included; mapped network shares are among the first things encrypted. Disconnect the external drive, rotate to tape, or push copies to a cloud service (Carbonite or Azure, for example), and where the service supports it, turn on versioning or immutability so that a backup copy cannot be deleted or overwritten using credentials an attacker may have taken from your network.
If you’re using backup servers, firewall them so that ordinary user machines cannot reach them, and use separate credentials for backup administration: an attacker who has taken a domain admin account should still not be able to wipe your backups. The best offense is a good defense.
Recovering from a ransomware attack
If you get hit by a ransomware attack, it’s not as simple as paying the ransom. Paying the ransom is a double-edged sword. The FBI recommends never giving in to a ransomer’s demands: even though most victims who pay do get a working key, some don’t, and every payment funds the next attack. You’re dealing with criminals, after all.
Even if you do pay, it’s getting expensive. When ransomware first started out, ransoms weren’t expensive. Payments cost a couple hundred dollars. At that point, it was a no brainer: just pay it and move on. But now, you’re typically looking at costs of $50,000 to $100,000. It’s costly.
And even if you’ve paid the ransom and are given the decryption key, it will still take you days and days to decrypt your computers. The slowness isn’t the cryptography itself: decrypting a file takes about as long as encrypting it did. The problem is that the decryption tools criminals hand over are typically crude, single-threaded, and unreliable, you have to run them on every affected machine, and then you have to verify every file. It’s much better to simply revert to your backups.
What to do if you’ve been hit with a ransomware cyber attack
The first thing you’ll need to do is stop it from spreading as quickly as you can. This, of course, assumes one of your users realizes there’s a problem. Here’s where it’s important to have continual education so that your users have the tools they need to detect an issue as it arises.
Disconnect affected computers from the network (pull the cable, disable Wi-Fi, or isolate them at the switch) before the malware can propagate further. Taking machines off the network is the priority; think before powering them off, because memory can hold evidence and, for some families, the keys needed to decrypt, and both are lost the moment the machine shuts down.
Try to find “patient zero” through forensic analysis. Where did the attack originate? Look at the earliest timestamps on encrypted files and ransom notes, at which account created them on your file shares, and at mail and web logs for the phishing message or download that started it. Check each machine individually, find every infected one, and keep them quarantined until they have been rebuilt.
Let’s say it’s managed to get across everything. Your only choices are your backups. Now it’s time to figure out what you’ve lost, what data is gone, and make the determination on its criticality to your ongoing operations. If it’s something you can live without, then live without it. If you need to get it back, you’ll need to find a backup source. If they’re all gone or you don’t have any, then you’re possibly looking at paying the ransom.
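The “patient zero” search above can be started with a quick file-level triage before the deeper forensics. The following is an added example, not code from the original post or from any product it mentions: it walks a copied or read-only mounted file tree, flags ransom notes, renamed files, and plaintext files that have been overwritten with high-entropy data, and uses the earliest modification time among affected files to point at the share or folder that was hit first. The extensions, note names, and sample files are constructed placeholders for this example; real families use many others, and host logs should confirm what the timestamps suggest.

```python
"""Triage a file tree for ransomware indicators and estimate where it started."""
import math
import os
import random
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Placeholder indicators (assumptions for this example; real families differ).
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
RANSOM_NOTE = re.compile(r"(readme|decrypt|restore|recover|how_to).*\.(txt|html|hta)$", re.I)
# Formats that are low-entropy when healthy. Office and PDF files are already
# compressed (near 8 bits/byte), so they cannot be judged by entropy alone.
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".sql", ".xml", ".json"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is typically 4 to 5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 4096) -> Optional[str]:
    """Label one file: 'ransom_note', 'renamed', 'high_entropy', or None if it looks clean."""
    ext = path.suffix.lower()
    if RANSOM_NOTE.search(path.name):
        return "ransom_note"
    if ext in SUSPECT_EXTENSIONS:
        return "renamed"
    if ext in PLAINTEXT_EXTENSIONS:
        with path.open("rb") as fh:
            head = fh.read(sample_size)
        if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
            return "high_entropy"
    return None


def triage(root: Path) -> dict:
    """Collect findings under root and point at the directory encrypted first.

    The earliest mtime among encrypted files is a cheap estimate of the first
    share or host touched; confirm it with the creating account and host logs.
    """
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            label = classify_file(path)
            if label:
                findings.append({"path": path.relative_to(root).as_posix(),
                                 "label": label, "mtime": path.stat().st_mtime})
    findings.sort(key=lambda f: f["mtime"])
    encrypted = [f for f in findings if f["label"] != "ransom_note"]
    first = encrypted[0] if encrypted else None
    return {"findings": findings,
            "counts": dict(Counter(f["label"] for f in findings)),
            "first_encrypted": first["path"] if first else None,
            "first_affected_dir": Path(first["path"]).parent.as_posix() if first else None}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two 'shares', finance hit first, hr a few minutes later."""
    rng = random.Random(1)

    def junk(n: int) -> bytes:  # stands in for ciphertext
        return bytes(rng.getrandbits(8) for _ in range(n))

    base = 1_700_000_000  # fixed epoch timestamps so ordering is deterministic
    files = [
        ("finance/budget.csv", b"dept,amount\nsales,100\nops,250\n" * 40, base),
        ("finance/ledger.xlsx.locked", junk(4096), base + 60),
        ("finance/README_DECRYPT.txt", b"Your files are encrypted...", base + 65),
        ("hr/policies.txt", junk(4096), base + 300),  # overwritten in place, same name
        ("hr/handbook.docx.locked", junk(4096), base + 320),
        ("hr/notes.txt", b"Meeting notes: nothing unusual.\n" * 30, base),
    ]
    for rel, content, ts in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (ts, ts))


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    report = run_demo()
    print(report["counts"], "first hit:", report["first_encrypted"],
          "in", report["first_affected_dir"])
```

Run it against a mounted copy of a share (never the live, still-infected host) by calling `triage(Path("/mnt/share"))`; the `first_affected_dir` result is where to start pulling share audit logs and the account that wrote the first encrypted file.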
Paying the ransom comes down to a cost/benefit analysis. Is the cost of the ransom less than the effect of not having that data? How will it impact your company?
If you’re faced with a ransomware attack, take everything offline. You’ll need to figure out which machines have been infected and what data has been affected. Clean your machines, find your backup sources, and restore from there. If your backups have been corrupted, decide if it’s right for your business to pay the ransom. If you haven’t previously planned and tested for disaster recovery, there’s little else you can do, unfortunately.
Set yourself up for success (and security)
How can you prevent a cyber attack disaster that has the potential to cripple your organization? The first thing is to try to find a partner and have someone do an assessment of your current setup. If you’re our client (or have Microsoft Dynamics NAV or Business Central), call us! We might not be the ones to do the assessment, but we can point you in the right direction and help you find the right tools.
For example, rather than simply using Office 365, you might want to think about paying a bit more for Microsoft 365. (It bundles Office 365 with additional security, device-management, and monitoring tools.)
Again, the number one thing to stress is user education. If you aren't educating your users, that’s how you're going to get attacked. The more your users know and the more it’s at the forefront of their minds as they're online, the better chance your business has of staying safe.
Your disaster recovery plans aren’t complete just because you maintain backups. That’s only half of it. You have to test your plan. If something were to happen, could you take those backups and get them restored, and how long would it take? Have you kept your hardware (and software) up to date?
Whether a business owner thinks they don’t need to invest much money in IT or they don’t see IT security as critical, whatever the reason may be, some companies choose not to invest in their critical infrastructure. By doing this, they find themselves on the back side of the technology curve and get absolutely burned, because they can no longer support what they’re actually running. This, in turn, makes any recovery effort cost that much more: rather than restoring from bare metal, they’re having to rebuild from bare metal.
Educate your users, and make sure you have not just a disaster recovery plan, but a tested disaster recovery plan.
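The offline-backup advice earlier on this page and the point just made about testing the plan both come down to one check: does what is in the backup still match what you put there, and can you get it back out? The following is an added example, not code from the original post or from any backup product it mentions. It writes a SHA-256 manifest at backup time, verifies the backup against a copy of that manifest kept off the backup host (the assumption being that the trusted copy lives on offline media or an immutable store the attacker cannot reach), and then performs a restore drill that re-hashes every restored file. The sample backup set and the simulated attack are constructed for the example.

```python
"""Hash manifest at backup time, then a verify-and-restore drill to test the plan."""
import hashlib
import json
import random
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_root: Path) -> dict:
    """Hash every file in the backup set, save the manifest beside it, and return it.

    Keep a second copy of the returned dict somewhere the backup host cannot
    write to (offline media, an immutable object store). Otherwise an attacker
    who reaches the backup can rewrite the manifest along with the data.
    """
    entries = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            entries[p.relative_to(backup_root).as_posix()] = {
                "sha256": sha256_file(p), "size": p.stat().st_size}
    (backup_root / MANIFEST_NAME).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_backup(backup_root: Path, trusted_manifest: dict) -> dict:
    """Check the backup against the trusted manifest copy, never the one on disk."""
    result = {"ok": [], "missing": [], "modified": []}
    for rel, meta in trusted_manifest.items():
        p = backup_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def restore_drill(backup_root: Path, trusted_manifest: dict, restore_root: Path) -> dict:
    """Restore everything that verifies, re-hash the restored copies, report the rest.

    A backup that has never been restored is an untested assumption. This is the
    minimum drill: verify, copy, verify again, and list what could not be recovered.
    """
    check = verify_backup(backup_root, trusted_manifest)
    restored, failed = [], list(check["missing"] + check["modified"])
    for rel in check["ok"]:
        dst = restore_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / rel, dst)
        if sha256_file(dst) == trusted_manifest[rel]["sha256"]:
            restored.append(rel)
        else:
            failed.append(rel)
    return {"restored": sorted(restored), "failed": sorted(failed)}


def run_demo() -> dict:
    """Constructed scenario: a backup drive that stayed attached during an attack."""
    work = Path(tempfile.mkdtemp())
    backup, restore = work / "backup", work / "restore"
    sample = {"db/nav.bak": b"NAV database dump\n" * 200,
              "docs/invoices.csv": b"id,total\n1,99.50\n" * 50,
              "docs/contracts.txt": b"Contract text\n" * 100}
    for rel, content in sample.items():
        (backup / rel).parent.mkdir(parents=True, exist_ok=True)
        (backup / rel).write_bytes(content)
    trusted = write_manifest(backup)  # this copy is assumed to be kept off the backup host
    # Simulate ransomware reaching the still-connected drive: one file encrypted,
    # one deleted, and the on-disk manifest trashed so it cannot be trusted.
    rng = random.Random(7)
    (backup / "docs/contracts.txt").write_bytes(bytes(rng.getrandbits(8) for _ in range(1024)))
    (backup / "db/nav.bak").unlink()
    (backup / MANIFEST_NAME).write_text("{}")
    return {"verify": verify_backup(backup, trusted),
            "drill": restore_drill(backup, trusted, restore)}


if __name__ == "__main__":
    outcome = run_demo()
    print("verify:", outcome["verify"])
    print("drill:", outcome["drill"])
```

In the constructed scenario only the untouched file restores; the deleted database dump and the overwritten contract file are reported as failed rather than silently restored as garbage, which is exactly the information a recovery decision needs. Schedule `verify_backup` against the trusted manifest after every backup run and `restore_drill` into scratch storage on a fixed cadence, and treat any non-empty `failed` list as an incident.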
It starts with you reaching out. The first thing that has to happen is an assessment: know where you are to figure out where to go. This is an important business conversation that you need to be having. Call us and we can point you in the right direction.