What to do when ransomware strikes?

by Simon Ractliffe, Director and GM for South Asia and Pacific at SecureWorks

Cyber criminals are not just targeting entire organisations but also every individual who works for, or conducts business with, them. In August this year, thousands of Australians were targeted by a ransomware email scam purporting to be from energy company AGL, which sent a fake bill and prompted the recipient to click and download a copy. This is concerning because once hackers gain access to IT systems, massive amounts of data can be encrypted and then held to ransom for a premium price.

Ransomware strikes when you least expect it

The thing about ransomware is that it can strike at any time and, when it does, organisations have little time to act. To add to the pressure, the ransom demanded by some variants increases with each passing day. Without a well-defined plan in place, organisations will not be able to contain and recover from attacks quickly enough. This article sets out some areas for consideration should an organisation come under attack.

Understanding the basics

The first thing organisations need to establish when they come under attack by ransomware is which variant of malware they have been hit with and how it works. Some variants can be decrypted without paying the ransom or obtaining a key from the attacker. Others are extremely well-built and offer no recovery path other than paying the ransom fee for the key. Searching the company's systems for the key or its hash is extremely time-sensitive, so IT teams need to have the malware analysed quickly to decide how best to respond.

Protecting your clients’ data

It’s critical for CISOs, compliance officers and IT teams to discuss next steps if they have contractual obligations to deliver vendor or client data but have their hands tied because the data has been encrypted. Compliance requirements and the contracts an organisation has with vendors, partners and clients may dictate what can and cannot be done. In this case, it is advisable to present the organisation’s cyber insurance policy along with the issues and recommendations to an attorney who can advise whether or not the organisation has the legal authority to pay the ransom and if the company could be found guilty of being an accomplice to a crime.

If an organisation can't get its data back without paying the ransom and still decides not to give in, it should discuss whether there could be legal ramifications for not paying if client contracts state that it will "protect and recover their data by any means possible."

Does paying the ransom solve the issue?

While ransomware attackers claim that they will hand over the key to decrypt files once payment is made, they don't always deliver. In such cases the organisation can end up losing both its files and its money. Even if payment is made and the attacker had intended to return the files, if the operation behind that ransomware variant is shut down by authorities, the organisation may never be able to obtain the key.

In the event an organisation decides to pay the ransom, it is advisable to seek guidance from the local law enforcement agency to confirm whether it offers any intermediary options for payment or payment recovery. Often a ransomware payment can only be made via Bitcoin, prepaid cards or gift cards. An organisation could set up its own Bitcoin account or use a third-party service. Setting up a Bitcoin account, transferring funds to it and making payment to an attacker can be time consuming, so research in advance how to do so in case an incident calls for it.

Recovery strategy from ransomware

First and foremost, it is critical for companies to have a backup and recovery strategy for all critical files – ideally using more than one method and keeping a copy that is not connected to the infected systems. If no Incident Response (IR) plan is in place that specifies which systems to bring back online first, hold a meeting with the internal business teams to create an action plan.

Ransomware Security Tips

Here are a few tips for organisations that may go a long way:

  • Be sure to back up your organisation’s data on a regular basis. Diversify back-up storage – for example, keep one copy in the cloud and one copy offline and keep both updated.
  • Exercise caution when it comes to links and attachments in your email or sent through social media sites. Even if it comes from someone you trust, if it looks suspicious, don’t open it. Ensure your employees know the risks and provide awareness training to reduce the risk.
  • Keep all software up-to-date. Apply security patches as they become available.
  • Familiarise yourself with known ransomware file extensions and set up alerts for their appearance on your systems.
  • Establish a back-up strategy that will allow you to recover quickly and prevent the backup data from getting encrypted.
  • Create and rehearse annually an IR plan that includes a scenario for being hit with ransomware.
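Two of the tips above lend themselves to simple automation: alerting on known ransomware file extensions (and on the sudden mass appearance of such files, which is the signature of an encryption run), and checking that a backup copy has not itself been encrypted or altered. The script below is an added example written for this article; it is not SecureWorks code. The extension list and ransom-note name fragments are illustrative assumptions and should be populated from a current threat-intelligence feed; the sample directory tree it scans is constructed in a temporary folder.

```python
"""Scan a directory tree for ransomware indicators and verify a backup manifest.

Added example, not SecureWorks code. KNOWN_RANSOMWARE_EXTENSIONS and
RANSOM_NOTE_MARKERS are illustrative assumptions: feed them from threat intel.
"""
import hashlib
import tempfile
import time
from collections import Counter
from pathlib import Path

# Illustrative extensions used by ransomware families (assumption; keep in
# sync with a threat-intelligence feed rather than hard-coding in production).
KNOWN_RANSOMWARE_EXTENSIONS = {".locky", ".zepto", ".cerber", ".encrypted", ".crypt"}

# Illustrative ransom-note filename fragments, matched case-insensitively (assumption).
RANSOM_NOTE_MARKERS = ("decrypt", "how_to_recover", "help_instructions")


def scan_for_indicators(root, burst_window_seconds=300, burst_threshold=10):
    """Walk `root` and return findings:
    - suspicious_files: files whose extension is on the known list
    - ransom_notes: files whose name looks like a ransom note
    - burst: True when at least `burst_threshold` suspicious files were modified
      within the last `burst_window_seconds` (mass-encryption signature)
    - extension_counts: how many files carry each suspicious extension
    """
    now = time.time()
    suspicious, notes, recent = [], [], 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in KNOWN_RANSOMWARE_EXTENSIONS:
            suspicious.append(str(path))
            if now - path.stat().st_mtime <= burst_window_seconds:
                recent += 1
        elif any(marker in path.name.lower() for marker in RANSOM_NOTE_MARKERS):
            notes.append(str(path))
    return {
        "suspicious_files": sorted(suspicious),
        "ransom_notes": sorted(notes),
        "burst": recent >= burst_threshold,
        "extension_counts": Counter(Path(p).suffix.lower() for p in suspicious),
    }


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_root, manifest_path):
    """Record the SHA-256 of every file under `backup_root`; returns the file count.
    Keep the manifest with the offline copy, not on the live (possibly infected) host."""
    backup_root = Path(backup_root)
    lines = []
    for path in sorted(backup_root.rglob("*")):
        if path.is_file():
            lines.append(f"{sha256_of(path)}  {path.relative_to(backup_root).as_posix()}")
    Path(manifest_path).write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_manifest(backup_root, manifest_path):
    """Return (ok, problems); a backup that was encrypted in place shows up as 'modified'."""
    problems = []
    for line in Path(manifest_path).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        target = Path(backup_root) / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != digest:
            problems.append(f"modified: {rel}")
    return (not problems, problems)


def build_demo_tree():
    """Constructed sample data: one clean document, a burst of .locky files, a ransom note."""
    root = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"normal document")
    for i in range(12):
        (docs / f"file{i}.xlsx.locky").write_bytes(b"\x00" * 16)
    (docs / "_HELP_instructions.txt").write_text("your files are encrypted")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    findings = scan_for_indicators(demo)
    print(f"suspicious files: {len(findings['suspicious_files'])}, "
          f"ransom notes: {len(findings['ransom_notes'])}, burst: {findings['burst']}")
    write_manifest(demo / "docs", demo / "manifest.txt")
    print("backup intact:", verify_manifest(demo / "docs", demo / "manifest.txt")[0])
```

In practice the scan would run against file shares and backup targets on a schedule (or be replaced by file-system auditing), with `burst` wired to an alert, while `write_manifest` runs when a backup is taken and `verify_manifest` runs before any restore, so that an encrypted backup is discovered before it is relied upon.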

Business leaders need to ensure that all of these security controls are in place and consistently deployed, and there should be stiff consequences if policies are not enforced at all levels of the organisation.