June 15, 2023

What to Do if Your Company Is Held Hostage by Ransomware

In recent years, ransomware attacks have become an increasingly common threat to businesses of all sizes. Attacks can have serious consequences, including data loss, financial losses, and operational disruptions.

Of course, how to prevent a ransomware attack is what every business owner wants to know. But what if the disaster has already happened? In this article, we'll cover what to do if your company's data is held hostage by ransomware as well as best practices for preventing future attacks. We'll also look into real-world ransomware examples so you can learn from the past to protect the future.


What is ransomware?

Ransomware is a type of malicious software (malware) designed to block access to a computer system or files until a ransom is paid. Ransomware can infect a computer network in a variety of ways, such as through phishing emails, malicious websites, or software vulnerabilities.

Once ransomware infects a system, it typically encrypts the victim's files and displays a message demanding payment in exchange for the decryption key. The ransom payment is usually requested in cryptocurrency, such as Bitcoin, as this is more difficult to trace.

What are the consequences of ransomware?

Ransomware attacks can cause significant disruption at considerable cost to businesses and individuals. Depending on the target, a ransomware attack can also have wider implications affecting national security and public health and safety.

Here are some of the most common consequences of a ransomware attack:

  • Data loss: Ransomware can encrypt or destroy important files, resulting in the loss of critical data that can be difficult or impossible to recover.
  • Financial losses: Ransom demands can be in the millions, and organizations may also incur additional expenses related to restoring data, investigating the attack, and implementing new security measures.
  • Business disruption: Ransomware attacks can cause severe operational disruptions, preventing organizations from accessing critical systems and data, and leading to lost productivity and revenue.
  • Reputation damage: A successful ransomware attack can damage an organization's reputation, eroding trust with customers, partners, and investors. In fact, 20% of ransomware costs are attributed to reputation damage.
  • Legal and regulatory issues: In some cases, organizations may be required to report ransomware attacks to regulatory authorities, and may face legal or financial penalties for data breaches or other compliance violations.
  • Increased risk of future attacks: Once an organization has been targeted by ransomware, it may be more vulnerable to future attacks, as attackers may view the organization as an easy target for further exploitation.

Overall, ransomware attacks can have significant financial, operational, and reputational consequences, which is why learning how to prevent ransomware is so important in the first place!

Real-world ransomware examples

In the first half of 2022 alone, there were more than 236 million ransomware attacks globally. Let's take a look at just five real-world ransomware examples, the type of ransomware they were hit with, how it happened, and the impact:

UK's National Health Service, WannaCry ransomware

In May 2017, WannaCry ransomware affected more than 200,000 computers in 150 countries, including those used in the UK's National Health Service (NHS). This wasn't a targeted attack on the NHS; rather, the ransomware spread through a specific Microsoft Windows vulnerability. Most of the NHS devices infected with the ransomware were found to have been running the unpatched Microsoft Windows 7 operating system.

The attack resulted in more than 19,000 canceled appointments. The disruption to services, the cost of additional IT support and consultants, and the cost of restoring data and systems affected were estimated to be around £92 million.

Mondelez International, NotPetya ransomware

In June 2017, a ransomware strain known as NotPetya affected Mondelez International, the maker of Oreos and Ritz Crackers. The ransomware exploited a vulnerability in Microsoft Windows, allowing it to spread quickly throughout networks with outdated security software. The ransomware paralyzed 1,700 of Mondelez's servers and 24,000 laptops. This is one of the most expensive ransomware examples on our list. The downtime, lost profits, and remediation costs totaled more than $100 million in damages. The amount should be enough to make you skip ahead to our section on how to prevent ransomware!

Colonial Pipeline

In May 2021, the Colonial Pipeline, which supplies nearly half of the fuel consumed on the US East Coast, was hit by a ransomware attack after attackers gained access to its system using a single stolen password. Colonial Pipeline ended up paying the demanded ransom payment of $4.4 million in Bitcoin. Although the Justice Department managed to recover $2.3 million of it, the attack forced Colonial Pipeline to shut down its operations.

JBS, Sodinokibi Ransomware

In June 2021, JBS, the world's largest meat processing company, was hit by a ransomware attack that disrupted operations across its facilities in Australia, Canada, and the US. Experts believe access to the system was gained via leaked employee credentials from a breach a few months before the attack.

The Brazil-based company paid $11 million in Bitcoin to the gang to avoid the disruption that they believed would threaten food supplies and risk higher food prices for consumers. The payment was criticized by politicians as it would encourage more ransomware attacks.

Kaseya, REvil ransomware

In July 2021, a ransomware attack targeted Kaseya, a software company that provides remote IT management services to businesses globally. The attacker took advantage of flaws in Kaseya's software to infect 50 managed services providers (MSPs) that used its products, affecting more than 1,500 businesses. The hackers demanded a ransom payment of $70 million in Bitcoin in exchange for a universal decryption key. Kaseya denies paying the ransom, but claims to have gotten the decryption key from a “trusted third party”.

What to do if your company is held hostage by ransomware

Don't be fooled into thinking that your company is too small to be a target for ransomware attackers. Any and every company is at risk, no matter its size, reputation, revenue, or industry. If your company has already been hacked with ransomware, there are several immediate steps you should take:

Contain the attack

Disconnect the affected systems from the network to isolate the infected system(s). By unplugging network cables or disabling Wi-Fi, you can prevent the ransomware from spreading further through the network. Then, inform your IT team or MSP immediately, so they can assess the situation and take steps to contain the damage.

Contact law enforcement

If your systems have been hit by ransomware, report the incident to the relevant law enforcement authorities. All ransomware incidents in the US should be reported to the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), or the U.S. Secret Service. You can do so by visiting stopransomware.gov.

The ransom message will most likely tell you what type of ransomware has been used to invade your system. Check with law enforcement agencies about possible existing decryptors. Their security researchers have already broken the encryption algorithms for some types of ransomware. If you're lucky, you could be back online fairly quickly without having to pay any ransom.

Investigate the attack

First, determine what systems have been affected and what data has been compromised, and whether it's possible to restore from backups or whether you may need to pay the ransom.

The next most important thing to find out is how the attack was executed. Knowing how it happened means you can close any vulnerabilities and avoid being hit again.

Chances are, you'll need the help of cybersecurity experts to carry out a deep investigation that will help you understand the full extent of the attack and what you need to do to get back online safely.

Restore your systems

After you've contained the attack, you can begin the process of restoring your network. Reset all credentials including passwords, wipe infected devices, and reinstall the operating system.

If you have backups, then recovering your data and applications will be much quicker. Only use backups if you are confident that they haven't been exposed to the ransomware.

Once your networks have been restored, monitor the systems for at least two weeks to ensure everything is 'clean'. This will let you take quick action to remove any potential threats before they can spread and inflict further damage.

Implement additional security measures

Once the ransomware attack has been contained, implement additional security measures to prevent future attacks. This could include updating software, implementing stronger passwords, or deploying additional security software. Also, ensure employees have adequate and continuous training. Make sure technical and non-technical staff have an understanding of how to prevent ransomware attacks.

Should you pay the ransom demand?

Whether or not to pay the ransom is a difficult decision. And as you can see from our ransomware examples, there is no one-size-fits-all answer. Here are some factors to consider when deciding whether or not to pay the ransom:

Legal and regulatory considerations: Paying the ransom may violate certain laws or regulations and may open the company up to legal and financial liabilities. Before you decide, consult with legal counsel to avoid any further complications.

Cost-benefit analysis: Consider the cost of paying the ransom versus the cost of recovering the data through other means. Restoring from backups or rebuilding systems could be the cheaper and easier option. In other cases, paying the ransom might be the most cost-effective option.

Trustworthiness of the attackers: Really, how trustworthy are cybercriminals? There is no guarantee that paying the ransom will result in the safe return of data. Chances are the attackers will see your willingness to pay as a green light to demand additional payments. That said, some ransomware gangs are a little more “business-like” in their attacks. Consider the reputation and track record of the attackers before deciding to pay the ransom.

Impact on the organization: You might decide that the potential impact of a ransomware attack on the organization is enough to warrant paying the ransom. Paying the ransom might be the most effective way to avoid the risk of data loss, business disruption, and reputational damage.

Ethical considerations: It's not just your own company that you need to consider. Paying the ransom supports criminal activities and this is likely not going to align with your company's values and principles. Paying might do more damage to your company's reputation than the loss of data would.

Ultimately, the decision to pay the ransom should be made on a case-by-case basis. Take into account the specific circumstances of the attack and your organization's priorities and values.

Of course, ideally, you'll already have a plan in place for responding to ransomware attacks before they happen. But if you don't, read on.

How to prevent ransomware attacks

Preventing ransomware attacks requires a proactive approach to cybersecurity. Here are some best practices that organizations can follow to avoid becoming one of our next ransomware examples:

Keep software up-to-date: Regularly update all software, including operating systems, applications, and security tools, to ensure that known vulnerabilities are patched.

Use strong passwords: Encourage good password hygiene throughout your company. This includes using complex and unique passwords for all accounts and avoiding using the same password for multiple accounts. Passwords should be changed regularly, and multifactor authentication should also be implemented.

Be cautious of email attachments and links: Phishing is the most common entry point for ransomware. Be cautious of email attachments or links from unknown or suspicious sources, or any email that requests you to download anything.

Implement security software: Use a reputable anti-virus or anti-malware solution and keep it up-to-date.

Back up important data: Regularly back up critical data to a secure, offline location. This will help ensure that data can be restored in the event of a ransomware attack.

Train employees: Educate employees on cybersecurity best practices, including how to identify and report suspicious emails or activity.

Restrict access: Limit access to sensitive data and systems to only those who need it. Use access controls to ensure that employees can only access data and systems necessary for their job functions.

Test backups: Regularly test backup and recovery processes to ensure that data can be quickly and accurately restored in the event of an attack.
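
The advice above to restore only from backups you trust, and to test backups regularly, can be partly automated. The following Python code is an added example, not part of the original article: it records a SHA-256 manifest when a backup is taken and, before a restore, reports files that are missing, modified, unexpected, or modified and near-random in content (a common sign of encryption). The function names, the 7.5 bits-per-byte threshold, and the sample files are assumptions made for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def entropy(data):
    """Shannon entropy in bits per byte; values near 8.0 look random (encrypted)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_manifest(root):
    """Map relative path -> SHA-256. Run at backup time and store the result offline."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def verify_backup(root, manifest, entropy_limit=7.5):
    """Compare a backup with its manifest before restoring from it."""
    current = build_manifest(root)
    report = {"missing": [], "modified": [], "high_entropy": [],
              "unexpected": sorted(set(current) - set(manifest))}
    for rel, digest in sorted(manifest.items()):
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
            with open(Path(root, rel), "rb") as f:
                if entropy(f.read(65536)) > entropy_limit:  # assumed threshold
                    report["high_entropy"].append(rel)
    return report

def demo():
    """Constructed sample: a two-file backup, checked before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger.csv").write_bytes(b"id,amount\n1,100\n" * 200)
        (root / "hr.txt").write_bytes(b"staff list\n" * 200)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        (root / "ledger.csv").write_bytes(os.urandom(4096))  # stands in for an encrypted file
        (root / "hr.txt").unlink()
        (root / "RESTORE_NOTE.txt").write_bytes(b"constructed placeholder\n")
        return clean, verify_backup(root, manifest)
```

Keep the manifest somewhere the backed-up hosts cannot write to. Compressed archives are naturally high-entropy, so treat that flag as a hint alongside the hash mismatch rather than proof of encryption.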

Be prepared

Ransomware attacks are a serious threat to businesses of all sizes. It's important to learn how to prevent ransomware, but sometimes, even with the best cybersecurity measures in place, it's still possible to fall victim.

In these situations, companies have to make the difficult decision of whether to pay the ransom or not. But more than just the money is at stake: there are also legal and regulatory considerations. Then there is the trustworthiness of the attackers, the impact on your organization and your loyal customers, and, not least, the ethical considerations to weigh up.

By looking at ransomware examples, having a plan in place for responding to ransomware attacks, and consulting with legal and security experts, companies can mitigate the risks associated with ransomware attacks and protect their data, finances, and reputation.

To learn more about how to protect your data, check out more from the Hoody Privacy Hub!

Ruby M
Hoody Editorial Team

Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.
