Twenty seconds passed as my computer screen showed a steady stream of system files being locked, one by one. An employee had called and requested help because he couldn’t seem to access a file he needed. I discovered, unfortunately, our company was being attacked by ransomware.
Two questions immediately ran through my mind: If we pay, won’t this increase the incentive to attack us again? How can our company financially survive attacks on our system if we have to pay these ransoms?
Despite the fact that the FBI at that time recommended we pay the ransom for the key to unlock the encrypted files and move on, my team and I resolved not to pay and planned our defense strategy.
As it turned out, we needed to defend ourselves against ransomware twice in the last 17 months. External warnings and internal experience have taught us this: Ransomware is a force to be reckoned with in manufacturing.
The first incident began when a user in our company clicked an e-mail link that launched the infection and attacked approximately 3500 network files. This was an aggressive approach that infected all of the files the computer could access. We quickly identified and disconnected the infected machine to stop further attacks on the network files. Then we restored the locked files from our local backup system. This incident took place in about one hour, and most of our users were unaware of the issue.
About four months later, a second variation of ransomware came calling. Again, we resolved not to pay.
This time, the malware slowly locked network files as the infected user accessed them. This attack was not as easy to detect. It progressed more slowly and had a much larger impact on the company once the incident was discovered—days after it was perpetrated. Over 80,000 network files were locked, which hindered local backup efforts to restore the system.
To address this incident, we turned to our second- and third-level backup systems to restore the controlled files. Once it was discovered, several members of our IT team had to drop everything and work on this issue for about 12 hours.
Even though we didn’t pay the ransom, the incident did carry significant internal costs. Still, we know we chose correctly by not paying. We are better prepared than ever to defend ourselves and help our customers protect their own systems.
The most effective security strategies include several layers of defense. This approach is also one of the key steps to protect your company against ransomware attacks.
What we recommend to help prevent ransomware attacks and minimize damage when they occur:
1. Train your users how to recognize a possible attack. They need to know when not to click on attachments, hyperlinks or unexpected e-mails that appear valid.
2. If a machine is infected, disconnect it from the network immediately.
3. Install advanced e-mail threat-detection software that conducts in-depth scanning of e-mail attachments and hyperlinks.
4. Have systems in place that will spot mass changes to your network files and alert you to them.
5. Implement a company policy that all of your corporate files are stored in network-shared drives, not on local machines. If maintaining local-drive data is important to you, be sure to have a backup system in place to protect the files.
6. Maintain multiple backup systems that provide version/revision control and permit restores from multiple points in time. We utilize multiple backup systems with different schedules and also use a mix of onsite vs. cloud-based backups.
7. Restrict users’ access to hardware and the network. The users and the company are both protected when they only have access to the files they need.
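One way to approach recommendation 4, as an added example that is not code from our own systems: a per-account check over file-server audit records that flags both a fast burst, like the first incident, and a slow accumulation over a day, like the second. The record format `(timestamp, account, path)`, the thresholds, and the account names and paths in the sample data are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own file-server baseline.
BURST_WINDOW = timedelta(minutes=5)
BURST_FILES = 100    # distinct files changed by one account inside BURST_WINDOW
DAILY_FILES = 1000   # distinct files changed by one account in one calendar day

def detect_mass_changes(events):
    """events: time-ordered (datetime, account, path) write/rename records.
    Returns (kind, account, datetime) alerts, at most one per kind, account and day."""
    window = defaultdict(deque)       # account -> (ts, path) records still inside the window
    in_window = defaultdict(Counter)  # account -> path -> record count inside the window
    daily = defaultdict(set)          # (account, date) -> distinct paths changed that day
    fired, alerts = set(), []
    for ts, account, path in events:
        q, counts = window[account], in_window[account]
        q.append((ts, path))
        counts[path] += 1
        while ts - q[0][0] > BURST_WINDOW:   # expire records older than the window
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        day = (account, ts.date())
        daily[day].add(path)
        checks = (("burst", len(counts) >= BURST_FILES),
                  ("daily", len(daily[day]) >= DAILY_FILES))
        for kind, hit in checks:
            if hit and (kind, day) not in fired:
                fired.add((kind, day))
                alerts.append((kind, account, ts))
    return alerts

def sample_events():
    """Constructed audit records: one normal account, one fast and one slow encryptor."""
    start = datetime(2024, 1, 8, 8, 0, 0)
    rows = []
    for i in range(40):      # alice: 40 edits spread over ten hours
        rows.append((start + timedelta(minutes=15 * i), "alice", f"/share/docs/a{i}.xlsx"))
    for i in range(3500):    # bob: one file per second for about an hour
        rows.append((start + timedelta(seconds=i), "bob", f"/share/eng/b{i}.dwg"))
    for i in range(1200):    # carol: one file every 30 seconds, all day
        rows.append((start + timedelta(seconds=30 * i), "carol", f"/share/ops/c{i}.pdf"))
    return sorted(rows)

if __name__ == "__main__":
    for kind, account, ts in detect_mass_changes(sample_events()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:5s} {account}")
```

On the constructed data the burst rule catches the fast account within two minutes, while the slow account never trips it and is only caught by the daily distinct-file count, which is why both checks are worth running.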
The best time to stop a ransomware attack is before it happens. Acting now could help protect your company from data loss and financial damage.