According to Security Magazine, businesses experienced a significant uptick in ransomware attacks in early 2023. It seems we’re far from in the clear, particularly in the manufacturing industry, where an early 2023 attack surge put these companies at the top of the ransomware target list.
What’s going on? And how can companies protect themselves? How does ransomware work? The more you and your employees know about this malware threat, the better. Knowledge is power in cybersecurity circles, and this is particularly true here because just a few preventative steps can stop these attacks cold.
Here’s what you should know about ransomware, how it works, and how to stop these attacks.
Ransomware is malicious software (malware) designed to encrypt a victim’s files or lock their computer system, holding it hostage until the company or individual pays a ransom.
Ransomware typically begins with the initial compromise, where the malicious software enters the victim’s system, often through a phishing email.
Then, the ransomware executes its code, launching a payload that encrypts the victim’s files and renders them inaccessible. A ransom note appears on the affected devices, demanding payment for the decryption key. If the victim agrees to pay, they follow the instructions provided; the ransom is usually paid through cryptocurrency transactions.
Alternatively, data extortion may occur, where valuable information is stolen and held hostage. Recovering from an attack involves removing the malware, restoring files from backups, and addressing the breach’s aftermath.
Businesses typically experience these ransomware attack stages:
Hackers continually evolve their techniques for delivering ransomware malware. Some of the most typical delivery mechanisms today include:
It varies. According to a 2021 report, the average ransom demand was $750,000. A 2022 report puts that number much higher, at $4.7 million.
Ransomware targets the vulnerable. Small businesses are the targets of 82% of ransomware incidents. Hackers may target specific industries with the potential for a high ransom, and companies holding valuable business data are also attractive targets.
A ransomware hacker looks for companies with fragile cybersecurity measures, such as outdated software, weak passwords, unpatched systems or a lack of regular employee training.
Ransomware attacks are orchestrated by various threat actors, from organized cybercriminal groups to state-sponsored actors seeking political gain. Some ransomware is launched by so-called “hacktivists,” who are motivated by ideological causes. Individual hackers may be seeking income. Finally, insider threats, such as a disgruntled employee, can launch a ransomware attack. (Read more: Internal IT Threats: How to Protect Your Business)
The perfect storm for a ransomware attack is a phishing email and a computer or IT system without the latest security upgrade. Ransomware is a malicious file. In most cases, an individual must click on a file link to download the malware. Every employee in your organization creates the potential for ransomware risk.
The behavior of ransomware varies depending on its design. Some ransomware may focus only on encrypting files without propagating itself further. Other ransomware may target specific file types, spread laterally across a network or focus on shared drives to infect remote devices. Ultimately, ransomware spreads by exploiting our vulnerabilities.
The first step in handling a ransomware attack is to isolate and contain the affected systems so the malware will not spread further. Time is of the essence as you assess the scope and severity of the attack. Reporting the breach to stakeholders, including marketing and PR teams, is essential for controlling messaging around the security incident.
If you lack the security resources, reach out to cybersecurity experts who specialize in ransomware. Ransomware is a crime, so you should also report the attack to law enforcement. Finally, mitigate the damage by recovering and restoring files. As part of this process, consider what the organization has learned from the attack to shore up defenses moving forward.
In a ransomware attack, the first thing to do is take immediate action to isolate and disconnect the affected system from the rest of your network. This step is critical to stopping the damage quickly before it spreads. It gives you time to focus on ransomware removal within a smaller, contained area of your IT infrastructure.
Ransomware removal from an infected system is a complex process that requires cybersecurity expertise. Some of the general steps necessary to remove ransomware include:
Law enforcement agencies say you should not pay the ransom. The reality is that, even if you pay, there is only a small likelihood you’ll get your data back. Only 8% of companies get their data back, even after paying the ransom.
Related: Do you need cyber insurance?
The duration of a ransomware attack depends on its complexity, the type of malware and the effectiveness of your response. The time it takes to detect the ransomware attack largely determines how long it lasts and how far the damage spreads. Your ability to isolate infected systems and implement remediation can limit the attack’s duration.
After you remove the ransomware, the time for recovery depends on whether you have clean, recent backups to restore files or if you must rebuild data from scratch. Even your decision on whether to pay the ransom can affect the length of the process.
If an organization decides to negotiate and pay the ransom, the logistics of doing so will also affect its recovery time.
It can take weeks for the dust to settle after a ransomware attack, even for a small business. If you pay the ransom, you will only recover about 65% of your data, on average. The data restoration process and the investigation and analysis of what went wrong take time, as do the steps for enhancing your organizational security processes.
Communication and reporting to internal and external stakeholders are also necessary to share your progress. While small companies may worry less about a public relations nightmare caused by a ransomware attack, larger organizations, such as hospitals or local government institutions, often face negative public scrutiny. Above all, organizations must clearly define how they will prevent similar ransomware incidents, even as they rebuild.
The best way to stop ransomware is to prevent an attack from occurring in the first place. While no method can provide 100% protection, implementing security measures can significantly reduce your risk. For example:
Worried about ransomware? The Sikich cybersecurity team is expert in mitigating the risk of ransomware and other threats to your business. Contact us to discuss your options.
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.