How do I prevent a ransomware attack on my business?

In 2021, there was a significant increase in the use of ransomware against businesses in the United States, United Kingdom and Australia.

Ransomware is malware that encrypts the victim's files so they can no longer be used. By the time it runs, the threat actors already have access to the network, and they commonly copy sensitive data out before encrypting it. They then threaten to publish that data and keep business operations disrupted until the victim pays a ransom, hence the name.

Unfortunately, paying the ransom does not guarantee that the threat actor will decrypt your files, or that the data they copied will not be leaked or sold anyway. The U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) advises against paying at all: the more profitable ransomware is, the more common and sophisticated it becomes.

Instead, CISA, together with the United Kingdom's National Cyber Security Centre (NCSC-UK) and the Australian Cyber Security Centre (ACSC), has published joint recommendations for preventing ransomware attacks and limiting their impact.

How did ransomware become more common and more dangerous?

The rise in ransomware attacks can be linked to the COVID-19 pandemic in several ways. First, the sudden shift to remote work and cloud-based services put sensitive information and critical infrastructure within reach of attackers on the internet. Second, the pandemic lowered incomes for many households as lockdowns and supply chain problems persisted, making illicit online activity such as ransomware a more attractive way to make money.

As ransomware has become more profitable and easier to obtain, the criminal groups behind it have become more organized. Some now run like businesses, complete with "customer support" that walks victims through paying the ransom and decrypting their files.

These groups increase their profits further by selling stolen data to other criminals. Once a victim's data has been stolen, several criminal groups may use it to threaten and extort the same victim.

How can ransomware get into my network?

The most common way in is phishing. Cybercriminals pose as a legitimate entity, such as the IRS, law enforcement or a security vendor, and contact individuals about a supposed problem, for example a problem with their last tax return, an arrest warrant or, ironically, a security breach in their network. The message uses urgency and fear to rush the target into acting without thinking.

To "solve" the problem, the message asks the victim to click a link or open an attachment, which installs malware on the user's computer or captures their login credentials. Either gives the attacker a foothold from which to reach the rest of the network and deploy the ransomware. Phishing is not the only route: the joint advisory also names stolen or brute-forced remote desktop (RDP) credentials and the exploitation of unpatched software as common ways in.

How can I prevent ransomware from affecting my business?

Here are the steps that CISA, ACSC and NCSC-UK recommend a company take to prevent ransomware attacks, or to limit the damage when one gets through:

  • Keep operating systems and software up to date, and patch internet-facing systems promptly.
  • Train employees to recognize phishing and to report a suspected ransomware infection immediately.
  • Use strong, unique passwords and enable multi-factor authentication (MFA) wherever possible, especially on administrative and remote-access accounts.
  • Segment networks so that a breach is contained to one part of the network rather than spreading to all of it.
  • Secure and monitor remote access services such as RDP, and protect data held in the cloud with MFA and encryption.
  • Enable spam filters so that phishing emails do not reach users in the first place.
  • Back up your data regularly, keep copies offline (physically disconnected) where ransomware cannot reach them, and test that you can actually restore from them.

Above all, they recommend not paying the ransom, since every payment funds the criminals and encourages them to keep using ransomware to extort money.

How should I react to a ransomware attack?

If ransomware gets into your company's network, it's important to act quickly and follow these best practices:

  1. Record the name of the file that was downloaded or opened and the content of the ransom note. Taking a picture of the screen with your phone is the quickest way. This evidence will be needed when working with IT professionals and the authorities.
  2. Isolate the infected device by disconnecting it from the network: unplug the network cable and switch off Wi-Fi. Do not power it off unless you cannot disconnect it, because shutting down destroys evidence in memory that investigators may need. Leave further handling to an IT professional.
  3. Disconnect any other devices that may be affected in the same way, or, if several machines are involved, take the affected network segment offline at the switch. This slows or stops the malware spreading.
  4. Reset passwords, starting with administrative and remote-access accounts, and do it from a device known to be clean. Enable MFA if you have not already done so.
  5. Locate the backups. Do not connect them to the network while the malware is still present, as that exposes them to it too. If you do not have uninfected backups, an IT professional may be able to recover some encrypted data, but there is no guarantee of success.
  6. Remove the ransomware. In practice this means wiping the infected disks and devices and reinstalling their operating systems, which permanently deletes whatever is stored on them, so have a copy (image) of the disk taken first if an investigation is planned.
  7. Restore the information from the backup. Once your systems and network are clean and patched, restore from backups you have verified are uninfected, starting with the most critical systems.
  8. Report the attack to the authorities. This helps protect you from a repeat attack and helps prevent the threat actors from targeting others.
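
The backup advice in the prevention list (keep offline copies and test restores) and in steps 5 and 7 above (restore only from backups you know are uninfected) raises a practical question: how do you check that a backup copy is still intact before reconnecting it? The following Python script is an added example for this article, not code from the CISA, NCSC-UK and ACSC advisory. It records a SHA-256 manifest of a backup set when the backup is made and, before a restore, recomputes it and flags files that were modified, removed or added, plus any file whose byte entropy looks like ciphertext. The entropy threshold, the file names and the simulated tampering are constructed for the demonstration.

```python
"""Verify a backup set against a hash manifest before restoring it.

Added example for this article; not code from the advisory it summarizes.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Bits per byte. Plain text sits around 4-5; compressed or encrypted data
# approaches 8. 7.5 is an assumed cut-off chosen for this demonstration.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the files under root with the manifest taken when the backup was made."""
    current = build_manifest(root)
    report = {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
        "high_entropy": [],
    }
    # Entropy is a second, manifest-independent signal: a file overwritten with
    # ciphertext looks random even if the attacker also rewrote the manifest.
    for rel in sorted(current):
        data = (root / rel).read_bytes()
        if len(data) >= 64 and shannon_entropy(data) > ENTROPY_THRESHOLD:
            report["high_entropy"].append(rel)
    report["ok"] = not (report["modified"] or report["missing"] or report["unexpected"])
    return report


def demo():
    """Constructed scenario: manifest a small backup, then simulate ransomware reaching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n2021-03-01,120.00\n" * 40)
        (root / "notes.txt").write_text("Quarterly backup. Keep offline.\n" * 10)

        manifest = build_manifest(root)  # in real use, stored with the offline copy
        clean = verify_backup(root, manifest)

        # Typical ransomware footprint on a backup that was left reachable:
        # one file overwritten in place with ciphertext, one renamed with a new
        # extension, and a ransom note dropped alongside them (all simulated).
        (root / "finance" / "ledger.csv").write_bytes(os.urandom(4096))
        (root / "notes.txt").rename(root / "notes.txt.locked")
        (root / "README_TO_DECRYPT.txt").write_text("Your files are encrypted.\n")
        tampered = verify_backup(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean copy ok:", before["ok"])
    print("after tampering:", {k: v for k, v in after.items() if k != "ok"})
```

Store the manifest separately from the backup it describes, ideally on a different medium or signed, because an attacker who can rewrite the backup can usually rewrite a manifest sitting next to it; that is why the entropy check is there as a second opinion. Treat high-entropy hits as a prompt to look closer rather than proof of encryption, since legitimately compressed archives and images also score high.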

While ransomware has become more common in the age of remote work, your business can take steps both to prevent attacks and to recover from them. By responding quickly to a breach and reporting it, you minimize both its impact on your business and the likelihood of it happening again.