Do This First If You’re Hit With a Ransomware Attack

Small and midsize businesses never used to have to worry about ransomware attacks. They were too small, too unknown and hackers went to the bigger companies with the deeper pockets. But that is now ancient history. Would you know what to do if you see the dreaded ransomware message?

Small Businesses Are Big Targets for Cyber Attacks

Today, small businesses are actually the biggest targets. As larger companies have taken steps to shore up their cybersecurity, a lot of smaller companies have not, making them soft targets.

Cybercrime has been on the rise for more than a decade, but skyrocketed 600 percent since the start of the COVID-19 pandemic. No one is safe. Businesses of all sizes, across all industries, are being targeted — even cities, states and local governments.

The cost of a cyber attack goes far beyond just the ransom demands.  According to an insurance report, about 20 percent  of small businesses that are breached are going to spend a minimum of $250,000 in remediation. And remediation just means “acceptable levels.” Companies may still have lost data or money, but they’re able to keep the doors open and resume business.

Springing the Ransomware Trap

A ransomware attack is when a malicious program (malware) infiltrates a computer or network and locks all the files so that the business can’t access them without an encryption key. The attacker basically is holding the company’s data hostage and claims they’ll provide the key for a payment.

But you won’t get the “ransom note” the moment the malware hits your system. Instead, it runs silently in the background, searching your system, spreading through the network and looking for additional targets, including other computers, file servers and backups. After all, the more data it encrypts , the more likely you are to pay the ransom. Once it achieves enough data, it triggers the encryption and the ransomware message notifying you that you’ve been hit.

The “ransom note” comes in the form of a message that appears on your screen and likely the screens of every infected device. It will simply announce that your files are locked and demand you pay a ransom, usually in a form of cryptocurrency like Bitcoin, Etherum or Monera, which are all difficult to trace. There might also be a countdown clock or a time deadline for when your files will become locked permanently.

Sophisticated cyber criminals might even provide a phone number to a “support team help desk” to aid you in making the ransom payment. The implied promise is that if you pay the ransom, the data will be unlocked.

But these are criminals, remember, so the ransomer doesn’t always provide the key, even if the ransom is paid. And the keys provided don’t always work. The FBI and most cybersecurity experts will tell you not to pay the ransom. Depending on your industry, there may even be legal repercussions if you DO pay. But it’s your business on the line. So what should you do if you’re hit with a ransomware attack?

I’m Hit (By Ransomware)! What Now?

Don’t panic. (We recommend taking a few deep breaths.) If you get the dreaded ransomware screen, follow these steps:

1. Take a photo of the ransomware message. It may come in handy later when you are restoring your data or making a police report.
   
2. Turn off the computer and unplug it; both from the power outlet and the network. That way it can’t continue to infect other devices. Of course, it may have already, but you could prevent additional spread. Take additional photos and shut down any device with a ransom message.
   
3. Notify your IT team or managed service provider (both if you have them). Experienced technicians may be able to unlock your data using anti-malware systems they’ve previously installed or through a site called nomoreransom.org. Law enforcement can also help and your IT or MSP tech will contact them.
   
4. Contact your insurance company (and your cyber insurance carrier if you have one).
   
5. Contact your lawyer or legal counsel to determine if you have a legal requirement to notify law enforcement of the ransomware attack.

What NOT to Do If You Receive a Ransomware Message

It’s not a pleasant message to receive. But don’t let that trigger some of these really not helpful responses:

• DON’T be so embarrassed or scared that you don’t alert people right away. Keeping the attack a secret could have big consequences, from legal actions to fines and more. Some businesses are legally required to report a potential data breach.
  
• DON’T immediately pay the ransom. You might be able to recover your data with a free key. And there’s also a (slim) chance that your files aren’t actually encrypted. It’s not unheard of for someone to fake a ransomware attack and try to scare you into sending the ransom. Remember step 3: Don’t take any more action until your IT team or MSP tech have had a chance to review the system.
  
• DON’T use the computer until it has been cleared by a cyber security professional. Even if you paid the ransom and got the data unlocked, the malware that started it all will still be present, continuing to put your data security at risk.

The BEST and WORST Case Scenarios

You could get lucky and the attack is either fake or limited to a small area of data or a few systems that are not critical to your business. But let’s face it, very few businesses are that lucky. 

The BEST case scenario is you are already an Aeko client and recovery is relatively easy. We simply restore data from the most recent, uncorrupted point. No paying the ransom or extensive recovery fees. Your business is open and humming along with little disruption.

There’s a wide range of bad outcomes, but the WORST case scenario is probably that you pay the ransom and the cybercriminals still leak your data or don’t unlock your system. So, you end up with all the costs of remediating the breach and recovering your data without the encryption key — in addition to the ransom you already paid.

Is It Over? After the Ransomware Attack

Time for another deep breath. It’s over. You can recover. It’s time to apply some lessons learned. Here’s a checklist of items to make sure you have before the next cyber attack hits:

• A comprehensive business continuity and disaster recovery (BCDR) plan
  
• Good endpoint protection software that can protect your devices from known ransomware, viruses or other malware
  
• Training for yourself and all endpoint users on the methods criminals use to gain access to systems, including phishing, sim hijacking and websites offering free downloads
  
• Best password practices in place across your business, including using multi-factor authentication (MFA) and a password manager
  
• Backups that are tested regularly so you know they’ll work when they need to
  
• Attack simulations to find weak points in your system
  
• Consistent training to help your team avoid falling into the traps

A managed service provider (MSP) and certified information security manager (CISM) can help you or your in-house IT team with this process and stay on top of the latest cybersecurity trends. 

Need help? Contact us or book an appointment. There’s no pressure and no obligation.