Ransomware and Ransomware Incident Response
Ransomware is malware that encrypts files or data, leaving the victim no choice but to pay a ransom to regain access. The threat actor usually leaves a message with instructions for payment via cryptocurrency.
Ransom attacks typically gain a foothold inside an organization through phishing emails that include malicious links or attachments with downloader functionality. Once the malware gains access, it searches for and encrypts valuable data or files. Once the data or files are encrypted, victims are left with few options: pay a ransom, recover from backups, or hope there’s a free decryption key available.
Interestingly, Ryuk—the ransomware that infected news outlets and North Carolina’s Onslow Water and Sewer Authority in late 2018—was most likely spread by Emotet or TrickBot, two information-stealing Trojans that target specific networks and then deliver other malware such as Ryuk. The cybercriminals behind such attacks can be very patient and spend months infiltrating a network before launching an attack.
Once a computer is infected with ransomware, no security software or system restore can return those files to normal. Cybercriminals are willing to take that risk because they know many victims will pay up.
This type of ransomware attack can cost a company millions of dollars in lost revenue and downtime. That’s why organizations should strive to have a well-thought-out incident response plan to address threats like these. This plan should include steps such as isolating infected systems, deleting and replacing infected central system instances, wiping and restoring affected endpoints with clean backup data and changing all system, network and account passwords.