

Infected with Ransomware: Now what?

Ransomware attacks have struck organisations worldwide over the last 12 months, including high-profile attacks against Cleveland Council in the UK and CD Projekt Red.

These all caused significant damage to reputation and stock, as well as big financial losses.

According to the UK’s official National Cyber Security Centre (NCSC) ‘2020 annual review’, the number of ransomware attacks last year tripled compared to the previous year, and this upward trend is expected to continue throughout the year. That, paired with a spike in ransomware attacks on the UK education and research sector, makes ransomware one of the leading concerns in the cybersecurity community.

Before we look into prevention and response, we need to establish what such an attack entails. Ransomware is a type of malware that uses encryption to block a user from accessing their own data or device. For a business this could mean being unable to open any of its databases or even log in to its computers, bringing the entire business operation to a halt and often causing significant financial damage in the process.


Once the malicious software is on a network, the cybercriminal has effectively taken the business’ data hostage and demands a ransom in return for releasing it. As with any ransom situation, there is no guarantee that the attacker will release the data once the ransom is paid, which puts organisations in an extremely difficult situation.

Traditional ransomware attacks use withholding data as the motivating factor for payment. However, ransomware tactics are ever-evolving and new types of threat are on the rise. Recent attacks have shifted from simply preventing the owner from accessing their data to using the victim’s sensitive information to blackmail them into paying a ransom, with the threat of damaging their business reputation.

Once in the system, attackers focus on uncovering valuable information through extensive reconnaissance. They then threaten to publicly release the information gathered, inflicting irreparable damage on the reputation of the business, unless the victim pays the ransom.

With ransomware on the rise, it is essential that business owners take additional steps to avoid becoming a victim of cybercrime. The best approach for your Security Operations Centre experts to implement would be a “defence in depth” strategy. This involves creating a technical architecture with multiple failsafes, so that if one defence layer is penetrated, there are multiple other defence mechanisms in place to protect your data and business.

A simplified example of this would be to implement both an email gateway and an endpoint-based antivirus tool. If an email harbouring a malicious document was able to bypass the security checks provided by the email gateway, the endpoint antivirus acts as a second security check upon attempted execution of the malicious document.


Unfortunately, there is no flawless cyber defence approach or plan, so the occurrence of a successful ransomware attack can never be completely ruled out, which is where having a good response strategy comes into play. In light of the cybercrime trends seen in 2020 and those projected for 2021, the Littlefish Cyber team would also advise organisations to include a ransomware scenario in their incident response plan (if they haven’t done so already). Being prepared for all scenarios means cyber criminals are less likely to catch you off guard, which sometimes makes knowing how to respond the best form of defence.


If a ransomware infection is confirmed, the organisation’s cybersecurity team should:

1. Immediately disconnect the infected devices from all network connections, whether wired, wireless or cellular.
2. Reset credentials including passwords, ensuring the initial focus is placed upon administrator/privileged accounts.
3. Securely wipe the infected devices and reinstall the OS.
4. Before restoring from a back-up, ensure that the back-up source is free from any malware. Back-ups should only be restored if there is 100% confidence that both the back-up and the destination device are clean.
5. Connect devices to a ‘known good’ network to download, install and update the OS and all other software.
6. Install, update, and run antivirus software.
7. Reconnect to the organisation network.
8. Monitor network traffic and run antivirus scans to identify if any infection remains.

Organisations should also ensure they have implemented an effective offline back-up strategy to cover all possible angles. In the event of a malicious attack, including ransomware, this allows the organisation to return to a ‘last known good state’, reducing the impact of data loss on the business.
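Step 4 of the response list and the offline back-up advice above both hinge on being able to prove a back-up is still in its last known good state. The following is an added example (not code from the original article or from Littlefish) of one way to do that: record a manifest of SHA-256 digests while the back-up is known clean and store it off the back-up medium, then compare the back-up tree against it before any restore. The manifest format and the sample tree are assumptions constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Manifest format ("<sha256>  <relative path>" per line) is a convention assumed
# for this example, not any product's format.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's root-relative POSIX path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def write_manifest(manifest: dict, path: Path) -> None:
    path.write_text("".join(f"{h}  {rel}\n" for rel, h in manifest.items()))

def read_manifest(path: Path) -> dict:
    manifest = {}
    for line in path.read_text().splitlines():
        digest, _, rel = line.partition("  ")
        if digest and rel:
            manifest[rel] = digest
    return manifest

def verify_backup(root: Path, manifest: dict) -> dict:
    """Report drift: content changed, files vanished (e.g. renamed with a new
    extension) or files appeared (e.g. dropped notes). Any hit means do not restore."""
    current = build_manifest(root)
    return {
        "modified": sorted(r for r in manifest if r in current and current[r] != manifest[r]),
        "missing": sorted(r for r in manifest if r not in current),
        "unexpected": sorted(r for r in current if r not in manifest),
    }

def backup_is_clean(report: dict) -> bool:
    return not any(report.values())

def make_sample_backup() -> Path:
    """Constructed sample tree in a temporary directory, for demonstration only."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    (root / "a.txt").write_bytes(b"hello")
    (root / "sub").mkdir()
    (root / "sub" / "b.bin").write_bytes(b"\x00\x01\x02")
    return root
```

A clean verdict only proves the back-up matches the manifest; the manifest itself must have been taken from a copy you already trusted, and kept where an attacker on the network cannot rewrite it.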
