15.07.2025
Ransomware: How to react correctly in seven steps
A ransomware attack can render companies unable to operate and encrypt valuable data. But there's no need to panic! The consequences can be minimised with a quick, structured response. Our guide explains what to do in an emergency and which immediate measures need to be taken. It also clarifies why ransom payments are not a solution.

Dr. Jan Scharfenberg
Director Information Security
What is ransomware?
It is a type of cyberattack in which the systems of those affected are compromised and their stored data is encrypted. The system can also be completely blocked. The attackers then extort payment for decrypting the data by demanding a corresponding ransom. This is why other names, such as 'blackmail Trojans' or 'crypto Trojans', are also used.
Such attacks can severely restrict a company's ability to operate. In addition, internal company data is usually extracted from the affected systems (for example, from available backups), so the threat is not only that the data is encrypted, but also that it is published.
The potential consequences for companies are dramatic, with business interruptions, data loss, financial losses and high recovery costs often resulting in reputational damage.
What types of ransomware are there?
There are two main types of ransomware:
- Crypto-ransomware: With this type of ransomware, the affected person largely retains access to and use of the system. However, the ransomware encrypts the stored data, so that it can no longer be accessed. The attackers then demand a ransom from the victim in exchange for the decryption key.
- Locker ransomware: Unlike crypto-ransomware, locker ransomware does not encrypt individual data; it locks all access to the operating system. Only the ransom demand is displayed on the screen. It is no longer possible to use the system in this case.
These categories are subdivided into further subcategories depending on the consequences of not paying the ransom, among other things. For example, leakware or doxware threatens to publish the data, while destructive ransomware threatens to destroy it.
The following ransomware variants have become particularly notorious in recent years:
- WannaCry, which infected more than 200,000 computers in over 150 countries in just a few days in 2017. It exploited a vulnerability in the Windows operating system, enabling it to spread rapidly. Microsoft released an update that fixed the vulnerability before the attack began. However, users who did not install this update, or who did not install it in time, fell victim to the ransomware. As a form of crypto-ransomware, it encrypted victims' data. While the threat from WannaCry remains, it is not as significant as before.
- The Emotet Trojan first appeared in 2014 and remains one of the most well-known and dangerous types of malware. Like much ransomware, Emotet originally spread via phishing. However, its functionality has constantly adapted and developed over the years. Emotet can modify its code to evade detection. Once a system is infected, Emotet downloads additional malware that further infects and attacks it. In this respect, Emotet acts as a 'door opener' for other malware programmes.
The concept of 'ransomware-as-a-service' (RaaS) is becoming increasingly widespread, with ready-made ransomware products being offered via the dark web. This enables criminals without in-depth technical expertise to carry out ransomware attacks by purchasing the software solution from malware developers.
This makes the threat of ransomware even more unpredictable for companies and greatly increases the number of potential attackers.
Information security that protects and thinks ahead
We don't just secure your systems; we also strengthen your structures. We provide well-thought-out IT security solutions that are tailored to your company and evolve alongside it.
How does a ransomware attack work?
Regardless of the specific type of malware, a ransomware attack comprises several phases.
Before the attack begins, the attackers gather information about potential targets. They can use publicly available information, such as the company website or information from social networks. Based on this information, they may be able to obtain email addresses, telephone numbers and names. They also use network scans to identify vulnerable networks or weak points.
The selection criteria used by attackers usually include the simplicity of the attack, the value of the company's data, and the company's financial potential.
1. Initial infiltration
Attacks typically begin with an infection, often via phishing emails, manipulated attachments or malicious links. Infected software or the exploitation of security vulnerabilities in outdated systems can also enable entry. The infiltration phase also typically involves the attackers taking precautions to maintain access to the systems, a process known as 'persistence'.
Ransomware attacks are rarely planned and carried out single-handedly by one person from start to finish. As technology has advanced, so has cybercrime. Many ransomware attackers utilise so-called initial access brokers, who carry out large-scale malware campaigns.
These attacks are widely distributed ('spray and pray') and involve sending a large number of malicious messages. This increases the success rate.
2. Spread in the network
Once the ransomware has penetrated the system, it attempts to spread further throughout the company's network. This is often achieved by exploiting security vulnerabilities or weak passwords. The malware can quickly spread to multiple devices and servers in order to infect as many systems as possible.
This process is known as lateral movement. This involves the attackers moving around the network and infecting other connected devices, thereby extending the attack's reach.
As it spreads through the network, the malware also expands its authorisations (known as privilege escalation). Attackers attempt to expand their scope of action within the network and gain additional system authorisations. Once again, the aim is to maximise the attack's reach and cause as much damage as possible.
These steps are often repeated. The ransomware spreads and expands authorisations to spread further, thus infecting an even greater number of devices, and then starts all over again.
3. Data extraction
Attackers often move around the network undetected for a long time. During this time, they identify valuable data (e.g. data that can be sold or held to ransom). Data is often extracted gradually in small quantities, because a single large transfer would be more likely to trigger security alerts.
Data extraction is often used to emphasise a blackmail demand by threatening to publish the data.
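The gradual extraction described above is exactly what per-transfer thresholds miss. The following added example (not code from the original article) shows a detection rule that also sums outbound volume per internal host over a sliding 24-hour window; the log format, hosts and thresholds are constructed assumptions.

```python
"""Detect low-and-slow exfiltration by aggregating outbound bytes per
internal host over a time window, so many small transfers add up.
Added example; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: timestamp src dst bytes_out).
# 10.0.5.17 sends five transfers that are each small, 10.0.5.22 one large one.
SAMPLE_LOG = """\
2025-07-14T02:00:00 10.0.5.17 203.0.113.9 400000
2025-07-14T02:20:00 10.0.5.17 203.0.113.9 450000
2025-07-14T02:40:00 10.0.5.17 203.0.113.9 420000
2025-07-14T03:00:00 10.0.5.17 203.0.113.9 480000
2025-07-14T03:20:00 10.0.5.17 203.0.113.9 410000
2025-07-14T09:15:00 10.0.5.22 198.51.100.4 8000000
2025-07-14T10:00:00 10.0.5.30 203.0.113.9 120000
"""

PER_TRANSFER_LIMIT = 5_000_000   # bytes: one large upload alerts on its own
WINDOW = timedelta(hours=24)     # sliding window for the cumulative check
WINDOW_LIMIT = 2_000_000         # bytes: cumulative outbound per host in window
MIN_TRANSFERS = 3                # require a steady pattern, not a single blip


def parse(log_text):
    """Yield (timestamp, src, dst, bytes) tuples from the assumed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_exfil(log_text):
    """Return {src_host: reason} for hosts whose outbound pattern is suspicious."""
    events = sorted(parse(log_text))
    alerts = {}
    per_host = defaultdict(list)
    for ts, src, dst, nbytes in events:
        if nbytes >= PER_TRANSFER_LIMIT:
            alerts[src] = "single large transfer"
        per_host[src].append((ts, nbytes))
    for src, xfers in per_host.items():
        start, total = 0, 0
        for end, (ts, nbytes) in enumerate(xfers):
            total += nbytes
            # Drop transfers that fell out of the window from the front.
            while ts - xfers[start][0] > WINDOW:
                total -= xfers[start][1]
                start += 1
            count = end - start + 1
            if total >= WINDOW_LIMIT and count >= MIN_TRANSFERS:
                alerts.setdefault(src, "low-and-slow: %d transfers, %d bytes in window" % (count, total))
                break
    return alerts
```

Run on the sample, the per-transfer rule alone flags only 10.0.5.22, while the windowed sum additionally flags 10.0.5.17 after its fifth small transfer.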
4. Encryption of the data
Only then does the ransomware begin to encrypt data or entire systems. Without the decryption key, the data is unusable and normal business operations are severely impaired. Depending on the type and spread of the ransomware, system recovery functions and backups may also be affected.
5. Demand for ransom
Once encryption is complete, those affected are notified of the attack. This notification often takes the form of a pop-up on the screen. The attackers usually demand payment in cryptocurrency (such as Bitcoin) in exchange for decrypting the data.
6. Threat of additional consequences
In many cases, the attackers also threaten to publish sensitive company or employee data if the ransom is not paid. This is known as 'double extortion' and increases the pressure on the company, as there is not only the threat of data loss, but also of reputational damage.
Non-binding initial consultation about ransomware
- We provide immediate support in the event of a cyber attack.
- We optimise your IT infrastructure to protect against attacks.
- We help you follow up on cyber attacks.
What should you do if you are hit by a ransomware attack? Follow this 7-step plan:
Firstly, it is important to keep calm and avoid acting hastily. Carefully consider the measures to avoid making mistakes due to panic and stress, which, in the worst case, could even exacerbate the situation.
Under no circumstances should paying the ransom be considered the first option. There is no guarantee that the attackers will provide the decryption key after payment, that they will be able to do so at all, that the ransom demand will not subsequently increase, or that no further attacks will follow.
It is important to assess the situation carefully and discuss it with experts before making a decision. The legal implications of a ransom payment should also be examined.
If a company is hit by a ransomware attack, quick and targeted action is crucial to minimise the damage.
The most important steps to take in the event of an attack are as follows:
Step 1: Isolate the affected systems
As soon as the attack is detected, the affected systems should be disconnected from the network. This will prevent the ransomware from spreading further. All infected devices should then be taken offline and isolated. Employees should be instructed not to log into the systems.
Step 2: Inform the IT and security team
The internal IT and security teams must be informed of the incident immediately. In many cases, it will be necessary to call in external IT security experts who specialise in cyber-attacks and incident response. A rapid response by experts can help contain the attack more effectively.
Step 3: Document the attack
Document every step of the attack in as much detail as possible. This includes the type of ransomware, the ransom demands, and the affected systems. This information is important for subsequent analysis, reporting the incident, and insurance claims.
Step 4: Contact the relevant authorities and supervisory bodies to report the incident
In many cases, it is advisable to inform the authorities, such as the police or the Federal Office for Information Security (BSI). In the event of a data breach, the relevant data protection authority must also be contacted. If necessary, individuals affected by the attack must also be informed.
Step 5: Check backup strategies
Check whether there are any current, uninfected backups of the affected systems and data available. If clean backups exist, the data can be restored from them. This will at least limit the damage caused by the encryption.
Step 6: Strengthen IT security
After dealing with the incident, companies should evaluate and reinforce their IT security measures to prevent future attacks. This includes conducting regular security audits, providing employee training, implementing security software and revising backup strategies.
Having a well-thought-out contingency plan for ransomware attacks can help minimise damage and restore business continuity as quickly as possible.
Step 7: Communicate with business partners, customers, employees and affected individuals
In addition to reporting to supervisory authorities, good internal and external communication is necessary. Employees must be kept informed, and clear language guidelines should be established for any external communication. Business partners should also be informed if necessary.
Immediate notification may be legally required, particularly if the company under attack is a service provider or processor. If people outside the company are affected too, they must be informed as well. Good communication can help fulfil legal obligations, minimise PR damage, and avoid subsequent claims.
Is a ransomware attack a notifiable data protection incident?
Yes, ransomware attacks must generally be reported to the relevant authority as a data protection incident. According to Art. 33 para. 1, sentence 1 of the GDPR, in the event of a personal data breach, the controller must notify the competent supervisory authority without undue delay, and where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals.
As a rule, the attack also compromises personal data and, overall, there is usually a probable risk to the rights and freedoms of the data subjects. In addition to the data protection supervisory authority, data subjects must be informed if the incident poses a high risk to them, for example if there is a risk of consequences such as identity theft or financial loss.
Therefore, it is crucial to assess the incident quickly and in a structured manner in order to fulfil all legal obligations, avoid possible sanctions, and prevent claims for compensation.
A ransomware attack may also result in a fine and a claim for damages. A fine presupposes that the controller has intentionally or negligently violated the GDPR provisions. Typically, fines are not imposed for data protection incidents involving ransomware attacks if the reporting obligation and other requirements are met.
This is because the trigger for the data protection incident is the criminal behaviour of third parties, which is usually beyond the company's control. According to Section 43(4) BDSG, information from a notification under Art. 33 GDPR may not be used in fine proceedings.
However, a fine can exceptionally be imposed on affected companies if ransomware succeeded due to a lack of security measures. This is what happened to a British company.
The Information Commissioner's Office (ICO) imposed a multi-million fine on the company because a lack of technical and organisational measures was the main reason the ransomware succeeded. Similar considerations apply to any claims for damages.
Firstly, it is important to establish who could potentially make a claim for damages. For instance, if the affected company was unable to fulfil its obligations as a result of the ransomware attack, customers or contractual partners of the affected company could be considered.
Affected individuals can also claim damages if they have suffered specific losses as a result of the data protection incident, such as identity theft, financial losses, or reputational damage.
Whether the affected company is liable for damages also depends on whether it is responsible for the attack, i.e. whether the attack was successful only due to a lack of measures.
The far-reaching consequences of a ransomware attack demonstrate the importance of taking preventive security measures and acting quickly and correctly in the event of an attack.
Can ransomware be removed?
Currently, there is no universal solution for removing or deleting ransomware. Whether and how the malware can be removed depends heavily on when the attack was detected, what type of ransomware it is, and how intensive the attack is or was.
The procedure for removing ransomware differs depending on whether it is crypto- or locker ransomware. As mentioned above, in either case, the system must be isolated and the IT and security teams must be involved before attempting to delete the ransomware.
- Crypto-ransomware: Firstly, a network or system scan should be carried out to identify any threats. In some cases, the malware can be deleted at this stage. A decryption tool can then be used to attempt to decrypt the encrypted data. If it is not possible to restore the affected data using the tool, or if it is not possible to restore all of the data, it can be restored using backups or backup copies (as described above).
- Locker ransomware: The distinguishing feature of this type of ransomware is that users cannot use the infected system at all. Consequently, tools for removing the ransomware or backups usually cannot be executed. However, to attempt to remove the ransomware, the computer can be started in Safe Mode. This may prevent the screen-locking action from loading, allowing programmes and tools to combat the malware to be used.
Can data be recovered after a ransomware attack?
In principle, it is possible to restore affected data. However, for a successful recovery, it is essential that backups are available, up to date and undamaged. Recovery can only be carried out from backups that have not been affected or infected by the ransomware.
To prevent the ransomware from accessing the system again or spreading further, the restored systems should be started up gradually and under strict monitoring. This enables any security gaps to be identified and allows for immediate intervention in the event of a renewed threat.
Before systems are fully restored to normal operation, a thorough check must be carried out to ensure that no malware remains. This includes using antivirus programs and specialised ransomware detection tools. Network logs should also be analysed to ensure that no ransomware residue remains.
Companies should prioritise which data and systems to restore first to enable them to resume business operations as quickly as possible. Therefore, critical data and applications should be restored and tested first.
Once the data has been restored, it is important to check that it is intact and complete. Ensure that no data has been damaged and that all necessary files are available. If possible, missing or damaged data should be restored from other backups.
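The integrity and completeness check described above can be automated when a manifest of file hashes is written at backup time and kept separately from the data. The following added example (not code from the original article) builds such a manifest, then compares a restored tree against it and reports missing, damaged and unexpected files; the directory layout and file contents are constructed.

```python
"""Verify a restored data set against a manifest taken at backup time.
Added example; the manifest format (path -> (sha256, size)) is an assumption."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file under root (relative path) to its (sha256 hex, size)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = (digest, os.path.getsize(path))
    return manifest


def verify_restore(root, manifest):
    """Return (missing, damaged, unexpected) relative paths for the restored tree."""
    actual = build_manifest(root)
    missing = sorted(p for p in manifest if p not in actual)
    damaged = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    unexpected = sorted(p for p in actual if p not in manifest)
    return missing, damaged, unexpected


def demo():
    """Simulate a backup, a flawed restore and the check (constructed data)."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as restored:
        files = {"ledger.csv": b"id,amount\n1,100\n",
                 os.path.join("contracts", "a.pdf"): b"%PDF-1.4 constructed"}
        for rel, data in files.items():
            for root in (backup, restored):
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        # The manifest is taken from the clean backup and would be stored offline.
        manifest = build_manifest(backup)
        # Constructed restore defects: one file altered, one missing, one extra.
        with open(os.path.join(restored, "ledger.csv"), "wb") as fh:
            fh.write(b"id,amount\n1,999\n")
        os.remove(os.path.join(restored, "contracts", "a.pdf"))
        with open(os.path.join(restored, "README.txt"), "wb") as fh:
            fh.write(b"leftover file not in the backup")
        return verify_restore(restored, manifest)
```

A non-empty "damaged" or "missing" list means the restore is not yet usable and the affected files should be taken from another backup, as the text recommends; "unexpected" files deserve a look before the system returns to normal operation.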
What measures are in place to protect against ransomware?
There is no all-encompassing protection against ransomware attacks. The types of ransomware and the ways in which such attacks can be carried out are now so diverse and constantly evolving that it is impossible to achieve one hundred per cent protection.
Therefore, the aim is to minimise the risk and potential impact of a ransomware attack. The best way to do this is to prevent ransomware attacks. Preventive measures can, at best, prevent attacks or, at least, minimise their severity.
Processes can also be established and tested to enable a quick response in an emergency. These measures should be introduced as quickly as possible and reviewed regularly. The following measures are included, among others:
- robust firewalls and intrusion detection/prevention systems (IDS/IPS);
- update and patch management for operating systems and applications;
- antivirus and anti-malware software on all end devices;
- sensible compartmentalisation and isolation of different system and network areas;
- meaningful logging;
- regular security audits and penetration tests to identify vulnerabilities.
Alongside these technical measures, organisational measures must be implemented to raise awareness of the dangers of ransomware attacks. After all, one of the biggest vulnerabilities to ransomware attacks is human error.
Employees must therefore undergo regular security training and awareness measures to make them aware of ransomware attacks. Widespread use of multi-factor authentication is also an effective preventative measure.
ISiCO's services in the area of ransomware and cyberattacks
Our ISiCO experts can provide comprehensive advice on dealing with ransomware and other cyberattacks in any situation. Our services are designed to protect you, your company, your networks and your systems against ransomware attacks.
Preventive measures are the most effective way to combat ransomware attacks. These measures should be implemented as soon as possible and reviewed regularly.
These include, among other things:
- implementing robust firewalls and intrusion detection/prevention systems;
- conducting regular security training and awareness measures for employees to make them aware of phishing attacks;
- conducting regular security audits and penetration tests to uncover vulnerabilities.
We also support you by taking immediate action in the event of a ransomware attack. This can minimise the impact of the attack and enable your data to be recovered quickly. We are available to initiate suitable measures immediately in the event of an attack.
We provide you with the necessary information for the initial steps to contain the attack and support you in selecting a forensics team and implementing data protection and IT security measures, if necessary.
Following an attack, we will support you in the structured follow-up and implementation of lessons learned. This enables us to help you continuously improve your security and compliance levels as part of regular assessments and improvements within plan-do-check-act cycles.