Ransomware attacks are becoming increasingly common. These attacks involve malware that encrypts files on a computer or network, rendering them inaccessible. The attackers demand ransom payment in cryptocurrency to provide the decryption key. If you experience a ransomware attack, stay calm and take the following steps.
1. Disconnect infected devices from networks
As soon as you detect a ransomware attack, disconnect all infected computers and devices from wired and wireless networks. This prevents the malware from spreading to other devices and backups. Unplug Ethernet cables and disable Wi-Fi and Bluetooth on infected devices.
2. Determine the strain of malware
Identify the ransomware strain if possible. There are dozens of variants, including CryptoLocker, WannaCry, Ryuk, Conti and Phobos. Knowing the strain helps determine your options for removal, decryption and data recovery.
3. Do not pay the ransom
Security experts warn against paying the ransom. Doing so does not guarantee the attackers will provide a working decryption key. Paying also encourages more ransomware crime. Even if you pay up, the attackers may delete your files anyway.
4. Isolate or power off uninfected devices
To prevent the malware from spreading, isolate uninfected computers and devices on the same network. Turn them off if possible. Merely disconnecting them from the infected wired network may not be enough, as some strains can spread over wireless networks as well.
5. Determine the scope of the infection
Figure out how many devices across your network were infected. Check PCs, laptops, file servers, NAS drives, backup storage, smartphones, tablets, printers, VoIP phones and any other connected equipment. The more systems compromised, the more challenging and expensive recovery becomes.
6. Check online backup history
Review your cloud backup history to determine when clean, pre-infection backups were made. Use those to restore your systems once the malware is removed. Offline backups may also be usable if protected from infection.
7. Consult incident response firms
Consider hiring professional incident responders if the attack is devastating enough. Reputable firms can isolate malware, restore data from backups and harden security to prevent a repeat. This very quickly becomes expensive but may be the only viable solution.
8. Wipe and reinstall infected systems
For extensive infections, it may be easiest to wipe hard drives and reinstall the operating system and software from scratch. Be sure to apply all security updates after reinstalling. Restore your data only from known good backups.
9. Boost your defenses
Update antivirus software, firewalls, filters and signatures across your network. Harden remote access, patch management and privileged account security. User education and training are also key to prevent falling prey again.
10. Test for lingering malware
After containing the attack, run thorough scans to check for dormant ransomware remnants. Attackers frequently leave backdoors to enable future access. Continuously monitor for suspicious activity going forward.
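Steps 6 and 8 both hinge on two questions: which backup snapshot predates the infection, and does a restored file set actually match what was backed up? The following added example (not part of this article) sketches both with a hash manifest: record a SHA-256 per file when the backup is taken, store that manifest offline, then pick the newest snapshot older than the earliest sign of compromise and verify the restore against the manifest. Snapshot names, timestamps and file contents are constructed for illustration.

```python
"""Clean-snapshot selection and restore verification with a hash manifest.

Added example, not from the original article. Snapshot names, timestamps and
file contents are constructed; a real deployment reads real backup sets.
"""
import hashlib
from datetime import datetime


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Hash every file at backup time. Keep the manifest with the offline copy,
    otherwise ransomware that reaches the backup share can rewrite it too."""
    return {path: sha256_hex(content) for path, content in files.items()}


def select_clean_snapshot(snapshots, infection_time):
    """Return the name of the newest snapshot taken strictly before
    infection_time, or None if every snapshot is too recent.

    snapshots: iterable of (name, taken_at datetime).
    infection_time should be the EARLIEST suspicious event found in step 5,
    not the moment encryption became visible; dwell time is often days."""
    candidates = [s for s in snapshots if s[1] < infection_time]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s[1])[0]


def verify_restore(manifest, restored_files):
    """Compare a restored file set to the manifest.

    Returns (ok, problems); problems lists missing files, hash mismatches
    (e.g. a file that was already encrypted when the snapshot ran) and files
    that were not in the backup at all (e.g. a ransom note)."""
    problems = []
    for path, expected in manifest.items():
        data = restored_files.get(path)
        if data is None:
            problems.append(f"missing: {path}")
        elif sha256_hex(data) != expected:
            problems.append(f"hash mismatch: {path}")
    for path in sorted(set(restored_files) - set(manifest)):
        problems.append(f"unexpected file: {path}")
    return (not problems, problems)


# ---- constructed sample data -------------------------------------------
SNAPSHOTS = [
    ("nightly-2024-02-27", datetime(2024, 2, 27, 2, 0)),
    ("nightly-2024-02-28", datetime(2024, 2, 28, 2, 0)),
    ("nightly-2024-02-29", datetime(2024, 2, 29, 2, 0)),
    ("nightly-2024-03-01", datetime(2024, 3, 1, 2, 0)),
]
# Earliest suspicious event found during scoping (constructed).
INFECTION_TIME = datetime(2024, 2, 29, 14, 30)

CLEAN_FILES = {
    "docs/report.docx": b"quarterly report, clean copy (constructed)",
    "docs/budget.xlsx": b"budget spreadsheet, clean copy (constructed)",
}
# A restore from a snapshot taken after encryption started would look like this.
TAMPERED_FILES = {
    "docs/report.docx": b"\x8f\x11\xa3 unreadable ciphertext (constructed)",
    "docs/budget.xlsx": CLEAN_FILES["docs/budget.xlsx"],
    "README_RESTORE.txt": b"your files are encrypted (constructed note)",
}


if __name__ == "__main__":
    chosen = select_clean_snapshot(SNAPSHOTS, INFECTION_TIME)
    print("restore from:", chosen)
    manifest = build_manifest(CLEAN_FILES)
    print("clean restore:", verify_restore(manifest, CLEAN_FILES))
    print("bad restore:  ", verify_restore(manifest, TAMPERED_FILES))
```

The manifest only helps if it was written before the incident and kept where the malware could not touch it; verifying a restore against a manifest that lived on the same share proves nothing.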
Key steps during a ransomware attack
Here are the key steps to take during an active ransomware attack:
| Step | Action |
|---|---|
| 1 | Disconnect infected devices from networks |
| 2 | Determine the malware strain |
| 3 | Do not pay the ransom |
| 4 | Isolate or power off clean devices |
| 5 | Check scope of infection |
| 6 | Review backup history |
How ransomware infects networks
Cybercriminals use various methods to infiltrate networks with ransomware, including:
- Phishing emails with infected attachments
- Compromised websites that download malware
- Remote desktop protocol (RDP) brute force attacks
- Software vulnerabilities that enable execution of malicious code
- Droppers or downloaders installed by other malware
Once on a system, ransomware uses encryption algorithms to lock files and often spreads across networks for maximum impact. Some strains delete or steal data even if ransom is paid.
Most devastating recent ransomware strains
Major ransomware strains from the past several years include:
| Strain | Notable facts |
|---|---|
| WannaCry (2017) | Infected 300,000 systems across 150 countries; disabled UK National Health Service hospitals; used the EternalBlue exploit |
| NotPetya (2017) | Masked as ransomware but was wiper malware; crippled global firms including Maersk, Merck and FedEx |
| Ryuk (2018) | Attacked municipal networks, hospitals and schools; extorted over $150 million from victims |
| Sodinokibi (2019) | Also known as REvil; hit 400+ firms worldwide; compromised celebrity law firm Grubman Shire Meiselas & Sacks |
Average ransom amounts
The average ransom payment has skyrocketed, exceeding $200,000 in some quarters according to research:
| Quarter | Average ransom payment |
|---|---|
| Q4 2019 | $84,116 |
| Q1 2020 | $111,605 |
| Q2 2020 | $178,254 |
| Q3 2020 | $233,817 |
However, only 65% of ransomware victims managed to recover their data after paying up, according to Sophos.
Most affected industries
Examples of industries most impacted by ransomware attacks include:
- Education
- Healthcare
- State and local government
- Transportation and shipping
- Financial services
- Manufacturing
- Technology
These industries tend to have complex networks, valuable data and insufficient cybersecurity budgets and awareness. Healthcare organizations are often underprepared and overworked.
Warning signs you may be under attack
Signs a ransomware attack may be underway include:
- System slowdowns, crashes and reboots
- Encryption progress bars appear as files are processed
- Folders, files and icons disappear
- Error messages about corrupt or inaccessible files
- Ransom notes appear on screens demanding payment
- Programs and services stop functioning
At this point, the malware is actively encrypting and spreading. Disconnect infected devices immediately.
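The warning signs above can be turned into detection logic rather than waiting for a ransom note. The following added example (not from the original article; the log format, process names, paths and thresholds are constructed assumptions) flags any process that changes the extension of many files within a short sliding window, and scores file contents by Shannon entropy, since freshly encrypted documents look like random bytes while the originals did not.

```python
"""Heuristic detection of ransomware-style file activity.

Added example, not part of the original article. The event-log format and
the sample events are constructed for illustration; real sources (Sysmon,
auditd, EDR file telemetry) use different field layouts.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<ISO timestamp> <pid> <process> <action> <path>[ -> <new path>]"
SAMPLE_LOG = r"""
2024-03-01T09:00:01 4120 winword.exe WRITE C:\Users\alice\report.docx
2024-03-01T09:00:40 1288 explorer.exe RENAME C:\Users\alice\notes.txt -> C:\Users\alice\notes.md
2024-03-01T09:15:02 7731 tmp_update.exe WRITE C:\Users\alice\README_RESTORE.txt
2024-03-01T09:15:03 7731 tmp_update.exe RENAME C:\Users\alice\report.docx -> C:\Users\alice\report.docx.locked
2024-03-01T09:15:03 7731 tmp_update.exe RENAME C:\Users\alice\budget.xlsx -> C:\Users\alice\budget.xlsx.locked
2024-03-01T09:15:04 7731 tmp_update.exe RENAME C:\Users\alice\photo1.jpg -> C:\Users\alice\photo1.jpg.locked
2024-03-01T09:15:04 7731 tmp_update.exe RENAME C:\Users\alice\photo2.jpg -> C:\Users\alice\photo2.jpg.locked
2024-03-01T09:15:05 7731 tmp_update.exe RENAME C:\Users\alice\thesis.pdf -> C:\Users\alice\thesis.pdf.locked
2024-03-01T09:15:06 7731 tmp_update.exe RENAME C:\Users\alice\notes.md -> C:\Users\alice\notes.md.locked
"""

RENAME_THRESHOLD = 5            # extension-changing renames by one process ...
WINDOW = timedelta(seconds=60)  # ... inside this sliding window
ENTROPY_THRESHOLD = 7.5         # bits per byte; plain documents sit well below this


def parse_log(text):
    """Parse the constructed log format into event dicts (paths without spaces assumed)."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, proc, action, path = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "proc": proc, "action": action, "path": path})
    return events


def _extension(path):
    """Lower-cased final extension, handling both '/' and '\\' separators."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def flag_mass_rename(events):
    """Return {(pid, process): count} for processes that changed the extension
    of at least RENAME_THRESHOLD files within any WINDOW-long span.
    A user renaming one file by hand (explorer.exe above) stays below it."""
    stamps = defaultdict(list)
    for ev in events:
        if ev["action"] != "RENAME" or " -> " not in ev["path"]:
            continue
        old, new = ev["path"].split(" -> ", 1)
        if _extension(old) != _extension(new):
            stamps[(ev["pid"], ev["proc"])].append(ev["ts"])
    flagged = {}
    for key, times in stamps.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= RENAME_THRESHOLD:
                flagged[key] = max(count, flagged.get(key, 0))
    return flagged


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_encrypted(data, threshold=ENTROPY_THRESHOLD):
    """High entropy alone is not proof (compressed archives look the same), but
    high entropy in a file that used to be a document is a strong indicator."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    for (pid, proc), n in flag_mass_rename(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {proc} (pid {pid}) changed {n} file extensions within {WINDOW.seconds}s")
```

Run against real telemetry, the rename heuristic should be paired with an allow-list for known bulk-rename tools (backup agents, build systems) to keep the false-positive rate manageable, and the entropy check is most useful on files whose previous content type is known.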
How to prevent ransomware
Steps to protect yourself and your organization from ransomware include:
- Back up data regularly and keep some backups offline
- Install, update and properly configure antivirus and anti-malware software
- Be extremely cautious of phishing emails and do not open attachments or click links from unknown senders
- Enable spam filters and multi-factor authentication
- Only download software from trusted sources; do not “sideload”
- Patch and update operating systems, software and firmware
- Segment networks and limit excessive user privileges
- Disable RDP if not absolutely needed or put behind VPN
- Educate employees on cybersecurity best practices
Should ransomware attacks be reported?
Absolutely. Ransomware attacks should be reported to:
- Local law enforcement
- FBI or Secret Service Cybersecurity field offices
- U.S. Treasury Department (for attacks on critical infrastructure)
- Internet Crime Complaint Center (IC3)
Reporting helps authorities track ransomware attackers, trends and global threats. It also helps you demonstrate due diligence to customers and compliance enforcers.
Will cyber insurance cover ransomware?
Most cyber insurance policies cover some ransomware-related losses, including:
- Extortion payments (although not recommended)
- Cost of investigation
- Restoration of compromised data
- Business interruption losses
- Crisis management services
- Cyber extortion expenses
- Computer forensic expenses
- Public relations services
However, insurers are increasingly limiting coverage for firms with poor security controls. Maintaining backups and prompt attack reporting also help ensure coverage.
Using ransomware decryptors
Security researchers sometimes develop free decryption tools for specific ransomware strains. Two options include:
- NoMoreRansom.org – Collaboration between Europol, law enforcement and researchers with over 140 free decryptors.
- Avast Decryption Tools – Free decryption tools for strains such as Shade, HiddenTear, Jigsaw and more.
Decryptors are not available for all strains. Little hope exists for unlocking files without the attacker’s private key. Still, decryptors are worth checking for newly emerging ransomware.
Should you pay the ransom?
Most experts recommend not paying ransoms for the following reasons:
- No guarantee you’ll get a decryption key
- Attackers often increase demands after initial payment
- Paying encourages more attacks
- Ransom funds support criminal activities
- Payment may violate laws against supporting terrorism
However, some organizations calculate that paying is cheaper than losing critical data and productivity. Weigh the risks carefully before deciding.
Conclusion
Ransomware attacks can be devastating, but proper preparation and response limit the damage. Isolate infections immediately, assess the impact, restore from clean backups and harden defenses across the board. With vigilance and sound security practices, you can minimize both the frequency and consequences of ransomware attacks.