Taking Advantage of Ransomware’s Biggest Secret

This blog post is part of a series of cyber incident top tips; you can view them all here.

Ransomware continues to be one of the biggest threats to all organisations and shows no signs of going away anytime soon. With most hackers looking for any opportunity to gain access, organisations are actively working to guard against ransomware, but despite this, it seems many aren’t taking essential precautions. A shocking 97% of UK businesses have paid ransoms following ransomware attacks in the past two years, in spite of having policies against such actions.¹

The typical scenario goes like this: a hacker gains administrative access to your critical IT systems, encrypts them, and demands a ransom for decryption. Your operations come to a grinding halt, your organisation faces a financial catastrophe, and you’re left scrambling to update your CV.

In this moment of crisis, the hope is that you can recover your systems or data from backups, thereby avoiding the need to pay the ransom. However, even organisations with a strict policy against paying ransoms may find themselves reconsidering when recovery efforts fall short.

The Hidden Secret of Ransomware

So, what’s the secret to effectively handling a ransomware attack? When faced with encrypted systems, your first instinct might be to wipe them clean and start anew. However, this can be a big mistake! Contrary to popular belief, your systems may not be fully encrypted. Often, hackers only partially encrypt files, which can, under certain circumstances, be recovered or reconstructed.

Why is this possible? Encrypting entire systems is a time-consuming process, and the hacker doesn’t need to do it to convince you that you’ve lost everything. So, lots of ransomware only partially encrypts data, such as just the file headers. This deceptive tactic can make it seem as though all is lost when, in fact, significant portions of your data may remain accessible.

The Crucial Role of Forensic Experts

The critical lesson here is not to wipe your systems before specialist forensic experts have examined them to assess the encryption level and extent. Forensic experts can quickly determine whether your data is genuinely encrypted or if it can be recovered. This examination process is swift since encrypted data is easily distinguishable from non-encrypted data. By conducting this forensic analysis, you might discover that your data can be salvaged without paying the ransom.
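To illustrate why encrypted and non-encrypted regions are easy to tell apart, here is an added example (not part of the original post) that maps the high-entropy regions of a file by measuring Shannon entropy per block. The function names, the 4096-byte block size and the 7.5 bits-per-byte threshold are assumptions chosen for illustration, and the sample file is constructed inline.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096       # assumed block size for the scan
THRESHOLD = 7.5    # assumed cut-off in bits per byte (the maximum is 8.0)

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a block, in bits per byte."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def map_high_entropy(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD):
    """Return merged (offset, length) runs of blocks at or above the threshold."""
    runs = []
    for off in range(0, len(data), chunk):
        block = data[off:off + chunk]
        if shannon_entropy(block) < threshold:
            continue
        if runs and runs[-1][0] + runs[-1][1] == off:
            # Block is adjacent to the previous run: extend it.
            runs[-1] = (runs[-1][0], runs[-1][1] + len(block))
        else:
            runs.append((off, len(block)))
    return runs

def summarise(data: bytes) -> dict:
    """Report how much of the data looks random and where it sits."""
    runs = map_high_entropy(data)
    high = sum(length for _, length in runs)
    return {"size": len(data), "high_entropy_bytes": high,
            "fraction": high / len(data) if data else 0.0, "runs": runs}

def constructed_sample() -> bytes:
    """Constructed 64 KiB test file: the first 8 KiB stands in for an
    encrypted header (SHA-256 output used as random-looking bytes), the
    remainder is untouched plain text."""
    header = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))
    text = "".join(f"record {i:06d} constructed sample line\n" for i in range(2000)).encode()
    return header + text[:57344]

if __name__ == "__main__":
    report = summarise(constructed_sample())
    print(f"{report['fraction']:.1%} of the file is high-entropy")
    for off, length in report["runs"]:
        print(f"  offset {off:#x}, {length} bytes")
```

Compressed formats (ZIP archives, JPEG images, most video) also score close to 8 bits per byte, so a map like this is a triage signal for where to look, not proof of encryption. Run it against a forensic copy rather than the affected disk.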

The Power of an Incident Response Retainer

This is where an incident response retainer comes into play. An incident response retainer ensures that forensic experts are immediately available to assess your systems before any drastic actions are taken. With a retainer in place, you have guaranteed access to professionals who can quickly evaluate the situation and provide you with the best course of action.

Preventative Measures

To further protect your organisation, we strongly recommend preventative measures such as an immutable backup solution. Ensuring that your backups are secure and resilient is crucial for recovery in the face of a ransomware attack. In partnership with Veeam, we offer robust solutions that include air-gapped backups and immutability features to protect your data.

Need Help Now?

If you have been, or suspect you have been, a victim of a security breach, our 24/7 Incident Response service can provide instant on-site support. Whether you are new to Daisy, an existing customer, or have a guaranteed response retainer in place, you can call us now and speak to one of our experienced security specialists.

Talk to one of our specialists. Call us on 0344 863 3000.