Cyber Bytes: How to Respond to a Cyber Attack
Sounds Good presents a new recurring series, "Cyber Bytes," featuring the director of Murray State's Cyber Education and Research Center, Dr. Michael Ramage. In the first installment of "Cyber Bytes," Tracy Ross speaks with Ramage about how small businesses should respond to cyber attacks.
Ramage begins by explaining that while many individuals think of cyberattacks happening on a personal level, they're often much broader. "Russia or a cybercriminal don't really care about me or you. If they could take down our electrical grid, mess up Kentucky Dam, mess up TVA or a chemical plant—critical infrastructure is what that's called." Ramage says that cybercriminals are more likely to target this infrastructure with directed attacks.
On an individual level, cyberattacks are usually limited to ransomware. "[Ransomware] is increasing year over year anyway," Ramage explains, "but it's increased even more since the beginning of the Russia-Ukraine conflict."
Ramage explains that Russia is losing revenue due to international restrictions and sanctions. Cybercriminals are turning to ransomware attacks to make up for lost revenue. Because of the global scale of revenue loss, many ransomware costs are increasing.
"The average price of a ransomware attack has gone up to a few hundred thousand dollars. $400,000 is what one study showed not too long ago. The official guidance from the federal government is don't pay."
"If you are going to pay," Ramage continues, "just like if you go to a car dealership, don't pay sticker price. Don't pay the original ransom, either. This is a business. A car dealer would rather sell you the car for $1,000 less and get the sale. Same way with ransomware. They would rather lower that asking price and you pay than you not pay at all."
"Now, the recommendation is to get a trusted negotiator—an expert that has been dealing with these ransomware attacks to help your business negotiate down that ransom," Ramage says.
Small business owners will know they are victims of a ransomware attack because there will likely be a message on their computer screen that "tells you your information has been encrypted and you need to pay using this website. Usually, it's with Bitcoin or some cryptocurrency," Ramage explains.
"The first thing you should do is isolate the system or networks that have been infected. If you're an average user and you don't have administrative privilege to your network, then you don't have permission to access other things. It's only going to encrypt your computer. If you log on as the administrator and you have the rights to connect to all these other computers and servers, then it may encrypt everything on that network. It's going to encrypt everything it can get permission to encrypt, including your backups."
Ramage says the second piece—"and this is really important"—is looking for potential data breaches. "Nowadays, there are more and more companies that are starting to not pay the ransom that now, the bad guy has started to try to do something else. If they think there's a chance you're not going to pay the ransom, they'll steal some data first and then hit your system with ransomware."
"If you get infected with ransomware, and you just clean up after the incident, you may still have lost confidential information and don't know it. You need to make sure you can find out if any data was exfiltrated. If you're a small business owner, you may not be able to do that on your own. You may need to bring in an expert to do that."
This begs the question, Ramage says, "how did they get in? The most popular way into your network is by clicking a link in an email or opening a file, or going to a website you shouldn't. Phishing is still the way most bad actors are getting into your network. If they got in through you clicking a link and they installed something, if you decrypt or you restore from backups, that installed item may still be there. So, you're not really helping the situation."
"I hope even as a small business, you have an incident response plan," Ramage concludes. "The reason that plan is important is because if you're having a bad day at work and things seem to be spiraling out of control, things are almost in a fog. That's what's going to happen on that day. You're going to be in that fog, and you're going to start doing this and perhaps making a bad decision and making the situation even worse. Having that ahead of time is going to help."
For more information on MSU's Cyber Education and Research Center, visit its website.