What to do when you've been hit with Ransomware
You get into the office with your hot cup of coffee and you sit down at your desk ready to start the day and the unthinkable happens. You’ve been hit with ransomware. What do you do? Ignore it? Pay it? Call in reinforcements? Will anything you do make a difference?
Our panelists along with Chris Roberts discussed the answers to these questions in our latest webinar. First thing first...Don’t panic! Take a deep breath and let your emotions settle before you do anything and by all means, please don’t consult Google.. There are literally ads waiting for you to be desperate enough to seek help only to scam you even more.
Ransomware is a multi-billion dollar industry for a good reason...
Kurtis Minder negotiated with an attacker on a multi-million dollar ransom and received the following message from the attacker, “If you use more complex passwords and also do not store passwords and reminders in text files, it wouldn’t have happened.”
Many of the attacks are actually not that sophisticated. It’s more about the fact that many organizations, small and large, are still behind on the basics and are totally not prepared in case of a ransomware attack. When it’s that easy to get in, why wouldn’t this be a billion dollar industry?
Who is behind these attacks?
They are either organized gangs that have built a brand for themselves or lone wolves. Organized gangs have a reputation to maintain, otherwise, victims will not pay them the ransom. It’s hard to believe, but they operate like a business and they need to stand behind their “product." When it comes to lone wolves, they may be more dangerous. These are individuals that really don’t care about their “reputation." It’s important to know who you are talking to. When you use a 3rd party to negotiate, they know how to talk to these different types of attackers.
One dollar before a breach equals $9 after a breach!
Either way, you’re paying. It’s how much you want to pay up front and how much are you willing to lose that is the question. It’s best to invest your money in preparing via training programs, insurance, and anything else you will need to help prevent or recover from a ransomware attack.
Start with communication and training. So many companies and individuals simply aren’t heeding the warnings and following the recommendations. Invest the time, money, and training it takes to properly build security awareness and protocols.
How come nobody listens?
Passwords...need we say more? You can lead a horse to water but you can’t make him drink...this is true. So, the next best thing is to make it easy for employees to want to do the right thing and make it impossible for them to fail. In other words, mandatory password requirements, clear policies, and accountability. Give them usable alternatives.
Safe storage of passwords - Don’t allow employees to save their passwords in their browser. Huge no-no. Instead, use a password manager that has been vetted by your company. It’s a good idea to use one that allows you to set some controls and encrypts the information.
Multi factor authentication and endpoint protection will also go a long way in helping to mitigate ransomware attacks.
And train, train, train.
Be prepared, aware, and ready...because it WILL happen.
Make sure you have your data backed up more than one way. If you have cloud backup, great but keep a hard copy of your data onsite and even better, keep a backup offsite like in a safety deposit box. Your processes for storing, replacing, and destroying these backups should always be followed so that you aren’t trying to recover from a backup that’s 10 years old.
Have an incident response plan and make sure it includes a ransomware response plan. They are not the same thing and your IR plan most likely doesn’t cover all the aspects on how to recover from a ransomware attack.
Get legal counsel that specializes in breach response to help direct you on what to do next and invest in cyber insurance. Take a listen to our cyber insurance webinar to find out more about what to look for when choosing a cyber insurance company.
Need advice on how to hire a Cyber Insurance company?
The million dollar question - Should you pay the ransom?
This is a business decision that should be made VERY carefully. Some businesses can recover cheaply and afford to be down while others simply cannot. It really depends how prepared the organization was in case of a ransomware attack.
If you involve law enforcement, they usually advise you not to pay the ransom. However it may be legal to pay.
Be aware of your local, state, and federal laws when it comes to paying ransomware so that you don’t end up in trouble. For example, in the United States, it is not illegal to pay a ransom unless the threat actor is on the OFAC (Office of Foreign Asset Control) list. This list keeps track of suspected terrorists and other organizations. For more information and to see the list for yourself, visit the US Department of Treasury.
A lot of ransomware attackers will want you to pay with crypto currency. Some will even give you a tutorial on how to pay. DON’T FOLLOW IT. You’ll just end up losing even more. If you aren’t comfortable, consult with a professional.
You paid the ransom… now what?
How do you know a copy of your data isn’t still floating around somewhere or won’t be used against you again? You don’t. Most ransomware attackers will honor giving you your stuff back but there is never a guarantee. Some may even send you an agreement. They will send you encrypters to get your files back...however, it’s not a guarantee that the files are intact. They may be corrupted. This is a game of chance.
It’s important to continually monitor your environment after you get your files back. The attackers could still be there watching and waiting in the background and hit again a year later.
Leave it to the pros.
You are probably very emotional during an attack and you really don’t want to offend the attackers. It’s better to hire a third party company that deals with ransomware attacks. They see this stuff day in and day out and know exactly what to do and how to communicate. Your cyber insurance company should be able to hand you a list of providers.
Companies that specialize in this field know how to negotiate with ransomware attackers and can help you out of this situation, monitor, and provide recommendations on what to do next and how to prevent future attacks.
Cleaning up the mess.
It’s been a tough day, week, month at the office since the attack and now you’re going through the debris to clean up so that you can move on and be stronger than before.
Monitor company activity for at least a year. For example, keep a close eye on sensitive data...just in case.
Make it a point to help others. Share your story, what happened, what you learned, and what you did. We all need to come together as a community and collaborate so that we can continue learning and protecting ourselves and each other.
Wizer’s hacker, Chris Roberts!
Dell Jackson - Incident Response/Digital Forensics Specialist/Project Management/Fin-Tech. HR and Accounting
Dennis Underwood - Entrepreneur | Inventor | Threat Hunting Expert | Cryptography Dude | Ransomware Expert - Ransomware Rewind
Matt Lee, CISSP - Director of Technology and Security at Iconic IT | CISSP | Proud Member of Infragard | Father, Husband!
Kurtis Minder - CEO GroupSense | Cyber Reconnaissance, Digital Risk | Ransomware Support & Negotiation