Every year that goes by puts you at greater risk of a ransomware attack — and at risk of incurring greater damages.
The financial effects of ransomware are increasing as attackers have discovered new techniques that produce better and longer lasting results in their favor. For example, double extortion is an increasing trend. In double extortion, not only must organizations pay a ransom in exchange for a decryption key, but also a second ransom for data that the attackers have exfiltrated.
As technology advances, attackers continue to find new ways to avoid detection and become more innovative in their schemes.
Just a couple of weeks ago, a competition pulled together several white hat hackers to find vulnerabilities in various systems and applications. In a single day, the group of hackers discovered 12 zero-day vulnerabilities that had never been detected before.
Imagine how many vulnerabilities are being discovered by full-time hacker teams each month. A disastrous ransomware attack is a real possibility for your organization.
How Bad Is a Ransomware Attack?
The purpose of a ransomware attack is to make the target device inaccessible for the targeted organization, but accessible to the bad guys. To recover access to the device, the organization must pay a ransom — usually, a hefty one.
If you’re lucky, the attack locks you out of a printer or a laptop and that’s it. You have to replace the device, but you can avoid the ransom.
The more common scenario is closer to the other end of the spectrum. Attackers encrypt your web server, making it unusable. Or your file server is locked down, and all the entire company’s files are held ransom. If they get your database server that sits behind your web server, your primary form of business is shut down and your entire business grinds to a standstill.
On top of that, the attackers have access to everything that’s on the encrypted device. Any sensitive data is now susceptible to exposure.
If you haven’t prepared ahead of time, your options are severely limited. Most likely, you’re paying the ransom and making a public announcement that you’ve been breached. This “solution” will have devastating long term impacts on your business. Every time a current client or a prospect sees your name in lights on Google, you’ll need to explain why they should trust you even though you’ve received a Scarlet Letter.
Real-life Stories of Ransomware Attacks
I’ve seen it happen firsthand. I knew one organization that had ransomware spread across the workplace, encrypting everything within the office and jumping from machine to machine. It essentially dragged the company to a halt for days while they tried to figure out how to dig out of it and put all the pieces back together.
Another organization got ransomware on their production environment. Their code repository server got attacked, and even their backup servers were hit. They had no recovery mechanism and they were dead in the water for weeks.
The financial impacts on these organizations were enormous:
- They were paying people who weren’t able to work.
- They lost business each day they were shut down.
- They took a hit on their reputation as they had to make a very public announcement.
Those impacts have long term effects that don’t just go away once your systems are restored. A single ransomware attack can put a company out of business.
How to Prepare for a Ransomware Attack
Before we continue, let me be very clear: this section is the most important part of this article, by far. If you’re the victim of a ransomware attack, the only thing that will give your organization a chance is if you’re prepared.
If you haven’t prepared and you have a ransomware attack, you are going to be in real trouble.
Let’s walk through the steps for preparing your organization to survive a ransomware attack.
1) Think through various scenarios
Think through all the implications and possibilities. If you have remote workers, what happens if the attack spreads across remote worker devices? What if it’s going through your office and your corporate servers get encrypted? What happens if ransomware attackers access your production environment?
You don’t want to have an event, only to then discover you have a problem
Organizations need to look differently at their environment. You need to play those what-if scenarios. What if ransomware gets onto your laptops? If you have a distributed workforce, how will you get new machines to your people? What are all your potential ripple impacts?
Consider all of the scenarios that are relevant to your business.
2) Have a gameplan
Play scenario games. What happens if a ransomware attack hits this or that area? What’s the first thing you do? What’s the next thing, and the thing after that? At each step of the scenario, ask yourself if you have everything in place and what gaps exist.
Some important questions to ask:
- Do you have backups of your local machines?
- Do you have spare devices that you can send to your workers?
- Do you have backups of your local and cloud servers?
- Is the backup location connected directly to the primary location? (If so, the backup is at risk of getting encrypted as well.)
This is where your disaster recovery and business continuity plans take center stage.
How often do you back up your data? Is it valid to within a day? Within 30 minutes? This is called your recovery point objective (RPO), and the ideal RPO varies from business to business. You’ll need to figure out the right RPO for your organization and validate to make sure it’s running on that schedule.
Also be aware how long it will take to recover your data. This is your recovery time objective (RTO). Your recovery plan will look different if it takes four hours to recover your data or five days.
3) Test and validate periodically
One of the most important things that many organizations fail to do: they put all the time into preparation but don’t validate. Then they get hit with an attack, and it’s at that moment when they realize their mistake. They have all their backups configured to run, but they weren’t running. Or for some reason, the backups have failed but nobody was aware.
So it’s critical to test thoroughly and periodically.
It often helps to have a third party to help you develop and test your recovery plan. TCT can recommend numerous Service Providers whom we trust.
What to Do if You’re Attacked with Ransomware
Even if you’re thoroughly prepared, you can still get hit with a ransomware attack — but your chances of suffering minimal damage are substantially improved. If you do get attacked, there are several scenarios that could play out:
- You recover everything from a backup and don’t pay the ransom.
- If it’s a limited attack, you recreate everything from scratch and don’t pay the ransom.
- You pay the ransom and hope it doesn’t happen again.
These options depend on how much preparation you’ve done before your ransomware attack.
Any time you have a security-related event, bring in your legal counsel — someone who is familiar with the IT and cybersecurity arena, not a business attorney.
If you’ve prepared ahead of time…
The good news is that this isn’t the end of the world. You can pull out your disaster recovery/business continuity plans and run through the steps towards recovery. This is a fairly streamlined process, especially if you’ve put in the work and performed regular training internally.
Any time you have an incident like a ransomware attack, part of your disaster recovery should include hiring a vetted forensics company that can assist you to discover what happened, the full impact of it, what data has been accessed, etc.
Get your arms around what occurred and all of the potential ripple effects. Do your due diligence to determine the security impacts for your organization, your customers, and your vendors/partners.
If you didn’t adequately prepare…
You need to act fast. Seconds count — literally. The quicker you can get someone in, the quicker you can stop the spread of the attack.
Your very first steps are to contact legal, insurance, and a forensics company who can help you with both discovery and recovery. What happens next will vary, depending on your organization and the situation itself. Your forensics company can guide you through the analysis and lead you through the process in combination with legal and insurance.
You’ll need guidance from security experts and legal experts. Work with them to determine the right approach for recovery from the attack.
Unfortunately, to get your business back, you may need to pay the ransom — especially if you haven’t done the prep work beforehand. But even if you’re well prepared, there’s no guarantee you can avoid the ransom 100 percent of the time. That said, your chances are astronomically better if you’re doing your due diligence to prepare.
Protect Your Company with TCT
A ransomware attack isn’t something you can avoid simply by putting your head in the sand or plugging your ears to reality. But if you prepare ahead of time, you can usually mitigate the damage to your company, avoid paying the ransom, and keep your business alive.
TCT has walked with companies through the shock and awe of ransomware attacks and we can help proactively protect your organization. Need to know where to start? Let’s talk.