How to recover from a ransomware attack?

Posted by Claude Gagné, Present Group 11-10-2022 10:15 AM

With the increasing sophistication and scale of ransomware attacks, hiding your head in the sand and hoping not to be among the victims is, without doubt, a doomed strategy.

Ransomware is now more likely to strike your business than any other form of disaster and could, in fact, be more damaging. You need to assume that your company will be the victim of multiple attacks and be prepared for them.

It’s a matter of choosing between two alternatives:

  • Invest in a plan now and adapt your preparedness as time and the threat evolves.
  • Pay a ransom, and experience more or less prolonged downtime and/or the slowing down of your systems, until you invest in a plan.

An irrefutable statement

  • The reason enterprise ransomware revenues are growing so fast is because more and more companies, in all industries and sizes, are paying higher and higher ransoms.
  • Why should you wait until you have an attack before you have a plan?

Why are so many companies paying the ransom?
Essentially three reasons explain the prosperity of cyber criminality:

  • Victims have no choice but to pay, as their data AND backups have been rendered unusable. But even if victims do manage to decrypt their data, that doesn’t mean they are off the hook, as they still have to invest weeks or even months of effort to make their systems fully functional.
  • Paying a ransom is often the cheapest option. An example is a well-known Quebec company, which allegedly refused to pay the ransom, but then spent an enormous amount of money, compared to the ransom demanded, to respond to the attack that destabilized its operations.
  • Victims are able to recover a lot of part of their data from backups, but highly confidential data has been infiltrated. They must therefore pay the ransom in hopes that the information is not published on the Dark Web.

In reality, paying the ransom does not guarantee that you will be able to recover your data or that you will not fall victim to the same attack again, especially if you do not do a thorough analysis to determine how the cybercriminals infiltrated the network.

In addition, you will most probably need to reinstall all of your applications if you are not sure you can eradicate the threat. And it is common to see that it will then take several months to get back to normal thus increasing the real cost of the ransom.

In any event, if we are not careful, paying ransoms risks becoming an operating cost just like paying for electricity. This is somewhat reminiscent of the protection that traditional thugs offering their victims.

3 examples of how current ransomware works
Today’s ransomware is much more sophisticated than its predecessor. New versions appear without being detected by the most common traditional antiviruses, since they operate based on the recognition of a static signature.

  • Instead of encrypting as many files as possible as quickly as possible, they can remain inactive, and be backed up multiple times, so that they are activated during a restore.
  • Or the ransomware may initiate the encryption process slowly to avoid being detected. In some cases, it first encrypts files based on the last access date, starting with the oldest data and then working its way to the most recent files.
  • In other cases, ransomware can specifically target file extensions corresponding to backup software.

What are the vectors of attack?
To counter the threat, you need to know how ransomware can infect your systems. These methods of accessing your systems are known as attack vectors.

How to defend against this threat?
According to George Washington, "Preparing for war is the best way to preserve the peace". So, of course, it is vital to put in place a protection respecting the best practices.

Contact our IT security experts, they will be able to offer you the best cybersecurity advice and solutions for your business.

Claude Gagné, Present Group.