Ransomware can ruin your business, your job (and your day!)


TECH4GOOD

The high-profile ransomware attack on a government agency continues to hog the news headlines. After the deadline set by the attackers passed, they apparently released samples of the stolen data publicly, which is what most of us worry about most.


Although no payments were evidently made, the real damage lies in the potential harm once sensitive data like medical records get into the wrong hands. One report says that, in 2022 alone, almost 60 percent of enterprises in the Asia/Pacific region (including Japan) experienced ransomware attacks, with ransom payments reaching up to US$1,000,000. The escalation in ransomware payments within the region underscores a growing concern.


What should you do if you believe you have been infected by malware like ransomware? 


Our friends from Kaspersky, a leading global cybersecurity and digital privacy company, have tips for individuals and organizations while the incident is still under investigation. Quick and decisive actions are vital. At this point, engaging the services of a certified cybersecurity professional is highly recommended.


Start by informing everyone in your network of what happened so they can avoid possible scams that use your identity. Then check whether your email account has been exposed at https://haveibeenpwned.com or https://monitor.firefox.com/ by typing in the email address associated with you and seeing whether it appears in any of the leaked databases these services know about.


Change the passwords on all your accounts, including the security questions/answers and PINs associated with them. Stop thinking of strong passwords as words that are difficult to remember: phrases or short sentences are much easier to remember. At the same time, secure your computer and other devices with antivirus and anti-malware software. If Kaspersky Premium is installed on your device, you can use its Data Leak Checker feature, which monitors the internet and the dark web to let you know if your personal data has been compromised.


To protect your financial data, store it in safe, encrypted storage. Modern security solutions like Kaspersky Premium offer such storage, called Secret Vault, which converts users' sensitive data into an unreadable format and protects it with a password. Don't respond directly to requests from a company for personal data after a data breach; it could be a social engineering attack. Read the news, check the company's website, or even phone them to verify that the requests are legitimate.

Signing up for two-factor authentication (2FA) wherever it is available provides an extra level of security for your online accounts by requiring you to enter an additional piece of identity information. Finally, monitor your accounts for signs of any new activity. If you see unfamiliar transactions, address them immediately.

How do you recover from a successful ransomware attack?


Kaspersky experts recommend that, for any cybersecurity breach or attack, you perform an incident investigation and response to determine the root cause and ensure a similar incident does not happen again. To contain the intrusion, first determine its extent. Start by identifying infected computers and network segments, and promptly isolate them from the rest of the network to prevent further spread. Examine your antivirus, endpoint detection and response (EDR), and firewall logs. If you have a large network, analyze the events and logs in your security information and event management (SIEM) system. In case of a massive attack, physically check each machine, isolate the infected ones, create disk images of them, and leave them untouched until the investigation is complete.


After securing the rest of the network, proceed with the threat-hunting process. Note that ransomware is not self-executing; it is installed by a dropper, Remote Access Trojan (RAT), Trojan loader, or similar malicious software.


Clean up and restore. Turn your attention to the computers that are out of commission. For those no longer needed for the investigation, format the drives and restore data from the most recent clean backup. If you have no backup copy, try to decrypt whatever is on the drives. In any event, don't delete the encrypted files: new decryptors appear from time to time, and there might be one tomorrow.


Regardless of the particulars, don't pay up. You will just be encouraging the criminals to ask for more. Document all of your actions as you go through the recovery process for transparency.


Finally, you will have to live with the fact that your stolen data will soon become public knowledge, and be prepared to deal with the leak. Sooner or later, you will have to talk about the incident with employees, shareholders, regulatory and enforcement agencies, and the media. Openness and honesty are important and will be appreciated. If you do not understand what the problem really is, just shut up and stop coming up with flimsy reasons for why the hitch happened.

(The author is an executive member of the National Innovation Council, lead convenor of the Alliance for Technology Innovators for the Nation (ATIN), vice president of the Analytics and AI Association of the Philippines, and Vice President, UP System Information Technology Foundation.)