Mon, May 15, 2017
What Is a Ransomware Attack?
Last week’s extensive ransomware attack continues to cause issues worldwide and shows that a business of any size, in any industry, is vulnerable. Ransomware can be particularly troublesome for small- to medium-sized businesses that typically do not have the full range of IT resources readily available to combat such attacks or to respond to such criminal demands.
Ransomware is a type of malware; once executed on a computer system, it seeks to encrypt a wide range of files, denying the user access, and effectively holding these files “hostage” in return for a monetary payment – a ransom. The malware encrypts targeted files with a password unknown to the user and leaves a ransom note on the infected system(s) that demands a payment to get files decrypted. Attackers demand payments in bitcoins (a form of electronic currency), which allows for anonymity.
Perpetrators take advantage of myriad methods to deploy ransomware on targeted networks, including:
If You Get Breached
Ransomware is a highly successful and profitable criminal operation. The FBI reported that the first three months of 2016 alone yielded close to $209 million in ransomware-related monetary losses. As much as an organization can prepare, attackers are very persistent and ransomware may still find a way in. Here are some thoughts on how to respond to a ransomware breach:
If the problem is larger than the organization can handle, then you may need to reach out and request third-party help. This may require involving legal counsel or hiring third-party investigators. Additionally, your organization may have cyber insurance that can assist in the cost of responding to a ransomware breach.
How to Respond to Attackers
Once a ransomware breach has occurred, many organizations want to end the pain as soon as possible. The organization has suffered through hours or days of inaccessible data and constant, nagging emails. Paying the ransom may seem like an easy fix – in fact, many attackers these days are demanding ransoms just low enough that the sum does not seem insurmountable. However, this is all by design.
Kroll recommends against paying ransoms. This recommendation comes from years of ransomware investigations and is due to the following:
There is no “one-plan-fits-all” approach to responding to a ransomware attack. Businesses have to respond to these scenarios with realistic expectations and take into account their ability to respond, recover, and/or even to pay the ransom in the first place. Getting an expert opinion can definitely help a company make the right decisions.
Getting Back to Normal
Once your organization has contained the attack and file encryption has stopped, it is time to start the healing process. Make sure to take the following steps:
Recovery: Improving for the Future
After restoring your business to normal, it is time to start improving the organization to protect against future attacks. This is an important process in developing internal security and is practiced by organizations large and small. Consider the following:
As disruptive as the attacks may have been, security-minded organizations use these events as opportunities to enhance their user security. Schedule meetings with staff or departments to discuss how the attack happened and steps the organization can take or has taken to mitigate future attacks. If user processes have to change (for example, users no longer have Local Administrator privileges on their machines), this will give them an opportunity to ask questions.
Ransomware serves only one purpose: to disrupt normal business processes and demand payment for resumed continuity. This “business” model has led to its success, as many small- to medium-sized organizations simply want a way to get back to normal. However, with a little preparation, defense, and an action plan, companies of all sizes can prevent and survive ransomware attacks without spending a lot of money while reducing the chances of being victimized again.