Among cyber-attacks against businesses, ransomware is causing an increasing number of damages. In the event of infection, an appropriate initial response is required, so it is necessary to know what action to take. This article provides basic knowledge about ransomware, initial responses in the event of infection, and what not to do.

What is ransomware?
Ransomware is a term coined by combining the words "ransom" and "software," and is a type of computer virus that demands a ransom. It is a malicious program that locks an infected computer, encrypts files to make them unusable, and demands a ransom in exchange for their restoration. In recent years, ransomware that threatens to disclose stolen data if the ransom is not paid has also become popular.
Differences from Malware and Viruses
Malware is a coined word combining "malicious" and "software," and is a generic term for malicious software created with the intention of operating in an unauthorized and harmful manner. A computer virus is a malicious program that propagates itself by inserting code into other programs. Both ransomware and viruses are types of malware.
[Related Article] What happens if you are infected with malware? /fllp/malware-infection
How Ransomware Infection Affects Businesses
This article explains the impact on a company if an employee's computer or other device is infected with ransomware.
Burden of damage response and financial loss
When infected with ransomware, it is necessary to ask a specialized company to recover data and strengthen security measures, which places a heavy burden on the company's security staff and can result in a large financial loss.
Leakage of personal and other information, affecting customers and business partners
Ransomware infection can cause invasion of privacy and leakage or misuse of personal information. Inadequate response or insufficient provision of information to customers and business partners can damage relationships of trust.
Company operations and services will be suspended.
The shutdown or malfunction of an entire organization's operations or services is another serious consequence of ransomware infection. For a manufacturing company, a production line could come to a halt, and for a hospital, systems related to electronic medical records and reimbursement could be affected, making it impossible to continue medical care.
Damages and other legal risks arise.
In addition to losses due to business stoppages and loss of trust, there are also legal risks depending on the data handled. If a company is held legally liable for the leakage of personal information due to infection, it may be liable to pay a fine.
How is ransomware infected?
The main ransomware infection routes are files and links attached to e-mails and browsing compromised (tampered-with) websites. In recent years, more and more ransomware has been introduced by exploiting vulnerabilities in VPN devices exposed to the Internet and by using stolen authentication credentials.
Three actions you should never take if you are infected with ransomware
If you suspect that you have been infected with ransomware, here are three actions that you should definitely avoid.
Restart the infected device
If you reboot an infected device or system, encryption that was halted by the shutdown may resume, leaving the files on the device unreadable. Because it is preferable to preserve the current memory contents (for example via hibernation) rather than shut the device down in the first place, we also do not recommend forcibly shutting the device down unnecessarily. The important thing is to disconnect the terminal from the network as soon as possible without restarting it.
Backup after infection.
Backing up after being infected with ransomware means saving the data in its infected state, so there is a risk of being infected again after recovery. Connecting that backup to another device can also spread the infection. It is important to take backups regularly, on a daily basis, before an infection occurs.
Pay the ransom without consulting a specialist or the police.
Ransomware demands a ransom in exchange for decryption, but paying the ransom does not guarantee that your data will be recovered. Recently there have been cases of double extortion: in addition to withholding decryption, the attackers threaten to disclose the stolen data to the public. Even if you agree to pay, additional demands may follow. First, promptly consult a specialist or the police.
What to do if you are infected with ransomware
This section describes the initial response required if you suspect you have been infected with ransomware.
Disconnect from the network
Immediately disconnect the device from the network, as there is a risk of the infection spreading to other devices connected to the same network. This may also stop the encryption from progressing. Disconnect promptly by unplugging the LAN cable in the case of a wired connection, or by turning off Wi-Fi in the case of a wireless connection.
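For the "disconnect without restarting" guidance in this section and the preceding one, here is an added example of how an IT responder could script that step on a Linux host; it is not code from FRONTEO or this article, and it assumes iproute2 and procps are installed and that it runs as root (the interface listing it parses is a constructed sample):

```shell
#!/bin/sh
# Added example, not FRONTEO's code: a first-responder script for a Linux host
# suspected of ransomware infection. It snapshots volatile state, then takes every
# non-loopback interface down with no shutdown and no reboot, as the article advises.
# Assumptions: iproute2 (ip, ss) and procps (ps) are installed and it runs as root.
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/ir-$(date +%Y%m%d%H%M%S)}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the isolation commands instead of running them

# Read "ip -o link show" output on stdin and print the interface names to cut,
# skipping loopback and stripping the "@ifN" suffix of virtual interfaces.
select_ifaces() {
    awk -F': ' '{ split($2, name, "@"); if (name[1] != "lo") print name[1] }'
}

# Constructed sample of "ip -o link show" output (not captured from a real host),
# so the parser can be exercised without touching the network.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
4: veth1@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

# Returns the space-separated interface list parsed from the sample: "eth0 wlan0 veth1"
demo_select() {
    printf '%s\n' "$SAMPLE_LINKS" | select_ifaces | tr '\n' ' ' | sed 's/ $//'
}

# Snapshot what a reboot would destroy: processes, sockets, logged-in users.
# Each step tolerates a missing tool so that isolation still proceeds.
capture_volatile() {
    mkdir -p "$EVIDENCE_DIR"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$EVIDENCE_DIR/isolated_at.txt"
    ps -eo pid,ppid,user,lstart,cmd > "$EVIDENCE_DIR/processes.txt" 2>/dev/null || true
    ss -tanp > "$EVIDENCE_DIR/sockets.txt" 2>/dev/null || true
    who > "$EVIDENCE_DIR/logins.txt" 2>/dev/null || true
}

# Cut wired and wireless links alike; the machine keeps running for the investigators.
isolate_host() {
    capture_volatile
    ip -o link show | select_ifaces | while read -r ifc; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "would run: ip link set dev $ifc down"
        else
            ip link set dev "$ifc" down && echo "$ifc down" >> "$EVIDENCE_DIR/isolated_at.txt"
        fi
    done
}
# Isolation only happens when invoked with --isolate (e.g. "sh isolate.sh --isolate").
if [ "${1:-}" = "--isolate" ]; then isolate_host; fi
```

Run it first with DRY_RUN=1 to confirm which interfaces would be cut; the evidence directory it writes is what investigators will want to see after the device has been disconnected.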
Incident reporting and sharing with system personnel
Unless you are a security expert yourself, it is dangerous to solve the problem on your own. Promptly share the incident with the person in charge within your organization.
Consult with a cyber security specialist
Consult not only your own security department, but also an outside specialist. This will enable you to take appropriate action as soon as possible and minimize the damage.
Understand the details of the infection and identify the infection route
It is necessary to identify which systems were affected, how they were accessed, and what data was leaked. Attack methods and intrusion routes are identified by thoroughly scanning the company's terminals, after which each infected or suspicious terminal is investigated individually to determine the extent of the damage and the cause of the infection.
Use of decryption tools
Decryption tools for certain ransomware families are published on information websites, so there is a possibility that encrypted files can be restored. If a backup from before the infection exists, the data can be restored by reinitializing the computer, but be aware that all data present immediately beforehand will be deleted, making it impossible to investigate the infected state. In addition, if the computer is actually infected, do not restore the data based on amateur judgment; after disconnecting the computer from the network, ask your own information system staff or a vendor such as a forensic investigation company to do so.
For responses to ransomware infection damage and cyber security investigations, utilize FRONTEO's services.
As described above, the initial response to a ransomware infection requires meticulous care and prompt processing, so it is recommended to use a professional service. FRONTEO's Cyber Security Investigation Package provides high-quality cyber security investigations recommended by several insurance companies.
This is an effective solution for initial response that includes the minimum necessary investigations to respond to a cyber attack, such as EDR investigations and dark web investigations, in a single package. Additional investigations, such as Wi-Fi vulnerability investigations, NDR investigations, and penetration tests, can also be conducted. For companies that do not have personnel with specialized knowledge, concerns remain about the speed and expertise of contingency response. Based on the know-how gained from our overwhelming track record, FRONTEO will support your initial response to cyber attack damage.
[Related Article] Cyber Security Investigation Package: https://legal.fronteo.com/smaller-companies-package/
For inquiries about FRONTEO's cyber security services, please contact us at https://legal.fronteo.com/contact/
[Related Article] How is ransomware transmitted? Countermeasures, prevention, and what to do in case of infection ./fllp/ransomware-infection-routes