How Should a Company Handle a Ransomware Attack in 2023

Cybersecurity is one of the most demanding fields, primarily because of the breadth of knowledge it takes to succeed. It requires people who understand programming and information technology and who also recognize the threats cybercriminals actually pose. While cybercrime might seem like a non-issue to the average person, it remains a persistent problem worldwide.

Thousands of databases store sensitive information about businesses, customers, and finances that could cause serious damage if the wrong people access it. The value of this information drives criminals to try to reach it illegally, and that risk has persisted despite a decade of advances in information technology. The larger problem is that the same advances have let cybercriminals refine their tools and skills over time.

When a new security measure is introduced, cybercriminals work to find a way around it. With decades of experience to draw on, established criminal groups have developed highly effective techniques, and even the oldest ones have been updated to defeat modern defenses that would stop a less skilled attacker.

One of the most common cyberattacks is ransomware, which has survived every generation of information technology and remains a viable weapon for cybercriminals. The problem is that modern ransomware is resilient to the strategies that stopped earlier versions, so companies must adopt new techniques and tools to withstand a ransomware attack in 2023.

What is Ransomware?

In the world of information technology, several threats could compromise the safety and integrity of a network. Some attackers exploit exposed services directly, while others attempt to gain physical access to an authorized device. The most common threat to a network is malware: software written to compromise a system or the data it holds.

Malware is often used as a catch-all term for viruses and other malicious programs, but it is only a generic label. Multiple subtypes of malware use different methods to access and compromise data. Ransomware is one of these types, and its purpose is to back the victim into a corner: the simplest definition is that it is extortion malware that can put companies and individuals in a precarious position.

Ransomware is built to infiltrate a network or device and encrypt the stored data so that the owner can no longer access it. This encryption locks out the network owner and every other authorized user. Typically, ransomware is delivered through a trojanized download or a phishing message that deceives the user into opening a file that looks legitimate, although attackers also break in through exposed remote-access services and stolen credentials. Once the files are encrypted, the attacker offers to restore access in exchange for payment.

Increasingly, the attacker also copies sensitive data before encrypting it and threatens to publish it if the ransom is not paid, a tactic known as double extortion. Some ransomware families are extremely sophisticated, whereas others are simple, but all remain a common threat to computer systems worldwide. This is hardly surprising since ransomware has existed for decades.

The first recorded ransomware attack occurred 34 years ago, in 1989. It was the AIDS Trojan, written by an evolutionary biologist named Dr. Joseph Popp and distributed on floppy disks. After a number of reboots, Popp’s trojan hid the directories and scrambled the file names on its victims’ C: drives, making their data unusable even though the file contents were left intact. Popp was eventually arrested, extradited to Britain, and held in Brixton Prison on 11 charges of blackmail brought by New Scotland Yard, although he was ultimately found unfit to stand trial. The ransom was to be mailed to a post office box in Panama in the name of the PC Cyborg Corporation.

Popp claimed that the money he obtained through his virus would be donated to AIDS research, hence the name of the AIDS Trojan. Unfortunately, Popp’s actions set a dangerous precedent that cybercriminals would use to create more intricate versions of his original trojan.

In the three decades since Popp wrote his trojan, advances in computing have given contemporary attackers far more effective tools, and modern ransomware uses strong public-key cryptography, so the data cannot be recovered by analysing the malware alone the way Popp’s scheme could be undone. Combating cybercriminals has become a constant contest in which defenders must keep enhancing their approach to account for new tools and tactics. The question of the hour is the standard plan for countering ransomware as of 2023.

Step #1: Alert Your Response Team

Any company that operates a significant network or database needs an effective cybersecurity team to maintain security. Such teams are composed of software and infrastructure specialists who know how to build defenses against data breaches and who set the standard practices every employee follows to minimize the odds of malware spreading through the network.

Part of that work is establishing an incident response team dedicated to countering cyberattacks. The response team follows a pre-determined playbook for specific attack types, including ransomware, so that decisions about isolation, evidence preservation, and communication are made in advance rather than under pressure.

Alerting the response team is always the first step, regardless of the year, because they are best equipped to mount a defense. The team must be reachable at any hour and ready to act immediately, and the playbook should name who is authorized to disconnect systems. Without a team like this, the odds of stopping ransomware and recovering from the damage are slim. A response team also means nothing without proper planning: a plan that has never been rehearsed tends to fail at the moment it is needed.

Step #2: Contain the Virus

The most important part of surviving a ransomware attack is ensuring it does not spread to the heart of the network. Once ransomware progresses too far, recovery becomes extremely difficult or even impossible. Fortunately, ransomware does not engulf a network instantly; it must work through the data it encrypts, host by host and file by file, and that takes time. Modern operators also tend to spend days or weeks inside a network, stealing data and spreading to other systems, before they trigger the encryption.

As a result, it is often possible to identify the malware before it affects the entire environment, giving the response team a chance to stop it. One of the first things the team should do is “contain the blast”: disconnect the affected hosts from the network (pull the cable, disable the wireless adapter, or quarantine the host through the endpoint agent) and disable the accounts and credentials the malware is using. Prefer network isolation over powering machines off, because a running system preserves the memory evidence investigators will need. This stage is one of the most critical and requires the response team to be ready to act quickly, which is why such teams are kept on hand to monitor the environment around the clock.

Once the infected segment is cut off from the rest of the network, you can begin the next stage of the response. Things only get more complicated from here, especially if the response was delayed.
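
Containment depends on spotting the encryption run early. The following is an added illustration, not code from the original article or from U.S. Cybersecurity: it scans file-system audit events for one process that rewrites or renames an unusual number of distinct files in a short window, and reports the hosts that should be isolated first. The event format, the host and process names, the ".lockd" suffix, and the thresholds are constructed assumptions for the example.

```python
"""Burst detector for file-system audit events (added example; the event
format, process names and thresholds are constructed assumptions)."""
import os
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed: how long a "burst" may span
MIN_FILES = 20                   # assumed: distinct files touched before we alert


def parse_event(line):
    """Parse 'timestamp host pid process op path' (constructed format)."""
    ts, host, pid, proc, op, path = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "proc": proc, "op": op, "path": path}


def detect_bursts(lines, window=WINDOW, min_files=MIN_FILES):
    """Return one alert per (host, pid, process) that rewrote or renamed at
    least `min_files` distinct files inside `window`. The alert also reports
    the dominant file extension, since ransomware tends to stamp every victim
    file with the same suffix."""
    by_actor = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["op"] in ("WRITE", "RENAME"):
            by_actor[(ev["host"], ev["pid"], ev["proc"])].append(ev)

    alerts = []
    for (host, pid, proc), events in by_actor.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            paths, exts = set(), defaultdict(int)
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                paths.add(ev["path"])
                exts[os.path.splitext(ev["path"])[1].lower()] += 1
            if len(paths) >= min_files:
                ext, n = max(exts.items(), key=lambda kv: kv[1])
                alerts.append({"host": host, "pid": pid, "process": proc,
                               "files": len(paths), "first_seen": start["ts"],
                               "dominant_ext": ext,
                               "ext_share": round(n / sum(exts.values()), 2)})
                break  # one alert per actor is enough to trigger isolation
    return alerts


def hosts_to_isolate(alerts):
    """Hosts the containment step should cut off first."""
    return sorted({a["host"] for a in alerts})


def constructed_sample():
    """Constructed audit log: a benign editor, a legitimate backup agent, and
    one process stamping 30 finance files with '.lockd' in 15 seconds."""
    base = datetime(2023, 3, 14, 9, 0, 0)
    lines = []
    for i in range(5):   # winword saving a few documents over ten minutes
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} ws-17 4412 winword.exe WRITE C:\\Users\\amy\\report{i}.docx")
    for i in range(10):  # backup agent writing staging chunks, below the threshold
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} ws-22 900 backupagent.exe WRITE D:\\staging\\chunk{i}.bin")
    for i in range(30):  # the burst we want to catch
        t = base + timedelta(minutes=5, seconds=i // 2)
        lines.append(f"{t.isoformat()} ws-17 5120 svc_update.exe RENAME C:\\Shares\\finance\\q{i}.xlsx.lockd")
    return lines


if __name__ == "__main__":
    found = detect_bursts(constructed_sample())
    for a in found:
        print(f"{a['host']} pid {a['pid']} ({a['process']}): {a['files']} files, "
              f"{a['ext_share']:.0%} ending in {a['dominant_ext']} from {a['first_seen']}")
    print("isolate:", hosts_to_isolate(found))
```

The threshold is the tuning knob: lower it and legitimate bulk writers such as backup agents and build servers start to trip it, so in a real deployment the rule is paired with an allow-list of known processes, and the extension homogeneity score is what separates an encryptor from a normal batch job.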

Step #3: Assess the Damage

Once the infected systems are separated from the rest of the network, the next stage is to assess the damage. If the team caught the malware quickly enough, very few files should be encrypted. Conversely, if the attack went unnoticed for a long time, most files might be encrypted and inaccessible.

Your circumstances directly affect your ability to recover and return to normal business. Therefore, you should immediately determine the scope of the attack: which hosts and shares were touched, which files are encrypted, what data may have been copied out, and which ransomware family is involved. Knowing what was lost also tells you what resources you need to restore it.

Assessing the damage is crucial because it shapes the final stages of dealing with the attack. We will return to that later, but once you have a general idea of the damage, the next step is a little more serious.
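
One way to put numbers on the scope is to sweep the affected shares for files that look encrypted. The script below is an added example, not code from the original article: it flags files whose content has the near-random byte distribution of ciphertext, skips formats that are high-entropy when healthy, tallies the extensions the encryptor stamped on its victims, and records where ransom notes were dropped. The sample directory, the ".lockd" suffix, the ransom-note file names, and the entropy threshold are constructed assumptions.

```python
"""Scope assessment for a ransomware incident (added example; the directory
tree, note names and '.lockd' suffix are constructed assumptions)."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5           # bits per byte; ciphertext sits near 8.0
NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.txt"}  # assumed
COMPRESSED_BY_DESIGN = {".zip", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg",
                        ".png", ".gz", ".7z", ".mp4"}   # high entropy when intact


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; plain text scores ~4-5, ciphertext ~8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_scope(root, sample_bytes=65536):
    """Walk `root` and report how far the encryption got: counts and bytes of
    files that look encrypted, the extensions they were stamped with, the
    directories hit, and any ransom notes found along the way."""
    root = Path(root)
    report = {"scanned": 0, "encrypted": 0, "encrypted_bytes": 0,
              "by_ext": Counter(), "dirs": set(), "notes": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        report["scanned"] += 1
        if path.name.lower() in NOTE_NAMES:
            report["notes"].append(path.relative_to(root).as_posix())
            continue
        if path.suffix.lower() in COMPRESSED_BY_DESIGN:
            continue   # would trip the entropy test even when untouched
        with open(path, "rb") as f:
            head = f.read(sample_bytes)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            report["encrypted"] += 1
            report["encrypted_bytes"] += path.stat().st_size
            report["by_ext"][path.suffix.lower()] += 1
            report["dirs"].add(path.parent.relative_to(root).as_posix())
    report["dirs"] = sorted(report["dirs"])
    return report


def constructed_tree():
    """Build a throwaway directory that mimics a partially encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="scope-"))
    (root / "docs").mkdir()
    (root / "finance").mkdir()
    for i in range(4):   # untouched plain-text documents
        (root / "docs" / f"notes{i}.txt").write_text("quarterly figures, line\n" * 200)
    for rel in ("docs/q1.txt.lockd", "docs/q2.txt.lockd", "finance/ledger.csv.lockd"):
        (root / rel).write_bytes(os.urandom(8192))   # stands in for ciphertext
    (root / "docs" / "deck.docx").write_bytes(os.urandom(8192))   # intact but compressed
    (root / "finance" / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted...\n")
    return root


if __name__ == "__main__":
    result = assess_scope(constructed_tree())
    print(f"{result['encrypted']}/{result['scanned']} files look encrypted "
          f"({result['encrypted_bytes']} bytes) in {result['dirs']}")
    print("stamped extensions:", dict(result["by_ext"]))
    print("ransom notes:", result["notes"])
```

Run it against a read-only copy or a snapshot of each affected share, never against the live host, and keep the output: the list of hit directories and the stamped extension are exactly what law enforcement and a decryptor search will ask for in the next steps. Entropy is a heuristic, so a file in a compressed format that the allow-list does not cover will show up as a false positive and should be confirmed by hand.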

Step #4: Contact the Authorities

Creating and deploying ransomware is a serious crime, and perpetrators face severe penalties. Being the victim of a ransomware attack makes you the victim of a crime, and you should report it to the authorities. Depending on the scale, you may start with your local police department, although few local departments have the resources to investigate the attack themselves.

More commonly, companies report to national law enforcement, such as the Federal Bureau of Investigation (FBI) in the United States, which takes reports through its Internet Crime Complaint Center (IC3), or the Royal Canadian Mounted Police (RCMP) and the Canadian Centre for Cyber Security in Canada, or whichever agency applies where you operate. Ransomware groups target organizations of every size: large companies attract the biggest demands, but small businesses with weaker defenses are hit just as often. As a result, the scale of an incident is usually larger than it first appears, unless the criminal only attempted to blackmail one person.

Regardless of the victim, contacting the authorities is essential since they are responsible for trying to apprehend the people behind the attack. Law enforcement does more than lead the investigation: if the group has been seen before, agencies may hold indicators of compromise, decryption keys recovered in earlier cases, or insight into the attackers’ methods that can help your response team.

Step #5: The Big Decision

Every major law enforcement organization tells companies not to pay the ransom. The main concern is that a successful attack funds and emboldens the attacker and inspires others to launch similar attacks on other companies. Refusing to pay can discourage future attempts, whereas paying signals that you are a victim who pays, which invites repeat attacks.

While refusing to pay the ransom is ideal, it requires the situation to favor the victim in terms of what was lost, how easily that data can be recovered, and how long recovery will take. Some companies operate fast-paced businesses that require immediate access to sensitive and irreplaceable data. When that data is lost, the whole company grinds to a halt, and its clients suffer too.

Therefore, you will always face the dilemma of whether to fight through the attack or pay the ransom. Paying is not advisable and carries no guarantee: the decryptor you receive may be slow or broken, and a copy of any stolen data may be published anyway. While paying a ransom is not illegal in itself in the United States or Canada, law enforcement and government agencies discourage it, and a payment to a sanctioned group or jurisdiction can violate sanctions law (in the United States, the Treasury’s Office of Foreign Assets Control has warned that such payments may expose the payer to penalties), so involve legal counsel before any decision. Ideally, your cybersecurity protocols catch the ransomware before critical data is lost, and even when data is lost, an alternative may exist so that you do not have to pay.

Step #6: Restore From Backup

The risk of compromised data has made it important for companies to follow the “don’t put all your eggs in one basket” principle. This means ensuring your network has a reliable backup from which compromised data can be recovered. The best backups are kept offsite or in a separate cloud account, isolated from the production network and, critically, not writable with the same credentials an administrator uses every day, because modern ransomware deliberately hunts for and encrypts or deletes any backup it can reach before it detonates. A common rule of thumb is 3-2-1: three copies of the data, on two different kinds of media, with one copy offline or immutable. This way, an encrypted network can be restored by copying data from the backup to the production systems once they have been rebuilt and secured.

A backup system eliminates most of the guesswork and heavy lifting of recovering from a ransomware attack. Keeping a copy offline, on media that is physically disconnected or on storage that cannot be altered for a set retention period, is considerably safer than a continuously connected copy, although it can make restoration slower.

Nevertheless, maintaining backups is the best method of ensuring your company data is not permanently lost. That said, how often you back up determines how much you can still lose. If you only copy data to the backup at the end of the month, you risk losing a month of work in a ransomware attack. Backing up at the end of each day limits the loss to 24 hours, which staff have a much better chance of reconstructing from memory and other records. Backups must also be tested by actually restoring from them, and the restore point you choose should predate the attacker’s first access, not just the encryption, or you risk restoring their foothold along with your data.
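
Choosing which backup to restore from is where the two caveats above meet: the snapshot must predate the intrusion, and it must still be intact. The script below is an added example, not code from the original article or from any backup product. It records a SHA-256 manifest for each snapshot, rejects any snapshot whose files no longer match their digests, and then picks the newest one taken before the attacker’s first known activity, reporting how large the data-loss window is. The nightly snapshot layout, the dates, and the file contents are constructed assumptions.

```python
"""Choosing a restore point after ransomware (added example; the snapshot
layout, timestamps and file contents are constructed assumptions)."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(snapshot_dir):
    """Map relative path -> SHA-256 for every file in a snapshot. In practice
    the manifest lives on separate, write-once storage so that an attacker
    who reaches the backup share cannot rewrite both file and digest."""
    return {p.relative_to(snapshot_dir).as_posix(): sha256_file(p)
            for p in sorted(snapshot_dir.rglob("*")) if p.is_file()}


def verify_snapshot(snapshot_dir, manifest):
    """Return the files whose content no longer matches the manifest:
    missing, overwritten or encrypted after the backup was taken."""
    return [rel for rel, digest in manifest.items()
            if not (snapshot_dir / rel).is_file()
            or sha256_file(snapshot_dir / rel) != digest]


def choose_restore_point(snapshots, manifests, first_malicious_activity):
    """Pick the newest snapshot that (a) predates the attacker's first known
    activity, not merely the encryption, so their persistence is not restored
    with the data, and (b) still verifies against its manifest. Returns
    (timestamp, path, data_loss_window) or None if no snapshot qualifies."""
    for ts in sorted(snapshots, reverse=True):
        if ts >= first_malicious_activity:
            continue   # may already contain encrypted files or a backdoor
        if verify_snapshot(snapshots[ts], manifests[ts]):
            continue   # the backup itself was reached and altered
        return ts, snapshots[ts], first_malicious_activity - ts
    return None


def constructed_scenario():
    """Three nightly snapshots; the attacker got in late on the 13th and also
    scribbled over one file in that night's backup."""
    root = Path(tempfile.mkdtemp(prefix="bk-"))
    snapshots, manifests = {}, {}
    for day in (12, 13, 14):
        ts = datetime(2023, 3, day, 2, 0)
        d = root / ts.strftime("%Y%m%dT%H%M")
        (d / "finance").mkdir(parents=True)
        (d / "finance" / "ledger.csv").write_text(f"day,{day}\nrevenue,1000\n")
        (d / "finance" / "payroll.csv").write_text("name,amount\namy,10\n")
        snapshots[ts], manifests[ts] = d, write_manifest(d)
    first_malicious_activity = datetime(2023, 3, 13, 23, 30)
    tampered = snapshots[datetime(2023, 3, 13, 2, 0)] / "finance" / "ledger.csv"
    tampered.write_bytes(os.urandom(512))   # stands in for encryption of the backup
    return snapshots, manifests, first_malicious_activity


if __name__ == "__main__":
    snaps, mans, t0 = constructed_scenario()
    chosen = choose_restore_point(snaps, mans, t0)
    if chosen is None:
        print("no clean snapshot predates the intrusion; rebuild from scratch")
    else:
        ts, path, window = chosen
        print(f"restore from {path} (taken {ts}); data loss window {window}")
```

In the constructed scenario the newest snapshot is skipped because it was taken after the intrusion began, the middle one fails verification because the attacker reached the backup share, and the oldest one is chosen at the cost of a 45.5-hour data-loss window. That window is the argument for nightly or more frequent backups, and the integrity failure is the argument for keeping manifests and at least one copy somewhere the production credentials cannot write.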

Technically Speaking…

Ransomware is extortion malware that can devastate a company if the proper precautions are not taken. Responding to a ransomware attack is a complicated process requiring resources and skill. As of 2023, the steps needed to counter ransomware have not changed much, but the particulars of these steps require more advanced tools than were needed even 10 years ago. Unfortunately, knowing how to counter ransomware is insufficient if you want to ensure maximum protection for your network.

Protecting company data requires proactive action and a cybersecurity team that constantly monitors and enhances your network’s security. Unfortunately, staffing and financing such a team can be expensive, particularly when you must build their workspace and supply their tools.

We at U.S. Cybersecurity know that maintaining a reliable cybersecurity team is crucial to your company’s safety and that of your customers. That is why we offer third-party cybersecurity services that provide the tools and tactics needed to protect against digital threats, including ransomware. We encourage you to visit our website and see what we can offer in the way of cybersecurity services. As always, we are standing by to assist you.

Herman McCargo

Herman is a Microsoft Certified Security Engineer and Cybersecurity Specialist. He’s been in the technology field for over 20 years and has expertise working with the most critical technology infrastructures. He has a deep understanding of cyber risks, threat mitigation and prevention, and overseeing infrastructure.