The number of ransomware attacks is increasing every year. In 2020, the cost of these attacks was over 20 billion, compared to 11.5 billion in 2019 and 8 billion in 2018. For those of us who have not been affected by a ransomware attack, let's step through what really happens and review the most common questions about such an attack.
Phase 1: Realizing you have been attacked
If you are able to log in to your computer, you may not be able to open a file you were recently editing, or you may receive a phone call from a co-worker asking where you stored the last revision of an Excel spreadsheet you were both working on.
Your computer may not boot, so you assume a hardware failure and contact your IT professional. Chances are they will not answer, because they are busy working out why recent backups have failed, why the database will not come online, or why several other systems have stopped working.
At some point, someone will see the dreaded readme file indicating all files have been encrypted and the threat actor is holding your critical data hostage.
Phase 2: Determine the degree of devastation
- At this time, you cannot open any file that you previously had access to.
- You also realize:
  - Every file located on servers, NAS devices, domain-joined computers, etc. has been encrypted.
  - Many of the servers and desktops will not boot or are running extremely slowly.
  - Soon you will determine that this attack has moved beyond the local office to devices at remote office locations and to workers at home connected via VPN.
  - Your company's operations have come to a screeching halt and no one is able to work.
Phase 3: We can recover the data from backups
With any luck, your data is recoverable from backups, assuming the backup data itself is not encrypted; however, it will take days to recover.
During this time of uncertainty, the threat actor reaches out to demand a ransom. Initially, you refuse to pay a penny for this attack on your network.
The process of recovery begins, and you are starting to feel confident that your business may be operational in a day or two.
Phase 4: They gotcha!!!
This is where it gets complicated. You realize you can only recover 75% of the data, and the other 25% is not recoverable.
Most or all data on local computers was never backed up, and these computers will need to be wiped and have the operating system reloaded before they are usable.
You reach out to data recovery services for the unrecoverable data and computers, but the estimates are outrageous.
It’s about this time that the threat actor sends you a list of compressed files containing personal or financial data on employees and customers.
Phase 5: Insurance, Attorney and Forensics
Now, upper management contacts the insurance company, who recommends a law firm, which brings in a forensics team.
Now you determine that paying the ransom is the best option, and the negotiation process begins. This process can take several days, depending on the insurance firm's procedures and how cooperative the threat actor is.
You will need legal advice to determine how to inform employees and clients about your data breach.
The forensics team will come in for 4 to 6 weeks and try to determine how the breach happened and where it started.
In summary, an actual attack may not be as bad as described above. But it will be worse, because it happened to you. After you fully recover, you will need a new process to protect your business in the future.
Following are common questions about ransomware:
q1. How long does it take to recover from a ransomware attack?
a1. The average is 6 to 7 days.
q2. What is the average ransomware payout?
a2. The average payout is $178,000.
q3. How quickly does ransomware spread?
a3. The average time to start encrypting files is 3 seconds.
q4. Should I report ransomware to the police?
a4. You should always report a ransomware attack to law enforcement.
q5. Is cloud storage safe from ransomware?
a5. It can be, if syncing to a local drive.