
How to Identify and Respond to a Suspected Ransomware Attack

Last updated: 11 May 2023

In today’s digital age, businesses risk falling victim to ransomware attacks. Cybercriminals use techniques that make all your data and backups unusable, and they often steal your data as well, holding you hostage. As a result, companies are left with little choice but to pay the demanded ransom to recover their data and to keep stolen data away from competitors or clients… often for tens of thousands of dollars. Ransomware attacks are especially detrimental to small businesses, which often lack the resources and specialized knowledge needed to protect their data. This post provides businesses with a comprehensive guide to defending against ransomware attacks. It covers what measures to take during and after an attack, strategies to assist in recovery, and prevention methods against further attacks.

What is Ransomware?

Ransomware attacks use malicious software that encrypts, deletes or exfiltrates (downloads your data to the threat actors’ systems) corporate information, then extorts payment for a decryption key and a promise not to sell or publicly release your data. Businesses can suffer terribly in any of these scenarios: massive financial losses, significant operational interruptions, and irreparable harm to their reputation. Fortunately, businesses can safeguard themselves from ransomware with the appropriate preparation and response plan.

Pre-Attack Preparation

Proactive planning is the key to minimizing the effects of ransomware. Comprehensive security measures and recovery plans should be created to protect against vulnerabilities and data loss, ensuring minimal business impact from a cyber-attack.

Signs of a Ransomware Attack

The first step in navigating a ransomware attack is to recognize the signs of an attack. While the indicators of ransomware may differ based on its variety, there are a few telltale signs, including:

  • A message on the computer screen indicating that the data has been encrypted or stolen
  • An inability to open files or folders
  • A change in file extensions to “.locked” or “.encrypted”
  • Failed backups or backups that take a long time to complete
  • Backup data has been deleted or you can’t access your backup system
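The extension change listed above is something a file server can be checked for directly. The following is an added example, not code from the original post or from BlackPoint IT: it walks a directory tree, counts files carrying the “.locked” or “.encrypted” suffixes the post names, and flags directories where most files have been renamed, ranking the worst-hit first so responders know what to isolate first. The 50 % threshold and the sample folder layout are constructed assumptions for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# File extensions the post names as telltale signs of encryption in progress.
SUSPECT_SUFFIXES = {".locked", ".encrypted"}
# Share of files in a directory that must carry a suspect suffix before it is
# flagged; the value is an assumption chosen to ignore a single stray file.
RATIO_THRESHOLD = 0.5


def scan_tree(root):
    """Walk `root` and map each directory holding at least one suspect file
    to (suspect_count, total_files)."""
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        suspect = sum(1 for f in files if Path(f).suffix.lower() in SUSPECT_SUFFIXES)
        if suspect:
            hits[dirpath] = (suspect, len(files))
    return hits


def flagged_dirs(hits, threshold=RATIO_THRESHOLD):
    """Return directories whose suspect ratio meets the threshold, most
    heavily affected first, so responders know where to isolate first."""
    ratios = {d: s / t for d, (s, t) in hits.items() if s / t >= threshold}
    return sorted(ratios, key=ratios.get, reverse=True)


def build_sample_tree():
    """Create a constructed tree (not real victim data): a share mostly renamed
    to .locked, an untouched share, and one with a single stray .encrypted file."""
    root = tempfile.mkdtemp(prefix="ransomware_demo_")
    layout = {
        "finance": ["q1.xlsx.locked", "q2.xlsx.locked", "budget.docx.locked", "notes.txt"],
        "marketing": ["logo.png", "brochure.pdf"],
        "hr": ["a.txt", "b.txt", "c.txt", "old.encrypted"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    found = scan_tree(demo_root)
    for d in flagged_dirs(found):
        s, t = found[d]
        print(f"FLAG {d}: {s}/{t} files carry a ransomware-style extension")
```

Run it against a file share’s root instead of the sample tree; a directory that was clean yesterday and is flagged today is a strong prompt to start the isolation steps in the next section.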

Immediate Response to a Ransomware Attack

If you suspect a ransomware or data exfiltration attack, taking quick action is vital to prevent further damage. Steps to take include:

  1. Call Your IT Team or an IT Professional: Your IT team may have tools they can use to isolate infected systems and can help you detect the scale of the cyberattack, determine the entry point, perform remediation, and lock down any weak spots.
  2. Disconnect from the Network: If your IT team can’t immediately isolate systems you suspect are infected, physically unplug your ethernet cable and switch off Wi-Fi on any systems you think might be compromised. This measure may prevent the ransomware from spreading to other computers.
  3. Communicate your suspicions internally or with security specialists over the phone or in person: Assume the threat actor is monitoring your email and corporate communications such as Teams and Slack. Take precautions to communicate outside these standard corporate channels until you know that the communication system is no longer (or was never) compromised.

Once you have started the process of isolating suspect systems, you should consider the following actions:

  • Inform executive leadership and ownership of a suspected cyber-attack.
  • Leadership should follow plans that might include informing insurance providers, law enforcement, vendors and, potentially, clients or relevant third parties.
  • Engage with appropriate security resources (internal and external) to determine how you were attacked and take steps to cut off the threat actor’s access, including: changing passwords on all corporate accounts, temporarily shutting down remote access to internal systems or cloud solutions, implementing MFA for Microsoft 365 or Google Workspace and remote access, and deploying threat detection and endpoint protection & response tools on all corporate systems.
  • Preserve evidence if possible. The urge to start recovery efforts immediately is strong, but don’t destroy or alter evidence. Keep the files that were encrypted (move them to a USB drive if you don’t have space) and consider taking images of compromised systems for potential forensic investigation.

Assessing the Damage

After addressing the initial damage, it’s crucial to evaluate the full extent of the compromise. Taking proper steps in this assessment process ensures a thorough understanding of the damage and guides effective next steps toward recovery. Key considerations include the following:

  1. Determine What Data Has Been Affected: Recognizing what information has been compromised by the ransomware is essential to decide how best to restore your data.
  2. Determine the Value of the Affected Data: Carefully evaluating the extent of any data lost through a security breach will assist you in determining whether to pay the ransom, recover from backups, or pursue other options.
  3. Assess the state of your backups: Questions to ask:
    1. Can you access all your backup systems? (Don’t assume you have good backups. Threat actors often disable backup and continuity solutions.) If you can access backup systems, change passwords to the systems and reconfigure them so no previous backups can be overwritten.
    2. Is there an ability to start affected systems up on backup appliances or in the cloud that can minimize downtime?
    3. Was any backup data deleted or encrypted? Did the deletion/encryption affect offsite/cloud or offline backup data?
    4. Does backup data exist for affected systems?
    5. When was the last good backup of the affected systems?
    6. What is the impact of restoring the last known good backup? (This helps determine the cost of the data lost compared to paying the ransom… is it better to pay the ransom than to recover from an old backup?)
  4. Analyze the Impact on Your Business: Understanding the full extent of the damage caused by the attack on your business is crucial. Analyzing the impact from different perspectives, such as operations and finance, can allow you to make informed decisions for your business moving forward.
  5. Determine the best recovery action: You may elect to pay the ransom if you have limited options or when recovery cost exceeds the ransom demand. Regardless, you should always consider rebuilding suspect systems from scratch. This is often referred to as the “burn it down” strategy and is often used when it cannot be determined how the threat actor gained access to internal systems. A trusted security advisor should be engaged to help you make recovery decisions.

Options for Recovery

Once you’ve assessed the damage and cut off the threat actor’s access, you can start recovering your data. Here are a few options to consider:

  1. Utilize a Business Continuity solution: If you have a disaster recovery solution and plan, follow it. In many cases, critical systems can be run on Business Continuity solutions using known good backup points. Some solutions allow you to start up critical systems in a private cloud, which may give you time to assess or rebuild.
  2. Restoring from Backups: If you routinely back up your data, restoring from backup is an efficient course of action. Restore the most critical systems first.
  3. Using Decryption Tools: Some ransomware strains can be decrypted using specialized tools. Even though these tools can help counteract cyber threats, they may not always succeed against all ransomware variants. Therefore, proceed with caution and only use them under the guidance of an IT expert.
  4. Rebuild from scratch: If you don’t have good backups or can’t determine with certainty that the threat has been remediated, consider the “burn it down” strategy. Formatting and reinstalling all your applications provides the utmost assurance that your system is free of threats and is recommended for compromised workstations. Restoring files from archives or known good backups can be done after rebuilding the systems.
  5. Paying the Ransom: Paying the ransom does not guarantee that you regain access to your data but sometimes paying it is the best option. Do not pay the ransom on your own, instead, engage a specialized security consultant that will negotiate with the threat actor on your organization’s behalf. Usually, your insurance provider will make this recommendation and will want you to use their negotiator. The bad guys will tell you they will increase their demands or won’t work with negotiators, but that is usually a ploy to extort more money from you.

Preventing Future Attacks

Protecting your business against ransomware threats should be a priority and the adoption of a comprehensive cybersecurity framework is key to prevention. Listed are the top steps you can take to reduce the risk of a future attack:

  1. Educate Your Employees: All too often, ransomware slips into businesses through employees mindlessly clicking on dangerous links or downloading suspicious attachments. Training your employees to recognize and avoid these types of threats is crucial.
  2. Implement MFA on all cloud and remote access solutions: Multifactor authentication is the best way to keep threat actors from using compromised credentials to gain access to cloud solutions like 365 and remote access tools that allow them to get to your servers and workstations from anywhere.
  3. Backup Your Data Regularly and use a Business Continuity solution for critical systems: In the unfortunate event of an attack, regular backup routines can be your lifeline, ensuring your data is safe. Secure your backups by storing them in the cloud or on a separate device and verify that they perform adequately through regular tests.
  4. Implement a Managed Endpoint Detection and Response (MDR) solution: Antivirus or Endpoint Protection is good, but alone it is not good enough. Adding an EDR or MDR solution provides more comprehensive endpoint defense.
  5. Regularly Update Your Software: You can substantially reduce vulnerabilities, and thus the risk of a security breach, by consistently updating your systems.

Ransomware attacks can be disastrous for businesses but can be mitigated with proper preparation. It’s essential to assess the risks of ransomware attacks on your businesses and develop a plan to minimize risk. The cost of protecting your business pales compared to neglecting it. As a business owner, you must approach cybersecurity with the same seriousness as any other business aspect. With planning and strategic action, you can avoid the potential disaster that a ransomware attack may bring.

Even the most comprehensive security measures can’t guarantee complete protection against threats. Cybercriminals are persistent, and ransomware attacks are ever-evolving. Therefore, businesses must stay current with best practices and respond as circumstances change. It’s vital to remain vigilant and constantly update security protocols to stay ahead of evolving risks.

Awareness of the newest technology is crucial in today’s cutthroat business world. Consider working with a reputable managed IT service and security provider. These providers often have the technical expertise and experience to keep cyber threats at bay while allowing you to focus on running your business. They can help you assess your IT environment, identify vulnerable areas in your system and recommend solutions that best suit your needs.

Know that your business is safe from cyber threats with BlackPoint IT‘s comprehensive cybersecurity solutions. We want to ensure protection from ransomware attacks and other digital dangers, so you can confidently focus on the expansion and success of your business. Act now—contact us today and protect yourself against any future risks.
