How To Identify and Respond to a Ransomware Attack

According to a recent Datto Ransomware report, 85% of Australian managed service providers concluded that a ransomware attack was the most common threat to small business, with half their clients falling victim to such an attack.

We’ve put together advice to help you identify and respond to a ransomware attack to protect your business.

What Is Ransomware

Ransomware is a type of malicious software that makes your computer or its files unusable unless you pay a fee, often in the form of untraceable cryptocurrencies such as Bitcoin. It requires minimal technical expertise, is low cost and can result in significant financial harm.

Recovering from ransomware is almost impossible without comprehensive backups, which is why taking steps to protect yourself is so important. Learn more about ransomware and how to protect your business.

Most Common Ways to Be Infected by Ransomware

Ransomware attacks vary but they frequently rely on a victim clicking on a malicious link or attachment. The most common ways to become infected include:

• Phishing and Spam emails – cybercriminals pose as genuine users to trick you into downloading malicious software.
• Infected portable drives – USB flash drives can contain malware that automatically installs when connected to your business computer.
• Malicious websites – websites can host malware that phishes for sensitive information such as username and password credentials.
• Malicious plugins and applications – cybercriminals can bundle viruses with software shared via third-party websites, which can then be inadvertently installed.

How To Identify A Ransomware Attack

Unfortunately, ransomware attacks are usually difficult to detect fast enough to prevent damage. Bad actors employ clever social engineering techniques to install ransomware and encryption algorithms to scramble or ‘lock’ valuable data.

Once a single endpoint or computer is infected, ransomware can propagate throughout the network extremely quickly, making it almost impossible to respond in time. All too often, businesses don’t become aware of ransomware until it has announced its presence via payment demands.

However, there are some indicators of a ransomware attack for your technical people or IT company to be aware of:

• Increased CPU and disk activity for no obvious reason. This is caused by ransomware searching for, encrypting, and removing data files.
• Inability to access certain files – again, a result of ransomware encrypting, deleting, renaming or moving data.
• Unusual file system activity (e.g., hundreds of failed modifications) due to the ransomware attempting to access files
• Suspicious network communications. These are caused by interactions between the ransomware and the cybercriminals command and control server

How to Respond to a Ransomware Attack

The nature and significance of ransomware attacks vary, so it’s important to consider the steps required which apply to your individual situation.

If you don’t have the internal IT security expertise, consider hiring an expert IT services company who can guide you through your ransomware response and put together both a reactive and proactive cyber security strategy.

1. Disconnect your devices

When you disconnect your device, you disrupt the communication of the ransomware and limit its spread to other devices. Disconnect ALL devices from the internet, networks, and USB storage devices. This includes removing network and data cables, and disable wireless connections such as Wi-Fi, cellular data and Bluetooth. Do NOT connect your backup storage media.

2. Stop the Ransomware

   Before you shutdown devices, record key details such as the ransom note, website links, emails, or Bitcoin addresses. Always use an unaffected device to make these recordings. If your business uses Windows 10, you can use Task Manager to identify and stop the ransomware running on your devices.

3. Run a Malware Scan (Windows 10 only)

   Complete this scan using the malware scanning tool on your device. For Windows 10, search for Microsoft Defender or Antivirus, launch the malware scan and deleted any malware identified. Refer to the Australian Cyber Security Centre guide for further instructions.

Again, it is strongly recommended to take photos or notes of any suspicious programs, files, pop-ups, and     other key details you encounter while running the malware scan.

4. Document Key Details

   It is really important to record details of your ransomware incident as it will assist you after the attack and can lead to a better result. It’s also important to document for:

• Seeking assistance from a professional IT security company
• Making a claim with your insurance company, bank, or legal claim following the attack
• Reporting to your financial institution or lodging a report through CyberReport Australia
• Advising customers, colleagues, partners and friends.

5. Seek Professional Help

   The type of help required for your business may depend on the files or systems affected by the ransomware. Find a trusted IT security company or managed service provider such as Surety IT, who can assist you in minimising the damage and help your business recover from the attack.

6. Notify and Report

   Businesses may be required to notify customers of a ransomware attack. If you hold sensitive information such as customer financial details, you may also be required to report the incident to industry regulators.

How to Report a Ransomware Incident

• Contact your legal adviser to assist you in contacting customers, clients and suppliers.
• Contact anyone affected by the compromise including colleagues, staff, family and friends
• Report the incident to the Australian Cyber Security Centre
• If required by law, report any data breaches to the Office of the Australian Information Commissioner
• Contact your financial institution if you believe your bank or credit card details are at risk. They may be able to disable your account or stop a transaction.

Should You Pay the Ransom?

The Australian Cyber Security Centre recommends never paying a ransom as there is no guarantee that your data will be released, and it may also encourage future attacks. Ideally, try to identify the name of the ransomware Trojan. This information can help cybersecurity experts decrypt the threat and regain access to your files.

Despite this advice, many businesses choose to pay ransomware demands when attacked, after weighing the price of the ransom against the value of their encrypted data. If you are considering this option, keep in mind that you are dealing with criminals. Firstly, what looks like ransomware may not have actually encrypted your data, so ensure you aren’t dealing with ‘scareware’ before you send money. Secondly, there is no guarantee you will get your files back so always seek expert advice when considering paying a ransom.

Protect Yourself from Future Ransomware Attacks

As the old adage goes, prevention is better than the cure. Proactively implementing measures to protect your business from ransomware attacks including regular offline backups, staff education and update devices and systems is your best line of defence.

In Summary

Ransomware is a notoriously challenging form of malware for businesses to detect and defend against. If your business suffers a ransomware attack follow the response steps above and seek assistance from an experienced IT provider such as Surety IT.

Surety IT can help you:

• Confirm that you have indeed experienced a ransomware attack.
• Assist you to remove the ransomware and disconnect all devices
• Attempt to decrypt your files using a decryption tool
• Reconnect your devices and update your operating system and software
• Restore data from an unaffected backup
• Implement preventative measures to avoid future attacks

Read more about How To Protect Your Business from Ransomware Attacks.