In 2021, there was a significant increase in the use of ransomware against organizations in the United States, the United Kingdom, and Australia.
Ransomware is malware that encrypts a victim’s files so they cannot be used until a ransom is paid, hence the name. Modern ransomware operators typically gain access to the network first, copy sensitive data out of it, and only then run the encryption; they then threaten to leak the stolen data and keep business operations halted until the victim pays.
Unfortunately, paying the ransom does not guarantee that the threat actor will decrypt your files or refrain from leaking your data. In fact, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) does not recommend paying ransoms at all: every payment funds the criminal ecosystem, and the more profitable ransomware is, the more common and sophisticated it is likely to become.
Instead, CISA – together with the United Kingdom’s National Cyber Security Centre (NCSC-UK) and the Australian Cyber Security Centre (ACSC) – has published specific recommendations for preventing ransomware attacks and limiting their impact when they do occur.
How Has Ransomware Become More Common and More Dangerous?
The increase in ransomware attacks can be attributed to the COVID-19 pandemic in more ways than one. First, the rapid shift to remote work pushed businesses, government bodies, and schools onto cloud services and remote-access tools, and any of those that were exposed to the internet with weak credentials or missing patches became reachable by attackers. Second, the pandemic lowered the income of many households as lockdowns and supply-chain issues persisted, making online illicit activities – like the use of ransomware – a more accessible way of earning money.
As ransomware has become more profitable and accessible, ransomware operations have become more businesslike. Ransomware-as-a-service groups now rent their malware to affiliates who carry out the intrusions, and some run “customer support” desks that walk victims through paying the ransom and decrypting their files.
These groups have also increased their take by sharing victim information and stolen data with other criminal groups. That means that once a victim’s data has been stolen, several criminal organizations may use it to threaten and extort them.
How Could Ransomware Get Into My Network?
The most common initial access method is phishing: an email or message in which the criminal poses as a legitimate entity – the IRS, law enforcement, a bank, or an antimalware vendor – and creates urgency or fear with a supposed problem, say, an issue with your most recent tax filing, an arrest warrant, or, most ironically, a security breach on your network.
To “fix” the problem, the user is told to open an attachment or click a link. Doing so installs malware (often a loader or remote-access tool rather than the ransomware itself) or steals the user’s credentials, giving the threat actor a foothold from which the ransomware is later deployed across the network. Phishing is not the only route: the same joint advisory lists stolen or brute-forced Remote Desktop Protocol (RDP) credentials and the exploitation of unpatched, internet-facing software as the other leading entry points.
How Can I Prevent Ransomware from Impacting My Organization?
Here are the measures that CISA, ACSC, and NCSC-UK recommend an organization take to reduce the likelihood and impact of a ransomware attack:
1. Keep operating systems and software patched and up to date, prioritizing internet-facing systems.
2. Secure and monitor remote access: limit who can use RDP and VPNs, require MFA for them, and disable accounts and services that are not needed.
3. Require multi-factor authentication for as many services as possible, especially email, VPN, and privileged accounts, and enforce strong, unique passwords.
4. Train users to recognize phishing and run phishing exercises.
5. Apply least privilege and segment the network so that one compromised workstation cannot reach everything.
6. Maintain offline, encrypted backups, test restoring from them regularly, and keep at least one copy that cannot be modified or deleted from the network.
7. Monitor for abnormal activity with logging and network-monitoring tools so an intrusion is caught before the encryption phase begins.
Most importantly, they recommend not paying the ransom, since payment encourages cybercriminals to continue using ransomware to extort money and does not guarantee that you will get your data back.
How Should I Respond to a Ransomware Attack?
Should ransomware breach your organization’s network, it is important to act fast and follow these best practices:
1. Record the evidence: the name of the file that was downloaded or run, the extension added to encrypted files, and the full contents of the ransom note.
This can be done quickly by taking a picture of the screen with your phone. The ransom note and a sample of the encrypted files identify the ransomware family, which IT professionals and the authorities need, and for some families a free decryptor already exists.
2. Isolate the infected device.
Disconnect it from the network immediately (unplug the Ethernet cable, disable Wi-Fi) so the ransomware can neither keep spreading nor reach its operators. Prefer isolation over powering off: shutting down destroys volatile evidence in memory that forensic responders may need, and it does not reliably stop an encryption process that has already run. Power the machine off only if you cannot disconnect it from the network. Either way, do not turn it back on or try to clean it yourself – enlist the help of an IT or incident-response professional.
3. Disconnect all other devices from the network.
Pull network cables, disable Wi-Fi, or, where an administrator can do it, isolate the affected network segment at the switch. Again, disconnecting is better than powering off, but unplugging the power is acceptable if it is the only way to cut a device off quickly, and it may slow the spread.
4. Reset your passwords.
Reset every credential that may have been exposed, starting with domain administrator and other privileged accounts, and do it from a known-clean device after containment, since the attacker may still be capturing whatever is typed on compromised machines. Enable MFA if you haven’t already.
5. Locate backups.
Do not connect backups to the infected network, as that will expose them to the malware; keep them offline until the environment has been verified clean, and check that the backup itself has not already been encrypted. If you have no clean backups, an IT professional may be able to help recover your encrypted data (free decryptors exist for some ransomware families), but there is no guarantee that they’ll be able to.
6. Remove the ransomware.
This is done by wiping the infected drives and devices and reinstalling their operating systems, which permanently deletes the data that was stored on them. If an investigation, insurance claim, or legal action is likely, take a forensic image of the affected disks before wiping them.
7. Restore information from the backup.
Once your computers and network have been verified ransomware-free, restore from the clean backups, starting with the most critical systems, and check the restored data before reconnecting everything.
8. Notify the authorities of the attack.
Report the incident to the relevant national body: CISA or the FBI’s Internet Crime Complaint Center (IC3) in the United States, NCSC-UK in the United Kingdom, and the ACSC in Australia. Reporting gives investigators indicators that help them track and disrupt the group, may connect you with a known decryptor, and helps protect other potential targets.
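As an added example for the response steps above (it is not code from the joint advisory or from the original article), the following script does the evidence-capture part of step 1 before the wipe in step 6 destroys it: it walks a directory tree, flags files that read like a ransom note, flags files whose byte entropy is high enough to suggest they have been encrypted, and records a SHA-256 hash of each so the evidence can be handed to responders and law enforcement. The keyword list, the entropy threshold, and the sample files built by demo() are assumptions chosen for this illustration, not data from any real incident.

```python
"""
Ransomware triage helper (illustrative, not the advisory's own tooling):
record ransom notes and suspected-encrypted files, with hashes, before a
wipe-and-reinstall destroys them.
"""
import hashlib
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.0        # assumed: text is ~4-5 bits/byte, ciphertext close to 8
NOTE_KEYWORDS = ("decrypt", "bitcoin", "ransom", "your files")  # assumed note vocabulary
MAX_READ = 1 << 20             # only the first 1 MiB is used for entropy/keyword checks


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    """Hash the whole file in chunks so large files never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_ransom_note(head: bytes) -> bool:
    """Treat a file as a ransom note when at least two of the keywords appear in it."""
    text = head.decode("utf-8", errors="ignore").lower()
    return sum(1 for k in NOTE_KEYWORDS if k in text) >= 2


def triage(root: Path) -> dict:
    """Build an evidence record for every regular file under root.

    High-entropy hits are leads, not proof: compressed or already-encrypted
    formats (zip, jpeg, office documents) score high too, so the list is for
    a responder to review, not something to act on automatically.
    """
    record = {"root": str(root), "ransom_notes": [], "suspected_encrypted": [], "errors": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            with path.open("rb") as f:
                head = f.read(MAX_READ)
            entry = {
                "path": path.relative_to(root).as_posix(),
                "size": path.stat().st_size,
                "sha256": sha256_file(path),
                "entropy": round(shannon_entropy(head), 2),
            }
        except OSError as exc:          # unreadable files are logged, not skipped silently
            record["errors"].append(f"{path}: {exc}")
            continue
        if looks_like_ransom_note(head):
            entry["note_text"] = head.decode("utf-8", errors="ignore")[:2000]
            record["ransom_notes"].append(entry)
        elif entry["entropy"] >= ENTROPY_THRESHOLD:
            record["suspected_encrypted"].append(entry)
    return record


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes that stand in for ciphertext in the demo."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def demo() -> dict:
    """Run triage over a constructed sample tree (not data from any real incident)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "quarterly.txt").write_text("Quarterly figures for the board meeting.\n" * 20)
        (root / "docs" / "quarterly.txt.locked").write_bytes(pseudo_random(4096))
        (root / "README_TO_DECRYPT.txt").write_text(
            "Your files have been encrypted. To decrypt them, send 0.5 bitcoin to the address below.\n"
        )
        return triage(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a copy of the affected share, or against the live tree from an isolated machine, and keep the JSON it prints with the photograph of the ransom note. The hashes let responders confirm later that the files they receive are the ones captured at the time, and the note text is what identifies the ransomware family when you report the incident.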
While ransomware has become more commonplace in the era of working from home, your organization can take concrete steps to prevent attacks and to recover from them. By responding quickly to a breach and reporting it, you minimize both its impact on your organization and the likelihood that the attackers will succeed again.