
Ransomware: What to do if your business is hit

08 Nov 2018

Eighteen months ago, ransomware hit headlines around the world with the massive WannaCry and Petya outbreaks, which spread across 150 countries. Since then, cryptojacking and other types of cyber threats have grabbed the headlines while ransomware incidents have declined.

And while the lower attack volume may suggest that file-encrypting ransomware is no longer a risk, that's not the case. Ransomware has evolved to be more sophisticated, crafty and targeted, and it remains a threat to businesses of all sizes.

A case in point is GandCrab, which kicked off 2018 with a flurry. Since its January debut, new versions of the ransomware have been released as soon as a decryptor for the previous one is developed.

Using the ransomware-as-a-service (RaaS) model, the cybercriminals behind GandCrab concentrate on development and take a cut of the proceeds, letting others with lesser technical skills run the campaigns.

In late September, the Australian Cyber Security Centre reiterated the need for businesses to remain vigilant of ransomware and the damage, both reputational and financial, it can cause. Without access to their files and data, a business can be crippled for days.

Their clients may no longer trust the business to keep the clients' data secure. Moreover, with the introduction of the EU General Data Protection Regulation, businesses can also potentially face significant fines for non-compliance.

As an SMB, you may think it's a big-business problem and your business is too small to be a target. In reality, SMBs are soft targets for cybercriminals.

Generally, SMBs have less sophisticated security programs in place and are unlikely to have IT staff, let alone dedicated IT security staff, to manage and respond to cyber threats.

Of course, preparation is always better than response. There are many sources for steps to prevent ransomware in the first place.

However, if your business does fall victim to a ransomware attack, your best recourse is to have a plan of action already in place to help limit the damage.

The advice from law enforcement agencies across the globe is never to pay a ransom.

Stay calm and refer to a playbook

One of the difficulties that SMBs encounter is the lack of a clearly defined and readily available procedure to follow in the event of a ransomware infection.

There are readily available playbooks online that can help SMBs handle cybersecurity incidents in a calm and organised manner. These response plans include a step-by-step guide on how to detect, contain and remediate incidents that involve ransomware or any kind of cyber attack. SMBs can also develop their own playbook tailored to the setup of the business. The playbook can include:

  • Escalation channel directory – a list of people to be notified in your company in the event of a ransomware attack

  • Notification guidelines – reference material on the process for notifying a cyber attack to a regulatory body (e.g. PCI or NDB) that is specific to your industry

  • Incident Response templates – a collection of documents such as an incident handling checklist to be used for record keeping and tracking of a ransomware incident.

Disconnect the infected systems from network access

Ransomware like WannaCry contains routines for spreading across the network. Isolate the infected devices from all network connections, wired and wireless. You don't want it to propagate to other machines, especially your file or database servers.

However, do not turn the infected computer(s) off. Doing so risks destroying evidence of the crime, as well as data held on the running system that could be used to decrypt your files.
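As an added illustration of the two instructions above (cut every network connection, but keep the machine running), here is an example PowerShell sequence for an affected Windows host. It is not from the article and not Trustwave's tooling; the evidence directory path is an assumption, and it must be run in an elevated session. It first records volatile state that would be lost on a reboot, then disables every active adapter rather than powering the box off.

```powershell
# Added example, not from the article: isolate a suspected host from the network
# and preserve volatile evidence without shutting it down. Run elevated.
# The evidence path is an assumption; adjust it to your playbook.
$EvidenceDir = "C:\IR\$env:COMPUTERNAME-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Capture volatile state first: running processes and live TCP connections.
#    A power-off would destroy both, which is why the article says not to reboot.
Get-Process | Select-Object Id, ProcessName, Path |
    Export-Csv -Path (Join-Path $EvidenceDir 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -Path (Join-Path $EvidenceDir 'tcp-connections.csv') -NoTypeInformation

# 2. Record which adapters were up, then disable all of them (wired and wireless)
#    so the ransomware cannot reach file or database servers.
$Adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
$Adapters | Select-Object Name, InterfaceDescription, MacAddress, Status |
    Export-Csv -Path (Join-Path $EvidenceDir 'adapters-before-isolation.csv') -NoTypeInformation
$Adapters | Disable-NetAdapter -Confirm:$false

# 3. Confirm nothing is still connected before handing over to the responders.
Get-NetAdapter | Select-Object Name, Status | Format-Table -AutoSize
Write-Output "Host isolated. Evidence written to $EvidenceDir. Do NOT power off."
```

The CSV exports are deliberately written before the adapters go down so that an external IRT can later see what was running and talking on the network at the moment of isolation. Physically unplugging the cable and switching the Wi-Fi radio off achieves the same isolation if you would rather not type commands on a compromised machine.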

Check what type of ransomware infected your systems

Take a picture of the ransomware message screen. Security researchers have created web-based portals that provide basic information on existing ransomware families. Two sites worth mentioning are ID Ransomware and the No More Ransom Project. Both can help identify the ransomware that hit your systems and whether there are readily available tools to decrypt your files.

Check if you can recover the files

Modern versions of Windows save, by default, previous states of the system in case of breakdowns or BSOD (blue screen of death) errors. Check whether you can restore a previous state of your system using a System Restore Point or Volume Shadow Copies. Note that some destructive ransomware, such as WannaCry, Locky and CryptoLocker, also deletes these system snapshots to make recovery of files more difficult.
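To check whether those snapshots survived, here is an added PowerShell example (not from the article) that lists any remaining Volume Shadow Copies and System Restore points on the still-isolated machine. Both queries are read-only; `Get-ComputerRestorePoint` exists only on client editions of Windows, so the example tolerates its absence.

```powershell
# Added example, not from the article: see whether recovery snapshots still exist.
# Run elevated on the isolated host. Nothing here modifies the system.

# Volume Shadow Copies: the snapshots that families like WannaCry and Locky delete.
$Shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if ($Shadows) {
    Write-Output "Found $(@($Shadows).Count) shadow copy/copies:"
    $Shadows | Select-Object ID, VolumeName, InstallDate, DeviceObject | Format-Table -AutoSize
} else {
    Write-Output 'No shadow copies present. Expect that the ransomware removed them.'
}

# System Restore points (client Windows only; the cmdlet is absent on Server).
try {
    $Points = Get-ComputerRestorePoint -ErrorAction Stop
    if ($Points) {
        Write-Output "Found $(@($Points).Count) restore point(s):"
        $Points | Select-Object SequenceNumber, Description, CreationTime | Format-Table -AutoSize
    } else {
        Write-Output 'No System Restore points present.'
    }
} catch {
    Write-Output "System Restore query not available on this edition: $($_.Exception.Message)"
}
```

If a shadow copy is listed, its `DeviceObject` value (a `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` path) can be exposed read-only as a folder with `mklink /d` from an elevated command prompt, which lets you copy individual pre-encryption files out without restoring the whole volume. Do this only after the evidence capture is complete and preferably with the IRT's agreement, since it changes nothing on the snapshot but does touch the host.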

Locate your backup

Some computers that ship with Windows or macOS pre-installed may have been set up to back up automatically to a recovery drive or to the cloud. Check with your supplier for these features and how they can help you recover your files.

If your files are backed up on an external hard drive, avoid connecting it to the infected device while the ransomware is still active, or your backup files can be encrypted as well.

As best practice, SMBs are recommended to follow the 3-2-1 backup strategy to make their data resilient against ransomware attacks. This strategy keeps three copies of the data, stored on at least two different media, with one copy stored in a location that is not reachable from the internet.

Call an external Incident Response Team (IRT)

Consider investing in an Incident Response Team retainer from a cybersecurity firm. While the retainer will only be activated when you need it, build the relationship ahead of time so the IRT understands your company's IT infrastructure and network and how things operate in your company.

Available 24/7, incident responders have specialised skills and tools to help identify how attackers compromised your network and will remediate the attack to get your business back up and running quickly.

Without an IRT retainer in place, unforeseen delays related to contracts, non-disclosure agreements, payment terms and so on will ultimately jack up the total cost of a forensic investigation.

Cyber attacks, including ransomware, are the new normal. SMBs need to be prepared, as every business, no matter what size, is a potential target.

Article by Trustwave Spiderlabs senior consultant, Digital Forensics and Incident Response (APAC), Michael Marcos.
