Ransomware has become one of the most effective weapons a criminal has at his or her disposal when it comes to cybercrime. Hacking techniques that were born of mischief or political statements are now used by organized criminal groups operating primarily in the online space.
But how to monetize it? Well, that’s where ransomware comes in. And the less you do as an IT decision-maker for your business or organization, the happier those criminals are: their target is softer.
While we’ve covered this many times through various blogs, the general concept of a ransomware attack in a cybersecurity context primarily involves a target, a vector, and encryption. These concepts are simple on their face. A target is the person or organization at which the attack is aimed. A vector is the method or methods by which an attacker gains access to a system. The encryption is a method of locking data in a way that requires a key to unlock it.
The name “ransomware” is derived from its purpose: to encrypt important data so that a key, which the attacker sells, is required to recover that data.
In this article, we will examine what to do if your business or organization is hacked as well as how to defend your business against such attacks.
What you should do if you’re hacked
Many businesses and organizations each year find themselves in a tough spot: they’ve discovered a data breach, whether internally or via communications demanding payment. So…what next?
Each ransomware situation is very different—not only in attack types but also in implications due to a business or organization’s industry or professional area—and thus the attack can have varying ramifications. The first things to almost always do are to:
- Contact an IT security team to see whether further damage can be mitigated, to establish what damage has already been done, and to ensure any remaining access methods for the hackers (often called backdoors or footholds) are closed and secured. Certified CIO can help in this area.
- Contact your attorneys and let them know you’ve had an IT security incident. Your attorneys will recommend how to communicate the security breach to other parties. Each industry is very different in this respect, and mistakes here can lead to differing levels of litigation, that is, more time and money spent.
- Contact your cyberinsurance provider, if your business or organization has one, so that they may be involved in the next steps.
Should you pay the ransom?
The easy and correct answer is no. Ransomware is illegal and peddled by criminal organizations. In fact, even participating in the exchange of the ransom payment may itself be an illegal act that funds terrorist groups. The money will go to an organization that participates in crime and will use it to boost its ability to commit further crimes. However, we acknowledge that the answer is much more difficult when the cost of recovery is more (and sometimes far more) than the ransom demand. Some business and organizational decision-makers may see a binary choice: pay the ransom or fold.
This decision will be individual and should be discussed with the IT security firm and legal team before it is made. However, some considerations should be kept in mind. While most criminal organizations do indeed release the encryption key, there is no guarantee that it will actually work and decrypt the data. Additionally, it may decrypt incompletely, or at such a slow pace that restoration from backup becomes the more viable financial choice after all (as happened with Colonial Pipeline).
How to avoid Ransomware altogether
While many aspects of an IT system’s security may fail and become the attack vector, one of the most difficult targets to harden is the human element. In this, at Certified CIO we adopt a “trust but verify” approach.
The trust portion is earned through training. We utilize traditional, episodic phishing training and also have random emails sent to each staff member’s inbox. These random emails appear to be phishing but instead record clicks on the would-be dangerous links. These emails are designed by both our in-house security personnel and the phishing experts at KnowBe4. (Get your free KnowBe4 Test HERE!)
The verify portion of our human security involves Cisco’s Duo MFA products. This requires an additional verification (essentially, “Are you trying to log in?”) when sensitive data areas are entered, including accessing one’s computer after logging out during the day or the previous day.
Outside the human factor, it is important to maintain regular and tested backup solutions. After all, ransomware won’t be a major problem if you can restore a recent backup.
(Side note: please do not use “I have backups” as an excuse to NOT call your legal team and an IT security team in the event of a security incident. The security holes that existed and allowed the attack to take place will also be restored…and for the next attack the bad guys will know they need an additional step to extort your money.)
Backup solutions come in many flavors but are only as good as the provider’s ability to deliver a backup if needed as well as the frequency by which the backups are taken. We have recently made the decision to change one of our offerings to our customers after testing and deciding that a former provider was no longer meeting our standards for delivery. (When was the last time your business checked on the status of backups?)
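“When was the last time your business checked on the status of backups?” is a question that can be answered by a scheduled check rather than by memory. The script below is an added illustration, not Certified CIO’s tooling or any vendor’s product: it assumes a simple manifest of our own design (a list of entries with a file name, a SHA-256 hash recorded when the backup was written, and a UTC creation time) and verifies three things a recovery depends on: every listed backup still exists and is not empty, its contents still match the recorded hash (catching silent corruption or tampering), and the newest backup is within the recovery point objective. The sample backup set it runs against is constructed in a temporary directory and includes deliberately damaged entries so the failure paths are exercised.

```python
"""Verify that a backup set is recent, intact and non-empty.

Added example; the manifest format (name / sha256 / created) is an assumption
made for this illustration, not a format used by any particular backup product.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Recovery point objective: how old the newest backup may be before we alarm.
RPO = timedelta(hours=24)


def sha256_file(path):
    """Stream the file so large backup images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backups(backup_dir, manifest, now, rpo=RPO):
    """Return {'ok': bool, 'problems': [str], 'newest': datetime|None}."""
    problems = []
    newest = None
    for entry in manifest:
        name = entry["name"]
        created = datetime.fromisoformat(entry["created"])
        if newest is None or created > newest:
            newest = created
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: file missing")
            continue
        if os.path.getsize(path) == 0:
            problems.append(f"{name}: zero-byte file")
            continue
        if sha256_file(path) != entry["sha256"]:
            problems.append(f"{name}: checksum mismatch (corrupted or tampered)")
    if newest is None:
        problems.append("manifest lists no backups")
    elif now - newest > rpo:
        problems.append(f"newest backup is {now - newest} old; RPO is {rpo}")
    return {"ok": not problems, "problems": problems, "newest": newest}


def build_sample_backup_set(directory, now, damage=True):
    """Constructed sample data: write backups into `directory` and return a
    manifest whose hashes were recorded at write time, like a real job would."""
    manifest = []

    def add(name, payload, hours_ago):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(payload)
        manifest.append({"name": name, "sha256": sha256_file(path),
                         "created": (now - timedelta(hours=hours_ago)).isoformat()})
        return path

    add("db-full-2024-01-01.bak", b"full dump, intact\n" * 1000, hours_ago=30)
    add("db-full-2024-01-02.bak", b"full dump, intact\n" * 1000, hours_ago=6)
    if damage:
        archive = add("files-2024-01-02.tar", b"tar archive contents\n" * 500, hours_ago=6)
        # Simulate silent corruption after the hash was recorded: a few bytes
        # change but the file is still present and the right size.
        with open(archive, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x00\x00\x00\x00")
        # A job that "succeeded" but wrote nothing.
        add("mail-2024-01-02.bak", b"", hours_ago=6)
    return manifest


def demo(hours_later=0, damage=True):
    """Run the check on the constructed set. `hours_later` ages the set so the
    RPO failure can be exercised; `damage=False` yields a clean set."""
    base = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as directory:
        manifest = build_sample_backup_set(directory, base, damage)
        return verify_backups(directory, manifest, base + timedelta(hours=hours_later))


if __name__ == "__main__":
    for hours in (0, 72):
        result = demo(hours)
        print(f"checked at +{hours}h: ok={result['ok']}")
        for problem in result["problems"]:
            print("  -", problem)
```

In practice the manifest would be written by the backup job itself and the check run from a separate, restricted account on a schedule, with any non-empty `problems` list paged to whoever owns recovery. The hash comparison is what turns “the backup file is there” into “the backup file is the one we took”, which is the difference that matters when an attacker has had time in the environment before triggering encryption.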
Overall, there still can be immense holes in your IT architecture if not kept up to date with industry standard protection. This requires a knowledgeable IT staff. If your business or organization is too small or simply would like to outsource IT…it’s what Certified CIO does. GET IN TOUCH WITH US!