April 25, 2017

What to Do When Ransomware Strikes

Knowing how to prevent ransomware is becoming one of the most critical issues in cyber security.

Ransomware is a type of malicious software that attacks computer systems and blocks access to files or systems by locking the screen or using encryption – unless a ransom is paid.

According to a Malwarebytes study published in 2016, 40% of large businesses in the U.S., U.K., Canada, and Germany experienced a ransomware attack in 2015.

In the U.S. alone, there were more than 4,000 ransomware attacks a day in 2016, a 300% increase compared to 2015.

The Rise of Ransomware 2017 Ponemon survey showed that while small businesses are significant targets, too many think they’re too small to be at risk and are unprepared when an attack does occur.

Here’s what to do when ransomware strikes:

NOTIFY: When a ransomware pop-up box appears, the employee should immediately report the ransomware demand to the company’s security team or lead. Since ransomware is a crime, the proper authorities should also be notified.

DISCONNECT: Identify all infected devices, then turn them off and disconnect them from the network and WiFi. Take infected computer equipment to the IT department.

ALERT EVERYONE: Assess the extent of the infection. Alert everyone on the network about the attack by email, and post warnings on company message boards. Physically check that everyone in the workplace knows what is happening.

RANSOM DECISIONS: Not sure how to remove ransomware once it strikes? Whether a company pays the ransom or not depends on the situation. According to the Ransomware Survival Guide by Proofpoint, paying may restore the data, but there's no guarantee, and the money will fund additional criminal activity. The Ponemon research showed that 48% of companies paid an average of $2500 in ransom; 52% of respondents did not pay the ransom. Companies that didn't pay a ransom declined because they had a full and accurate backup.

RESTORE: The best ransomware security strategy includes regularly scheduled data backups. Many experts say backing up data makes it possible to recover files without having to pay. They recommend backing up ‘mission-critical’ data every two to four hours, and keeping backups off-site and off-line. Restore the backed-up files to a new device, or to the same device after IT has repaired the hard drive.

ASSESS THE INCIDENT: Once all systems are restored, determine who experienced the first sign of an attack in the office and how exactly the ransomware entered. The recent surge in ransomware emails is part of a cybercrime trend to fool people into being unwitting accomplices, according to the Ransomware Survival Guide. Attacks take advantage of users’ lack of awareness and typically require them to open malicious document attachments.  

IMPROVE INFORMATION SECURITY: Put mail gateways, web filters, and antivirus software in place, and ensure these systems and software are kept up to date. Since most ransomware is transmitted through email, mobile, and social media, provide ongoing training so employees know what to do, what not to do, and how to avoid ransomware (never click on unknown links, and verify all messages before opening file attachments).
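The backup guidance in the RESTORE step (mission-critical data every two to four hours, copies kept off-site and off-line, a full and accurate backup) can be checked automatically before an incident. The script below is an added example, not part of the original article; the inventory format, field names, dataset names and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Upper bound of the article's "every two to four hours" guidance.
MAX_AGE_CRITICAL = timedelta(hours=4)

@dataclass
class BackupCopy:
    dataset: str          # hypothetical dataset name
    completed: datetime   # when this copy finished (UTC)
    verified: bool        # a test restore or checksum pass succeeded
    offsite: bool         # stored away from the primary site
    offline: bool         # not reachable from the production network

def audit(copies, critical, now):
    """Return {dataset: [problems]} for each mission-critical dataset that fails."""
    findings = {}
    for name in sorted(critical):
        # Unverified copies are ignored: they may not be restorable.
        good = [c for c in copies if c.dataset == name and c.verified]
        problems = []
        if not good:
            problems.append("no verified backup")
        else:
            age = now - max(c.completed for c in good)
            if age > MAX_AGE_CRITICAL:
                problems.append(f"newest verified backup is {age} old")
            # Freshness and isolation are checked separately: the isolated
            # copy may be older than the most recent on-site one.
            if not any(c.offsite and c.offline for c in good):
                problems.append("no verified copy is both off-site and off-line")
        if problems:
            findings[name] = problems
    return findings

# Constructed sample inventory.
NOW = datetime(2017, 4, 25, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    BackupCopy("finance-db", NOW - timedelta(hours=3), True, False, False),
    BackupCopy("finance-db", NOW - timedelta(hours=20), True, True, True),
    BackupCopy("hr-share", NOW - timedelta(hours=9), True, True, True),
    BackupCopy("hr-share", NOW - timedelta(hours=1), False, False, False),
    BackupCopy("crm", NOW - timedelta(hours=2), True, False, False),
]
CRITICAL = {"finance-db", "hr-share", "crm", "payroll"}

if __name__ == "__main__":
    for dataset, problems in audit(SAMPLE, CRITICAL, NOW).items():
        for problem in problems:
            print(f"{dataset}: {problem}")
```

A dataset that appears in the critical list but has no inventory record at all (here, the constructed `payroll` entry) is reported as having no verified backup, which is the gap most likely to surface only during a restore.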
