The Complete Guide to Ransomware Response

There is often no easy way out of a ransomware attack, but how you respond can make a big difference in how much damage is done. This guide will show you some of the best practices for a ransomware response, and how to minimize damage and get your system back online as quickly and safely as possible.

Signs of a Ransomware Attack

If you notice files on your computer with strange names and extensions that will not open with any program, there is a good chance a ransomware attack is underway. Usually, the first sure sign of a ransomware attack is a screen announcing that your files have been encrypted.

This is a terrible and increasingly common experience; ransomware attacks increased by over 700% in 2020. If you see a message like this and find that you can’t access your files, there is a high probability that your entire network is compromised. Ransomware is often programmed to infect as much of the network as it can before making itself known.

For most organizations, every minute of downtime translates to lost money. A survey showed that
the average ransomware attack costs $133,000 USD including downtime, ransom payments, network
costs, manpower, device costs, and lost opportunities. For 5% of respondents, the cost was in
the range of $1.3 million to $6.6 million. Most ransomware victims were hit an average of two
times, which points to the importance of an effective response. A good response can significantly
lower your chances of getting hit again.

Many ransomware attacks have demands with short time limits, so you need to act fast to save
your data. At the same time, it’s important to stay calm.

This guide will give you a general idea of what steps need to be taken in the event of a
ransomware attack. The following steps are some best practices that our team has developed after
helping numerous clients restore their operations after ransomware attacks.

1. Don’t panic.

It’s easy to get upset about business suddenly stopping, but it won’t help anything. Remember
that many organizations have been hit by ransomware attacks and made it through okay. Staying in
a calm frame of mind will make it easier to do what needs to be done. Taking all the appropriate
steps rather than rushing a badly organized response can actually lower the overall cost of
recovery and protect you from more attacks in the future.

2. Disconnect the infected devices.

Usually, a ransom demand will not appear until the ransomware has infected every device that it
can possibly access. It’s still a good practice to disconnect infected computers, because the
ransomware can potentially still spread based on network activity. If you notice the ransomware
before the demand is made, it is even more important to act quickly to prevent it from
spreading.

The moment you notice the malware, immediately:

  • Disconnect all your drives from the network.
  • Power off Wi-Fi, Bluetooth and disconnect ethernet cables.
  • If possible, power off the entire network.
  • Inform remote workers connected to the infected network, and ask them to disconnect and shut down their systems.

3. Notify your IT service provider and/or IT department.

Ransomware takes time to spread through a system, so if you detect an attack, you should act
immediately to prevent the infection from getting worse. Disconnecting the infected devices
(step 2) needs to happen even before notifying your IT department, because every second counts.

You also need to notify your IT service provider as quickly as possible. If you have cloud
backups, for example, the infection may have already spread to your backups. It will be up to
the service provider to stop the attack. Acting fast may make the difference between being
forced to pay a ransom or not.

If your organization has an IT department, it is best to let them handle the ransomware response
as described in the following steps. They will need to access the system in a way that prevents
the ransomware from spreading. If your organization does not have an IT department, it may be
best to hire outside help. BeforeCrypt specializes in ransomware; many of our clients are small
and medium companies without a dedicated IT department.

4. Document the attack.

Take a screenshot or photograph of any ransom message. Also, take a screenshot of the appearance
of the encrypted files. Make sure to note the exact time the attack was discovered. If you can,
download copies of your system logs and server logs.

There are several reasons you need to carefully document the attack. Firstly, it can help
determine what type of ransomware has hit you. With some older ransomware versions, decryption
tools are available which can help recover your data. In the vast majority of cases, however,
there is no easy way out, but knowing the type of ransomware can help police to catch attackers
later on. If your organization has a cyber attack insurance policy, complete documentation may
be necessary to file a claim.

Hit by ransomware? Contact us now for a free first assessment.

5. Notify the authorities.

You may or may not be legally required to report the attack. Depending on your country and the
type of the data breach, you may be required to file reports with more than one governmental
agency. For example, in the European Union, you may be required to file a report under the
General Data Protection Regulation (GDPR). In the United States, the Health Insurance
Portability and Accountability Act (HIPAA) requires companies in the health care sector to report
all data breaches.

If the data is private or personal in nature, such as usernames and passwords, you are legally
obliged under the GDPR in Europe, and potentially under US laws, to communicate the data breach
in the form of a press release or email to your colleagues and customers, covering, but not
limited to:

  • The type of breach which occurred
  • A date and time of breach
  • A thorough damage assessment
  • Any actions you have taken (such as paying the ransom, restoring from backups, reporting to the law enforcement authorities, etc.)
  • Suggested actions for your clients (such as changing username/password, etc.)

Being transparent is important. While it is natural that your company will suffer due to the news
of a data breach, the more proactive approach you take, the better it will be for your
organization.

For a more complete discussion of this topic, along with the contact details of relevant offices,
check out our Ransomware Compliance Guide.

6. Find out the type of ransomware.

Have you heard of WannaCry? It was one of the most dangerous ransomware attacks to date. By the
time it was resolved, over 25% of the UK’s National Health Service (NHS) systems were
compromised, from servers to ventilators!

Every variant of ransomware is programmed differently, and hence treated differently.
While there are myriad strains of ransomware, the two most common types are:

  • Screen locking ransomware
  • File encrypting ransomware

The screen locking malware is marginally easier to resolve and recover from as compared to the
latter.

Depending on the type of ransomware, you may have different options.

7. Check your backups.

The best possible scenario is restoring your system to a backup from before the infection
occurred. To do this, you need to know when the infection happened so you don’t get infected
again. This is where your system logs can come in handy. System Restore is generally not a good
solution to ransomware, because you may restore to a disk image which has elements of the
malware hidden deep in your file system.

In some cases, ransomware may also infect your backups. In this case, there is very little you
can do besides give in to the attackers’ demands, or wipe your system and accept the loss of your
data.

8. Find the root cause of the ransomware attack.

In either case, you need to know how the infection occurred. Whether you pay the ransom or
restore your data with a backup, if you do not find the cause of the attack you are at risk of
another infection.

Most ransomware attacks begin through either phishing or exploits.

Phishing attacks usually happen in the form of an email or website. Hackers may impersonate
reputable businesses or government agencies by imitating the appearance of their emails or
websites, and then trick employees into clicking a link or downloading an attachment containing
the malware. There’s a good resource on phishing prevention here.

If the ransomware infection happened due to a vulnerability in your system, you will need to
patch that vulnerability before restoring your data. Many vulnerabilities occur from using older
versions of software, so you need to keep up to date with exploits and patches to minimize your
risk.

9. Assess your options.

At this point, you have four options.

  1. Use a decryption tool. This option works in very few cases involving out-of-date ransomware. It’s still worth checking, but it’s unlikely that any such tool will work. If you know what ransomware version is affecting you, you can check if a free solution is available here.
  2. Restore from backup. If you have a recent backup, and your backup is clean, this is the best option.
  3. Pay the ransom. This is the worst option, but many organizations have no other choice.
  4. Accept the loss of your data. If you can avoid paying the ransom, it is better to do so. Giving in to attackers’ demands encourages them to attack others, and makes the problem worse. Many times, the decision comes down to a simple economic calculation: is the cost of losing the data greater than paying the ransom? If yes, many companies make the difficult decision to pay the attackers.

10. Back up encrypted files.

Backing up encrypted files is an extremely important part of the process. Soon after isolating
the incident and discovering the ransomware variant you are dealing with, your next course of
action should be to create a backup of all encrypted files. In case something goes wrong during
the decryption process, you will still have a copy of the files so you can try again.
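As an added example that is not part of the original guide, the script below carries out steps 4, 6 and 10 together: it copies every file carrying a known ransomware extension into a separate evidence tree, verifies each copy by SHA-256, and writes a manifest with the discovery time and a per-extension count (which also tells you which extension to look up). The `.locked`/`.crypt` extensions, paths and file contents are constructed assumptions for the demo; use the extension actually observed on your hosts.

```python
"""Preserve encrypted files before any decryption attempt and record what was found.
Added example, not code from the original guide: copies every file with one of the given
ransomware extensions into a backup tree (same relative paths), verifies each copy by
SHA-256 and writes a JSON manifest. Extensions and paths below are demo assumptions."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash so multi-gigabyte encrypted files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_encrypted_files(source: Path, backup: Path, extensions: set[str]) -> dict:
    """Copy encrypted files from source into backup, verify them, return the manifest."""
    manifest = {"discovered_at": datetime.now(timezone.utc).isoformat(), "source": str(source),
                "files": [], "extension_counts": {}, "verification_failures": []}
    for path in sorted(source.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        rel, ext = path.relative_to(source), path.suffix.lower()
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)              # keeps the original mtime for the incident timeline
        src_hash = sha256_file(path)
        if sha256_file(dest) != src_hash:     # never trust a copy you have not verified
            manifest["verification_failures"].append(rel.as_posix())
        dest.chmod(0o444)                     # read-only: a failed decryption run cannot alter it
        manifest["files"].append({"path": rel.as_posix(), "sha256": src_hash, "size": path.stat().st_size})
        manifest["extension_counts"][ext] = manifest["extension_counts"].get(ext, 0) + 1
    backup.mkdir(parents=True, exist_ok=True)
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def build_demo_tree(root: Path) -> None:
    """Constructed sample share: three 'encrypted' files (one nested, one upper-case ext), one clean."""
    (root / "finance").mkdir(parents=True)
    (root / "report.docx.locked").write_bytes(b"\x00\x11\x22" * 300)
    (root / "finance" / "q3.xlsx.locked").write_bytes(b"\xde\xad\xbe\xef" * 50)
    (root / "finance" / "ledger.csv.CRYPT").write_bytes(b"constructed ciphertext")
    (root / "README.txt").write_text("untouched file, must not be copied")


def run_demo() -> dict:
    """Build the constructed tree in a temp dir, back it up and return the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "share", Path(tmp) / "evidence"
        build_demo_tree(src)
        return backup_encrypted_files(src, dst, {".locked", ".crypt"})
```

For a real incident, point `backup_encrypted_files` at the affected share and at an offline destination, and keep the resulting `manifest.json` with the screenshots and logs from step 4.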

11. Restore your data.

If you have a safe backup, after fixing the vulnerability that enabled the attack you can restore
your data. Attackers are also aware of this, so many ransomware variants will prioritize
encrypting backups first. Before using any backup to restore your system, make sure the backup
does not contain any hidden ransomware.

If you have no other option, however, you may need to pay the attackers.

We don’t advise victims of ransomware attacks to deal directly with attackers. Attackers may try
to take advantage of you and pressure you with empty threats. For example, attackers may claim
that an ordinary ransomware attack is actually a leakware attack (described in detail here), which
can be more dangerous. You need to have a good understanding of your position when dealing with
attackers. Attackers may not actually know the value of the data. Inexperienced negotiators may
accidentally divulge information that leads the attackers to increase their demands.

Teams of criminals conduct most ransomware attacks. We collect data on hundreds of ransomware
cases to understand the method of operation of different groups, and the best methods for
dealing with them. In many cases, hiring professionals to handle communications and payments can
be cheaper than dealing directly with the attackers yourself.

Another factor to consider is the time that it will take to restore a backup. In case there are
terabytes of data to restore, it could take days to restore from backup. If your organization is
losing a lot of money because of a suspension in operations, it
could be cheaper to pay the attackers and decrypt the data than to wait for a full restoration.

If the backup is not up to date, you need to calculate the cost of data lost since the last
backup.

12. Communicate with attackers.

Unfortunately, in many cases there is no other option but to communicate with the attackers. We
recommend working with experienced professional negotiators to avoid complications. There are a
number of complications that can come up in the course of communications.

Attackers demand more payments.

Attackers sometimes simply don’t keep their word. An important part of negotiations is
communicating in such a way that the attackers have the impression that you are willing to lose
the data, or that you don’t have the budget to make additional payments.

Attackers using communications to find additional targets.

Attackers will sometimes use information gained through communications to target individuals for
identity theft or more attacks. When communicating with the attackers to arrange payment, we use
anonymous, disposable e-mail addresses to protect our clients.

Decryption tool does not work.

Sometimes, the decryption tool provided by the attackers will not function. In this case, you
need to verify that the key is correct. In some cases, there may be multiple keys, which can
complicate the decryption process.

The decryption tool is carrying a trojan.

Hackers will sometimes collect a ransom, but plant another virus in the decryption tool they
provide. It’s a good practice to receive the decryption tool in a safe environment like an
isolated virtual machine and check it thoroughly before deploying it.

Losing contact with the attackers.

Because the hackers are criminals, many are constantly on the run. Sometimes their email
addresses may be shut down by law enforcement, leaving you unable to communicate with them. For
this reason, we have compiled a database of specific groups based on their method of operation,
and have alternate methods to get updated contact details.

The best negotiation strategy will depend on a number of factors, including:

  • What group you are dealing with.
  • What their behavior has been like in the past.
  • How much information they have about you.
  • How well they understand the value of the compromised data.

We keep records on publicly reported cases, as well as documenting all of our experiences with
ransomware recovery cases. We then use this information to refine our negotiation strategies to
get the best results for our clients.

Is paying the ransom legal?

In all jurisdictions we know of, paying the ransom is legal. The FBI is neither in favor nor
against paying attackers. On their website, they state: “Paying ransoms emboldens criminals to
target other organizations and provides an alluring and lucrative enterprise to other criminals.
However, the FBI understands that when businesses are faced with an inability to function,
executives will evaluate all options to protect their shareholders, employees, and customers.”
In its IC3 Public Service Announcement, the FBI recommends that businesses have a solid
prevention plan (such as training employees and sturdy prevention control methods) and a
business continuity plan in the event of catastrophic data loss.

13. Acquiring and transferring cryptocurrency.

Attackers demand ransoms in the form of Bitcoin or other cryptocurrencies. In order to obtain
Bitcoin or another cryptocurrency, you will need an account at a cryptocurrency exchange or
broker. This usually requires a know-your-customer/anti-money laundering (KYC/AML) verification
process. This can take days, especially if you need a large sum.

Coinbase and BitPanda are two of the most popular websites to buy and sell
bitcoin. Some options exist to purchase Bitcoin by means of debit or credit cards and PayPal,
but these options usually come with high fees attached. Another advantage of hiring a
professional ransomware response team is that we already have Bitcoin reserves for this reason,
so there are no delays or additional fees. You should be aware when making cryptocurrency
payments that transactions are absolutely irreversible. It’s important to be very careful to
enter all data correctly, because if you make a mistake, the funds cannot be recovered. You
should also be careful to use appropriate network fees. Failure to do so can result in delays or
the transaction not going through. A complete guide to Bitcoin network fees can be found
here.

When making payment, you should also take care to comply with the United States Office of
Foreign Assets Control (OFAC) regulations. The OFAC is responsible for enforcing sanctions on
criminal and terrorist organizations. If you make a transfer to an OFAC sanctioned entity and do
not document it with law enforcement, you could face legal consequences. There is more on this
in our Compliance Guide.

14. Take steps to improve security.

As the survey mentioned earlier in this guide showed, ransomware attacks hit most victims more
than once. Part of the reason for this is improper handling of the first attack. It’s
understandable to want to get back up and running as quickly as possible, but it is important to
take some precautions to ensure you don’t get hit again.

First, it is important to completely remove all of the ransomware and malware. Secondly, it’s
important to check all versions of your software for vulnerabilities and make sure everything is
up to date.

In the aftermath of a ransomware attack, you may need to adjust your operating procedure. For
example, you may want to make backups on an offline storage medium or server isolated from your
network. Anti-virus screening during the process is also important. Here is a good guide on
ransomware-proofing your backup procedures.

It’s also important to educate all employees on security practices for opening email attachments
and external websites.

Life goes on.

Try to keep a positive attitude. Feeling desperate or depressed will not help anything. Look at
it this way: a ransomware attack is an opportunity to improve your operating procedures and
security. This could make your organization stronger in the long run. Although ransomware
attacks have contributed to the bankruptcy of a few companies, most victims make it
through just fine. If you feel overwhelmed, you are welcome to contact us for a free
consultation.