Anatomy of a Ransomware Attack

Day 1

8 a.m. – Your computers aren’t working, and your employees are idle. Someone says the “R” word. With a racing heart and pounding head, you swing into action.

1. Unplug all computers from the network.
2. Power down your Internet router, network switches, and wireless access points.
3. Call your IT company (if you have one). If so, you…
4. Hold your breath while they Inspect local drives and network server drives for encrypted files and locate any malware tools and scripts that could have been used to look for and copy data.
5. Watch for a notification from the perpetrator, and…
6. Gulp as you’re told to reckon with this reality: Your company will be down for 3-5 days at a minimum—and possibly weeks.

9 a.m.

1. Wonder if you have cybersecurity coverage.
2. Call your insurance carrier’s Cyber Claims Hotline (if they have one) for next steps.
3. Speak with a “cyber breach coach/extortion negotiator”—they have those? Seriously?
4. Try to absorb the grim news that even if you pay and get encryption keys, it’s rare to fully recover all your encrypted and/or stolen data. (They also tell you to forget the idea that some kid here in the U.S. wants your data—odds are a cybercriminal organization overseas found a vulnerability in your system and just wants money. Lots of it.)
5. Ask the IT expert to perform a data restoration.
6. Try not to obsess over the fact that even though you’re paying your employees, they can’t really do their jobs.

11 a.m.

1. Check to see if your employees saved their data in the right place and if your IT company has been performing back-up restoration tests.
2. Cross your fingers and hope data can be restored from your backups. Or, worst case, that ransomware payments will be minimal and you can resolve the problem quickly.

1 p.m.

1. Reel from the news that the data restorations didn’t work because your IT people haven’t been performing regular disaster recovery tests.
2. Hop back on the phone with your breach coach/negotiator.

Day 1, 2 p.m. through days 2, 3, 4, 5…days 6, 7, 8…and beyond

1. Begin negotiations to reduce the $100,000 ransom
2. Try to smile as the negotiator tells you your ransom has been reduced to “only” $50,000.
3. Establish a relationship with a bitcoin exchange
4. Watch your team’s morale sink further.
5. Keep paying your restless employees—not to do actual work, but to deal with unhappy customers.
6. Start sweating as sales slip and revenue dips.
7. Struggle to sleep.
8. Wire enough money to purchase $50K worth of bitcoin.
9. Get the first decryption key and learn that some files do decrypt.
10. Fork over more bitcoin and gets a few more keys.
11. Yell “Those lying, #&^%@ criminals!” when IT techs run decryption keys on all systems and only half work.
12. Agonize over your hurting business.

The aftermath

1. File an insurance claim for the $50,000 ransom…
2. And $250,000 more for business interruption…
3. Add IT services remediation, and data recovery.
4. Make it an even $325,000 to pay off your maxed out credit line.
5. Wait to see what your insurance carrier says.
6. Get a notice—“Claim denied.” (See why carriers deny most claims in this blogpost.)
7. Call to appeal, plead, beg…then rant and yell.
8. Wrestle with questions like: Are we going to make it? Will I ever sleep again?