If your company is hit by ransomware, what does recovery look like? Do you pay the ransom or not? Does it make a difference?
Unfortunately, there’s no simple “Yes” or “No” answer. Several factors shape how a ransomware attack plays out, and the complications can continue long after the initial resolution.
Good cybersecurity practices and understanding the complexities of these costly attacks are the best way to protect yourself.
For over 25 years, WEBIT Services has been passionate about education and effective security practices. As a result, it has helped hundreds of clients build solid cybersecurity procedures through the years.
By reading this article, you will learn the anatomy of a ransomware attack, how to respond to an attack, and what you may encounter in the aftermath.
What does a ransomware attack look like?
It’s important to note that most attacks are opportunistic in the initial stages. They rarely begin as targeted attacks, so no business is too small or too large to become a victim.
Attackers first look for a way into the network. The opening is often a security gap (e.g., no firewall or no multi-factor authentication) or a poor cybersecurity practice (e.g., sharing login credentials or clicking suspicious links).
Once the attackers have a foothold, they can sit undetected for months, mapping your network, harvesting credentials, and locating your data and backups. They eventually use that access to cripple critical systems.
When the encryption stage begins, the ransomware deletes whatever backups it can reach (for example, copies on the same network or on attached drives) and encrypts critical systems.
Encrypted files are unreadable without the decryption key, so the devices and programs that depend on them stop working and productivity comes to a halt. If the backups were also erased, you have no way to restore your data and functionality.
The cybercriminals then demand payment in exchange for the decryption key, usually delivered as a decryptor tool, which is supposed to restore the encrypted systems.
How do I know if my system has ransomware?
The encryption stage of a ransomware attack is hard to miss and usually takes one of two forms. (The reconnaissance stage that precedes it, by contrast, is deliberately quiet and rarely produces obvious symptoms.)
- Files on an infected device are renamed or will not open, applications fail, and a ransom note appears on screen, as a text file in the affected folders, or by email, stating the cybercriminal’s demands.
- You receive a pop-up or email message claiming that your system is infected and will be encrypted if the cybercriminal does not receive payment by a specific time. Treat this as an active incident and involve your IT provider immediately, whether or not the threat turns out to be genuine.
In both cases, your infected system’s functionality is held hostage.
How much is the ransom?
There’s no hard and fast price for a ransomware payment. Cybercrime is constantly evolving, so it’s difficult to predict the costs or demands of attacks.
In 2021, the average ransom payment was $812,360, roughly 4.8 times the 2020 average (Sophos, The State of Ransomware 2022). Individual ransoms can be far larger or smaller depending on the size of the victim and the data involved.
Cybercriminals demand payment in cryptocurrency, almost always Bitcoin or another coin they can move across borders quickly. Cryptocurrency is pseudonymous rather than truly untraceable: blockchain analysis has let authorities follow and occasionally recover payments, but it is still far harder to freeze than a bank transfer, which is why criminals insist on it.
Responding to a ransomware attack
A timely response is one of your best defenses when facing an active ransomware attack.
Essential contacts in a ransomware attack
As soon as you realize that your system is under attack, you must contact three groups:
- Your lawyer
- Your cyber insurance representative
- Your IT provider or internal IT team
Your lawyer will help you address the legal ramifications of an attack: breach-notification and regulatory reporting obligations, possible lawsuits, and communication with clients to protect your reputation.
Your cyber insurance can help pay a ransom and cover lost income during the outage. However, it will only do so if you followed the security practices required by your policy before the attack occurred. Most policies also require prompt notice of an incident, and many designate the incident-response firms you must use, so call your insurer before hiring anyone.
When you enroll in cyber insurance coverage, you must attest that particular cybersecurity practices (such as multi-factor authentication and isolated backups) are in place. If a post-incident audit uncovers that you did not follow these procedures, the insurer can refuse to pay.
Finally, your IT provider will isolate the affected systems, assess the damage, analyze the ransomware, and work on bringing your systems back online.
All three parties can help recommend additional experts and services if needed during and after the attack.
What happens if you don’t pay the ransom?
In some situations, restoring your system without paying the ransom is possible. This depends on how far the infection spread and whether clean backups survived.
Removing the ransomware
Your IT provider’s priority is to get your system back online and functioning as quickly as possible.
It will isolate the infected systems, analyze how the ransomware works and how it got in, and erase every trace of it that can be found.
Once the ransomware is contained and removed, your provider can begin restoring your systems. It will also reset all passwords and logins, including service accounts and any credentials the attackers may have harvested, and close the entry point they used. Skipping this step invites the cybercriminals back in.
Specialist support may be required if the ransomware is difficult to remove.
These specialists locate the ransomware and, if engaged to do so, eradicate it.
First, they audit your systems, procedures, and the actions taken before and after the attack to find the infection. Sometimes their engagement ends once the malware is located.
Other times, the specialists will remove any remnants of the ransomware for an additional fee.
These investigations are costly and can take months to complete.
Restoring your system with backups
If the backups are correctly stored and isolated (offline, or on storage that the compromised network cannot write to), the ransomware will be unable to affect them. In this case, your systems can be restored from the clean backups.
The time this takes depends on the kinds of backups used. For example, restoring from file-level backups takes much longer than restoring from image backups.
However, you may still lose data depending on how recently the backups were saved. You must also verify that the restore point predates the intrusion: because attackers can sit in a network for months, a recent image may faithfully contain their tools or files that were already encrypted.
For example, let’s say you back up your system weekly, but the ransomware struck on day five of this cycle. You would lose five days of data because you had not reached the next weekly checkpoint.
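As an added example (this is illustrative code written for this article, not WEBIT’s tooling or procedure), the following Python script shows how an IT team might pick a restore point rather than blindly taking the newest backup. It checks each snapshot against the hashes recorded when the backup job ran, flags files that look like ciphertext or like a ransom note, and returns the newest snapshot that passes together with the days of data that restoring it would lose. The snapshots, file contents, entropy threshold, compressed-format list, and ransom-note filename pattern are all constructed assumptions for the demonstration; a real run would walk a mounted backup volume and tune the thresholds to your data.

```python
"""Choose the newest backup snapshot that shows no sign of ransomware.

Added example, not WEBIT's code. Snapshots are in-memory dicts of
path -> bytes; on a real system you would walk a mounted backup volume.
"""
import hashlib
import math
import random
import re
from collections import Counter
from datetime import date

ENTROPY_THRESHOLD = 7.5      # bits/byte; assumed cut-off for "looks encrypted"
MIN_SIZE_FOR_ENTROPY = 256   # entropy estimates on tiny files are too noisy to trust
# Already-compressed formats are high-entropy by nature; skip them to avoid false alarms.
COMPRESSED_EXT = (".zip", ".gz", ".7z", ".docx", ".xlsx", ".pdf", ".jpg", ".png")
# Assumed ransom-note filename pattern; real families use many different names.
RANSOM_NOTE_RE = re.compile(r"(readme|decrypt|restore)[^/]*\.(txt|html)$", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict) -> dict:
    """Hashes recorded when the backup job ran. Keep the manifest on separate,
    write-once storage so an attacker cannot rewrite it along with the data."""
    return {name: sha256(data) for name, data in files.items()}


def inspect_snapshot(files: dict, manifest: dict) -> dict:
    """Report what is wrong with a snapshot; an empty dict means it looks clean.
    'tampered'     - content changed or deleted after the manifest was recorded
    'ransom_notes' - files whose name matches the ransom-note pattern
    'encrypted'    - files that were already ciphertext when the backup ran"""
    findings = {"tampered": [], "ransom_notes": [], "encrypted": []}
    for name, data in files.items():
        if manifest.get(name) != sha256(data):
            findings["tampered"].append(name)
        if RANSOM_NOTE_RE.search(name):
            findings["ransom_notes"].append(name)
        elif (len(data) >= MIN_SIZE_FOR_ENTROPY
              and not name.lower().endswith(COMPRESSED_EXT)
              and shannon_entropy(data) > ENTROPY_THRESHOLD):
            findings["encrypted"].append(name)
    findings["tampered"] += [name for name in manifest if name not in files]
    return {k: v for k, v in findings.items() if v}


def choose_restore_point(snapshots, discovered_on: date):
    """snapshots: iterable of (taken_on, files, manifest) in any order.
    Returns (taken_on, days_of_data_lost) for the newest clean snapshot, or None
    when every snapshot is compromised (the 'rebuild from scratch' case)."""
    for taken_on, files, manifest in sorted(snapshots, key=lambda s: s[0], reverse=True):
        if not inspect_snapshot(files, manifest):
            return taken_on, (discovered_on - taken_on).days
    return None


# ---- constructed sample data: three weekly backups and a day-5 discovery ----
_rng = random.Random(7)
CLEAN = {
    "finance/ledger.csv": b"date,account,amount\n" * 50,
    "hr/handbook.txt": ("Report suspicious email to IT before clicking anything. " * 20).encode(),
}
# Week 3 ran after the ransomware did: it faithfully backed up ciphertext plus a note,
# so every hash matches its manifest and only the content checks can catch it.
ENCRYPTED = {
    "finance/ledger.csv.locked": _rng.randbytes(4096),
    "hr/handbook.txt.locked": _rng.randbytes(4096),
    "hr/RESTORE_FILES.txt": b"Your files are encrypted. Pay to get the key.",
}
week1 = (date(2022, 3, 7), CLEAN, make_manifest(CLEAN))
# Week 2's manifest is good, but the attacker later overwrote a file in the backup store.
_week2_files = dict(CLEAN)
_week2_manifest = make_manifest(_week2_files)
_week2_files["hr/handbook.txt"] = b"\x00" * 512
week2 = (date(2022, 3, 14), _week2_files, _week2_manifest)
week3 = (date(2022, 3, 21), ENCRYPTED, make_manifest(ENCRYPTED))
SNAPSHOTS = [week1, week2, week3]
DISCOVERED_ON = date(2022, 3, 26)  # day 5 of the weekly cycle, as in the article's example

if __name__ == "__main__":
    for taken_on, files, manifest in SNAPSHOTS:
        print(taken_on, inspect_snapshot(files, manifest) or "clean")
    print("restore from:", choose_restore_point(SNAPSHOTS, DISCOVERED_ON))
```

With the constructed data, the newest snapshot is rejected because its files are ciphertext and it contains a ransom note, the middle one is rejected because a file no longer matches the hash recorded at backup time, and the script settles on the oldest snapshot at a cost of 19 days of data rather than the 5 days a clean weekly cycle would cost. The two checks catch the two different ways a backup goes bad: encryption that happened before the backup ran (hashes match, content is useless) and tampering that happened afterwards (content differs from the manifest). The entropy test will flag genuinely compressed or encrypted business files, so the allowlist of compressed formats is a starting point, not a complete answer.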
Restoring your system without backups
In a worst-case scenario, you have no backups. They were either wiped out by the ransomware, the backups were corrupted, or you were not backing up the system.
In this case, you often must rebuild your system from scratch. Unfortunately, rebuilding can take days or even months, depending on its complexity.
What happens if you pay the ransom?
In brutal attacks, you may feel like you have no choice but to pay the ransom. However, paying cybercriminals does not guarantee a smooth restoration.
Firstly, paying the ransom does not guarantee that the ransomware or encryption is removed.
Sometimes, cybercriminals take the payment and never send a key. Other times, the decryptor they provide is buggy or slow and fails to recover everything. Either way, you have lost money and still have no working systems.
You must then remove the ransomware and restore or rebuild your systems anyway, processes that can take months to complete, and the downtime results in additional lost revenue.
Sometimes, it’s illegal to pay the ransom. The U.S. Treasury’s Office of Foreign Assets Control (OFAC) prohibits payments to sanctioned individuals, groups, and countries, and a number of ransomware operators fall under those sanctions.
Before making any payments, contact your lawyer and cyber insurance. They can tell you whether a payment would be legal, and they will help you report the attack and the ransom demand to law enforcement and any other parties you are required to notify.
Even if you pay the ransom and the encryption is deactivated, you must still audit and examine your system to verify that the malware is eradicated. This process can take months.
Next steps towards addressing potential ransomware attacks
Solid security practices are the best defense against ransomware attacks. Once an attack takes root, there’s no easy way to address it. As they say, “An ounce of prevention is worth a pound of cure.”
Once your system is infected, you must first contact your lawyer, cyber insurance, and your IT provider to decide the next steps.
You may be able to avoid paying the ransom if the infection is contained and you have quality backups. However, paying the ransom does not guarantee system restoration.
If your provider does not perform quarterly risk assessments or discuss an incident response plan with you, it is a red flag. Neglecting these two practices may mean your provider does not understand effective security practices and is putting you at risk.
WEBIT Services has built solid IT security practices and strategies for hundreds of clients in the greater Chicago area.
If you are looking for a new IT provider, schedule a free 30-minute consultation to see if WEBIT can help.
If you are not ready to make a commitment but would like to learn more about cybersecurity, we recommend the following articles: