Imagine turning on your computer one morning to discover you and your employees are locked out of your system. A threatening message appears on the screen demanding a ransom if you ever want to see your data again. You check your backups and they’ve been destroyed. Your business is at a standstill, losing money with every passing minute. It may sound like a nightmare, but for many companies, a ransomware attack is all too real. And even more disturbing is that reported ransomware attacks have increased dramatically since the beginning of the COVID-19 pandemic.
Ransomware: The basics
Ransomware isn’t new. It’s a form of malware that can lock up networks and deny access to business-critical data unless the victim pays a ransom – often in bitcoin – to the attackers. What is different is that industry sources report a major surge in the number of ransomware attacks in 2020. Why now? Because cyber attackers are looking to prey on the rapid transition to remote work and the uncertainty companies have experienced in the tumultuous recent months.
As ransomware has grown into a serious “business,” attackers have become increasingly sophisticated. They specialize in penetrating corporate networks, and sometimes specifically target a business’ backup systems, making it difficult – or impossible – to remediate the harm of an attack. They typically target financial and other sensitive personal information, and in some cases, use ransomware to turn victims’ computers into zombie machines for mining cryptocurrency.
Think ransomware attacks only large corporations? Think again. Every company is a potential target. While some attackers go after high-profile, big-name businesses with the resources to pay large ransoms, industry sources report that the average ransomware payment last year was in the tens of thousands of dollars. Indeed, recent attacks have targeted manufacturers with no consumer-facing presence and some entities in the nonprofit sector – school systems, state and local governments, universities, healthcare centers, etc.
How attackers are exploiting the pandemic
Phishing and other forms of social engineering remain the most common way that attackers infect networks with ransomware. Phishing emails may ask recipients to click on a malicious link, open an attachment containing malware, or “confirm” system credentials. Targeted attacks – sometimes called spear phishing – may use techniques like email spoofing, where a malicious message appears to come from a colleague, like a manager or the CEO.
The COVID-19 pandemic has proven to be an especially useful hook for ransomware attackers. Taking advantage of people’s fears about the coronavirus, attackers may send malicious emails that appear to come from legitimate sources like the World Health Organization or the Centers for Disease Control and Prevention. Attackers also have hidden malware in pandemic-themed PDFs, Word documents, or audio files.
How you can help protect your business
Prevention remains the primary defense against ransomware, and the pandemic has made it more important than ever for companies to guard against this threat. Experts suggest some commonsense steps to reduce the risk that your business could become the next victim of a ransomware attack:
- Keep your network patched and make sure all your software is up to date.
- Back up your systems regularly and keep those backups separate from your network. Use separate credentials for your backups so that even if your network is compromised, your storage remains secure.
- Practice good cyber hygiene. For instance, know what devices are attached to your network so you can identify your exposure to malware. Implement technical measures that can mitigate risk, like endpoint security, email authentication, and intrusion prevention software.
- Be prepared. Make sure you have an incident response and business continuity plan. Test it in advance so you’re ready if an attack occurs.
- Train your employees on how to recognize phishing attacks and other forms of social engineering.
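The spoofing tells described above (a colleague's display name on an external address, a mismatched Reply-To, and a failed SPF/DKIM/DMARC result from the email authentication mentioned in the list) as a defender-side triage check. This is an added example, not code from the FTC post; INTERNAL_DOMAIN, STAFF_DIRECTORY and the sample message are constructed assumptions.

```python
# Added example (not from the FTC post): flag two spoofing tells the post describes,
# a colleague's display name on an external address and a failed SPF/DKIM/DMARC
# result in the Authentication-Results header that the receiving mail server adds.
# INTERNAL_DOMAIN, STAFF_DIRECTORY and the sample message are constructed assumptions.
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"
STAFF_DIRECTORY = {"Jane Doe", "Sam Lee"}   # display names of real staff


def spoof_indicators(raw_message):
    """Return the reasons a message looks spoofed; an empty list means no tells found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Display-name impersonation: a known colleague's name, but not our domain.
    if name.strip() in STAFF_DIRECTORY and domain != INTERNAL_DOMAIN:
        reasons.append(f"display name '{name}' is staff but sender domain is '{domain}'")
    # 2. Reply-To steering replies to an address other than the claimed sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append(f"Reply-To '{reply_addr}' differs from From '{addr}'")
    # 3. Authentication results stamped by our own server (RFC 8601 header).
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            reasons.append(f"{mech}={m.group(1)}")
    return reasons


# Constructed sample: claims to be from manager "Jane Doe" but uses a look-alike domain.
SAMPLE_SPOOF = """\
From: Jane Doe <jane.doe@examp1e-mail.net>
Reply-To: finance-urgent@examp1e-mail.net
To: sam.lee@example.com
Subject: Urgent: updated COVID-19 guidance, please confirm your login
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-mail.net; dkim=none; dmarc=fail header.from=examp1e-mail.net

Please open the attached document and confirm your network credentials.
"""

if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE_SPOOF):
        print("indicator:", reason)
```

A message with no indicators returns an empty list, so the check can gate quarantine or user warnings without blocking ordinary internal mail.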
Should a company pay a ransom?
If targeted by a ransomware attack, a company that has taken defensive measures to protect its backups has increased its chances of getting back to business with minimal damage and disruption. But what if a company doesn’t have reliable backups?
If you’ve been the victim of a ransomware attack, Step #1 should always be to contact law enforcement – for example, your local FBI field office.
The next question companies ask is whether they should pay the ransom. If you have any other alternative, most law enforcement agencies don’t recommend paying. For one thing, paying the ransom doesn’t guarantee you’ll get your data back. On top of that, ransoms reward attackers and may further fund criminal enterprises in violation of the law. For instance, the U.S. Treasury’s Office of Foreign Assets Control recently issued a warning to all businesses that paying a ransom may violate OFAC regulations that prohibit financial support of sanctioned countries or regions. That means you could be fined for paying the ransom.
The best defense against ransomware is an alert staff trained to spot the preliminary signs of a ransomware attack. Teach new employees not to click on links in emails or respond to calls or messages asking for personal information or network credentials. Taking a “CSI” approach – explaining how cyber attackers try to lure in their prey – may send the message more persuasively than a simple list of don’ts. Require periodic refreshers for experienced staff, reinforcing the basics and educating them about new tricks and schemes used by cyber attackers. (If you haven’t convened a staff meeting to address COVID-specific scams targeting business, now might be the time.)
The FTC has data security resources for businesses of all sizes and in any sector, including cybersecurity training materials for small businesses with a module on ransomware. Looking for more information? Watch this FTC video.