Over the past decade, instances of ransomware-related cyberattacks have been on the rise around the world, and recent studies show that they are not going to slow down any time soon.
According to researcher Cyber Security Ventures, a new business or organization falls victim to a ransomware attack every 14 seconds. Over 2017 and 2018, phishing defense solutions provider Phishme found that ransomware attacks increased by over 90%. Due to the fact that ransomware attacks involve the unsolicited encryption and potential complete loss of data, they can be costly for individuals and organizations alike, both in terms of server downtime and money spent on recovery, according to the FBI and the Cybersecurity and Infrastructure Security Agency.
How to Take Steps to Prevent Your Network from Falling Victim to a Ransomware Attack
Both the U.S. government and industry professionals agree: the most important way to minimize one’s chances of experiencing a ransomware attack is to practice what is referred to as proper “network hygiene.”
This includes routines such as regular data backups, installation of operating system and software updates and limitation of programs’ abilities to run under conditions known to be friendly ransomware access points. In particular, networks should pay attention to what are known as “end-point” users by restricting certain permissions.
Here are several FBI and CISA-recommended ways in which one can best prepare a network for a potential ransomware attack and practice proper network hygiene:
- To ensure that files and other important information can be completely recovered in the event that a ransomware attack occurs, data should regularly be backed up and secured, either on a physical storage drive or secured cloud service. Another important measure that should be taken is the updating and patching of software and operating systems; according to CISA, most devices that saw ransomware attacks contained software or an OS that were not up-to-date.
- Networks used by multiple users – particularly those employed by large corporations or organizations – should limit the permissions of certain users with regard to their ability to download, execute or receive certain files. Administrators should also consider the security of email servers, as ransomware can be spread through embedded code attachments that are activated if macros are enabled. Both the FBI and CISA recommend enabling spam filter settings to block emails with “suspicious” codes.
- Only so much can be done at a purely network level to prevent a ransomware attack; user education is also essential to prevent unwary individuals from engaging in risky online routines or behavior that could pave the way for an attack. For example, workplace training should teach employees not to click on any unsolicited links or attachments and how to recognize potential scams, particularly those known as “phishing scams.”
Steps to Take in the Event of an Attack
When it comes to saving one’s data, time is valuable when a network is inundated with a ransomware attack, so taking the correct course of action can prevent what very well could be a costly and time-consuming recovery attempt, according to the FBI.
Depending on the level of ransomware protection and preventative measures used in a compromised network prior to an attack, the recovery process could range from simply isolating and deleting the malware to a frantic scramble to prevent its spread, let alone save important files and other information.
Assuming that a network did not have optimal preventative measures in place, here are the steps that one can take to stop a ransomware attack in its tracks before further damage can be done:
- Regardless of the ransom amount demanded or what any accompanying (and often threatening) message claims, victims of ransomware attacks are advised that they should NEVER pay any amount of money. The FBI explains that while paying a ransom may seem to be the quickest option to prevent a costly recovery process, it does not ensure that a ransomware victim will regain access to encrypted data. In addition, some users who chose to pay reported that they had been asked to pay more or fell victim to separate attacks. CISA notes that data regained through a ransom payment could still contain malware.
- Once a network user has determined that he or she has fallen victim to a ransomware attack, the decision must be made to either call relevant authorities to handle the recovery process, or attempt to rectify the situation immediately. In either case, the FBI and CISA recommend that law enforcement always be alerted.
- A victim has the best chance of saving as much data as possible by identifying and isolating the device(s) through which the malware was able to gain access. Once the device or devices have been disconnected from the network, a user should then isolate and shut down any other connected devices. Backup data linked to the network should also be taken offline, while any recoverable portions of encrypted data should be collected and secured.
- Once all devices and backups have been disconnected from the network and any unransomed data has been secured, passwords should be changed. Finally, the ransomware itself can be stopped by deleting both the registry values and program files, the FBI states. This step is recommended to be performed last due to the chance that encrypted data could be lost in the event that ransomware is fitted with a self-destruct feature when a user attempts to stop it from running.