What is a ransomware attack? How to avoid it and what to do if your data is held hostage

Ransomware is a kind of malicious software - any code or program - that cybercriminals use to gain access to, and control over, victim’s devices and sensitive data. If successful, the criminals will then demand a ransom payment to stop their malicious behaviour, which can include controlling the affected devices, deleting sensitive data, or releasing that sensitive data, among other things.

CDK Global was hit by a ransomware attack on Wednesday, 19 June, which affected thousands of US car dealerships, highlighting the danger and potential impact of such attacks.

Ransomware is one of the most common forms of criminal attacks on computer systems. IBM report that in 2023 around 20% of all cyberattacks were ransomware.

Given that many organisations do not reveal whether they paid a ransom or not, it is hard to get exact figures on the impact of ransomware, but estimates put global payments at over $1 billion in 2023.

According to IBM, the average payment is in the high six-figures to low seven-figures in dollars, though some demands can reach up to $80 million.

How to avoid a ransomware attack?

To prevent ransomware attacks, constant vigilance and the implementation of precautionary measures is key. Organisations and individuals should be constantly aware of the risks and take steps to minimise these.

The steps can include:

Maintaining protected backups. The backups should be made on a constant basis and there should ideally be copies of back ups made on hard drives that can be disconnected from the network to avoid them being infected during a ransomware attack. The best method is to have a number of redundant backups, some of which only connect to the network when backing up, and which are not all connected at the same time.

Applying all patches and software upgrades timeously. This avoids software and operating system vulnerabilities.

Employee training and individual awareness. Organisations should run regular courses to ensure employees and contractors can spot and avoid phishing and other methods criminals use to infect systems with ransomware. Individuals should stay up to date on the latest methods criminals use.

Using cybersecurity tools. There are a raft of tools individuals and organisations can employ to keep themselves safe. These include network security monitoring, encryption, web vulnerabilities scanning, penetration testing of security systems, network intrusion detection, firewalls, among others. There are a number of reputable suppliers in the market who can provide solutions.

Having and maintaining up to date response plans. Organisations should have formal plans to respond to ransomware incidents, which help identify breaches sooner, assist in dealing with the incident and lowers the costs of solving the problem.

What to do if your data is held hostage?

If data and/or devices are held hostage by ransomware it is usually a high-stress situation, with potentially lives and livelihoods at risk.

US law enforcement agencies unanimously agree that victims should not pay ransom demands.

According to the National Cyber Investigative Joint Task Force (NCIJTF), a coalition of 20 partnering US federal agencies charged with investigating cyberthreats:

“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”

The advice is to report the ransomware attack to the authorities, such as FBI’s Internet Crime Complaint Center (IC3).

You should always consult with law enforcement and cybersecurity professionals before making any decision on payment.

Initial response to an attack

As soon as you become aware of a ransomware attack the most important thing is to isolate the infected machine or system as soon as possible to avoid the attack spreading. Unplug all network cables and turn off WiFi, Bluetooth and all other network connections from any affected or potentially affected device. Turn off all automatic maintenance tasks and also disconnect backups to isolate the backups from the infected machines.

You should take a photo of the ransom note that appeared on screen to help with the recovery process, to file the police report and to assist with the insurance process.

If you have one, notify your IT security team. If you do not you or your organisation should seek professional assistance to eradicate the ransomware and recover and restore the systems.

It is important not to restart any affected devices until the ransomware attack is officially over.

Note that the above is generally accepted guidance on ransomware but is not to be considered to be specific advice applicable to any given situation. If you are experiencing a ransomware attack you should speak to law enforcement and seek professional assistance.