In Part 2 of this series on cybercrime I explained what phishing is and how a particular form of phishing, known as ransomware, has come to prominence and accounts for a reported 97% of all phishing attacks. In this section I will explain the steps we at IT.ie highly recommend that you immediately take to reduce the effect of the attack on your IT systems.
OK, so you’ve received a mail from a source that may or may not be known to you. The mail heading looks genuine enough, in that it may seem relevant to the department you work in: accounts, procurement etc. Anyway, when you open the mail, you find that there is a link or a number of links you are encouraged to click on. You click on the link and, in this example, nothing happens. You move on to your next email.
Then, anything from a few hours to approximately 3 days later (depending on the number of files), you are met with a message similar to this.
Congratulations, you are now the unlucky winner of a ransomware attack. For all intents and purposes, your computer is unusable to you and some, or more likely a large number, of your folders have now been encrypted.
Immediate actions on discovering a ransomware attack?
Disconnect: Without doubt the first thing you must do is disconnect the infected computer from the network and even power down everything. Don’t panic. The instant you see a message resembling the one above, or if you suspect that a link you have clicked on may contain a virus of any kind, remove the Ethernet cable from the back of your computer to prevent the virus spreading to other computers and servers on your network.
Report: Your next step should be to report the attack or suspected attack to your systems administrator or office manager. It is vital that all users on the network be made aware of an attack or attempted attack to ensure the vigilance of other users on your network. It is likely that other users have also received similar phishing emails and your quick response may prevent further damage.
Assess: Have your onsite IT support or IT support company immediately investigate the source of the attack and the likely impact on your systems, and confirm whether it was, in fact, a ransomware attack. While most ransomware attacks are the real thing, there are numerous cases of fake ransomware events that don’t actually encrypt your files at all and other variants that can be defeated by traditional antivirus and malware tools.
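One way IT support can check the "Assess" question of whether files were really encrypted, shown as an added example that is not part of the original post or an IT.ie tool: it compares each file's header against the signature expected for its extension and measures byte entropy. The function names, the 7.5 bits-per-byte threshold and the sample files are assumptions made for this illustration.

```python
import math
import os
import random
import tempfile
from collections import Counter

# Signatures of common office formats. DOCX/XLSX are ZIP archives, so they are
# high-entropy even when healthy: check the header first, entropy second.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path, sample=65536, threshold=7.5):
    """Return 'intact', 'likely-encrypted' or 'unknown' for one file."""
    with open(path, "rb") as f:
        head = f.read(sample)
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic and head.startswith(magic):
        return "intact"
    # Header missing or extension unrecognised (e.g. renamed by the malware).
    # Very small files rarely reach the threshold, so they report 'unknown'.
    return "likely-encrypted" if shannon_entropy(head) > threshold else "unknown"

def triage(root):
    """Count verdicts for every file under root."""
    counts = Counter()
    for dirpath, _, names in os.walk(root):
        for name in names:
            counts[classify(os.path.join(dirpath, name))] += 1
    return dict(counts)

def demo():
    """Constructed sample: one healthy PDF, one PDF overwritten with random bytes."""
    rng = random.Random(1)
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "report.pdf"), "wb") as f:
            f.write(b"%PDF-1.4\n" + b"constructed sample text\n" * 200)
        with open(os.path.join(d, "invoice.pdf"), "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(8192)))
        return triage(d)

if __name__ == "__main__":
    print(demo())
```

Run `triage` from a clean machine against a read-only copy of the affected share, not on the infected computer itself. A result that is almost entirely "intact" despite a ransom note on screen points towards the fake variants described above.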
Should you pay the ransom?
This is a decision that you alone are going to have to make, but you must first consider a number of factors:
- The people you are paying are criminals whose sole motivation is to deprive you and your company of your hard-earned cash (paid in bitcoin), and so you are contributing to the ill-gotten gains of a criminal enterprise.
- If you pay, you are in fact more likely to be attacked again, as you are seen as a soft target.
- There is no guarantee that the cyber criminals will unlock or have the ability to unlock your files. Ransomware is often sold to criminals in what is known as Ransomware as a Service (RaaS), in that the developers of the virus sell it on to other criminals who simply have a method of distribution but may not have the technical ability to unlock your files once you have paid.
- Is it a single machine or all the machines connected to the company’s network, and what impact does the loss of data and downtime have on your operations?
- You may decide that the payment of several hundred euro is a small price to pay to have your valuable data available and systems back online again. There is no reliable data available to determine what percentage of victims pay up, as companies rarely admit to paying ransoms, as this would also be an admission that their networks were compromised.
- We at IT.ie would strongly advise that you do not pay; however, we understand that you may be in a position where you have no other choice, and we will support your decision and advise you on the steps to take.
What should you do to prevent data loss?
Backup, Backup, Backup – I can’t emphasise this strongly enough; if you want to be certain that your company’s data is not lost forever, then you must engage with an online backup service provider. If you have a reliable and secure online backup service, you will have the ability to recover your files regardless of the reason for the loss, whether it be ransomware, fire, flood or simple human error. Online backup is inexpensive and guarantees the integrity of your valuable data. IT.ie are regularly contacted by companies that suspect they may have been the victim of a ransomware attack. Once we have established that you are the victim of an attack and advised you on the steps to take to minimise the damage, we will then investigate if you have an online backup service. If you have, we can usually have you back to full capacity within several hours depending on the severity of the attack. If you do not have an online backup service, then I’m afraid you are going to be left with some very difficult decisions to make. Please read our post on “Online Backup V Online Storage“.
The team at IT.ie are available to talk you through the best online backup options available to you and your company. Please go to our page here for a guide to online backup pricing. Regardless of whether you engage our services or the services of another provider, we strongly urge you to immediately protect the integrity of your data with a reliable and secure online backup service.
In the final part of this series I will briefly explain some of the other forms of cybercrime and how they can affect your business, and summarise the series with the steps you and your team should take to protect your valuable data.