Ransomware: a CIO’s recovery guide

The pandemic has led to a surge in ransomware attacks. What should firms and their CIOs do if their systems are infected?

There have been many business winners in the pandemic, from online retailers to PPE suppliers to Zoom. Unfortunately, ransomware hackers are part of this lucky group. 

Ransomware attacks have increased by 102% in 2021 compared to 2020, according to Graeme McGowan, a fellow of the Chartered Institute of Information Security and cyber risk and security consultant for ESA Risk. He says this is in part due to the rise in working from home, which meant many employees were using their own devices on poorly secured home networks, often without proper IT support.

The danger, then, is very real. However, Conor Byrne, managing director of Cribb Cyber Security, notes that “companies have often made some efforts to block the ransomware attacks but often don’t have a plan in place for how to deal with an attack.”

So what should companies and their CIOs do when they suffer a ransomware attack?

Should I pay the ransom?

The temptation for many companies, particularly those that have no disaster recovery plan in place, is to pay the ransom. The question is, should you?

McGowan’s answer is an emphatic “no”.

He says: “There is no guarantee that the perpetrator will free up your network and its data. Not only will you be paying a criminal group, but you are also more likely to be targeted in the future.”

Some cybercriminals do send the decryption key, but others simply take the money and run, knowing there are many more targets out there. A survey from cybersecurity specialist Sophos found that 92% of targeted companies didn’t get all their data back.

“Attackers often won’t release the encryption keys, but they will take and sell your data,” says Byrne. “This may lead to the ICO delivering large fines for the information breach.” 

Why time matters

When a ransomware attack occurs, time is critical. Call on in-house expertise if available or seek help from a third-party cybersecurity expert.

The first step is to contain the breach by isolating infected device(s) from other computers and storage devices. Disconnect them from the internet, whether through wired, wireless or mobile connections. Any networked computer can be a spreader.

Once contained, the nature of the breach should be investigated. If you’ve received a ransom note, you may know which ransomware has infected your system – this can help with disinfection and removal. 

You’ll likely need to conduct a deeper forensic investigation. This includes identifying which accounts were accessed and where the attacks came from. It means analysing system logs in detail.

As soon as you know what you are dealing with, you can start to eradicate it. This includes resetting passwords, removing malware, and closing ports. The Europol-backed No More Ransom project includes tools to deal with commonly used ransomware, such as Prometheus and Ragnarok. 

Only when you have removed all traces of the ransomware can you restore the network. This isn’t simply a matter of reconnecting computers to the network. Administrators will need to reset login credentials, especially administrator-level accounts, wipe infected devices and reinstall the operating system. It can be a lengthy process. 
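The investigation step above calls for working out which accounts were accessed and where the connections came from by analysing system logs. The script below is an added example, not part of the original article or of any tool it mentions, of how a responder might triage a batch of sshd-style authentication log lines: it lists the sources each account was used from, flags successful logins from outside the trusted internal range, and flags repeated failures against a single account. The log lines, the `10.0.0.0/8` trusted range and the `fail_threshold` value are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of sshd entries in /var/log/auth.log.
# Invented for this example; not taken from any real incident.
SAMPLE_LOG = """\
Mar 14 02:11:09 fileserver sshd[2231]: Accepted password for svc_backup from 10.0.5.17 port 51234 ssh2
Mar 14 02:13:44 fileserver sshd[2240]: Accepted password for svc_backup from 203.0.113.45 port 40022 ssh2
Mar 14 02:14:02 fileserver sshd[2241]: Failed password for root from 203.0.113.45 port 40023 ssh2
Mar 14 02:14:05 fileserver sshd[2241]: Failed password for root from 203.0.113.45 port 40023 ssh2
Mar 14 02:14:09 fileserver sshd[2241]: Accepted password for administrator from 203.0.113.45 port 40023 ssh2
Mar 14 08:30:00 fileserver sshd[3101]: Accepted publickey for alice from 10.0.5.22 port 52000 ssh2
"""

# Matches the common "Accepted/Failed <method> for <user> from <ip> port" shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

# Assumed networks from which interactive logins are expected; anything else is external.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]


def parse_auth_log(text):
    """Yield (timestamp, result, user, source_ip) for each line the regex understands."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def is_trusted(src):
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(text, fail_threshold=2):
    """Summarise who logged in from where and flag what a responder looks at first."""
    logins = defaultdict(set)      # user -> source IPs with successful logins
    failures = defaultdict(int)    # (user, src) -> number of failed attempts
    external_success = []          # (ts, user, src) for accepted logins from untrusted nets
    for ts, result, user, src in parse_auth_log(text):
        if result == "Accepted":
            logins[user].add(src)
            if not is_trusted(src):
                external_success.append((ts, user, src))
        else:
            failures[(user, src)] += 1
    repeated = [key for key, n in failures.items() if n >= fail_threshold]
    return {
        "accounts_accessed": {u: sorted(s) for u, s in logins.items()},
        "external_success": external_success,
        "repeated_failures": repeated,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for user, sources in report["accounts_accessed"].items():
        print(f"{user}: {', '.join(sources)}")
    for ts, user, src in report["external_success"]:
        print(f"REVIEW: {ts} {user} accepted from untrusted {src}")
    for user, src in report["repeated_failures"]:
        print(f"REVIEW: repeated failures for {user} from {src}")
```

Every account that appears in `external_success` is a candidate for credential reset and further review; the same parsing approach extends to other log sources (VPN, RDP, cloud audit logs) by swapping the regex and the notion of "trusted".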

Restoring a system to health 

If you’ve invested in regular backups, you can now restore the system to health. However, verify that any backup you use is free from malware. Using a system restore – effectively turning the system clock back to a time before the infection – is usually not sufficient.

It’s easy to focus only on the technical aspects but communicating with stakeholders is vital. This includes your bank, the police and your insurers, as well as employees, clients and suppliers.

Companies are often reluctant to reveal the breach, fearing bad press or a plummeting share price. Yet if news leaks, trust can be lost. Develop a communication strategy so that the right information reaches the right stakeholders in a timely fashion. This will help ensure you comply with any breach notification laws. 

It’s important to understand how critical the issue is and its effect on operations before notifying external parties. The worst scenario is that a panic ensues, with teams unable to focus on recovering the systems and operations.

Once you’ve restored your networks, monitor them for at least two weeks to ensure they’re “clean”. The UK’s National Cyber Security Centre, in conjunction with four other international cybersecurity agencies, has a much more detailed technical advisory for companies who have fallen victim to ransomware.

Recovery from a ransomware attack

If you survive the attack – and a large proportion of companies do not – putting a disaster recovery plan in place that ensures data is backed up is vital. This means that in the event that your data is encrypted and held ransom, “you are not subject to paying a ransom and hoping for the best,” says McGowan. 

“By investing in disaster recovery, you are investing in control. Only businesses that invest in a hardened security posture, as well as a validated disaster recovery programme that tests and restores data backups from off-site and preferably offline locations are adequately prepared.”

Byrne says: “If you are only going to do one thing, carry out a restore from backup. So many companies think their backups are good and then they fail on restore. Do a recovery at least once per year.”

Companies also need to invest in helping employees identify threats, he says.

“As ransomware is basically a con trick, it is really important that the users recognise the emails and communications that lead to an attacker being able to get the ransomware onto their computer.”

All companies should also implement a trusted cybersecurity and information governance framework such as the UK’s Cyber Essentials Plus or ISO 27001. Then employ an external security advisor and external data protection officer who can audit what’s been done to ensure it is fit for purpose.

The problem isn’t going away, believes McGowan.

“As a CIO, how am I going to manage the new world of work? I may have 50 members of staff but only three permanently in the office with the rest scattered around the UK. It is going to be a prevalent issue for a long time to come.”