A hostage response plan for your data

Knowing your options when your system is afflicted with ransomware

By Laura Haight
Originally published as The Digital Maven in Upstate Business Journal, June 3, 2016

A countdown clock, a link to learn how to convert cash into Bitcoin, and a big red X across your computer screen. You are a victim of ransomware. Don’t feel special; ransomware attacks are one of the fastest growing cybercrimes.

This week, a new ransomware variant was released. ZCryptor has the ability to spread through a network as well as to attached drives and USB devices. This ability to take over many devices through potentially one download is expected to make it very popular among cyberthieves and very dangerous for you.

You are likely to be targeted if you are in particular industries or sectors that have a large amount of critical information and cannot afford to risk losing it or suffering a week or two-week delay while you restore your network and systems from backups. That means police departments, airports, doctors’ offices and hospitals may be particularly at risk.

  • Horry County, S.C., paid $8,500 to regain control of its school system website following a ransomware attack in February. The school system had 25 servers infected by the attack and was offline for a week.
  • Also in February, Hollywood Presbyterian Medical Center, a 430-bed facility in Los Angeles, paid $17,000 in ransom. The hospital said it made the decision to pay rather than hold out and take the time necessary to rebuild and restore all of its systems because it was in the “best interests” of patients. For many businesses, the easy path is “cave and pay,” but often the ransoms demanded are considerably higher.

You are more vulnerable if you are using older software, don’t patch your software or operating systems, don’t have a consistent and tested backup plan, or don’t have a business resumption or disaster plan in place. And because ransomware is closely linked to and delivered via phishing and malware, businesses that train employees to recognize these threats and to be skeptical of clicking on links in email messages are better protected.

Adhering to best practices will help you be more resistant to ransomware, but it might not protect you, and ameliorating the problem can still be costly. Two best practices that may protect you against ZCryptor are not allowing employees to install software (this ransomware is sometimes embedded in a fake installer for Adobe Flash), and advising employees to never authorize an application to run macros.

Will backups bulletproof you? Not necessarily. You are certainly better positioned if you have a solid backup strategy with off-site storage of your data. But for many small businesses, a more common process is backing up to external hard drives or flash drives attached to individual computers. Attackers know this, too, and will often search out attached devices and encrypt them as well. Backing up to network shares with removable media is a cost-effective approach, but off-site storage is a must. That’s a best practice for a general emergency preparedness or disaster plan, as well as for ransomware.

If you use external hard drives for backups, do not leave them connected all the time. Plug them in when the backup is to run, and then disconnect them. What’s not accessible cannot be hacked.

What to do if you are data-napped

Quarantine: Before you do any troubleshooting, handwringing or debating, pull the infected machine(s) off the network. Turn off any wireless or Bluetooth services. Disconnect any attached storage devices like external drives or USBs.

Decision time: Unlike a lot of other business decisions, you don’t have a lot of time for this one. Ransomware comes with its own countdown clock. So you need to make your move quickly, and your options are limited.

If you don’t have a backup, you can pay up or try to decrypt the affected systems yourself. There are companies that offer this service (note that they will charge you regardless of success), and some third-party decryptors you can buy, but there is a relatively small chance of success. Depending on whose computer has been infected, it can also mean critical downtime.

If you do have a backup, you have some more options, but they are more complex. Restoring from a backup after a ransomware attack means wiping the infected computer; rebuilding with a clean install of the OS, and clean installs of the software (this can take some time depending on how organized your company is); and restoring from your backup, after you have ensured that you have not backed up any infected files or other malware that you would be reinstalling.

Final option: Do nothing. In assessing the importance of the encrypted files, think of other places where you might have them. For example, if you emailed the file to someone, a copy may still be in the receiver’s email. Or if you use a service like Gmail for your company mail, a copy could be archived online (outside of the scope of the infection).
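One check that belongs in the restore step above, as an added example that is not part of the original column: before restoring, scan the backup set for files whose contents look encrypted (very high byte entropy), which is how a backup drive that stayed attached during the attack and got encrypted along with everything else shows itself. The directory layout, the sample files and the hypothetical ".locked" name are constructed assumptions, not indicators from any real strain.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are compressed by design and therefore legitimately high-entropy;
# skipped to avoid false positives (extend for your own environment).
KNOWN_COMPRESSED = {".zip", ".gz", ".7z", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~4-5 for text, close to 8.0 for encrypted/random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(backup_dir, threshold=7.5, sample=4096):
    """Return paths under backup_dir whose first `sample` bytes exceed the entropy
    threshold and whose extension is not a known compressed format."""
    hits = []
    for path in Path(backup_dir).rglob("*"):
        if not path.is_file() or path.suffix.lower() in KNOWN_COMPRESSED:
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample)
        # Very small files give unreliable entropy, so require a minimum size.
        if len(head) >= 256 and shannon_entropy(head) >= threshold:
            hits.append(str(path))
    return sorted(hits)


def build_sample_backup():
    """Constructed backup set: one plaintext CSV (clean) and one file of random bytes
    standing in for a copy that was encrypted on an attached backup drive."""
    root = Path(tempfile.mkdtemp(prefix="backup_check_"))
    rows = "id,amount\n" + "\n".join(f"{i},{i * 10}" for i in range(300))
    (root / "invoices.csv").write_text(rows)
    (root / "invoices.csv.locked").write_bytes(os.urandom(4096))  # hypothetical name
    return root


if __name__ == "__main__":
    for hit in suspicious_files(build_sample_backup()):
        print("looks encrypted, do not restore:", hit)
```

Anything flagged should be treated as unusable and the clean copy sought elsewhere (older off-site media, email attachments, online archives), exactly as the column suggests.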