Many cyberattacks involve ransomware, a form of malicious software or malware, designed to deny access to a computer system or data until a ransom is paid and a decryption key (commonly called a decryptor) is given to the victim. The encryption is virtually unbreakable without the decryption key, and you should not spend valuable time seeking a way around the encryption if you are attacked with it.
Ransomware can spread in multiple ways, but most typically, through phishing emails or by unknowingly visiting an infected website. Ransomware can be catastrophic to your organization, preventing critical information and systems from being accessed.
ConvergeOne never advocates paying the ransom to cybercriminals. You are paying a criminal organization to extend their attack infrastructure further, rather than putting them out of business. Instead, you should build a cyber-aware culture within your organization and proactively follow a number of steps to keep your information and people protected from cyberattacks.
Do you know precisely what to do if you get hacked?
- Contract or create an incident response team, develop an incident response plan and routinely test that plan to lock in improvements. Get help. Testing incident response is not easy.
- Disconnect or turn off Wi-Fi and Bluetooth. Unplug storage devices.
- Determine scope – shared drives/folders, network storage, USB, external storage, cloud-based storage, etc. Do you know what your “crown jewels” assets are and moreover, where they are?
- Check tools in use like Box, Dropbox and Google Drive. You may be able to revert to unencrypted versions of your files that reside there. Know your Recovery Point Objective (RPO). What is the oldest saved information you can revert to that still has current value to you?
- Know your backups, what is and isn’t backed up and the order that restores must take place.
- Know your firm’s Recovery Time Objective (RTO). How long do you have to get your files back before you start losing revenue every hour you have no access?
- We do not advise paying the ransom, but if you do, remember you need to reconnect encrypted drives to unencrypt them if you’ve disconnected them.
- Usually the attacker will give you access to a registry that has been created by the ransomware listing all files encrypted. Try to use Google to understand the version of ransomware you have been hit with. It’s important.
- Determine if your data or login credentials have been copied, and if so, how much and what. This can often be learned from the ransomware program's announcement itself, as it brags as to what data has been copied or the information regarding your stolen data that the hacker posts on websites or blogs.
- Check your logs and any data loss prevention (DLP) tools to see if they noted any stolen data. Look for large, unauthorized archive files (e.g., zip, arc, etc.) that contain your data that the hacker used for staging before they copied it. Look into any systems that might record large amounts of data being copied off the network. Look for malware, tools and scripts that might have been used to look for and steal data. The main initial sign to look for to see if your data and credentials have been stolen is the cybercriminals telling you they have done it.
- Lastly, if the cybercriminals tell you they have your data or credentials, believe them. They don't bluff that often. Do not panic.