Detect, protect, and prevent: Don't fall victim to a ransomware attack

Is your team’s data safe?

According to the European Union Agency for Cybersecurity, between May 2021 and June 2022, around 10 terabytes of data were stolen each month by ransomware threat actors. 58% of the data taken included employees’ personal details.

With ransomware continuing to make the headlines, how can you protect your business from such attacks? With so much information online about them, it’s hard to know where to begin.

That’s why we’ve done the heavy lifting for you. In this guide, we explain what ransomware is, give six steps that help prevent an attack in the first place, and another six on how to manage an attack if the worst happens.

What is ransomware?

Ransomware is malware that encrypts files or locks users out of their systems and demands a payment, almost always in cryptocurrency, to restore access. Many ransomware operators now also steal data before encrypting it and threaten to publish it if the ransom is not paid (so-called double extortion), which is why the data-theft figures above matter even for a business that can restore from backup. Attackers target individuals, businesses, and organisations of all kinds.

Better still – how do I prevent an attack from happening in the first place?

Defending against ransomware requires an all-hands-on-deck approach that brings together your entire business.

Here are six steps to take to help prevent an attack:

Maintain backups – thoughtfully

Backups are the main way to recover without paying, which is exactly why attackers go after them: ransomware operators commonly look for backup servers and shares and encrypt or delete them before they trigger encryption elsewhere. Keep at least one copy offline, or otherwise unreachable with the credentials used on the production network (an offline drive, or immutable or object-locked cloud storage), and test restores regularly: a backup that has never been restored is not a backup. Cloud services that retain previous versions of files can let you roll back to an unencrypted version, but check that versioning is actually enabled and that an attacker holding an administrator’s credentials cannot purge those versions too.
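A backup is only useful if you know it is still intact when you come to restore it. The following is an added example, not code from the article or from any vendor, of one practical check: write a SHA-256 manifest when the backup is taken and compare the copy against it before trusting a restore. The directory layout, file names (including the “HOW_TO_RESTORE.txt” note) and contents are constructed for the demonstration.

```python
"""Hash-manifest check for a backup copy (added example, not from the article).

A manifest of SHA-256 digests is written when the backup is taken and kept
where the backup host cannot overwrite it. Before a restore, the copy is
compared against the manifest: files re-encrypted in place show up as
modified, deleted files as missing, and dropped ransom notes as extra.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's POSIX-style path relative to backup_dir to its digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Return what differs between the copy on disk and the manifest."""
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "extra": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Simulate a good backup, then an attacker reaching the backup share.

    Everything here is constructed in a temporary directory so it runs offline.
    """
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "q1.xlsx").write_bytes(b"quarterly numbers")
        (backup / "notes.txt").write_bytes(b"meeting notes")

        # Manifest taken at backup time; store it separately from the copy.
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)

        # Simulated compromise: one file encrypted in place (random bytes stand
        # in for ciphertext), one deleted, a constructed ransom note dropped.
        (backup / "finance" / "q1.xlsx").write_bytes(os.urandom(32))
        (backup / "notes.txt").unlink()
        (backup / "HOW_TO_RESTORE.txt").write_bytes(b"constructed ransom note")
        tampered = verify_backup(backup, manifest)

    return {"clean": clean, "tampered": tampered, "manifest_entries": len(manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as strong as the manifest’s own protection: if the manifest sits on the same share with the same permissions, an attacker who can rewrite the backup can rewrite the manifest too. Keep it on the offline or immutable side, or sign it, and run the verification as part of the scheduled restore test rather than only on the day you need it.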

Put company-wide plans in place

Create an incident response plan so your IT team knows what to do during an attack, and rehearse it before you need it: who isolates systems, who talks to the insurer, lawyers and regulators, and where the offline copies of contact lists and runbooks live if email and file shares are down. Security awareness training is also key to stopping ransomware in its tracks: when employees know how to spot and report malicious emails, they help protect the business too.

Protect your endpoints

Endpoint protection is vital because endpoints (laptops, desktops, servers and phones) are the usual entry point for an attacker into a company network. Modern endpoint protection (EDR) watches behaviour as well as file signatures, so it can spot and block a process that starts encrypting large numbers of files even when the ransomware itself is new. And with hybrid working here to stay, devices connect from home and public networks, so protection has to travel with the device rather than sit only at the office perimeter.

Keep systems up to date

Ensure your business’ operating systems, applications, and software are regularly updated. Applying the latest updates closes the security gaps attackers are looking to exploit. Prioritise patches for anything reachable from the internet (VPN gateways, remote access portals, email servers), since those are what ransomware operators scan for first, and keep an inventory so you know which systems are still unpatched.

Introduce an Intrusion Detection System (IDS)

An IDS inspects network traffic (or, for a host-based IDS, activity on the machine itself) and compares it against signatures describing known malicious activity, raising an alert on a match. A robust IDS updates its signatures regularly and alerts your business quickly when it sees something suspicious. Two caveats: signatures only catch what has already been described, so pair them with threshold or behaviour rules that flag things like one machine suddenly connecting to many others; and an IDS only alerts, so someone must be on hand to act on the alert (an intrusion prevention system, IPS, can also block).
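To make the two kinds of rule concrete, here is an added example (not from the article or any IDS product) that runs a signature rule and a threshold rule over a handful of constructed connection-log lines. The log format, the 10.0.0.0/8 “corporate” range and the thresholds are assumptions for the example; the SMB sweep it detects is the network scanning described later in this guide, which is what ransomware does when it spreads.

```python
"""Signature and threshold matching over connection logs (added example).

Two rules run over a constructed log:
  * a signature rule: any RDP (3389) connection from outside the corporate range
  * a threshold rule: one source touching SMB (445) on many distinct hosts in a
    short window, the pattern of ransomware looking for machines to spread to
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List
import ipaddress
import re

# Constructed sample log, one event per line: "<iso-time> <src> <dst> <dport> <proto>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.15 10.0.0.20 445 tcp
2024-03-01T09:00:02 10.0.0.15 10.0.0.21 445 tcp
2024-03-01T09:00:02 10.0.0.15 10.0.0.22 445 tcp
2024-03-01T09:00:03 10.0.0.15 10.0.0.23 445 tcp
2024-03-01T09:00:03 10.0.0.15 10.0.0.24 445 tcp
2024-03-01T09:00:04 10.0.0.15 10.0.0.25 445 tcp
2024-03-01T09:00:09 203.0.113.7 10.0.0.5 3389 tcp
2024-03-01T09:00:10 10.0.0.8 10.0.0.9 443 tcp
2024-03-01T09:05:00 10.0.0.8 10.0.0.9 445 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

# Assumed corporate address space; an external source is anything outside it.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production IDS would count these, not drop them silently
        ts, src, dst, dport, proto = m.groups()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return events


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def rule_external_rdp(events: List[Event]) -> List[str]:
    """Signature: RDP from outside the corporate range is always worth an alert."""
    return [
        f"external-rdp src={e.src} dst={e.dst} at {e.ts.isoformat()}"
        for e in events
        if e.dport == 3389 and not is_internal(e.src)
    ]


def rule_smb_sweep(events: List[Event], threshold: int = 5,
                   window: timedelta = timedelta(seconds=60)) -> List[str]:
    """Threshold: one source reaching SMB on >= threshold distinct hosts within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e.dport == 445:
            by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best, start = 0, 0
        for end in range(len(evs)):          # sliding window over sorted timestamps
            while evs[end].ts - evs[start].ts > window:
                start += 1
            best = max(best, len({e.dst for e in evs[start:end + 1]}))
        if best >= threshold:
            alerts.append(f"smb-sweep src={src} hosts={best} within {window.seconds}s")
    return alerts


def run_rules(text: str) -> List[str]:
    """Run every rule and return the combined alert list."""
    events = parse_log(text)
    return rule_external_rdp(events) + rule_smb_sweep(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

Note that the single SMB connection from 10.0.0.8 produces nothing: file servers and backup agents legitimately talk SMB to many hosts, so the threshold and window have to be tuned against your own baseline, and known servers allowlisted, or the rule becomes noise that nobody reads.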

Review port settings

Many ransomware operators take advantage of Remote Desktop Protocol (RDP) on port 3389 and Server Message Block (SMB) on port 445. Exposed RDP is one of the most common ways in (credentials are brute-forced or bought), and SMB is what the attackers use to move between machines once inside. Consider whether your business needs these ports reachable at all: never expose either to the internet; if remote access is required, put it behind a VPN or gateway with multi-factor authentication; and on the internal network, limit connections to the trusted hosts that actually need them.
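The review itself is a two-part question: is the service listening on a network-facing address, and does the host firewall restrict who can reach it? The script below is an added example, not from the article or any vendor, that answers both for a constructed `netstat -ano`-style listing (the shape Windows produces, where RDP and SMB usually live). The listing and the per-port firewall scope table are assumptions standing in for what you would collect from the real host.

```python
"""Audit RDP/SMB listeners against a trusted-hosts policy (added example).

Inputs are a constructed netstat-style listing and an assumed summary of the
host firewall's inbound scope per port. A listener on a risky port that is
bound to a network-facing address and not narrowed to trusted ranges is
reported as exposed.
"""
import ipaddress
import re

RISKY_PORTS = {445: "SMB", 3389: "RDP"}
WILDCARD = {"0.0.0.0", "[::]", "::", "*"}   # bound to every interface

# Matches LISTENING TCP rows: "TCP  <local-addr>:<port>  <foreign>  LISTENING  <pid>"
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTEN(?:ING)?\b", re.I)

# Constructed sample in the shape of `netstat -ano` on Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2210
  TCP    [::]:3389              [::]:0                 LISTENING       1120
  TCP    10.0.0.5:49672         203.0.113.9:443        ESTABLISHED     3040
"""

# Assumed firewall scope: port -> remote ranges the host firewall lets in.
# A port with no entry has no restricting rule, i.e. anyone can connect.
FIREWALL_SCOPE = {
    445: [ipaddress.ip_network("10.0.0.0/24")],   # SMB only from the office LAN
}


def parse_listeners(text):
    """Return (local_address, port) for every listening TCP socket in the listing."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2))))
    return listeners


def open_to_anyone(scope):
    """True when no rule narrows the port, or a rule allows the whole address space."""
    if scope is None:
        return True
    return any(net.prefixlen == 0 for net in scope)


def audit(text, firewall_scope):
    """Classify each risky listener as exposed or restricted."""
    result = {"exposed": [], "restricted": []}
    for addr, port in parse_listeners(text):
        if port not in RISKY_PORTS:
            continue
        if addr not in WILDCARD and ipaddress.ip_address(addr.strip("[]")).is_loopback:
            continue  # loopback-only listeners are not reachable from the network
        label = f"{RISKY_PORTS[port]}/{port} on {addr}"
        scope = firewall_scope.get(port)
        if open_to_anyone(scope):
            result["exposed"].append(label)
        else:
            allowed = ", ".join(str(net) for net in scope)
            result["restricted"].append(f"{label} (allowed from {allowed})")
    return result


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_NETSTAT, FIREWALL_SCOPE).items():
        for item in items:
            print(f"{kind}: {item}")
```

In the sample, SMB is narrowed to the office LAN and comes out as restricted, while RDP is listening on both the IPv4 and IPv6 wildcard addresses with no scoped rule and is reported twice as exposed. The fix on Windows is an inbound firewall rule for port 3389 scoped to the trusted remote addresses (or disabling RDP where it is not needed); on Linux, a source-address match in the nftables or iptables rule for the port. Note the IPv6 entry: audits that only look at IPv4 rules routinely miss a listener that is just as reachable over IPv6.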

What if the worst happens – how do I manage an attack?

Although prevention is the best form of defence (see the six steps above), if your business finds itself under attack, acting promptly can limit the damage.

Six quick steps to take in event of an attack:

Don’t panic and never pay the ransom

Try to stay level-headed rather than rushing to pay before you understand the scope of the incident. Paying does not guarantee a working decryptor, does not undo any data that has already been stolen, may be unlawful where the attackers are under sanctions, and marks you as an organisation that pays: according to research, around 80% of businesses that pay the ransom are hit a second time. Taking a step back with a calm head, and involving your incident response provider, legal team and insurer before anyone contacts the attackers, leads to a better outcome than an immediate reaction.

Report to local authorities (and / or the appropriate local regulator in your country)

As soon as you notice an attack, notify local authorities (which could be the police or a national cyber security agency, depending on where you are based). Ransomware is a serious crime and needs to be investigated; at the very least, your report helps others avoid a similar fate. If personal data may have been taken, regulators often impose short notification deadlines (for example, 72 hours under the GDPR), so start that clock early.

Isolate systems

Isolate the affected systems as soon as possible: ransomware typically scans the target network for other machines it can reach and spreads to them. Sever the affected systems from the network (unplug the cable, disable Wi-Fi, or quarantine them at the switch or through your endpoint tooling) to contain the infection. Do not power them off or wipe them: memory can hold encryption keys and other evidence that forensic analysts and decryption tools may need.

Disable maintenance tasks and disconnect backups

Immediately disable automated maintenance tasks on affected systems, e.g. temporary file removal or log rotation, to prevent them from destroying files that might be useful for forensics. Since most ransomware strains go after backups early to slow down recovery, secure your backups by disconnecting them from the rest of the network, and lock down access to backup systems until the ransomware has been removed and the attackers’ access has been closed.

Identify the type of ransomware attack

Use a free service such as ID Ransomware to determine the ransomware strain. You’ll be asked to upload a sample encrypted file and any ransom note left behind; upload nothing beyond that. Knowing the strain tells you how the group usually behaves (whether it steals data, how it spreads) and whether a free decryptor already exists, so check the No More Ransom project once you have a name.

Reset passwords

Assume the attackers captured credentials on their way in. Once the affected systems are off the network, change all online and account passwords from a clean device, starting with domain administrator, service and remote-access accounts, and revoke active sessions and tokens. After the ransomware has been removed, change all the system passwords once again, since anything reset while the attackers still had a foothold may have been captured too.

Prevention is always better than cure, so taking steps to avoid a ransomware attack is crucial. In the event of an attack, however, acting quickly can help to limit the damage. According to research, it should take mature businesses just 10 minutes to investigate an intrusion, yet only 10% are able to meet this benchmark. Make sure you’re one step ahead, with a plan in place to deal with the worst-case scenario.

Keen to read more widely about how you can protect your business? Check out our tips for managing increased risks of cybersecurity in the new world of remote working.
