You have been attacked! Your files are encrypted. A screen pops up with instructions telling you that your files will be destroyed if you don’t comply. The clock is ticking down. What do you do?
Unfortunately, ransomware attacks are on the rise globally. Attackers have learned that small to medium sized businesses are prime attack targets. It’s a numbers game to cyber criminals. Why take the risk of attacking a Fortune 500 company and asking for thousands of dollars when it easier and more profitable to attack 100 small businesses at $500 each.
Here is what ransomware attackers know: Small and medium sized businesses with less than 500 employees make up 99.7 percent of all U.S. companies and employ 56.8 million workers representing 48% of the entire U.S. workforce. Yet, most of the resources and advances in cyber protection technology are being pushed to Fortune 500 and large multi-national corporations. Less resistance and less security resources make the SMB market a prime attack surface.
So you have been attacked. What do you do? A few quick questions might run through your mind?
Do I have current and fully restorable back-ups?
Unfortunately, most small businesses do not have a routine back-up strategy. (If your company does not have a back-up and recovery strategy, get one! Back-ups are easy to do and are inexpensive.) Make sure your back-ups are not accessible via your network. A ransomware attack will encrypt your back-ups as well if they are accessible via your network.
Can we crack the encryption?
Typical ransomware software uses RSA 2048 encryption to encrypt files. Just to give you an idea of how strong this is, an average desktop computer is estimated to take around 6.4 quadrillion years to crack an RSA 2048 key. So, your odds of cracking the encryption are slim to none. There is a very slight chance that you may find some code available on the Net but the odds are unlikely and remember, the clock is ticking.
Am I really infected? Maybe this is just a scary scam?
It’s fairly straightforward to find out if you are affected by a ransomware virus. The symptoms are as follows:
- You suddenly cannot open normal files and get errors such as the file is corrupted or has the wrong extension.
- An alarming message has been sent to your desktop background with instructions on how to pay to unlock your files.
- The program warns you that there is a countdown until the ransom increases or you will not be able to decrypt your files.
- A window has opened to a ransomware program and you cannot close it.
- You see files in all directories with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.
OK This is real…I don’t have a valid back-up…the clock is ticking…what now?
- Disconnect: Immediately disconnect the infected computer from the network. Turn off any wireless capabilities such as Wi-Fi or Bluetooth. Unplug any storage devices such as USB or external hard drives. Do not erase anything or “clean up” any files or antivirus.
- Determine the reach: Where is the infected system and what it is connected to? Are there other network devices that are encrypted?
- Determine the strain: Check www.bleepingcomputer.com for help determining the strain.
- Evaluate Your Options: Now that you have some information about the reach and strain of the virus and an idea about your internal back-ups etc., you have four basic options. 1. Restore from back-up. 2. Decrypt using a third party decryptor. (unlikely) 3. Do nothing and lose your data. 4. Pay the ransom Unfortunately, most attack victims are forced to pay the ransom. Consider this an expensive lesson but do not be vulnerable to another attack. Most ransomware attacks are the result of phishing, spear phishing and social engineering exploits. Take steps to secure and back-up your data. A proper back-up strategy and a security awareness program to educate employees about the dangers of clicking or opening suspicious emails and attachments is one of the best investments you will make this year.
- Paying the ransom: Locate the payment terms. Most ransomware attacks will have very clear instructions on how much, what form of payment is required (typically Bitcoin) and where to send the payment. Follow the instructions closely.
- Obtaining Bitcoins: Using a Bitcoin broker site like http://www.LocalBitcoins.com will allow you to connect with a local seller. This may be your best bet in terms of obtaining Bitcoin the fastest. If you have time you can search the bitcoin exchange and set up an account. Bitcoin prices fluctuate so make sure you purchase a little more than the exact amount needed.
- Follow the instructions: The ransomware file will include specific instructions on where to send the payment. Once sent you may have to wait a few hours to receive the decryption key. Once you receive the decryption key you should be able to decrypt your device and save your files. Remember, there are no guarantees but in most cases decryption has occurred after payment.
- Finally: Understand that paying one ransomware exploit will not keep you from being attacked again. Take the necessary steps to protect yourself going forward.
Contact us today if you want to learn more about how to keep your company protected from Ransomware attacks.