Getting hit by a ransomware attack can throw your week, if not your month or your year, into disarray. But depending on the breach, you might have several viable paths forward to recover your data. You might even be able to slip the trap and avoid paying altogether.
Ransomware may be the fastest-growing risk to businesses across sectors. Attacks this year are up 93 percent from 2020, a year that itself saw a 485 percent increase over the one before. Cybersecurity Ventures projects that damages from ransomware attacks will exceed $265 billion by 2031.
A proposed cybersecurity bill would hold countries harboring cyberattackers responsible for their actions in a manner similar to anti-terrorism measures.
How Does Ransomware Work?
Although cybercriminals use a variety of methods to execute a ransomware infection, common vectors include phishing emails, malicious attachments, unpatched systems, credential hijacking, free software downloads and malware-laced websites or advertisements.
Once the malware is deployed, it spreads to other machines on the network, exfiltrates confidential data (emails, login credentials, intellectual property) and tries to find and delete backups, and only then encrypts the files, so that the victim has nothing to restore from. The victim is then expected to pay a fee (usually in cryptocurrency) in exchange for a decryption key that restores systems and services to their original state. Ransomware demands usually carry a payment deadline; if it is missed, the ransom increases. Attackers may also threaten to delete or sell the stolen data, or release it publicly, if the demands are not met.
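The backup-deletion step is the part of that sequence that is easiest to catch in telemetry before encryption starts. The Python script below is an added example, not part of the original article: it runs a small set of detection rules over process-creation records looking for the Windows commands ransomware typically uses to destroy recovery points (vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog, bcdedit recoveryenabled no) and decodes PowerShell -EncodedCommand payloads before matching, since the same commands are often hidden that way. The log line format, the host and user names and the sample records are constructed for the demo; adapt the parser to your own EDR or Sysmon export.

```python
import base64
import re

# Command lines ransomware commonly runs to destroy recovery points before it starts
# encrypting. Each rule is a case-insensitive regex over the (decoded) command line.
RULES = [
    ("shadow_copy_delete",    r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("shadow_storage_resize", r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    ("wmic_shadow_delete",    r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("ps_shadow_delete",      r"win32_shadowcopy.*\.delete\(\)"),
    ("backup_catalog_delete", r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b"),
    ("recovery_disabled",     r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b"),
    ("boot_failures_ignored", r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# Constructed log format for this demo (not a real product's schema):
#   <ISO timestamp> host=<name> user=<account> cmd="<command line>"
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')
# PowerShell's -EncodedCommand / -enc / -ec / -e switch carries base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_powershell(cmd):
    """If cmd carries an encoded PowerShell payload, return the decoded script text, else ''."""
    m = ENC_RE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def match_rules(cmd):
    """Names of the rules that fire on a command line, including any encoded payload."""
    text = cmd + "\n" + decode_encoded_powershell(cmd)
    return [name for name, rx in COMPILED if rx.search(text)]


def detect(lines):
    """Run the rules over log lines; returns one finding per (line, rule) that fired."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed record; in production count these rather than drop silently
        for rule in match_rules(m["cmd"]):
            findings.append({"rule": rule, "ts": m["ts"], "host": m["host"],
                             "user": m["user"], "cmd": m["cmd"]})
    return findings


def sample_lines():
    """Constructed process-creation records: two benign, five destructive."""
    ps_script = "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
    enc = base64.b64encode(ps_script.encode("utf-16-le")).decode()
    return [
        '2024-05-01T10:21:55Z host=FS01 user=CORP\\jdoe cmd="vssadmin.exe list shadows"',
        '2024-05-01T10:22:03Z host=FS01 user=CORP\\jdoe cmd="vssadmin.exe delete shadows /all /quiet"',
        '2024-05-01T10:22:04Z host=FS01 user=CORP\\jdoe cmd="wmic.exe shadowcopy delete"',
        '2024-05-01T10:22:05Z host=FS01 user=CORP\\jdoe cmd="bcdedit.exe /set {default} recoveryenabled No"',
        f'2024-05-01T10:22:06Z host=FS01 user=CORP\\jdoe cmd="powershell.exe -nop -w hidden -enc {enc}"',
        '2024-05-01T10:30:00Z host=BK01 user=CORP\\svc_backup cmd="wbadmin.exe get versions"',
        '2024-05-01T10:30:01Z host=BK01 user=CORP\\svc_backup cmd="wbadmin.exe delete catalog -quiet"',
    ]


if __name__ == "__main__":
    for f in detect(sample_lines()):
        print(f"{f['ts']} {f['host']} {f['user']} [{f['rule']}] {f['cmd'][:60]}")
```

Several of these commands in a row from one user account within seconds, as in the sample, is a much stronger signal than any single one; a backup administrator may legitimately run wbadmin, but nobody legitimately disables Windows recovery and deletes every shadow copy in the same minute.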
Typical Signs of a Ransomware Infection
If you’re impacted by ransomware, the symptoms are fairly obvious. Some telltale signs:
- Users cannot open files, files appear corrupted, or file names carry an unfamiliar extension (often appended after the original one, such as report.docx.locked).
- Your desktop wallpaper suddenly changes, detailing instructions on how you can unlock your files by meeting the extortionist’s demands.
- A program or website suddenly displays a clock, a countdown or a deadline demanding that payment be made, warning that otherwise the ransom will increase and your data will be deleted.
- A window to a ransomware program has opened and you cannot close it.
- Files named HOW TO DECRYPT FILES.TXT, DECRYPT_INSTRUCTIONS.HTML or something along those lines suddenly appear in every directory.
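As an added example (not from the original article), the Python script below turns the symptoms in the list above into an automated triage check over a file share: it looks for ransom-note file names, for an extension appended to a known document type, and for files whose byte entropy is close to 8 bits per byte, which is what encrypted content looks like. The file name pattern, the extension lists, the 7.5-bit threshold and the sample directory it builds are all assumptions made for the demo; compressed or already-encrypted formats are excluded from the entropy test because they are legitimately high-entropy.

```python
import math
import os
import re
import shutil
import tempfile
from collections import Counter

# Ransom-note names from the symptom list above plus the generic "decrypt/restore
# instructions" pattern most families follow. Assumed pattern, extend for your environment.
RANSOM_NOTE_RE = re.compile(
    r"(how[_ ]to[_ ]decrypt|decrypt[_ ]instructions|restore[_ ]files|readme.*decrypt)",
    re.IGNORECASE,
)

# Formats that are legitimately high-entropy (compressed or already encrypted);
# the entropy test alone must not flag them.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf", ".gpg"}

# Extensions an ordinary office share is expected to contain (assumed list).
KNOWN_EXTS = {".txt", ".docx", ".xlsx", ".pptx", ".csv", ".log", ".py", ".html"} | HIGH_ENTROPY_OK

ENTROPY_THRESHOLD = 7.5  # bits per byte; properly encrypted data sits very close to 8.0
SAMPLE_BYTES = 65536     # the first 64 KiB is enough for the entropy estimate


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path, data):
    """Return the indicator names that fire for one file (empty list means clean)."""
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    hits = []
    if RANSOM_NOTE_RE.search(name):
        hits.append("ransom_note")
    if ext and ext not in KNOWN_EXTS:
        hits.append("unknown_extension")
    # Double extension such as report.docx.locked: the original extension is still visible.
    inner_ext = os.path.splitext(stem)[1].lower()
    if inner_ext in KNOWN_EXTS and ext not in KNOWN_EXTS:
        hits.append("appended_extension")
    if ext not in HIGH_ENTROPY_OK and len(data) >= 256 and shannon_entropy(data) > ENTROPY_THRESHOLD:
        hits.append("high_entropy")
    return hits


def scan_directory(root):
    """Walk root and return {relative_path: [indicators]} for every file that fired."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read(SAMPLE_BYTES)
            hits = classify_file(full, data)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def build_sample_tree():
    """Write a constructed sample share to a temp dir (demo data, not real victim files)."""
    root = tempfile.mkdtemp(prefix="rw_demo_")
    samples = {
        "quarterly.txt": b"Q3 revenue summary. " * 200,   # clean text, low entropy
        "HOW TO DECRYPT FILES.TXT": b"Your files are encrypted. Pay 2 BTC.",
        "budget.xlsx.locked": os.urandom(4096),           # "encrypted" and renamed
        "archive.zip": os.urandom(4096),                  # legitimately high-entropy
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Build the sample tree, scan it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_directory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it against a read-only mount of the suspect share; it never writes to the scanned tree. Every hit still needs a human look (a file that fires only high_entropy may be an unusual but legitimate format), but a file that fires appended_extension and high_entropy together, next to a ransom note, is about as clear as a symptom gets.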
I Got Hit by Ransomware. What Are My Options?
If you’re hit by ransomware, it’s important to make an informed decision on the next course of action. If your data is encrypted but not exfiltrated and no credentials have leaked, you have five potential options:
1. Restore from a recent backup.
Restoring data from a recent backup is usually the best first choice, unless the ransomware reached the backups and corrupted them as well (a restore also does nothing about data that was already exfiltrated, which has to be handled as a breach in its own right). Verify by hand that the backup is complete and actually restorable, ideally against checksums recorded when the backup was taken, and restore onto rebuilt or known-clean systems rather than the infected ones. Consider the time factor: how much data have you lost, and how long will it take to restore services? Downloading terabytes from online backups is no easy feat; it can take days, and the downtime cost of the disruption can be significant. Also explore restoring shadow copies, although recent ransomware strains delete shadow copies before they encrypt.
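The manual verification step above can be made systematic. The Python below is an added example, not the article's own procedure: when a backup is taken it records a SHA-256 digest of every file in a manifest and signs the manifest with an HMAC whose key is kept off the backup host; at restore time it re-hashes the backup and reports modified, missing and unexpected files, and rejects a manifest that an attacker has rewritten to match encrypted content. The key, the paths and the file contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile

# Demo key only. In practice the key lives in a vault or HSM that the backup host
# cannot read, otherwise ransomware on that host can re-sign a forged manifest.
KEY = b"demo-key-keep-this-off-the-backup-host"


def build_manifest(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = h.hexdigest()
    return manifest


def _tag(manifest, key):
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_manifest(manifest, key):
    """Wrap the manifest with an HMAC so tampering with the manifest itself is detectable."""
    return {"manifest": manifest, "hmac": _tag(manifest, key)}


def verify_backup(root, signed, key):
    """Check the manifest signature, then compare the backup on disk against it."""
    result = {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    if not hmac.compare_digest(_tag(signed["manifest"], key), signed["hmac"]):
        return result  # manifest was altered or signed with a different key: trust nothing
    recorded, current = signed["manifest"], build_manifest(root)
    result["manifest_ok"] = True
    result["modified"] = sorted(p for p in recorded if p in current and current[p] != recorded[p])
    result["missing"] = sorted(p for p in recorded if p not in current)
    result["unexpected"] = sorted(p for p in current if p not in recorded)
    return result


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Take a backup, sign it, let 'ransomware' reach the share, then verify."""
    root = tempfile.mkdtemp(prefix="backup_demo_")
    try:
        _write(root, "docs/plan.txt", b"Recovery plan v1\n" * 50)
        _write(root, "db/customers.csv", b"id,name\n1,Alice\n2,Bob\n")
        _write(root, "img/logo.png", b"\x89PNG" + os.urandom(512))
        signed = sign_manifest(build_manifest(root), KEY)  # recorded when the backup was taken

        # Simulated ransomware activity on the backup share after the manifest was signed.
        os.remove(os.path.join(root, "docs", "plan.txt"))
        _write(root, "docs/plan.txt.locked", os.urandom(1024))  # encrypted and renamed
        _write(root, "db/customers.csv", os.urandom(256))       # encrypted in place
        _write(root, "HOW_TO_DECRYPT.txt", b"Pay 2 BTC.")        # ransom note dropped

        result = verify_backup(root, signed, KEY)

        # An attacker who rewrites the manifest to match the encrypted files still fails
        # the HMAC check, because the signing key is not on the backup host.
        forged = {"manifest": build_manifest(root), "hmac": signed["hmac"]}
        result["forged_manifest_ok"] = verify_backup(root, forged, KEY)["manifest_ok"]
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A clean manifest check only proves the backup is the same bytes that were written when it was taken; it says nothing about whether those bytes restore into a working system, so pair it with a periodic test restore.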
2. Decrypt files using a decryptor.
Ransomware evolves continuously, but some older strains have decryptors available from mainstream security vendors, law enforcement agencies and independent threat researchers (the No More Ransom project, run by Europol together with security vendors, is the usual place to start looking). This is often not a viable solution, but it costs little to check, provided you experiment on copies of the encrypted files and never on the only copy. Start by identifying the strain: the ransom note, the appended file extension and the structure of the encrypted files usually identify the family, whereas version numbers quoted in the note can be unreliable. Before you download a decryptor or unlocker, make sure it comes from a reputable source; fake decryptors that are themselves malware do circulate. Consult security professionals about the pros and cons before you run one.
3. Do nothing (lose your data).
One obvious option is to do nothing. If you are an individual or a small business without a backup and you can live with the consequences of losing the data, this may be a valid choice. Even so, keep a copy of the encrypted files in case a decryptor for the strain is released later, rid the machine of all malware by reinstalling the operating system from known-good media, and put countermeasures in place to avoid a repeat.
4. Pay the ransom.
Note that the FBI and other government bodies do not recommend paying the extortionists, because payments fund and encourage further attacks. Four U.S. states have already proposed laws to ban ransomware payments. Paying also carries its own risks: there is no guarantee that a working decryptor arrives, the decryptors that do arrive are often slow or unreliable, and a payment does nothing about data that has already been stolen. Before you consider paying, contact the FBI, your lawyers, security professionals and your insurance carrier; they may be able to help negotiate the terms. The U.S. Treasury's Office of Foreign Assets Control (OFAC) has issued an advisory warning that entities facilitating ransomware payments may be violating sanctions regulations if the recipient is a sanctioned party.
5. Contact law enforcement.
As a first measure, include contacts for the relevant federal agencies in your incident response plan before anything happens. Report the incident to your local FBI field office, CyWatch and the Internet Crime Complaint Center (IC3); the Cybersecurity & Infrastructure Security Agency (CISA) publishes reporting guidance. Reporting does not rule out any of the other options and should accompany whichever one you choose.
It goes without saying: an ounce of prevention is worth a pound of cure. Since backups alone won't save the day, it is still important to have the right technical controls in place to thwart ransomware attacks before they reach the encryption stage.