How Does Ransomware Begin?

As stated in KnowBe4’s The Root Causes of Ransomware whitepaper, social engineering and unpatched software remain the top attack vectors exploited by ransomware groups to gain access to victim devices and networks. But some other attack vectors are also prevalent in ransomware attacks, in particular, as shown in the summary table of other collected ransomware mitigation vendor surveys (as displayed in KnowBe4’s The Root Causes of Ransomware whitepaper): 

 

Report Name	Social Engineering	RDP	Unpatched Software	Password Guessing	Credential Theft	Remote Server Attack	Third Party	USB	Other
Coveware Report	30%	45%	18%	-	-	-	-	-	5%
Statista	54%	20%	-	-	10%	-	-	-	-
Forbes Magazine Article	1st	3rd	2nd	-	-	-	-	-	-
Datto’s Report	54%	20%	-	21%	10%	-	-	-	-
Hiscox Cyber Readiness	65%	-	28%	19%	39%	-	34%	-	-
Sophos Report	45%	9%	-	-	-	21%	9%	7%	9%
Averages	50%	24%	23%	20%	20%	21%	22%	7%	7%

 

Take immediate action

In many cases, it will become apparent pretty quickly that the company has been hit by ransomware. Whether it is the inability to access systems or a company-wide memo regarding the incident, employees will recognise signs that something is amiss. When this happens, workers should take the following immediate actions: 

Stay calm and supportive: First and foremost, remember that ransomware attacks can be stressful for employees and the organisation as a whole. Staying calm, supporting colleagues and collaborating with the IT department ensures a coordinated response. The faster the response, the better the chances of minimising the impact of the attack.

 

Isolate personal devices and disconnect from the network: If using personal devices for work purposes, disconnect them from the company network immediately. This step helps prevent the ransomware from spreading to personal devices and compromising additional information.

Collaborate with IT for guidance: Work closely with the IT department to receive guidance on securing personal information. They may provide specific instructions or resources to help employees safeguard their data in the aftermath of a ransomware attack.

Follow company protocols: Adhere to company protocols and guidelines provided by the IT department for dealing with a ransomware attack. These protocols may include specific steps for reporting incidents, isolating devices or seeking assistance.

 

Intermediate actions

Once immediate actions are ticked off the list, users can move on to these further steps to help protect themselves.

Change passwords across platforms: Employees should change passwords for all accounts, both personal and work-related. Ensure that passwords are strong and unique and consider implementing phishing resistant multi-factor authentication (MFA) to add an extra layer of security. This can help prevent unauthorised access, even if login credentials are compromised.

Monitor personal accounts: Regularly monitor any personal financial accounts, email and social media for any unauthorised or suspicious activities. Be vigilant for signs of identity theft or unauthorised access and report any anomalies to the relevant service providers immediately.

Become educated on dark web risks: Employees may want to familiarise themselves with the risks associated with the dark web to understand the types of information that may be sold, such as usernames, passwords, and personal details. This awareness can help users take appropriate precautions and recognise potential threats. Users can also sign up to a breach detection service or ensure they’re signed up to any additional dark web monitoring services their security providers may offer to alert them when their passwords have potentially been compromised.

Be wary of phishing attempts: Affected employees must also remain vigilant against phishing attempts, as attackers may try to exploit the situation further. Verify the legitimacy of emails, especially those related to the ransomware incident and report any suspicious communications to the IT or security department.

Stay informed about security measures: Cyberattacks, especially ransomware can have long-reaching effects, so employees of impacted companies should keep informed about the security measures being implemented by the company to address the ransomware attack. Understanding the steps being taken can help users assess the level of risk and take appropriate actions to protect personal information.

Longer term actions:

After the initial actions are taken to minimise the spread of the ransomware and contain it, employees should turn their attention to motions they can take to further reduce the risk that they will become the victim of cybercriminals. The steps could include:

Enabling credit monitoring: Employees should consider enrolling in credit monitoring services, which may be offered by the company in the wake of a ransomware attack or data breach. These services can provide alerts for any unusual activities on your credit report, helping detect and address potential identity theft at an early stage.

Check which email address: Users should never sign up to personal services using their work email addresses and vice versa. Where possible, use a different account for high priority accounts like banking and try to separate  work-related activities and personal communications. This segregation can help contain the impact if one email address is compromised, limiting the exposure of personal information.

Backing up personal data: Once employees are back in action with clean devices, they should regularly back up personal data stored on company devices. If the worst happens and the device is affected by ransomware, having a recent backup ensures that people can recover their personal information without paying a further ransom.

 

Attending Security Awareness Training: Participate in any cybersecurity awareness training sessions provided by the company. These sessions can equip employees with the knowledge and skills to recognise and respond to potential threats swiftly and effectively.

 

Defence in depth: Ensure any security updates are applied to devices.

 

Cybersecurity is no doubt a collective effort and therefore internal communications, particularly  with the IT department, are crucial during incidents such as a ransomware attack. By taking proactive steps and staying informed, individual employees can significantly contribute to protecting their personal details from being sold on the dark web, preventing identity fraud or even contributing to further ransomware or extortion attacks. In these stressful events, taking a breath and ensuring these steps are undertaken can go a long way to mitigating further risks from a cyber incident.