Recently, a client of ours was the victim of ransomware. Now, I know what you’re thinking, how could that happen under my watch? I must admit, that was my first question as well. Let me take you through that day and the month that followed. I’ll leave out some details to protect my client’s identity and future security.

It was a Friday morning. Fridays are typically slow days for us. At 8:01 AM I received an email from an employee of one of our clients. I’ll call him Bob.  Bob said that when he got into the office, he found papers on the printer stating that they were the victim of ransomware. He attached a picture of the ransom note. So much for lazy Fridays.

Using our remote security tools, I was able to check all the computers on their network that we manage and found no evidence of ransomware. It turns out, the computer that was attacked was one that Bob had set up a few days prior without notifying us. It was virtually unprotected. Other circumstances, which I won’t go into here, increased this computer’s vulnerability. I told Bob to unplug that computer from the network and notify employees as they arrive not to connect their laptops or turn on any computers that were already off. I dispatched a Cyber Guy to go onsite and assess the situation.

Fortunately, only that one new unprotected computer was compromised. None of the computers we manage and protect were affected. The new computer only contained copies of data already available elsewhere, so no data was lost. They were able to resume operations fairly quickly without having to restore backups.

However, this particular strain of ransomware identified itself as one of the double-extortion kind. Not only does it lock all the files on the computer, but it sends a copy of the files to the hackers. Some of the files on this computer contained sensitive personal information. The ransom note said they will begin publishing this data on the Dark Web if they aren’t paid. Believe it or not, some ransomware gangs keep their word and don’t sell the data if the ransom is paid. Like any business, they need to protect their reputation or victims will stop paying their ransom. Still, there’s no guarantee of this. They may sell it anyway. Or they may hold on to it and ask for more money later. They may even get hacked by another ransomware gang who steals that data from them. The fact is, once there’s even a chance that data has been exfiltrated, it needs to be treated as such.

For over a month we worked with the client, their insurance company, their insurance company’s incident response (IR) company and their legal counsel. The client needed to identify everyone whose data may have been stolen. Counsel advised them of all the applicable laws and regulations in their state and their industry. When incidents like this happen, notifications need to be sent to victims and specific agencies within specified timeframes to avoid penalties. It’s time-consuming and disruptive to normal operations. Not to mention, nobody budgets for ransomware. It was a rough road for them.

For many small businesses that don’t have adequate backups and security measures in place, this type of incident can shut down operations for days or weeks, followed by many weeks or months of recovery. Most small businesses can’t survive that. This is something I recommend avoiding at all costs.

How to avoid this type of ransomware attack

You’re expecting me to list all the “don’ts” that you’ve heard so many times before. Don’t open, don’t click, don’t reply, don’t call, etc. But this particular attack didn’t use the typical attack vectors you’ve been taught to avoid. There was no social engineering.  No malicious email with a link or attachment. No popup asking someone to click. No phone call directing someone to go to a website. There was no involvement by the victims. This was what we call a brute-force attack.  A bad actor found them—probably through a random internet scan—and found a vulnerability that allowed some level of access to this computer. Once in, the hacker was able to do their evil deed.

Protecting against this type of attack requires planning. Your network and computers need to be configured to defend against intrusions. This is not a DIY thing. I strongly suggest you contract a professional for this. But protecting is only the first defense. Detecting intrusions and responding quickly are just as important. Protections can fail or sometimes be bypassed. Given enough time, bad actors will find a way in. Like any good security system, being able to detect malicious activity and respond before damage is done is vital. This service is known as Managed Extended Detection and Response, or MXDR. I highly recommend you look into this service.
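The computer compromised in this incident was one the security provider did not know was on the network, so one check that addresses this case directly is comparing the devices holding a DHCP lease against the managed inventory. The following Python is an added example, not from the original post or the author's tooling; it assumes leases in dnsmasq's lease-file layout and a hypothetical inventory export, and all sample data is constructed.

```python
import re

# Constructed sample: managed-device inventory (hypothetical export format,
# one device per line, MAC first, in whatever notation each tool emitted).
MANAGED_INVENTORY = """\
AA-BB-CC-00-00-01  front-desk
aa:bb:cc:00:00:02  accounting
aabb.cc00.0003     printer
"""

# Constructed sample in dnsmasq lease-file layout (assumed DHCP server):
# <expiry-epoch> <mac> <ip> <hostname or *> <client-id or *>
DHCP_LEASES = """\
1700003600 aa:bb:cc:00:00:01 192.168.1.20 front-desk 01:aa:bb:cc:00:00:01
1700003600 AA:BB:CC:00:00:02 192.168.1.21 accounting *
1700003600 aa:bb:cc:00:00:03 192.168.1.30 printer *
1700003600 de:ad:be:ef:00:09 192.168.1.77 new-pc *
garbage line
"""

def normalize_mac(token):
    """Return a MAC as 12 lowercase hex digits, or None if token is not a MAC."""
    digits = re.sub(r"[-:.]", "", token).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def load_inventory(text):
    """Collect normalized MACs from the first column of the inventory."""
    macs = (normalize_mac(line.split()[0]) for line in text.splitlines() if line.strip())
    return {mac for mac in macs if mac}

def find_unmanaged(leases_text, inventory_text):
    """Return (devices holding a lease but absent from inventory, unparsable line count)."""
    managed = load_inventory(inventory_text)
    unmanaged, skipped = [], 0
    for line in leases_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        mac = normalize_mac(fields[1]) if len(fields) >= 4 else None
        if mac is None:
            skipped += 1          # surface these: a parser gap hides devices
        elif mac not in managed:
            unmanaged.append({"mac": mac, "ip": fields[2], "hostname": fields[3]})
    return unmanaged, skipped

if __name__ == "__main__":
    devices, skipped = find_unmanaged(DHCP_LEASES, MANAGED_INVENTORY)
    for d in devices:
        print(f"UNMANAGED {d['ip']} {d['mac']} {d['hostname']}")
    print(f"{skipped} lease line(s) could not be parsed")
```

A device configured with a static address never requests a lease, so this comparison catches newly plugged-in machines on default settings but is not a complete inventory of the network.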

What to do if your business gets ransomware

Again, this is something you want to avoid. I can’t state that strongly enough. Don’t think there’s a simple checklist to follow after the fact and you’ll be out of it. Many small businesses go out of business after a ransomware attack. So spend some time and money up front in preparation rather than waiting until after you’re attacked. But if you are already doing everything you can and you still get ransomware, here are the steps you should take, in this order (note that only two are slightly technical):

  1. If you have a cybersecurity company managing your network’s security (not just your IT department/provider), contact them first for advice. They will likely recommend what I’m listing here. But having more familiarity with your specific network and operations, they may have additional instructions.
  2. Disconnect your internet router/modem. If a remote hacker is still lurking in the network, this will boot him out immediately.
  3. Disconnect the network connection from all computers. The easiest way is to locate and power off all network switches. If that’s not possible or practical, remove the network cable from each computer. For those using WiFi, disconnect WiFi or put the computer in Airplane Mode. Ransomware can spread from one computer to another. You’ll want to reduce the spread.
  4. If you have a ransom message on your screen, take a picture of it. You will need the exact information to share with those involved in responding.
  5. Call your insurance company. Hopefully you have a policy that covers cyberattacks. Even if you don’t, your general liability policy may cover some costs. But the best thing your insurance company will do is connect you with an Incident Response company to do a forensic analysis to determine what happened and ensure nothing is still happening. They will also connect you with legal counsel that is well versed in the legal actions you need to take for the particular incident. They will provide instructions throughout the process. While you’re waiting for the process to start, continue with the following items.
  6. File a complaint with the FBI through their Internet Crime Complaint Center (www.ic3.gov). Don’t expect a response. They won’t do anything but collect the information for their records, but you should report it anyway.
  7. Notify your local police. A crime was committed, and you should report it. Again, don’t expect them to do anything except create a formal report. You may need this for insurance or for legal or regulatory compliance issues that arise later.

Investigations may continue for weeks or months. During that time, unless instructed differently, avoid deleting files, installing software or otherwise changing the environment. Think of your network as a crime scene; you don’t want to damage or alter evidence. This is especially important for IT people. Their instinct may be to search the web for a decryptor, install protective software, examine logs, etc. Doing these can damage evidence and negatively impact the investigation. Resist the urge to fix it yourself or let unqualified people try to fix it.

Protecting Your Reputation

One more thing: unless and until legal counsel has told you that a data breach has in fact occurred, don’t use the B word. They will give you the exact language to use. Until then, you may refer to it as a security event, or possibly a security incident. The words you use are important. Once the word “breach” is used, it’s hard to recover your reputation, even if it turns out nothing was breached. Instruct employees not to discuss the event with media, especially social media. If questioned, have them defer to an appropriate PR person in your organization who can answer appropriately.