It is always better to be proactively prepared and prevent ransomware attacks than to have to react after an attack occurs. Paying the ransom is not recommended.
Law enforcement and IT security companies have joined forces to disrupt cybercriminal businesses with ransomware connections. The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and McAfee – with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals.
Steps you can take to prevent a ransomware outbreak:
- Require all devices to have active, up-to-date antivirus software installed that cannot be disabled by the end user.
- Educate all users about the risks of ransomware and appropriate use of email.
- Educate your users about how to view file extensions and which file extensions can potentially cause problems.
- Do not let users be local administrators and/or run email or web browsers as an administrator or privileged account.
Steps you should take to prepare for a ransomware outbreak:
- Ensure that you have working backups that can be used to restore all critical or essential data.
- Test your restoration processes, and know how long a restoration will take.
- Ensure that the backup system is segregated from users so that if a user’s machine is infected with ransomware, it cannot spread to the backups.
- Educate your users about how to report an outbreak of ransomware and what steps they should take right away.
Steps you should take after an attack occurs:
- Eradicate the infection.
- Restore from backups.
- If the backups are encrypted or destroyed by the ransomware, check to see if the keys to decrypt your data are available from a free source, rather than attempting to pay the ransom.
The Crypto Sheriff tool lets the people behind the NoMoreRansom.org site check whether a decryption solution is available for your ransomware. If there is one, the site will provide you with the link to download it. See https://www.nomoreransom.org/crypto-sheriff.php?lang=en.
Of course, if the NoMoreRansom.org site is not able to decrypt your files and you are unable to restore your files from backup, you have to assess the risk of actually paying the ransom. Remember that paying the ransom may not result in the restoration of your files. But for some companies, the choice is to cease business forever or pay the ransom. It is much better to have all of the preventive and recovery controls in place before facing such a decision.
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. He joined SystemExperts full time in March 2012 and coordinates the SMARTday practice.