February 20, 2019updated 21 Feb 2019 10:31am

Victims of a ransomware attack should “never pay off the ransom”

By Priya Kantaria

In spite of reports that ransomware attacks are fewer and that companies should instead be on the lookout for cryptomining hacks, Todd Matters, co-founder and chief architect at hybrid cloud services and disaster recovery provider RackWare says they are still something businesses should be wary of.

“Ransomware attacks continue to become more sophisticated, early on it was this broad brush approach where they had this ransomware and they just shotgun out and saw where it stuck, but now they’re getting much more specific in terms of who they’re going after,” he says.

One of the new ways into an IT system is by using social media and phishing emails that are “scarily realistic”.

Matters says he’s seen two that have been particularly threatening because of their realism: an email that looked like it was from Rackspace, where some of RackWare’s servers are, and another from Office 365 that said it had received a request to terminate his account.

He warns never to click on a URL where the company name doesn’t feature but says the problem is that attackers are getting cleverer by including the company name in the virus URL.

Ominously, he says, “Ransomware people are upping their game.”

What should we do in a ransomware attack?

Matters explains that a multi-pronged strategy is important and awareness among employees is necessary to avoid an attack.

But he says: “By the same token companies need things in place to detect these things and just as important is having a viable backup and disaster recovery plan so they can rewind to a recovery point and restore from there as well.”

Crucially, Matters warns: “Never pay off the ransom. There are incidents where people paid the ransom and the data was deleted anyway and there’s evidence that even if you pay the ransom they may give you access to the files but they keep them encrypted, so that means they have access to them. So the idea is to never pay the ransom even if it sounds like not a lot of money.”

The steps that follow after an attack are then to take steps to recover as much data as possible.

“Having a plan in place to recover, shutting down systems, terminating network links so that things can’t spread, and jumping into your recovery protocols for disaster recovery or backup,” he says.

“Jumping into that recovery once you understand what this looks like, you can go back to a recovery point that you are certain is safe and you can start your recovery from there.”