In the heat of the moment, when your data and business-critical applications are encrypted, clients are screaming at you, and your staff are looking to you for answers, many business owners like you make a critical decision. They opt to pay a ‘ransom’ to cybercriminals to have access to their data restored and business operations returned to normal as soon as possible. It sounds reasonable, after all. Your business has an infection, and you have access to the cure. But what if that cure is actually worse than the infection?
That is what we are seeing across businesses of all sizes and industries. In fact, according to a recent study, a staggering 80% of organizations that paid a ransom were struck again, and by the same attackers.
Keep in mind as well that paying the ransom does not guarantee your data will be restored. You are dealing with criminals, and cybercriminals at that. You cannot find them, and you most certainly cannot take them to court for breach of contract if they do not deliver after you pay. A headline-making example of this is the recent Kaseya REvil attack. When the FBI leaned on the Russian government to use its influence to shut down REvil, all of the encryption and decryption keys went along with them.
On top of that, even if you get some or all of your data restored, you have simply told the cybercriminals that you will pay the ransom. Why wouldn’t they go back to the same honey hole?
So, what are the alternatives? Going back to our infection/cure analogy, remember that ‘an ounce of prevention is worth a pound of cure.’ Invest in a layered defense to protect your computer systems, educate staff about how ransomware attacks can enter the organization, ensure that you have a secure and reliable system for backing up critical data, and test that you are able to recover quickly. All of these actions must be handled proactively, well before a ransomware attack occurs.
If you do fall victim to a ransomware attack, here are the immediate steps to take:
- Do not panic and immediately pay the ransom.
- Isolate but do not shut down critical systems. If you power off devices, you will lose memory-resident processes, which can be essential for forensic incident response. Managed detection and response services, as well as isolation of infected computers, are critical and can be performed by firms like QPC Security. These steps, along with a rule at the network level to stop data exfiltration processes, are the best courses of action to limit damage while still retaining the opportunity for forensic data capture. Only after incident responders have performed their actions can the systems be powered down. Do not power them back on until advised to do so by your internal IT or cybersecurity team (like QPC Security).
- Contact your cyber insurance carrier and ask for their breach coach. This resource should be a specialized attorney with experience in cyber-attacks.
- Notify the FBI if advised to do so by your breach coach attorney.
Want to know more about protecting yourself and your business from falling victim to a cyberattack? Contact QPC Security today at 262-553-6510 or by visiting qpcsecurity.com.