You might think you’ll know when you’ve become victim to a ransomware attack. And in one sense you’re right. Hackers always let you know. Otherwise they’d never get their pay-out.
However, in another sense you’re wrong. And the reason is that, despite the very obvious ransom demand on your screen, you became a victim some time before, with, for example:
- A compromised server you didn’t notice
- Someone succumbing to phishing, which started a trail of back-door entry
So – in this article, we’ll go into detail about ransomware and how you can prevent your business becoming the latest victim.
Let’s dive in.
Are You a Good Target For a Ransomware Attack?
Everyone is a target.
Firstly, everyone has assets. And it’s easy money for gangs to encrypt your data, lock your system, and demand a ransom.
Secondly, they can simply exfiltrate your data (without encrypting it) and extort the payload. The threat of exposing data is equally bad for any business.
Thirdly, most businesses – including SMBs – have time-dependent reasons for needing to get their operations back online soonest. Ransomware relies on this!
Lastly, if you think ransomware often targets major companies – using tools to assess what the victim can afford to pay – you’re right. In 2021, there were ransomware incidents against 14 of the 16 critical U.S. infrastructure sectors.
But – you may be part of a supply chain to those businesses.
So – overall, you’re a good target whatever your size – but especially vulnerable if you have
- outdated infrastructure and apps,
- an unpatched OS, or
- loose security protocols.
Around 67% of SMBs go out of business within six months of a breach.
Is Ransomware Attack on the Rise?
Yes. It remains a good business model: Nearly everyone pays up (but see below where we’ll discuss this further).
In addition, the perpetrators find:
- Their earnings multiply as they sell your data or your trade secrets to others.
- Your breached data can supply opportunities for them to gain entry into other businesses.
- Any email information they steal is useful for fraud – and your browser data for indirect re-use.
Where Do Ransomware Attacks Come From?
In brief… criminal gangs. Examples of ransomware groups include
- DarkSide – who were likely behind the ransomware attack on Colonial Pipeline in May 2021, and
- REvil – who are thought to have demanded the ransom from JBS foods a month later.
Conti – using Ransomware-as-a-Service (RaaS) – and Black Basta are more recent ransomware actors.
There are many others. So the main question is…
Can Ransomware Attacks Be Detected
Yes. Before you get the ransomware notice on screen, you have several opportunities for early threat detection. These include:
- Unusually high network activity or data transfers: A hacker may be trying to install malware on your system or extract data.
- Suspicious logins: Your server logs will show unusual login attempts or successful logins from unknown sources.
- Pop-up messages or alerts on your screen – especially those asking you to enter sensitive information.
- Unexplained changes to settings or files, such as new programs, file extensions, or encrypted files: Malware is now on your network.
The ransom note is simply when they make themselves known – to get paid!
But the evidence of a successful ransomware attack proves that clues are often ignored or mis-read! For example:
1 User lockout after three failed login attempts
Clue: Someone is trying to guess the password. Maybe a brute-force attack to launch malware?
Wrong reaction: “This user frequently forgets their password. It’s not serious.”
2 Large amounts of data being downloaded
Clue: It’s from a sensitive file server. Maybe data is being exfiltrated because the user account is compromised?
Wrong reaction: “The user is in finance – they need this information for a project. Ignore it.”
It’s easily done! And however the breach happens, your ransomware attacker can gradually gain admin access and control your whole network.
So, you need to use this detection time to avoid a business-wide disaster. IT outsourcing to a managed services provider (MSP) can mean this time is used expertly.
But how should you respond to a full-blown, successful ransomware attack?
How to Respond to Ransomware Attacks
Deciding when, and if, to pay a ransom is complex.
No one wants to encourage attacks by making them effective. Yet paying gets your business up and running again.
However, although you may recover your data by paying up, it’s already gone onto the dark web! It’s now compromised data that you’ll have to report and make public.
Nevertheless, you still have a choice: to pay or not to pay.
You might pay when
- the data are critical and you have no backup, or your backup has been targeted too (a current tactic of gangs),
- you need to avoid more financial and reputational disruption,
- the payload is small,
- you need to resume business fast, or
- you feel it’s likely your data will be returned unexposed.
On the other hand, you may refuse to pay when
- you have non-targeted backups elsewhere to recover your data from,
- the demand is extortionate and will mean closing your business,
- the attackers have a history of not releasing data even after receiving payment,
- you have the means of removing ransomware (see below), or
- paying would violate laws and regulations.
Before responding to a ransomware attack, you should consult with cybersecurity experts and legal people to find the best solution for you. However, sometimes, paying the ransom demand may be your only viable option.
Let’s look at another crucial question.
Can You Remove Ransomware Yourself?
Yes and no.
You can:
- Find, identify, and then remove the ransomware program (if it still exists – some delete themselves) with anti-malware; then see if there’s a decryption tool available online to retrieve your files.
- Or – revert your computers and networks to factory settings and restore data to a recent state if you have clean backups.
But you can’t:
- Decrypt locked files by buying the ransom key once you’ve deleted the malware! With the malware gone, there’s no point in paying for a decryption key!
A much better way than relying on removing ransomware after the event is to partner with IT support services beforehand. This also improves your security posture and makes you less vulnerable to successful attacks. That’s because IT services
- monitor your systems 24/7,
- note suspicious events, and
- take prompt action.
We Can Help You Survive a Ransomware Attack
Outsourcing your IT to a managed service provider like Uprite means you gain excellent proactive cybersecurity and IT management, as well as efficient backup and disaster recovery.
We’re proud to serve many SMBs in the wider Houston, San Antonio, and Dallas areas. Get in touch with us today and let’s keep your business safe!
Stephen Sweeny, CEO of of Uprite.com, with 20+ years of experience brings tech and creativity together to make cybersecurity simple and IT support seamless. He’s on a mission to help businesses stay secure and ahead of the game!