DISCLAIMER: If your small business has been hit by a ransomware attack, please contact Ariento immediately for a free, no obligation consultation. Time is of the essence.
According to the FBI, ransomware is on the rise in the first half of 2016. Here's what you need to know:
What is ransomware?
Ransomware is malicious software that spreads throughout your system and connected systems encrypting files and preventing you from accessing them. To decrypt the files (and be able to access them again) one must pay a "ransom" to the hacker in order to receive the decryption instructions and key.
How does it work?
Ransomware is often introduce via a social engineering attack such as a phishing email with a malicious attachment or link to a malicious website. When opened or clicked, the system is infected with the ransomware. More recently, ransomware has also been spread via seeding legitimate websites with malicious code (such as through click advertising networks), through brute force remote desktop protocol (RDP) attacks, or unpatched software on end-user computers. Ransomware can also be introduced by plugging infected thumb drives or similar devices into your computer.
One the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to.
What is a typical ransom amount?
It varies, but in our experience is between 1-4 bitcoins (~$695 - $2782 USD) for small businesses. We've seen as little as $200 to as much as $15,000.
What can I do to prevent ransomware?
- Ensure all users go through cybersecurity awareness training, such as Ariento's.
- Configure minimum privilege access control, only allowing users to access files and folders they need.
- Implement application whitelisting to prevent unauthorized programs from running even when a malicious link is clicked or malicious website is visited.
- Patch operating system, software, and firmware on digital devices immediately.
- Ensure antivirus AND anti-malware solutions are set to automatically update and conduct regular scans.
- Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
- Disable macro scripts from office files transmitted over e-mail.
- Use virtual local area networks (VLANS) to segregate user, server,a nd management networks.
- Back up data regularly and verify the integrity of those backups regularly.
- Separate your backups. Make sure they aren’t connected to the computers and networks they are backing up.
How do I know if my system was infected with ransomware?
Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides. In most cases, the file extensions will be changed (for example, instead of .xls or .pdf your files will all be .lol!).
What should I do if my system is infected with ransomware?
There are five steps to follow:
- Immediately disconnect the infected system from the network
- Leave the system ON! Valuable information is often stored in the short term memory (or RAM) on the system. That information is lost if the system is turned off.
- Screenshot and save any ransom notes or instructions from the hacker.
- Contact a digital forensics expert, such as Ariento, to conduct an examination of the infected systems to determine the variant and scope of the infection.
- Contact an attorney. Contact us for a recommendation for experts that specialize in the field.
- Contact a cybersecurity expert, such as Ariento, to conduct a security assessment and assist in protecting you from future attacks.
If my business is a victim of ransomware, is that considered a data breach?
It depends. If the answer is yes or "I don't know" to any of the following questions, it may be considered a data breach. We always advise you speak to an attorney in the case of a potential data breach, and can recommend experts that specialize in the field if you contact us.
- Was the ransomware variant only ransomware, or did it have a backdoor in it that opened up a remote connection to your network?
- Was any information removed (i.e. breached) from your systems?
- Was that information unencrypted?
- Was that information personally identifiable information (PII)?
Should I pay the ransom?
We do not recommend paying the ransom, as these are criminals after all and there is no guarantee they will give you the decryption instructions and key. That said, if a business does not have backups in place, sometimes paying the ransom is their only shot at retrieving important files and staying in business.