There has been another high-profile ransomware attack, and this one could be more significant than the ones before.
We covered ransomware a while back, on what it is and how it is a growing threat. You can read that blog here.
Just last week, Colonial Pipeline, which accounts for 45% of the US East Coast’s fuel, was attacked by ransomware. The attack took its systems down and forced the company to shut down operations.
Also last week, Scripps Health, a very large hospital network with over 10,000 employees and 7,000 patients, was taken down by a cyberattack.
https://www.10news.com/news/local-news/scripps-health-ceo-addresses-cyberattack-in-an-internal-memo
and
both cover that news and the implications they are still dealing with.
In the past year there have been well over $215 million in damages from ransomware attacks around the world.
With most of the workforce still working from home in 2021, due to the Covid-19 pandemic, cyberattacks and ransomware have become much easier to pull off. Employees and their PCs that were once safely behind the office firewall are now at makeshift workstations in their home office, bedrooms, or kitchen, using all manner of cobbled-together technologies to get the job done.
Companies now have a MUCH bigger attack surface. This is because employees are now on many different networks and at various locations. They are no longer working within their organization’s network, covered by its normally secure protection and firewall settings. Some are smart and use a secure VPN connection to stay within their office’s network protection, but most are not. ZDNet has a great article by Danny Palmer on this topic as well.
If you suspect you or your company has been affected by ransomware, I am sure your first thought is to shut down or reboot all the computers and server(s) in your office. This is something that you DO NOT want to do. Shutting down or rebooting may restart a file-encryption process that had crashed, and may lose encryption keys that are still stored in memory.
Experts instead recommend that victims hibernate their computer(s) and disconnect them from the network. (The easiest way is to pull the network cable out of the back of the machine, if it is hardwired to the internet.) If you suspect more than one machine is affected, disconnect the office network switch(es) and cut their connection to the internet, to keep the infection from spreading further if possible. Once that is done, it is advised to reach out to a professional IT support firm for further steps.
Victims should take note that there are two stages of the ransomware recovery process they must go through.
The first is finding the ransomware’s artifacts — such as processes and boot persistence mechanisms — and removing them from an infected host.
The second is restoring the data, if a backup mechanism is available.
When companies miss or skip the first step, rebooting the computer often restarts the ransomware’s process, which then encrypts the recently restored files, meaning victims have to start the data recovery process again from scratch.
In the case of enterprises, this increases downtime and costs the company operating profits.
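The first-response steps above (isolate the host, record what is running and what starts at boot, then hibernate rather than reboot) as a single triage script. This is an added example, not code from the original post; it assumes an elevated PowerShell session on a Windows host, and the report path is a placeholder.

```powershell
# Added example (not from the original post): first-response triage for one
# Windows host suspected of ransomware infection. Isolates the host, records
# processes and boot-persistence entries for the IT firm, then hibernates.
$Report = "C:\ir-triage-$env:COMPUTERNAME.txt"   # assumed output location

# 1. Isolate: take every connected network adapter offline (software
#    equivalent of pulling the cable). Wi-Fi adapters are included.
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Disable-NetAdapter -Confirm:$false

# 2. Record what is running before the memory state is preserved by hibernation.
"=== Running processes ===" | Out-File $Report
Get-Process | Sort-Object CPU -Descending |
    Select-Object Id, ProcessName, Path, StartTime |
    Format-Table -AutoSize | Out-File $Report -Append

# 3. Record common boot-persistence locations the post refers to
#    (Run keys, startup commands, scheduled tasks, auto-start services).
"=== Run / RunOnce keys ===" | Out-File $Report -Append
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        "[$Key]" | Out-File $Report -Append
        Get-ItemProperty $Key |
            Select-Object * -ExcludeProperty PS* |
            Format-List | Out-File $Report -Append
    }
}
"=== Startup commands ===" | Out-File $Report -Append
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize | Out-File $Report -Append
"=== Scheduled tasks (non-Microsoft) ===" | Out-File $Report -Append
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskName, TaskPath, State |
    Format-Table -AutoSize | Out-File $Report -Append
"=== Auto-start services ===" | Out-File $Report -Append
Get-Service | Where-Object StartType -eq 'Automatic' |
    Select-Object Name, DisplayName, Status |
    Format-Table -AutoSize | Out-File $Report -Append

# 4. Hibernate rather than shut down or reboot, so memory contents
#    (including any encryption keys still in RAM) are written to disk.
shutdown.exe /h
```

The report is written to the local disk so that it is available to whoever takes over the investigation; hibernation must be enabled on the host for `shutdown.exe /h` to succeed.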
To learn more about dealing with ransomware attacks, you can check out the Emsisoft guide on how to remove ransomware and Coveware’s first response guide on dealing with a ransomware attack.
Above all, please keep up with regular training and remind your employees and co-workers not to click on any questionable links or download anything they are not sure of. Stress that if they ever question something, it is always best to ask their IT department about it first. While it might create more work to make sure something is legitimate or safe to use, it will save the company tremendously in the long run from the massive expenses incurred by a ransomware infection.
Stay safe out there everyone.