With the move to working from home and remote access to systems over the last year or two, both IT Security as an overall objective and Online Security have increased in importance as a particular concern in IT departments.
In parallel with the move to online access, hackers have increased their attacks, thinking that organisations won’t have stepped up their Online Security profiles, leaving opportunities for them to use new and existing attack vectors.
Both commercial organisations and home users must step up their Online and IT Security defences.
Simply put, a ransomware attack is one where an attacker encrypts all or part of an IT installation, preventing legitimate users from using applications and data. The attackers demand payment, usually in cryptocurrency, before supplying a decryption key.
The encryption malware is commonly supplied via a phishing exploit, or uploaded from an insecure device, for example, a flash drive attached to equipment by a user.
Problems with Ransomware
Before a solution is implemented, the organisation's IT systems are shut down, leading, at the very least, to customer dissatisfaction and loss of business. At worst, especially for an e-commerce organisation, it might threaten business survival.
The obvious solution is to pay the ransom, decrypt your systems and return to normal.
There are several major problems here:
- The hackers might never supply the decryption key or supply one that does not work;
- Recovering to a sound footing takes longer than the business can sustain;
- The recovery process leaves malware embedded in your systems;
- By admitting that you are willing to pay, you are leaving yourself open to a repeat attack; and
- Your business reputation takes a heavy knock, and customers stop using you, fearing that their financial information will be or has been compromised.
Surviving a Ransomware Attack
The most vital activity IT can undertake to counter ransomware and make a quick recovery is to have good, malware-free and accessible backups of the current systems environment. This will include copies of all corporate databases and vital information. Most prudent organisations don't allow users to keep vital information on their desktops, but rather in central user directories on a shared resource. That eases the problem.
Negotiating with the hacker is a long and tedious process, and may ultimately fail. Even if the hacker provides an unlock key, it may not work, or only work partially. Trying to work out the decryption key is also a long process, probably doomed to failure.
The quickest way is to go back to bare metal. Reformat and reload system servers from backup images, and do the same with data repositories. Take care that the backup predates the ransomware attack. Some work may need to be reprocessed.
How to go about that depends on the configuration of the systems and what has been affected by the ransomware attack. Systems may need to be recovered in a specific order.
One thing to be careful of with a hot standby site is ensuring that it has not also been affected by the ransomware. If the standby receives automatic database updates, it may have been infected as well. If it hasn't, then switching to it is a cost-free and effective recovery method.
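The two checks above (the backup must predate the attack, and it must still be intact) can be scripted. The following is an added example, not code from the original article; the image bytes, catalogue and compromise time are constructed values, and the catalogue of hashes is assumed to have been recorded on storage the attacker could not rewrite.

```python
import hashlib
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_utc(stamp: str) -> datetime:
    # ISO 8601 with a trailing Z; rewritten so older fromisoformat() accepts it.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


# Constructed sample images standing in for server or database backup images.
IMAGES = {
    "full-2024-03-08": b"server image 2024-03-08 (clean)",
    "full-2024-03-09": b"server image 2024-03-09 (clean)",
    "full-2024-03-10": b"server image 2024-03-10 (taken after encryption began)",
}

# Constructed catalogue written when each backup was taken. The hash is the
# reference we compare against, so it must live on offline or write-once storage.
CATALOGUE = [
    {"id": name, "taken_at": f"{name[5:]}T02:00:00Z", "sha256": sha256_hex(data)}
    for name, data in IMAGES.items()
]

# Simulate an image silently altered on storage after it was catalogued.
IMAGES["full-2024-03-09"] = b"server image 2024-03-09 (altered on storage)"


def verify_image(entry: dict, image: bytes) -> bool:
    """True when the image still matches the hash recorded at backup time."""
    return sha256_hex(image) == entry["sha256"]


def choose_restore_candidate(catalogue, images, compromise_time: str):
    """Newest backup taken before the compromise that still verifies, else None."""
    cutoff = parse_utc(compromise_time)
    pre_attack = [e for e in catalogue if parse_utc(e["taken_at"]) < cutoff]
    for entry in sorted(pre_attack, key=lambda e: e["taken_at"], reverse=True):
        if verify_image(entry, images[entry["id"]]):
            return entry["id"]
    return None


if __name__ == "__main__":
    # Earliest evidence of encryption activity from logs (constructed value).
    print(choose_restore_candidate(CATALOGUE, IMAGES, "2024-03-10T01:30:00Z"))
```

The 10 March image is rejected because it was taken after encryption began, and the 9 March image because its hash no longer matches, so the 8 March image is the one to restore.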
Preparation is the best weapon
If you haven’t been hit by a malware attack, then it is only a matter of time. The FBI say that the only secure site is one that has not been hacked yet.
The first and most important thing is to have a Business Continuity Plan. A ransomware attack is a company-wide event, which requires a coordinated response from all sectors of the business, not just IT.
It should include:
- Defined manual processes which allow essential business activities like sales order taking, dispatch and payments to continue;
- PR tasks to allay customer fears and to provide regular progress updates; and
- A management team, including senior management, tasked with overseeing the resolution of the problem and holding the executive authority to provide resources.
Ransomware can mean the end of a business, but with preparation and calmness it can be quickly overcome. Preparation can reduce the panic levels associated with a ransomware attack, and help with the return to normal activities.