What is Ransomware?
Ransomware is a fairly new virus that has taken the globe by storm. It infects your computer, and usually and network shares you have access to, and encrypts the data, making it totally inaccessible to you. Then you get a message telling you to pay a certain amount of money, usually in Bitcoins, or you’ll never get your data back. This is devastating not only individuals, large enterprises, SMBs, government agencies, and even hospitals.
Your employee got an email from “email@example.com” with an invoice attached and a message saying that it needs to be paid as soon as possible. Your employee thinks nothing of it and downloads the Word Document containing the invoice. There is a message saying “If you can’t read the invoice below, please enable macros to decode the invoice” along with a jumbled mess of characters. Your employee, again, thinks nothing of it and clicks the banner at the top enabling macros. Now every file on your employee’s computer, as well as every file on any file shares your employee has access to, are completely encrypted. A message pops up informing your employee what they’ve done, and how much it will cost to decrypt the data. Now what?
Engage Your Incident Response Plan
You have one right? Great! Follow the procedures set in place for when your company is struck by a Ransomware attack. First, you’ll need to notify those that need to be notified. Start with your cyber security attorney, incident response team or vendor, as well as upper management. At this point your incident response team will probably want to forensically preserve any data it can. This preservation is important for analysis by them or Law Enforcement. Once data has been preserved, restore your backup and move forward.
What if I don’t have an Incident Response Plan?
The first thing you need to do is contact a cyber security attorney. They will advise you on important legal issues that come with ransomware. Do not skip this step. Don’t get sucked into thinking, “I don’t want to pay an attorney for this, I want to keep this as quiet and cheep as possible.” You need to contact a cyber security attorney. They are worth every penny you will spend. You’ll also find they aren’t as expensive as you think.
You have backups right? Good! Restore to a backup prior to infection and you’ll be able to move on. You should still do a post breach analysis or debriefing, as well as analysis on how the infection got in and if anything else happened. For the most part though, you’ve survived the ransomware attack.
What if I don’t have a Backup?
If you don’t have a backup in place there are several options, such as attempting recovery on your own, moving on and taking the hit, paying the ransom, or a combination of those methods.
Attempt Recovery on Your Own
There are a lot of articles on the web that give suggestions on how to recover your data from Ransomware. However, the creators of Ransomware are taking those articles and building in workarounds every time a new version comes out. For example, in the past you might have been able to utilize Volume Shadow Copies to recover previous versions of documents. Many newer Ransomware utilities delete the Volume Shadow Copies to prevent you from doing so. Data recovery software is sometimes detected and disabled as well. Because the registry is often infected, system restore points won’t work either. It is highly unlikely you will be able to recover the data without backups on your own, unless you have been hit by an older family of Ransomware or one that has been broken like Petya.
If you have calculated that the cost of the ransom is more than the cost to recreate the data, then its time to move on. You should still hire an incident response vendor or utilize your in house security team to determine how the ransomware got in though. You also need to figure out how you’re going to deal with ransomware in the future by creating an incident response plan. For now though, wipe the computer and move on.
Pay the Ransom
If you’ve decided to pay the ransom, do so carefully. If you don’t hire a security consultant to help you, do some research on the type of ransomware you have on your network. Find out if people have had success decrytping their files with this family of ransomware. There is always the risk the hacker will just take your money and run, do some research and find out your odds. Chances are though, more than likely the hacker will decrypt your files. If they never did, no one would ever pay.
When you’ve decided to pay, be sure you have someone that understands Bitcoins and how they work before attempting to make payment. Bitcoins are the preferred payment method for hackers because of their anonymity, and can be confusing for first time users. Follow the instructions exactly as they say and hopefully you’ll get decryption instructions.
If you want to, you can attempt several recovery methods at the same time in order to guarantee the quickest recovery time. Have one team working to pay the ransom and restore the data, one team working to restore the newest clean backup, and another team attempting to recover the data on their own. Only highly trained and prepared information security teams should ever try this though. It requires a lot of planning, preparation, and communication.
There is no way to completely prevent such an attack from happening. There are, however, several ways to mitigate the risk that comes with ransomware such as backups, employee training, and security infrastructure on your network.
Our recommendation is that your company should be utilizing backups for all critical data. These backups should store data offsite, on at least a nightly basis. If you have a continuous backup in place, make sure there are offline backups taken on a nightly basis as well. We recently had a client that had continuous backups in place, and as soon as the ransomware encrypted all of the data on their server, all the data in their backup was encrypted at the same time. This doesn’t help you at all. If they had a nightly backup separate from the continuous backup, they could’ve restored to the previous night’s backup and moved on. Backblaze is a great solution. If you’re interested in getting your company set up with Backblaze, be sure to contact us about that.
Social engineering is the name of the game with ransomware. The hackers are doing their best to trick your employee to download, click, or enable something they shouldn’t. Training your employees on what they should and shouldn’t do, what to look out for, and what is normal is your best method for preventing something like a ransomware from hitting your business, or any other type of network breach for that matter.
There are countless security appliances, services, and “guarantees” out there that say they can prevent ransomware. If it says that it can all out prevent it, don’t buy it. Nothing can prevent all types of attacks. The most you can do is mitigate the risk with some security appliances, software, and vendors, and have some sort of monitoring in place for when something gets past your security infrastructure. We recommend Fireeye, especially for email protection. Fireeye’s EX and ETP systems scan emails as they come in for known malware as well as unknown malware by analyzing attachments and links to help protect against spear phishing attacks. Contact us for more information on Fireeye.
It really comes down to two options, backup or pay up. Prepare now by getting an incident response plan in place and backing up your data. Train your employees for what to look for and what not to do, and get something on your network to protect and monitor your infrastructure. If you have a problem with ransomware and need assistance, call us at 1-800-537-3424.