The COVID-19 situation has inspired a new normal: working from home. We’ve traded corner offices for a spot at the dining room table, business workstations have been replaced with personal laptops, and email has become the primary method of communication amongst coworkers. According to an article in MSSP Alert, 61% of WFH employees are using their personal devices to access networks, but only 7% of employers have provided an antivirus solution to their employees.
Unfortunately, hackers are opportunists who are taking advantage of the more relaxed environment the WFH movement has inspired, and are launching more cyber attacks than ever before.
We’re here to help level the playing field by offering some tips on how to respond and recover if you fall victim to malware, ransomware, or have provided sensitive information due to a phishing attack.
How to Respond and Recover from a Cyber Attack
If you fall victim to a hacker, understand that you can limit the damage by following these best practices for responding to common cyber attacks.
Immediately disconnect the affected device from the Internet. If the virus can’t communicate with another machine, it can’t infect it. Physically pulling the plug from your machine is the best option. If you’re connected wirelessly, disable the wireless adapter (both Windows 10 and macOS let you do this from their network settings).
Run a virus scan. Most popular anti-virus/anti-malware programs not only detect, but can remove many forms of malware from your PC. In the rare case that your anti-malware program finds malware but is unable to get rid of it, perform an online search of the infection name on another device. It’s likely that there is a removal tool available somewhere online. Some forms of malware are difficult to detect. If you know something’s wrong, but your antivirus isn’t detecting anything on a scan, reboot your PC or Mac in Safe Mode.
Back up your personal/work files. During the recovery process, it may be necessary to perform a full operating system re-install to cure the infection. Make sure you save everything you can’t afford to lose on an external hard drive, USB drive, or a writeable CD/DVD.
Don’t log into anything. There are many types of malware whose sole purpose is to capture what you type into your computer. Don’t enter any of your credentials (for anything) until you have safely removed the malware.
If all else fails, reinstall your OS from scratch. Some malware can embed itself in the computer’s registry, making it particularly difficult to deal with using conventional means. When this happens, your only option may be to do a complete wipe and reinstall of your PC or Mac operating system. Make sure to create a backup of your important files prior to the reinstall because everything on your PC will be deleted during this process.
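As an added example (not from the original article), the disconnect step on a Windows 10 machine can be scripted in PowerShell so that the adapter state and active connections are recorded before the machine goes offline; the log folder path is an assumption, and the script must be run from an elevated prompt.

```powershell
# Added example, not code from the original article: isolate a Windows 10 PC
# by disabling every enabled network adapter, after recording the state so an
# IT professional can restore it later. Assumes the built-in NetAdapter and
# NetTCPIP modules are present and the prompt is elevated (Run as administrator).
# Caveat: if you are connected over Remote Desktop, this will end your session.
$LogDir = "$env:USERPROFILE\Desktop\isolation-log"   # assumed log location
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$Stamp = Get-Date -Format "yyyyMMdd-HHmmss"

# 1. Record which adapters were up before anything is changed.
$Active = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
$Active | Select-Object Name, InterfaceDescription, MacAddress, LinkSpeed |
    Export-Csv -Path "$LogDir\adapters-$Stamp.csv" -NoTypeInformation

# 2. Snapshot established outbound connections for the incident responder.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv -Path "$LogDir\connections-$Stamp.csv" -NoTypeInformation

# 3. Disable every active adapter (wired and wireless alike).
foreach ($Adapter in $Active) {
    Disable-NetAdapter -Name $Adapter.Name -Confirm:$false
    Write-Host "Disabled adapter: $($Adapter.Name)"
}

# 4. Verify nothing is still up; if something is, fall back to pulling the cable.
$StillUp = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
if ($StillUp) {
    Write-Warning "Still up: $($StillUp.Name -join ', ') - unplug the cable."
} else {
    Write-Host "Host is offline. Logs saved under $LogDir."
    Write-Host "Re-enable later with: Enable-NetAdapter -Name <adapter name>"
}
```

The CSV files give the responder the list of adapters to re-enable and the connections that were open at the moment of isolation, without needing to describe them from memory.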
Take a photo of the ransom message. This will clear up any confusion that can come from verbally explaining what is going on to an incident responder. Time is money with ransomware infections: a visual will help the responder quickly identify the ransomware strain, helping lead to a speedy resolution.
Turn off your PC and physically remove it from the network. Even though you can’t access your system, the ransomware could be operating in the background, looking for more devices on your network to infect and encrypt. After you’ve taken a picture of the ransom message, immediately turn off your PC, pull the plug out of the wall, and disconnect any wired internet connection. Leave the PC in this state until it has been deemed safe for use by an IT security professional.
Do not pay the ransom. The hackers claim they will return your data once you pay what they’re asking, but there is no guarantee they will actually do so after you’ve paid. Plus, if you’ve been infected once, there is nothing stopping them from doing it again. Paying a ransom should only be done as an absolute last resort, and only when it is absolutely necessary to save critical data. Seek expert advice before you transfer any money; you may be able to negotiate a better price with some help from a Managed Service Provider (MSP) with incident response experience.
Make some phone calls. You shouldn’t remain silent if you fall victim to a ransomware attack; the list of people you should contact is pretty lengthy:
- Call your IT department or MSP to make them aware of what is happening so they can get to work on a fix. Choosing the right IT partner is important when things are going well, but even more so in the event of a security breach, as it could mean the difference between staying afloat and going out of business.
- Reach out to your cyber insurance carrier to verify coverage.
- Contact a legal representative with experience dealing with cyber crimes. They can offer advice on how to proceed and meet the regulatory requirements in your industry on reporting the ransomware attack.
Restore files from a known reliable backup. You can wipe your PC of its current state and reload it from a recent backup that was created before your machine was infected. Being proactive and creating backups is the best way to deal with ransomware, and gets your business back to normal operations with the shortest turnaround. There’s no need to worry about your data being encrypted on your machine if you have a recent backup of the same data readily available.
Report it. Cybercrime Support Network is a non-profit that was created to help individuals and businesses who are affected by cybercrime. Their new program – FraudSupport.org – partners with law enforcement, cybercrime support organizations, and corporations across the United States to help guide victims of cybercrime through reporting efforts. They also provide information on resources on how to prevent future incidents.
PHISHING ATTACK / LEAKED CREDENTIALS ON THE DARK WEB
Change your passwords. If you provided any credentials over email, immediately change those passwords, as well as any other accounts you may have that use that same password. Hackers know that many people reuse their passwords, and will try to access your other accounts once they get your credentials.
Notify your financial institutions. If you provided any type of financial information, like bank account or credit card numbers, immediately notify the fraud department of those financial institutions. Place a credit freeze on your account to prevent any new accounts from being opened in your name.
Contact the person who was spoofed. If you receive a phishing email from an email address you recognize, let that person know they may have been compromised, and urge them to change their passwords as well.
Disconnect, scan, and update. If you clicked a link in a phishing email or downloaded an attachment, there is a good chance that there is malware on your computer. Disconnect from the internet to prevent the infection from spreading, then run a virus scan to locate and remove the infected file. Once you’ve cleared the infection, make sure your computer is running the most up-to-date software. Viruses and malware target security flaws in outdated software, so keeping your computer up to date will prevent some infections from recurring.
Use two-factor authentication (2FA) when available. Requiring a second form of authentication on your account will make it much more difficult for anyone to access it without authorization. It’s unlikely that a hacker will be able to get past a second form of authentication, especially if it’s something unique, like a fingerprint or a one-time code sent to your mobile device.
BONUS TIP: BUSINESS EMAIL COMPROMISE (BEC)
A BEC occurs when a hacker gains access to a company, then poses as a person in authority to get employees to either transfer funds or reveal personal information that could be used for identity theft. According to a study done by SentinelOne, BEC accounted for over $1.7 Billion (with a “B”) in losses in 2019, so it’s only right to give some tips on how to prevent it from happening in your organization.
Enable 2FA/MFA. A BEC is a sophisticated combination of social engineering (hackers attempting to gain your trust) and phishing to try to get access to your account. Using 2FA is widely considered to give the best ROI in keeping your accounts safe by requiring the attacker to pass additional authentication challenges.
Don’t download attachments/click links. Attachments can conceal malware, and links can direct you to websites where malware resides. Follow best practices by not clicking on any suspicious links or downloading any email attachments until you can verify the contents of the email with the sender.
Confirm before you send any money. Verify the request by contacting the sender directly. A simple, 1-minute phone call to a co-worker or manager can make all the difference in the world when it comes to BEC scams. Don’t let the sense of urgency trick you into making the wrong decision. It’s always best to gain secondary approval before transferring large sums of money.
While the best course of action against cyber criminals is to prevent a security breach, the reality is hackers are becoming more sophisticated. It is equally important to know what to do if you or your employees click the link, download the attachment, or respond to that email with sensitive information.