In our last post on the topic, we looked at how ransomware is developing and evolving. We discussed some of the ways you can avoid falling victim to a ransomware attack, as well as how you can improve your cybersecurity overall. This week we’ll look at the steps you can take to recover from a ransomware attack: the processes, practices and procedures you need to have in place to successfully resurrect your business if you get hit.

Ok, I’ve been hit by ransomware. What do I need to do?

“The first question to ask is can you get any of your data back?” says Nutbourne Technical Director Patrick Burgess. “If so, what can you get back? If you can get some data back, then the chances are you can operate the business in some capacity. However, if you have a dated approach, i.e. all your information is stored in one place and it’s been encrypted by ransomware, then you have huge exposure to that ransomware – and you need to resort to restoring data from your backups.”

The second question is “Who do I need to tell about this? There are usually quite a few people both internally and externally who need to be involved in your response. Client engagement teams need to keep clients up to date, internal response teams need to be mobilised and the board needs to action any business continuity plans. 

“Externally you need to let your insurance company know as soon as possible so they can verify the actions you are taking and the steps you take. Additionally, you need to decide if and when you need to disclose to the ICO the breach under data protection,” Patrick adds.

“Ransomware attacks are becoming autonomously intelligent, so they don’t require someone to manage them, other than for initial distribution. Once ransomware has encrypted your files, it reports back to the distributor, letting them know that it has found a target and that it’s a business. Once the distributor knows they have all your files then it’s going to be very hard to get them back if you don’t have a robust backup and business continuity plan,” Patrick says. “Make sure the right people are involved before making spontaneous decisions.”

Should I pay the ransom?

“First things first, you need to understand the situation you find yourself in and the options you have to recover data without paying,” Patrick says. “If you are unable to recover then, whilst inadvisable, you may be left in the unenviable position of considering paying the Ransomware domain. Before you do this, get professional and legal advice from experts who understand how this process works.”

It’s worth pointing out that ransomware companies have an incentive to return data. They know if the company they’ve attacked cannot operate then it cannot pay its bills and will soon be out of business. So there are examples of companies who have paid and had their data unencrypted, but that is by no means guaranteed, and doing so will likely highlight you as a future target for more advanced threat actors.

“Most importantly, remember ransomware becomes headless after a while,” Patrick adds. “They grow and adapt iteratively and can be modified by anyone. Sometimes there are versions that contain coding mistakes, or where their command and control servers have been taken down. In those cases, the ransomware is just floating around the internet. It’s able to perform the first part of its task and seed a network and encrypt files – but it’s just reporting back to nobody. So in that instance you could pay a ransom into the Bitcoin wallet, but there’s nobody at the other end that knows anything about it and therefore no one who will unlock your files.”

How do you mitigate the risk?

There’s no two ways about it: the threats are becoming increasingly advanced. So any old systems, legacy software and platforms that are no longer supported by patches are now very vulnerable. They’re open to more attacks because there are more holes in the system.

“It’s often the case that companies don’t have the money or plans in place to respond quickly to these threats if they’re attacked,” Patrick says. “In the immediate aftermath of an attack, there’s a tendency to dramatically overhaul the system, which can be a false economy. It’s a break-fix mentality that focuses less on tune up and more on reinvention.

“IT is moving away from that kind of model, which is good news for companies on smaller budgets and their subsequent cybersecurity solutions. There’s a move towards a subscription-based model. This means that upgrades are smaller but constant, so you are well protected and also less vulnerable. It also means that your IT is kept moving in the right direction. So you’re not paying £50k for a five year system, but £10k a year for a system that’s never out of date. This allows you to have a smaller budget. If you’re iteratively making things better all the time, rather than saving that money up, it also becomes much more financially viable to stay one step ahead.”

Are there some simple, cost effective solutions?

Yes, there are. Microsoft, for example, offers free Office 365 licenses for email to charities. You can have as many as you want. And you then get a modern secure email platform, free of charge. You’ve got to pay to do the project, but normally that’s quite reasonable and is only a one-off cost.

Microsoft also gives charities massively reduced prices on its E3 plans and its business plans. These would give you your Office software and your security patches at a reasonable price. It doesn’t have to be a case of spending a lot of money to get this right.

Patrick says: “It comes back to identifying what your information is and where your threats are. What are the biggest risks to the business? How can we make things move forward?”

What’s one thing I can do today to mitigate my risk of a ransomware attack?

“I always recommend diversifying the network,” Patrick advises. “So take all of your eggs out of one basket. Move some of your business-critical data – the core of what you need to run – into the cloud. If your info is not all in one place, then there’s a much better chance you will get back up and running in the event of a ransomware attack.

“We see many clients taking their email out of the local environment and putting it into the cloud. And many others take their CRM system, databases, and move them to the latest version of the cloud as well. If you’ve got a Sage account system, don’t have that on the same database locally, move your Sage accounts to Sage Cloud. Start to diversify, over time, and you will see benefits.”

Most importantly, though, when it comes to cybersecurity solutions, you need a robust and tested backup solution in place so you can recover if anything happens.

There’s an increasing focus on cyber insurance, isn’t there?

Cyber insurance is a growing market. It is something Nutbourne recommend businesses take out, especially those on smaller budgets. “It’s something we regard as critical for businesses now,” says Patrick. “The big providers like Hiscox, Chubb and Aviva offer some great policies, which are affordable month to month. They mitigate a huge amount of risk.”

The policies can be worth their weight in gold, because in the event of a ransomware attack, you have peace of mind over the cost of investigation, fines and rebuilding work (policies differ of course, this is a generalisation) – you have passed that risk immediately. “It gives you some breathing space to hire people or teams to rebuild your data, your systems and your network. All things that could preserve or even save the business,” Patrick says. “Remember though, no insurance policy or amount of money in the world can recover data that is unrecoverable. So you can’t pass the responsibility for your backup and disaster recovery plan, just the cost of implementing it and recovering.

“Of course, if you are breached you may need to give the ICO answers. You will have to demonstrate what happened, how it happened and what was lost. You will need someone to provide that professional information. And if you don’t have that in-house, which most businesses don’t, someone’s going to have to come and do that. And that’s not cheap. If you don’t have cyber insurance or something to cover that cost, then it’s a problem.”

Overall, the best way to prevent and recover from ransomware is to be prepared. Have a risk-based business continuity plan in place. Make sure you have all the information to hand regarding how to implement it, when to implement it and who to call. If you’d like to find out more about our cybersecurity managed services and IT support, then get in touch! Contact us today on 0203 137 7273.