5 steps to recovering from a ransomware attack
Ransomware attacks have grown in frequency and severity this year with an average cost of $4.4 million.
Barely a week goes by without ransomware making the headlines. With COVID-19 accelerating a hyper-connected world, ransomware attacks will become even more disastrous. For instance, the unfortunate death of a patient at a hospital in Germany was linked to a ransomware attack that disrupted emergency care.
What is ransomware and how does it work?
Ransomware is a form of computer malware used by cybercriminals to encrypt digital assets. They then threaten to erase the data or release it publicly unless a ransom is paid. Phishing is probably the most common method of delivering ransomware, although savvy criminals are also known to use a combination of social engineering techniques to defraud victims.
Once the malware is deployed and the victim’s data is encrypted, attackers display a screen with instructions on how to unlock the files. Most ransomware strains use RSA-2048, an extremely strong form of encryption. There is no guarantee, however, that the attackers will unlock your files after receiving payment.
Paying the ransom invariably involves the use of cryptocurrency (like Bitcoin) as it does not have any physical representation and is stored in anonymous digital wallets. Once the payment is made, scammers provide decryption software that starts the arduous process of decrypting the files.
Ransomware attacks are growing in volume and severity
Ransomware attacks have not only grown in volume this year but also in severity. Research suggests that the average ransom demand has soared by 100% in the first half of 2020 and then climbed another 47% in the second half of the year.
The average cost of a ransomware attack in 2020 is a staggering $4.44 million, and ransomware accounted for almost 41% of all cyber insurance claims in the first half of 2020.
Dealing with a ransomware infection
Prevention is always better than a cure. Having said that, ransomware has become pretty common these days and even infects companies that are running up-to-date endpoint protection software. Ransomware surpassed payment card thefts this year and became the most common cyberattack vector.
If you have been attacked by ransomware recently, make sure you follow these 5 steps to regain control of your machine.
- Start by figuring out what it is: If your system has been attacked by ransomware, you will start getting messages when opening files that the file is corrupted or has the wrong extension. You will also see instructions on your screen on how to pay the ransom to unlock the files, along with a countdown or deadline for payment.
- Disconnect the machine: Immediately disconnect the machine from any network and disable WiFi and Bluetooth. Unplug any storage devices such as USB sticks or external hard drives. To discover your “patient zero”, check the properties of the encrypted files. Start monitoring your processes and see whether CPU or GPU usage is running extremely high in the middle of the night.
- Determine the scope: Determine the extent of the damage. Was the infected computer connected to the network, an external storage device or even cloud storage when the infection happened? Are other machines displaying similar symptoms?
- Determine the strain: Ransomware has different variants. Some encrypt files, others steal data, and they vary in their ability to spread. Some offer alternative payment methods to Bitcoin. For certain low-profile strains, decryption tools are available online.
- Evaluate your response: Take note of the deadline for making your decision. Determine the scope of your risk in case of data deletion or exposure in the public domain. In all probability, you have four possible responses:
  - Restore from a recent backup: Locate any possible backup copies of your data. Look for emailed copies and copies with cloud providers (Google, Dropbox, etc.). Look for shadow copies that were created during a system restore. Even if you don’t have a backup solution in place, it is still worth looking, as there could be ways for you to recover your files.
  - Decrypt your files using a third-party decryptor: Some mainstream antivirus companies and malware researchers have published keys and decryption tools for several strains of ransomware. Try to identify the infection and search to see if an associated unlocker is available. Ensure the unlocker comes from a reputable source.
  - Do nothing (lose your data): Wipe the affected computer(s) clean. It might be a good idea to keep a copy of the encrypted files in case security experts uncover decryption keys for the infection in the future.
  - Negotiate/Pay the ransom: If you have exhausted all the earlier options, your only recourse might be to pay the ransom. Most security professionals recommend not paying, because every payment encourages more ransomware attacks in the future.
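As an added example (not code from the article or from KnowBe4), here is a small Python triage script for the first three steps: it walks a directory and flags files that look encrypted (high byte entropy combined with an extension the business does not normally use) as well as files whose names resemble ransom notes, run over constructed sample data. The extension list, the note-name hints and the 7.5 bits-per-byte threshold are assumptions to tune for your own environment.

```python
import math
import os
import tempfile
from collections import Counter

# Heuristics only (assumed values, not from the article): extensions the business
# normally uses, and words that commonly appear in ransom-note file names.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".zip"}
RANSOM_NOTE_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English prose is roughly 4-5, ciphertext is close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage_file(path: str, threshold: float = 7.5) -> dict:
    """Flag a file as encrypted-looking and/or as a ransom-note candidate."""
    with open(path, "rb") as fh:
        head = fh.read(65536)   # the first 64 KiB is plenty for an entropy estimate
    name = os.path.basename(path).lower()
    entropy = shannon_entropy(head)
    foreign_ext = os.path.splitext(name)[1] not in KNOWN_EXTENSIONS
    return {"encrypted": entropy > threshold and foreign_ext,
            "note": entropy <= threshold and any(h in name for h in RANSOM_NOTE_HINTS)}


def triage_tree(root: str) -> dict:
    """Walk a directory tree and list files that look encrypted or like notes."""
    summary = {"scanned": 0, "encrypted": [], "notes": []}
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            verdict = triage_file(path)
            summary["scanned"] += 1
            if verdict["encrypted"]:
                summary["encrypted"].append(os.path.relpath(path, root))
            if verdict["note"]:
                summary["notes"].append(os.path.relpath(path, root))
    return summary


def build_sample_tree() -> str:
    """Constructed sample: a clean document, an encrypted-looking file, a ransom note."""
    d = tempfile.mkdtemp(prefix="ransom_triage_")
    samples = {
        "report.txt": b"Quarterly report: revenue up, costs flat.\n" * 200,
        "budget.xlsx.locked": os.urandom(32768),   # random bytes stand in for ciphertext
        "README_DECRYPT.txt": b"Your files are encrypted. Pay within 72 hours.\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d
```

Running `triage_tree` against a file share gives a quick first count of affected files and where the notes were dropped, which is the input the scope and strain steps need; known high-entropy formats such as images and archives are excluded by extension to keep false positives down.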
Paying the ransom does not end the ordeal
Studies indicate that paying the ransom doubles the average cost of ransomware attacks in the future. To proactively prevent ransomware attacks, businesses must have a defense-in-depth approach. This means that you need a combination of good next-gen endpoint protection, Data Loss Prevention (DLP) controls, spam filters, backups, network segmentation and security education for employees.
Since 95% of all breaches start with a phishing email, businesses must build good cyber hygiene and train employees to build muscle memory in recognizing online scams.
Stu Sjouwerman is the founder and CEO of KnowBe4, a developer of security awareness training and simulated phishing platforms, with over 30,000 customers and more than 20 million users. He is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Contact him at ssjouwerman@knowbe4.com.