Your Choices After a Ransomware Attack
The choices of recourse you have after a ransomware attack like the one that hit Fairfax County Public Schools last Friday are limited. There are basically two options, and neither of them is good.
The first option you will have is to refuse to pay the ransom. As stated in the disclosure of the FCPS breach, the Maze group will then release the stolen data and publish it online. This can be as simple as posting it on an open ‘Leaks’ website and/or putting it up for sale on the Dark Web marketplaces. My bet, since the large majority of cybercrime is money motivated, is that a redacted version will be made public to prove they really have the data, and then the unredacted files will be put up for sale on the Dark Web, where they can fetch between $8 and $700 per record depending on content. In this case they look to make upwards of a half million dollars on a single sale, but we must remember that the data can be sold more than once, resulting in an even higher payday for the bad guys.
Option two is to pay the ransom. By doing that you are hoping that you will be able to decrypt/unlock your systems. Keep in mind, though, that not all these criminals are honest. They may not have the ability to unlock your files, or the process may fail. Sorry, but I doubt they offer refunds. You are also hoping they will delete all of their copies of the files they have stolen. Once again you are relying on the person or group to have the integrity to follow through with the deal, and once again I would not place too much stock in that. You are still likely looking at them publishing and selling the files after you pay the ransom.
While this breach hits close to home for us in the Winchester area, cyber attacks on school systems have been ramping up since the beginning of the COVID Pandemic response. No school system is off limits. In fact the increase of attacks has been growing across the board, regardless of industry.
As an example of the schools being hit, just in the past couple of months school systems in East Texas, Athens GA, and Michigan, as well as UCSF, have all been hit. Some have paid, some have not.
The reality is that once the data leaves a server it can no longer be thought of as private – EVER. As well, even if you are able to get your systems unlocked, they cannot simply be put back into service. The best you can hope for is that they are still operational and can be rebuilt from clean images. Don’t think it is only the student or faculty records either. The attackers are also farming usernames, emails and passwords that will allow them to remotely access the systems again at a later date. That means you cannot simply rebuild the systems the way they were before. You must change EVERY email address, EVERY username, EVERY computer name and sometimes IP addresses and more. All of this MUST be done before going live again. Your data must also be scrubbed to make sure there are no traces of the ransomware or malware hidden within that data that could be re-triggered and put you right back at square one.
Knowing your two choices on how you will deal with ransomware is just the beginning of the battle. The rebuilding and scrubbing can run into the hundreds of thousands or even millions of dollars, while ransoms can incur similar costs.
While FCPS announced the attack last week, the bad guys are generally in your systems for several months before the ransomware is triggered. During that time they traverse your systems searching out their valuable targets. On their stroll through your systems they drop little bombs all over the place. They can not only infect file systems, software, endpoints and servers but can also infect routers, switches, Wi-Fi access points and any other item that is ever attached to your systems.
As you can see, the damage caused is far beyond what most people imagine. On top of that, you must always hope that the breach was not caused by an unknown remotely connected computer or smartphone. While up to 90% of attacks stem from phishing, it is often impossible to discover the true entry method or machine.
To wrap this up, businesses must make cybersecurity a top priority if they are to stand a chance at surviving. All the standard pieces must be in place, and employees must be educated to become champions of the cause. Fortunately, the new AI that we offer for phishing detection and prevention (this ain’t your typical email filtering or anti-malware), together with the employee training and education and the incentive program that DB Cybersecurity uses to make the training more effective, all adds up to a rewarding program that is a quick, painless and positive way to make your valuable employees an integral part of your overall cybersecurity efforts.