29/08/2018
Marcel Reifenberger

It is a sad reality that cybercrime, and ransomware in particular, is now one of the most common threats facing modern business. It is surprising, then, that so few organisations have clear procedures in place for the event of an attack.

Marcel Reifenberger, CISO & CSO, CANCOM SE (@soc13tyhacker)

As soon as you receive an e-mail stating 'All data will be encrypted' or 'Your public domain will be shut down!', most people's first reaction is panic. That is exactly why it is critically important to do the right things, in the right order. My first piece of advice is simple: NEVER, EVER PAY THE MONEY. There are three good reasons:

Firstly, there is no guarantee that paying will stop the attack, or that you will receive a working decryption key in return.

Secondly, the malware is driven by command-and-control servers that register payments and hand out decryption keys. If that infrastructure is taken down or abandoned (for whatever reason), the attacker's system can no longer recognise that you have paid; the attack goes ahead, or your data stays encrypted, regardless of the money you sent.

Thirdly, once a cyber-criminal has successfully extracted money from you, you are marked as someone who pays, which invites further demands. (It is not uncommon for attackers simply to change their name and send another demand shortly afterwards.)


So, how exactly should you respond to a ransomware attack?

It may sound obvious, but the first step is to calm down. As human beings, we tend to over-react. Sit down, take a deep breath, read the message again, then establish the important facts:

  • Who is attacking you, or claims to be?
  • Which attack method is being threatened (encryption, a denial-of-service against your domain, data leakage)?
  • When is the attack due to occur, i.e. what deadline does the message give?

If you have the technical skills, start investigating:

  • Is the attacker, or the name the attacker uses, already known from previous campaigns?
  • Has the metadata in the e-mail header been forged? Look for a spoofed From address that does not match the envelope sender, failed SPF or DKIM checks, and Received lines whose timestamps do not add up.
  • What were the stages of delivery, and which servers did the message pass through? The Received headers, read from the bottom up, give the path.
  • Did the attacker use anonymisation (Tor, VPNs, compromised relays) to hide their identity?
  • Is the virtual wallet you are being asked to pay into empty? A public blockchain explorer shows whether anyone else has already paid; an empty wallet behind a mass-mailed threat is one indicator of a bluff.
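The header and wallet checks in the list above can be scripted so that they are done the same way every time, rather than by someone in a panic. The following is an added example in Python, not code from the original article or from CANCOM: it parses a constructed threat e-mail, walks the Received chain oldest-first to reconstruct the delivery path, compares the visible From domain with the envelope Return-Path, reads the receiving server's SPF/DKIM verdict, checks that the hop timestamps are in order, and pulls the wallet address and deadline out of the body. Every host, IP address, domain and wallet address in the sample is made up. Whether the wallet has actually received funds still has to be looked up on a public blockchain explorer; this offline script only extracts the address for you.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample extortion e-mail for this example. Every host, IP address,
# domain and wallet address below is made up (RFC 5737 ranges, .example domains).
SAMPLE_EML = """\
Return-Path: <bounce-7731@mail.example.net>
Received: from mx1.victim.example (mx1.victim.example [203.0.113.10])
\tby imap.victim.example with ESMTP id 4aB7c; Wed, 29 Aug 2018 09:12:01 +0000
Received: from mail.example.net (mail.example.net [198.51.100.20])
\tby mx1.victim.example with ESMTPS id 9zQ1; Wed, 29 Aug 2018 09:11:58 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby mail.example.net with ESMTPA id 1xY2; Wed, 29 Aug 2018 09:11:40 +0000
Authentication-Results: mx1.victim.example; spf=fail smtp.mailfrom=example.net; dkim=none
From: "IT Security" <security@victim.example>
To: ceo@victim.example
Subject: ALL DATA WILL BE ENCRYPTED
Date: Wed, 29 Aug 2018 09:11:30 +0000
Message-ID: <20180829091130.1xY2@mail.example.net>

Your network has been compromised. Pay 2 BTC to
1DemoAddrNotRea123456789abcdefghjkm within 72 hours or all data will be encrypted.
"""

# "from <host> (<comment>) by <host> ... ; <date>" is the usual Received: shape.
RECEIVED_RE = re.compile(r"from (\S+)(?: \((.*?)\))? by (\S+).*?;\s*(.*)$")
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Legacy base58 (1.../3...) and bech32 (bc1...) Bitcoin address shapes; format only.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
DEADLINE_RE = re.compile(r"within\s+(\d+\s*(?:hours?|days?))", re.I)


def parse_hops(msg):
    """Return the Received: hops oldest-first.

    Each relay prepends its own Received: line, so the header order is newest-first;
    reversing it gives the path the message actually travelled.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())  # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            hops.append({"raw": text})  # keep unparsable lines rather than drop them
            continue
        frm, comment, by, when = m.groups()
        ip = IPV4_RE.search(comment or frm)
        hops.append({"from": frm, "comment": comment or "", "by": by,
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(when.strip())})
    return hops


def triage(raw_eml):
    """Extract the facts worth establishing before anyone reacts to a threat mail."""
    msg = message_from_string(raw_eml, policy=policy.default)
    hops = parse_hops(msg)
    findings = []

    # 1. Visible From: versus envelope sender. A mismatch is the classic spoofing tell.
    from_dom = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")

    # 2. What the receiving MTA already concluded about SPF and DKIM.
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"spf=(\w+)", auth)
    dkim = re.search(r"dkim=(\w+)", auth)
    spf_result = spf.group(1) if spf else "none"
    dkim_result = dkim.group(1) if dkim else "none"
    if spf_result != "pass":
        findings.append(f"SPF result is {spf_result}")
    if dkim_result != "pass":
        findings.append(f"DKIM result is {dkim_result}")

    # 3. Forged Received: lines usually break the timeline: on a clean path no hop
    #    is timestamped earlier than the hop before it.
    times = [h["time"] for h in hops if "time" in h]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        findings.append("Received timestamps are not monotonic (possible forged hop)")

    # 4. The oldest hop is the closest thing to the true origin the headers give you.
    origin = hops[0] if hops else {}
    if "unknown" in origin.get("comment", "") or origin.get("from", "").startswith("["):
        findings.append("origin host has no reverse DNS (bare IP / 'unknown')")

    # 5. Extortion specifics from the body: wallet address(es) and the stated deadline.
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    deadline = DEADLINE_RE.search(body)

    return {"hops": hops, "origin_ip": origin.get("ip"),
            "from_domain": from_dom, "return_path_domain": rp_dom,
            "spf": spf_result, "dkim": dkim_result,
            "wallets": sorted(set(BTC_RE.findall(body))),
            "deadline": deadline.group(1) if deadline else None,
            "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    for hop in result["hops"]:
        print(f"{hop.get('time')}  {hop.get('from')} ({hop.get('ip')}) -> {hop.get('by')}")
    print("origin IP:", result["origin_ip"], "| wallets:", result["wallets"],
          "| deadline:", result["deadline"])
    for finding in result["findings"]:
        print("finding:", finding)
```

Run it against a message saved as a .eml file (the attachment you would also send to the authorities) rather than a forwarded copy, because forwarding replaces the original headers with your own. The address regexes match the shape of a Bitcoin address only; they do not validate its checksum, and the findings list is a set of indicators to weigh, not a verdict.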

Even if you are not part of the technical team, contact your local authorities and ask for their advice. Send them the mail as an attachment, not as a forward: forwarding creates a new message carrying your own headers and discards the original delivery trail that investigators need. Also call your insurance company; most insurers now offer dedicated cyber insurance for organisations.

With this kind of extortion message you will normally be given at least some warning before the stated deadline. So, as soon as you notice the message, double-check the following:

  • Updates/patches: are all your systems, internet-facing ones first, fully patched?
  • Backups: do recent, tested backups exist, are they kept offline or otherwise isolated from the network, and can you actually restore from them?
  • Connections: which ports are exposed to the internet, and are the firewall rules as tight as you believe they are?
  • Security systems/features: are endpoint protection, mail filtering and logging actually running and up to date?

It is important to know that receiving a message does not necessarily mean you will be attacked. Millions of threat e-mails are sent out automatically, and only some of them are backed by a real capability to follow through.

If you are one of the lucky ones and have not yet been the victim of a ransomware attack, do not get complacent. Now, more than ever, it is important to have proper security procedures in place to keep your data and valuable IP safe.


Marcel Reifenberger

C(I)SO CANCOM SE

@soc13tyhacker

This article was originally published in German at CANCOM.info

If you are concerned about ransomware attacks or are looking to improve security, find out how OCSL can help you with around-the-clock network protection.
