Help! My company suffered a ransomware attack. Now what?
Published on 24/08/2020 in Tech, tips & tricks
Your company has been attacked by hackers. They take your data hostage and demand a ransom for their release. The, occasionally literal, million-dollar question is: what is the best way to deal with it? Is negotiation an option?
Wouter Vandenbussche, Proximus Cybersecurity Solution Lead: “Has your company been the victim of a ransomware attack? Then your only option is damage control. And that is no easy task considering that your data is completely inaccessible. That means you have no idea where the damage is and what kind of impact it will have.”
You need to know which data are crucial for keeping your business running and protect them from ransomware.
Wouter Vandenbussche, Proximus Cybersecurity Solution Lead
Protect the crown jewels
In the event of a ransomware attack, the first task at hand is to gain insight into what is going on. “The top priority is always your crown jewels, the information crucial for keeping your business running. That varies for each company. The only way you can limit the damage of an attack is if you know what the crown jewels are and can monitor their status.”
An educational institution's crown jewels held hostage
“One example of an organization that had its crucial data taken hostage was a Dutch educational institution. They were the victim of a ransomware attack last year. Several crucial data and systems as well as their backup servers were blocked. A week later, they ended up paying the hackers EUR 200,000 because if they did not comply, their students would not be able to graduate, their staff would not be paid, and their researchers would not be able to continue their research.”
Rebuilding your business after a ransomware attack can take months or even years.
Get specialist help and call the police
“Once you have been attacked, you immediately need to get a specialized incident response team involved. Most companies specializing in cybersecurity offer that service. They have access to decryption software and provide advice on what you need to do to get your business back on its feet. However, ransomware attacks are also a crime. That means you also need to call the police right away.”
The Proximus Cyber Security Incident Response Team (CSIRT) monitors your data and network security. The team is on-call 24/7 and is ready to offer on-site assistance any time.
Do not pay the ransom
The big question is how to limit the impact of an attack. “That is contingent on the situation. If your company is attacked by outdated ransomware with a known encryption key, there exists an antidote. For attacks by new ransomware, there are two avenues you can choose. You can negotiate with the hackers or refuse.
Negotiation, which boils down to giving in to their demands, is not recommended. Before you know it, you will be confronted with six- or seven-figure amounts. The cost is enormous and there is no guarantee that it will work out. Frequently, the decryption software you are sent is ineffective. There is always a very real chance that the damage to your network and systems will be irreversible.”
A single offline server rescues a global transport company
“Most companies that have been victimized ignore the demands and attempt to rebuild their infrastructure. Because your company’s core is paralyzed, it could be a job for the long haul, which can take months or even years.
Like several other companies, a transport company was the victim of the NotPetya attack in 2017. Their computer systems and terminals at the ports all flatlined. Over a space of ten days, they installed 45,000 new computers and 4,000 new servers. Their saving grace was a single domain controller in Ghana that was offline due to a power outage during the attack. They were able to use it as a back-up for the 150 other domain controllers affected by the attack. Without that stroke of luck, there is a good chance the global transport company would no longer be around.”