
2023/10/11

Among the types of cyber-attacks against companies, damage caused by ransomware is increasing. An appropriate initial response is required in the event of infection, so it is important to know in advance what actions to take. In this article, we explain the basic facts about ransomware, the initial response in case of infection, and what not to do.

What is ransomware?
Ransomware is a coined term combining "ransom" and "software", and is a type of computer virus that demands a ransom. It is a malicious program that locks an infected computer or encrypts its files, making them unusable, and demands a ransom in exchange for their restoration. In recent years, ransomware that also threatens to release stolen data unless a ransom is paid has become widespread.
Difference between malware and virus
Malware is a coined term combining "malicious" and "software", and is a general term for software created with the intention of operating in an unauthorized and harmful manner. A computer virus is a malicious program that reproduces itself by injecting its code into other programs. Both ransomware and viruses are types of malware.
[Related article] What happens if you are infected with malware? Explanation of infection routes, countermeasures, and coping methods
Impact of ransomware infections on businesses
We will explain the impact on a company if an employee's computer is infected with ransomware.
Burden of damage response and financial losses
If you are infected with ransomware, you will need to hire professionals to recover your data and strengthen your security measures, which places a burden on your in-house security staff and incurs large financial losses.
Information such as personal information is leaked, affecting customers and business partners.
Ransomware infections can lead to privacy violations and to the leakage and misuse of personal information. If the response is inappropriate, or if customers and business partners are not informed sufficiently, there is a risk that their trust in the company will deteriorate.
Business operations and services stop
One of the serious negative effects of a ransomware infection is that the operations and services of the entire organization may stop or malfunction. In the manufacturing industry, production lines may stop; in hospitals, outages of electronic medical record and medical billing systems may affect the ability to continue providing care.
Legal risks such as compensation for damages arise
In addition to losses due to business suspension and loss of trust, legal risks may also arise depending on the data handled. If the company is found legally responsible, for example when personal information is leaked because of the infection, it may have to pay fines or compensation.
What is the infection route of ransomware?
The main infection routes for ransomware are files and links attached to emails and visits to compromised websites. In recent years, there has also been an increase in unauthorized intrusions that exploit vulnerabilities in internet-exposed VPN devices and use stolen authentication credentials.
3 things you should never do if you are infected with ransomware
Here are three things you should definitely avoid if you suspect you've been infected with ransomware.
Restart the infected device
If you restart an infected device or system, there is a risk that data encryption that was stopped by the shutdown will resume, making the files on the device inaccessible. If the device must be powered down at all, hibernation, which saves the current memory contents to disk before powering off, is preferable to forcibly shutting it down, because the saved memory contents remain available for investigation. What matters most is to disconnect the device from the network immediately, without restarting it.
Take a backup after infection
If you take a backup after being infected with ransomware, you save the data in its infected state, so there is a risk of re-infection when you later restore from that backup. Connecting the backup medium to other devices may also spread the infection. Backups should be taken regularly, before any infection, as a preventive measure.
Paying the ransom without consulting experts or the police
Ransomware demands a ransom in exchange for decryption, but paying does not guarantee that your data will be recovered. Recently, in addition to withholding decryption, attackers increasingly apply a second threat ("double extortion"): releasing the data they stole. Even if you pay, further demands may follow. Consult a specialist or the police immediately before doing anything else.
What to do if infected with ransomware
We will explain the initial response you need to take if you suspect that a computer has been infected with ransomware.
Disconnect from the network
There is a risk that the infection will spread to other devices connected to the same network, so immediately disconnect the device from the network. This may also stop the encryption from proceeding further. Disconnect quickly: unplug the LAN cable for a wired connection, or turn off Wi-Fi for a wireless one.
Incident reporting/sharing with system personnel
Unless you are a security expert yourself, it is risky to try to solve the problem on your own. Promptly share it with the person in charge within your organization.
Consult with a cybersecurity specialist
In addition to your own security department, consult outside experts. Taking appropriate measures quickly makes it possible to minimize the damage.
Understanding the details of the infection and identifying the infection route
You need to determine which systems were affected, how they were accessed, and what data was compromised. Thoroughly scanning in-house devices identifies the attack methods and intrusion routes, and investigating infected and suspected devices individually identifies the extent of the damage and the cause of the infection.
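The step above asks which systems were affected and in what order. As an added example (not FRONTEO's code or part of its service), the following Python script shows one way to start that triage from file metadata already collected from each device: it groups files by host and directory, flags directories with a burst of files that gained an unfamiliar extension or that contain a ransom-note-like file, and sorts the findings by first-seen time so the earliest host becomes the starting point for tracing the intrusion route. The extension allow-list, the ransom-note name hints, the FileRecord structure and the sample records are all constructed assumptions for illustration.

```python
# Added example, not FRONTEO's code. Assumes file metadata (host, path, mtime)
# has already been gathered from each device; lists below are illustrative.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath


@dataclass
class FileRecord:
    host: str         # device the file was collected from (assumed field)
    path: str         # forward-slash path as collected (assumed format)
    mtime: datetime   # last-modified timestamp


# Illustrative assumptions: extensions normally seen on the share, and words
# that commonly appear in ransom-note file names.
KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt", ".csv"}
NOTE_HINTS = ("decrypt", "restore", "recover", "readme", "how_to")


def is_ransom_note(path: str) -> bool:
    """Text/HTML file whose name suggests a ransom note."""
    p = PurePosixPath(path)
    return p.suffix.lower() in {".txt", ".html", ".hta"} and any(
        hint in p.stem.lower() for hint in NOTE_HINTS
    )


def has_unknown_extension(path: str) -> bool:
    """Encrypted files usually gain an extension not normally seen on the share."""
    suffix = PurePosixPath(path).suffix.lower()
    return bool(suffix) and suffix not in KNOWN_EXTS


def burst_start(times, window: timedelta, min_files: int):
    """Start of the first window holding at least min_files events, else None."""
    times = sorted(times)
    for i, t in enumerate(times):
        j = i
        while j < len(times) and times[j] - t <= window:
            j += 1
        if j - i >= min_files:
            return t
    return None


def triage(records, window=timedelta(minutes=10), min_files=5):
    """Flag (host, directory) pairs showing ransomware-like activity.

    Findings are sorted by first-seen time: the earliest host is the best
    place to begin identifying the intrusion route.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r.host, str(PurePosixPath(r.path).parent))].append(r)

    findings = []
    for (host, directory), recs in groups.items():
        notes = sorted(r for r in recs if is_ransom_note(r.path))
        renamed = [r.mtime for r in recs if has_unknown_extension(r.path)]
        start = burst_start(renamed, window, min_files)
        if not notes and start is None:
            continue  # nothing suspicious in this directory
        candidates = [n.mtime for n in notes] + ([start] if start else [])
        findings.append({
            "host": host,
            "directory": directory,
            "first_seen": min(candidates),
            "encrypted_files": len(renamed),
            "ransom_notes": [n.path for n in notes],
        })
    findings.sort(key=lambda f: f["first_seen"])
    return findings


def sample_records():
    """Constructed sample: one workstation hit first, a file server 15 min later."""
    t0 = datetime(2023, 10, 11, 9, 0)
    recs = []
    for i in range(6):  # PC-01: six documents renamed within two minutes
        recs.append(FileRecord("PC-01", f"C:/Users/alice/Documents/report{i}.docx.locked",
                               t0 + timedelta(seconds=20 * i)))
    recs.append(FileRecord("PC-01", "C:/Users/alice/Documents/README_DECRYPT.txt",
                           t0 + timedelta(minutes=2)))
    for i in range(5):  # FILESRV: shared folder encrypted later
        recs.append(FileRecord("FILESRV", f"/srv/share/finance/q3_{i}.xlsx.locked",
                               t0 + timedelta(minutes=15, seconds=30 * i)))
    for i in range(4):  # PC-02: ordinary edits spread over days, not flagged
        recs.append(FileRecord("PC-02", f"C:/Users/bob/Documents/notes{i}.txt",
                               t0 - timedelta(days=i)))
    return recs


if __name__ == "__main__":
    for f in triage(sample_records()):
        print(f["first_seen"], f["host"], f["directory"],
              f["encrypted_files"], "encrypted files", f["ransom_notes"])
```

Sorting by first-seen time is the useful part: on the constructed sample the workstation appears before the file server, which is where a responder would look for the email attachment or remote-access session that started the chain. The thresholds (window and minimum file count) are tuning knobs; on a real share they should be set from the normal rate of edits.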
Using decryption tools
Decryption tools for certain ransomware families are published on information sites, so it may be possible to restore encrypted files. If you have a backup of pre-infection data, you can restore it after reinitializing the computer, but be aware that all data currently on the computer will be deleted and you will no longer be able to investigate the infection. In an actual infection, do not attempt restoration on your own: disconnect the device from the network and leave restoration to your company's information systems staff or to a vendor such as a forensic investigation company.
Use FRONTEO's services to respond to ransomware infection damage and conduct cybersecurity investigations
In this way, the initial response to a ransomware infection requires careful attention and prompt action, so using specialized services is recommended. FRONTEO's Cybersecurity Investigation Package, backed by a track record of over 10,600 fraud investigations, provides high-quality cybersecurity investigations that are recommended by multiple insurance companies.
It is an effective initial-response solution that bundles the minimum necessary investigations in the event of a cyberattack, such as EDR investigation and dark web investigation, into one package; additional investigations such as Wi-Fi vulnerability investigation, NDR investigation, and penetration testing can also be conducted. Companies without staff with specialized knowledge often have concerns about the speed and professionalism of their emergency response. Drawing on the know-how gained from its extensive track record, FRONTEO supports the initial response to cyberattack damage.