With cyber attacks on the rise, companies around the world have been forced to reevaluate their IT posture and take a more proactive stance on cybersecurity. And while preventative strategies have helped IT professionals safeguard their networks, databases and critical assets from a range of known threats, some hacking techniques have continued to cause major operational disruptions and financial losses. According to Varonis, a global provider of data security and analytics software, ransomware attacks are growing by more than 350% every year. But what makes this type of digital exploitation so appealing to cybercriminals?

Unlike other cyber attack methods, ransomware gives hackers an opportunity to make an immediate return on their activities by holding companies’ data and computing technologies hostage. Although there are a wide array of ransomware recovery services available on the open market, many organizations choose to pay the ransom to avoid large-scale data loss and production delays. This, however, only encourages hackers to continue launching these sorts of attacks and may lead to repeat security incidents down the line.

Whether a company pays the restoration fee or not, recovering from ransomware is often costly and time-consuming. Research from Cybersecurity Ventures estimated that ransomware resulted in over $5 billion in net losses for businesses in 2017 alone, a projection that could rise as high as $11.5 billion in 2019. Without a comprehensive ransomware recovery strategy in place, companies across industry lines may find it difficult to regain a stable footing after an organized attack. That said, the first step to preparing for ransomware infections is to understand what they are and how they operate.

How Does Ransomware Work?

Ransomware is a form of malware that encrypts files and operating systems to prevent users from accessing key data stores, rendering their computer completely inoperable. Once installed, most ransomware strains display a warning screen that provides detailed payment instructions that, if followed, will allow users to restore their access. After the ransom has been paid, hackers typically send the victim a set of decryption keys that will unlock their files and remove the malware from their IT system.

In most cases, ransomware spreads through spam and phishing emails, malicious attachments, or compromised websites, though every strain has its own unique attack vector. Other forms of ransomware attacks target vulnerabilities in Microsoft’s Server Message Block and Remote Desktop Protocol, bypassing many of the endpoint security protocols companies deploy. However, considering 92% of malware is delivered by email, per Verizon’s 2018 Data Breach Investigations Report, organizations should prioritize cybersecurity training to ensure their employees understand the risks.

Infected enter key on a computer keyboardRansomware can quickly spread between endpoints and lock down your critical business data.

5 Steps for Recovering Your Data Without Paying a Ransom

Ransomware developers are growing more sophisticated by the day, and many have started focusing on circumventing the tried-and-tested antivirus and anti-ransomware tools organizations rely on. While ransomware prevention is widely considered the most effective mitigation strategy, it can be difficult to build a defensive posture that completely eliminates the possibility of an attack. According to the Federal Bureau of Investigation, more than 4,000 ransomware incidents have occurred each day since January 1, 2016, representing a 300% increase from the previous year. To give your organization the best odds of protecting its sensitive information, preventing data loss and avoiding high restoration fees, consider these five steps when building a ransomware recovery plan:

Step 1: Isolate the ransomware infection

Ransomware attacks aren’t only a threat for the infected computer, as many strains are designed to spread through adjacent IT systems and lock down any files they can access. These more aggressive variants can also travel across wireless networks, making robust detection software crucial to your response and recovery efforts. If your IT team identifies a potential ransomware infection, their first course of action should be to disconnect the computer or device from the network by unplugging Ethernet cables and disabling Wi-Fi permissions. A quick response can prevent the malware from infiltrating your control center and critical data stores, leading to a much simpler recovery process.

Step 2: Identify the malware strain

After isolating the ransomware infection, the next step is to research the specific type of malware you’re dealing with. Most strains provide identifying details alongside their ransom requests, though this information can be intentionally misleading. There are a number of free resources that can help you learn about the variant you’ve identified, such as ID Ransomware, which may give you some ideas about how to remove it from your network and recover your data. This phase of the ransomware recovery process is crucial, as it allows you to create an informed action plan.

Step 3: Contact the authorities

The FBI urges all organizations that suffer a ransomware attack to immediately contact their local authorities, as this allows government agencies to keep track of known and emergent threats. Ransomware reporting can also lead to a greater understanding of cyber criminal behavior and may contribute to ongoing investigations. What’s more, law enforcement professionals may be able to offer clear solutions for successful ransomware removal and data restoration.

Step 4: Weigh the available options

There are typically four courses of action following a ransomware attack: Pay the ransom, attempt to remove the malware yourself, call in a data recovery company or wipe the infected systems and reinstall. Each of these options has its own benefits and limitations, though most IT experts caution against paying the restoration fee as there is no guarantee you’ll get your data back. Since information loss is considered the most expensive component of cyber attacks, according to Accenture, it’s important to select a recovery plan that reduces the chances of large-scale data loss.

Step 5: Remove the malware or reinstall

While it is possible to safely remove ransomware from your system and restore your data without paying a ransom, the process is often quite risky. For example, some malware programs have self-destruct features that will erase all encrypted files if a user attempts to bypass the payment screen. Currently there is no decryption tool that can completely remove every strain of ransomware, though some third-party companies may be able to support your recovery efforts at a cost.

The best way to ensure your systems and networks are free from ransomware is to perform a complete wipe of all storage devices and reinstall everything from safe backups and clean OS sources. It’s also a good idea to reformat your hard disks to ensure every trace of the ransomware infection is eliminated. Although this may be a labor intensive course of action, it can prevent you from doing irreparable harm to your systems and overlooking dormant malware. Companies that utilize a comprehensive backup strategy should be able to recover all their encrypted files without much trouble, but the true test of a ransomware recovery plan is what happens after a security incident has been resolved.

If your organization is looking to improve it’s IT posture and prevent costly ransomware attacks, reach out to the experts at Certitude Security for a personalized consultation.