Ransomware: What to do if your business is hit
FYI, this story is more than a year old
Eighteen months ago, ransomware hit headlines around the world with the massive WannaCry and Petya outbreaks which spread across 150 countries. Since then, cryptojacking and other types of cyber threats grabbed headlines while ransomware incidents declined.
And while the lower attack volume may suggest that file-encrypting ransomware is no longer a risk, that’s not the case. Ransomware has evolved to be more sophisticated, crafty and targeted and remains a threat to businesses of all sizes.
A case in point is GandCrab which kicked off 2018 with a flurry. Since its January debut, new versions of the ransomware have been released as soon as a decryptor is developed.
Using the ransomware-as-a-service (RaaS) model, the cybercriminals behind GandCrab concentrate on development and take a cut of the proceeds letting others with lesser technical skills run the campaigns.
In late September, the Australian Cyber Security Centre reiterated the need for businesses to remain vigilant of ransomware and the damage, both reputational and financial, it can cause. Without access to their files and data, a business can be crippled for days.
Their clients may no longer trust the business to keep the clients’ data secure. Moreover, with the introduction the EU General Data Protection Regulation, businesses can also potentially face significant fines for non-compliance.
As an SMB, you may think it’s a big business problem and your business is too small to be a target. Rather, SMBs are soft targets for cybercriminals.
Generally, SMBs have less-sophisticated security programs in place and are unlikely to have IT or dedicated IT security staff to manage and respond to cyber threats.
Of course, preparation is always better than response. There are many sources for steps to prevent ransomware in the first place.
However, if your business does fall victim to a ransomware attack, your best recourse is to have a plan of action already in place to help limit the damage.
The advice from law enforcement agencies across the globe is never to pay a ransom.
Stay calm and refer to a playbook
One of the difficulties that SMBs encounter is the lack of a clearly defined and readily available procedure to follow in the event of a ransomware infection.
There are readily available playbooks online that can help SMBs handle cybersecurity incidents in a calm and organised manner. These response plans include a step-by-step guide on how to detect, contain and remediate incidents that involve ransomware or any kind of cyber attack. SMBs can also develop their own playbook tailored to the setup of the business. The playbook can include:
Escalation channel directory – a list of people to be notified in your company in the event of a ransomware attack
Notification guidelines – reference material on the notification process of a cyber attack to a regulatory body (i.e. PCI or NDB) that is specific to your industry
Incident Response templates – a collection of documents such as an incident handling checklist to be used for record keeping and tracking of a ransomware incident.
Disconnect the infected systems from network access
Ransomware like WannaCry contain routines for spreading across the network. Isolate the infected devices from all, wired and wireless, network connections. You don’t want it to propagate to other machines especially to your file or database servers.
However, do not turn the infected computer(s) off. Doing so risks removing criminal evidence as well as possibly removing critical files which could be used to decrypt.
Check what type of ransomware infected your systems
Take a picture of the ransomware message screen. Security researchers have created web-based portals to help users by providing basic information on existing ransomware. Two of the sites worth mentioning is ID Ransomware and No More Ransom Project. Both sites can help identify the ransomware that hit your systems and whether there are readily available tools to decrypt your files.
Check if you can recover the files
Modern Windows OS by default, saves the previous states of the system in case of breakdowns or BSOD (blue screen of death) errors. Check if you can restore the previous state of your system using System Restore Point or Volume Shadow copies. Note that some destructive ransomware such as WannaCry, Locky and Cryptolocker also delete these system snapshots to make recovery of files more difficult.
Locate your backup
Some computer devices pre-installed with Windows or Mac OS when purchased may have been set to backup automatically in a recovery drive or in the cloud. Check with your supplier for these functionalities and how it can help you recover your files.
If you have your files backup on an external hard drive, avoid connecting it to the ransomware-infected device as it is still active, and your backup files can be encrypted.
As best practice, SMBs are recommended to follow the 3-2-1 backup strategy on making their data resilient against ransomware attacks. This strategy takes three copies of the data, stored in at least two different mediums with one copy stored in a location not accessible on the internet.
Call an external Incident Response Team (IRT)
Consider investing in an Incident Response Team retainer from a cybersecurity firm. While the retainer will only be activated when you need them, build the relationship ahead of time so the IRT understands your company’s IT infrastructure and network and how things operate in your company.
Available 24/7, incident responders have specialised skills and tools to help identify how attackers compromised your network and will remediate the attack to get your business back up and running quickly.
Without an IRT retainer in place, unforeseen delays related to contracts, non-disclosure agreements, payment terms and so on will ultimately jack up the total cost of a forensic investigation.
Cyber attacks – including ransomware – is the new normal. SMBs need to be prepared as every business – no matter what size – is a potential target for cyber attacks.
Article by Trustwave Spiderlabs senior consultant, Digital Forensics and Incident Response (APAC), Michael Marcos.