“Don’t Panic!”: Lessons to Be Learned from Ransomware

The better you handle ransomware attacks when they happen, the less chance you will be plagued by them over and over again. In this article, we’ll look at things you can do to lower the likelihood of a malware attack, and how to handle one if it happens, both during the attack and after.

If you’ve ever watched a detective show, you know a murder suspect must have a motive, a means, and an opportunity to commit the crime. If we think about ransomware — malware that holds computers or data hostage — every cybercriminal on the planet has all three. As we discussed in our first article[1] in this series, hackers can make millions of dollars off a single strain of ransomware, so the financial motive is strong. In our second article[2], we learned that the means for a ransomware attack are available to even the most unsophisticated criminals in return for a small cut of the action — and opportunities to deliver the malware abound, from phishing attacks against users to hiding it in what looks like a legitimate software update. It’s no wonder that businesses and consumers are falling victim, and the worst part is that, as fast as systems can be resurrected, they can be “murdered” again. (This is starting to sound like a zombie movie.)

Until the security community figures out how to stop it, ransomware infections may be as inevitable as death and taxes. How you handle them when they happen, though, decides how much damage they do and whether you get hit again. The rest of this article looks at how to lower the likelihood of an attack, what to do while one is under way, and how to recover afterward.

Building Your Defenses

Obviously, there is no perfect defense against ransomware; if there were, attacks wouldn’t have multiplied the way they have, especially in the last couple of years. That said, there are steps you can take to reduce the risk. Training staff to spot and avoid phishing scams and not to open unsolicited email attachments helps keep ransomware out, and, according to a study by Ponemon Institute, such training can return up to 50x its cost by preventing multiple types of attacks. Keeping software patched closes the known vulnerabilities that many strains use to get in or to spread from one machine to the next. Infosec experts also recommend a layered approach to security, with firewalls, web scanning, and anti-virus software, so that one missed phishing email does not by itself mean a compromised network.

Prevention is great, and it will fend off some ransomware attacks, but your most important defense against ransomware is mitigation: planning ahead to limit the damage and to recover quickly from an attack. That means backups that ransomware running on the network cannot reach and encrypt, a written incident response plan, and knowing in advance whom you will call. For that last point, you can be better prepared before a ransomware attack hits by establishing a relationship with a breach response vendor through a master services agreement (MSA). An MSA gives you access to preferred pricing and guaranteed service level agreements for each incident, and you incur no charges until you actually need breach response services.

Calm Under Fire

With the current explosion of ransomware, there’s a good chance that a ransomware attack will get through, despite your best defenses. Unfortunately, there are so many strains of ransomware and so many different attack tactics that no one can tell you exactly what to do when faced with the doomsday clock or pirate flag symbol. But here’s what not to do: panic.

One of our associates, an IT consultant, dealt with a ransomware attack recently at a client of hers. Her story demonstrates many of the things that you should do, starting with keeping calm. This consultant (at her request, we just call her “D.”) provides IT services for smaller companies that don’t have their own IT staff. Recently she was contacted by an employee at one of her clients, a manufacturing company with around 50 employees, who said the files on her computer were suddenly changing names. She sent a screen grab showing the altered filenames, so D. did a quick Google search and discovered that a ransomware attack was in progress.

The ransomware was still in the process of encrypting files and hadn’t displayed a ransom screen yet, so D. told her client to immediately disconnect the affected server from the network, disconnect all servers from the Internet, and tell all employees to stay off the network and not open any files until she could assess the situation. When she arrived onsite, she found the main server was totally corrupted and was seeking file shares on the network to encrypt more data. At that point, the client’s business was badly disrupted, so a decision was made not to do forensics to track the source of the attack, and instead to try to restore the systems from backups. Even without forensics, it took 48 hours to fully recover from the attack.

D. has a lot of takeaways from the ransomware attack and its aftermath. First of all, she and her client did a lot of things right. “All the servers were backed up both to NAS servers and to the cloud, so we could restore the systems and get everything back on track with no business loss to my client. We also didn’t panic and pay a ransom. I suspect that paying gets you listed on the Dark Web as an easy target, setting you up for more attacks. Instead, we spent the money on next-generation security software that made it much easier to detect and clean up the malware in my client’s system and will help me spot and stop attacks in future. Thank goodness we spent money on that instead of paying ransom.” Things she learned? “We could have restored the systems faster if I had told everyone to stay off the systems entirely and go to paper-based work until things were back to normal. It’s an inconvenience, but it would have sped up the recovery. We also discovered some files on the network that had been created outside the file server and hadn’t been backed up. We had to get what had to be kept off the network first, for safety. So in future, we’ll be encouraging users to keep everything where it will be backed up. And I’m also considering a backup strategy for the NAS servers.”

If your organization is faced with a ransomware attack, do what D. and her client did:

Don’t panic!

Don’t power systems off (that can make things worse: it destroys volatile evidence that forensics, and some decryption tools, depend on), but do isolate them from the network and the Internet, by unplugging the cable or disabling Wi-Fi, so the malware cannot reach more file shares.

Do get online, from a clean device, and do your research. At the very least you can identify which strain of malware you’re dealing with, and you may find that free decryption or other recovery tools exist for it (the No More Ransom project keeps a collection of them).

Don’t let scare tactics push you into paying the ransom before you’ve explored other options.
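The steps above start from the moment you know something is wrong. In D.’s case the tell was a user noticing files “changing names”; on a file server that symptom is visible in the audit log long before anyone reads a ransom screen. As an added example (not code from the article, from IDX, or from D.’s client), here is a small Python check that turns that symptom into a detection: it reads file-server audit events, flags any account and host that renames many files to an unknown extension within a short window, notes whether a ransom-note-like file was dropped, and reports what to isolate first. The log line format, field names, the known-extension list, the thresholds and the sample events are all constructed assumptions; adapt the parser to your own server’s audit format.

```python
"""
Spot a ransomware encryption burst in file-server audit events.

Added example only: this is not code from the article, from IDX, or from
D.'s client. The log line format, field names, the known-extension list,
the thresholds and the sample events are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <user>@<host> <action> <path> [-> <newpath>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>[^@\s]+)@(?P<host>\S+) (?P<action>\w+) "
    r"(?P<path>\S+)(?: -> (?P<newpath>\S+))?$"
)
# Extensions we expect on this share (assumption: tune per environment). A
# rename that ends in anything else is treated as a possible encryption.
KNOWN_EXT = {"docx", "xlsx", "pptx", "pdf", "csv", "txt", "zip"}
# Ransom notes are usually text/html files with names like these (heuristic
# only; combine with the rename burst, never alert on the name alone).
NOTE_RE = re.compile(r"(restore|decrypt|recover|readme).*\.(txt|html|hta)$", re.I)

# Constructed sample: normal morning activity, then one account renaming
# files to an unknown extension at machine speed and dropping a note, the
# same "files changing names" symptom D.'s client noticed.
SAMPLE_LOG = r"""
2021-03-01T09:00:01 alice@ws12 WRITE \\fs01\sales\q1-forecast.xlsx
2021-03-01T09:00:05 bob@ws07 RENAME \\fs01\eng\draft.docx -> \\fs01\eng\spec-v2.docx
2021-03-01T09:15:00 carol@ws03 RENAME \\fs01\hr\report.docx -> \\fs01\hr\report.docx.k4yt
2021-03-01T09:15:00 carol@ws03 RENAME \\fs01\hr\payroll.xlsx -> \\fs01\hr\payroll.xlsx.k4yt
2021-03-01T09:15:01 carol@ws03 RENAME \\fs01\hr\policy.pdf -> \\fs01\hr\policy.pdf.k4yt
2021-03-01T09:15:01 carol@ws03 RENAME \\fs01\eng\spec-v2.docx -> \\fs01\eng\spec-v2.docx.k4yt
2021-03-01T09:15:02 carol@ws03 RENAME \\fs01\eng\bom.csv -> \\fs01\eng\bom.csv.k4yt
2021-03-01T09:15:02 carol@ws03 WRITE \\fs01\hr\README_TO_RESTORE.txt
2021-03-01T09:15:03 carol@ws03 RENAME \\fs01\sales\q1-forecast.xlsx -> \\fs01\sales\q1-forecast.xlsx.k4yt
"""


def basename(path):
    """Last path component, accepting UNC backslashes or forward slashes."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path):
    """Final extension, lower-cased; '' when the name has no dot."""
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_events(text):
    """Parse audit lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_suspicious_rename(ev):
    return (ev["action"] == "RENAME" and ev["newpath"] is not None
            and extension(ev["newpath"]) not in KNOWN_EXT)


def is_ransom_note(ev):
    return ev["action"] == "WRITE" and NOTE_RE.search(basename(ev["path"])) is not None


def find_encryption_bursts(events, window_seconds=60, threshold=5):
    """One alert per (user, host) with >= threshold suspicious renames inside
    any window of window_seconds. The alert names the host to isolate first."""
    window = timedelta(seconds=window_seconds)
    renames, notes = defaultdict(list), defaultdict(list)
    for ev in events:
        key = (ev["user"], ev["host"])
        if is_suspicious_rename(ev):
            renames[key].append(ev)
        elif is_ransom_note(ev):
            notes[key].append(ev["path"])
    alerts = []
    for key, evs in renames.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over the renames
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "user": key[0], "host": key[1],
                    "first_seen": evs[start]["ts"].isoformat(),
                    "rename_count": len(evs),
                    "extensions": sorted({extension(e["newpath"]) for e in evs}),
                    "ransom_notes": notes.get(key, []),
                    "affected": [e["path"] for e in evs],
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_encryption_bursts(parse_events(SAMPLE_LOG)):
        print(f"ISOLATE {alert['host']} (account {alert['user']}): "
              f"{alert['rename_count']} files renamed to {alert['extensions']} "
              f"from {alert['first_seen']}; notes: {alert['ransom_notes']}")
```

The output is the thing the "isolate, don't power off" step needs: a host and an account, not just a list of damaged files. Bob's rename to a normal extension does not trip the check, and the ransom-note name is only reported alongside a burst, so an ordinary readme.txt on its own never pages anyone. The "affected" list doubles as the first cut of what must come back from backup.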

The ransom decision can be a tough one. Like D., the FBI warns against paying a ransom in response to a ransomware attack: paying encourages this kind of criminal activity, and it does not guarantee that you will get your data back. As a first step, the FBI asks that you contact your local FBI field office to report the attack and request assistance. On the other hand, if you’re in a situation such as the recent attack on healthcare organizations, such as UVM Health Network — where lives may be at stake — you have to balance those risks. In any case, take the time to find out what you’re dealing with and to assess your options and risks before making the ransom decision. If you have good backups and can recover quickly, you may not need to pay at all.

Be an Unequal Opportunity Target

The only possible upside to the ransomware crime wave is that it may be the tipping point that drives businesses to prepare for the worst, be it malware attack or data breach. D. says her client has a new resolve and commitment to creating a really solid incident response plan, because this incident made it clear that attacks aren’t 100% preventable. “These systems had good firewalls, anti-virus, and anti-malware software running, but it obviously wasn’t enough. And while we didn’t get to do forensics, the files began to be encrypted just after the weekly software updates started, so the ransomware was probably introduced through a software update, not a user error.”

Data extortion techniques will continue to accelerate, warns CrowdStrike in its 2021 Global Threat Report. There are so many yet-to-be-answered questions about ransomware: What tactics will hackers try next? How can we stop it? Is it a data breach? When to pay and when not to pay? The only certainty is that criminals will continue to have motive and means to attack for the foreseeable future. The best we can do is to limit their opportunities through user awareness, through choosing the best cybersecurity we can afford, and through preparation that enables us to respond and recover as efficiently as we can. The more we can keep ransomware from being a fast track to riches, the less criminals will invest in its future.

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.