Malware (shorthand for “malicious software”) is any intrusive software that can infiltrate your computer systems to damage or destroy them or to steal data from them. The most common types of malware attacks include viruses, worms, Trojans, and ransomware.
Malware attacks are pervasive, and can be devastating to an unprepared business. Preparing for such attacks also means accepting the reality that eventually you will fall victim to one – and that you can then recover from it swiftly. This article will explore how to do that.
We can begin with ransomware. Ransomware is a form of malware that encrypts its victim’s files, allowing the attacker to demand monetary payment in exchange for a decryption key. Simply put, cybercriminals use ransomware attacks to hold your data hostage and practice extortion. Typically the ransom is paid using cryptocurrency such as bitcoin to hide the identity of the attackers.
Most malware attacks are file-based, meaning that threat actors use executable (.doc, .zip, or .pdf) files that are embedded with malicious code. The goal of a malware attack is to fool users into opening those files, which will introduce the malicious script into your organization’s network to steal passwords, delete files, lock computers, pilfer data, and so forth.
Unlike traditional malware attacks, fileless malware attacks involve no files that cybersecurity software can scan, and are therefore harder to detect by conventional endpoint protection tools. In fileless malware attacks, attackers can achieve their goals even if the victim does nothing more than click on a malicious link or unknowingly visit a compromised website, usually followed by a phishing attack or social engineering attempt.
Over the years, malware and ransomware attacks have increased significantly. 2021 alone saw ransomware attacks perpetrated against Colonial Pipeline, the Steamship Authority of Massachusetts, JBS, and the Washington DC Metropolitan Police Department.
In many of these cases, the inability to access encrypted files from the ransomware infection resulted in the shutdown of critical infrastructure. This led to shortages, increased costs of goods and services, financial loss due to shutdown of operations, and loss of money due to payment owed to ransomware attackers.
Research also suggests that healthcare organizations are particularly vulnerable to ransomware attacks. A study by Comparitech shows that ransomware attacks had a huge financial impact on the healthcare industry, with more than $20 billion in lost revenue, lawsuits, and ransom paid in 2020.
Ransomware and malware affects all industries. Malware is clearly a major threat to businesses in all sectors, and the first step to protecting your organization from malware attacks is to understand how malware and ransomware work.
Ultimately, how you respond to a security incident such as a malware attack should be documented in a business continuity plan (BCP), and more specifically as part of your disaster recovery (DR) strategy.
Your disaster recovery plan (DRP) should consist of a set of policies, tools and procedures that will help your organization to resume the operation of vital technology systems following a natural or human-induced disaster.
In this article, we’ll take a closer look at the signs of a malware attack, the steps you can take after a malware attack, as well as some methods for prevention including how to develop a robust data protection strategy that’s right for your business.
Signs of a Malware Attack
Before we introduce the steps to recover from a malware attack, we first need to describe some of the signs you should look for when trying to identify a malware attack. It isn’t always obvious when you’ve been the target of a malware infection.
Here are some things you should look out for if you think you may have experienced a malware attack:
Slow Devices
For some devices, running slowly is just a sign of old age. That said, a slow operating system (or one that freezes or crashes often) can also be an indication of a malware infection. Malware viruses usually run in the background on your system and interfere with other programs, eating up your processing power. If you notice that your devices are running slower than usual (and especially if it’s a newer device), you should have the device inspected by your IT team or an information security specialist.
Login Lock Out
Many malware programs, and especially ransomware, will lock you out of your own system or deny access to certain files until you pay a sum of money. Ransomware attacks will typically identify themselves when they demand a ransom in exchange for a decryption key, but even if you don’t see a ransom note, the sudden inability to log in to your computer is a red flag for a possible malware attack.
Unusual Error Messages
Some malware viruses will send error messages to prompt users to grant even further systems permissions or to authorize more downloads. These messages will often attempt to mimic your computer’s error messages – but look for something off stylistically or grammatically. If you get a message you don’t recognize, or one that seems strange, you should first try Googling for the exact wording of the message to see if it’s associated with any malware. Even if you can’t find anything online, a mysterious and recurring error message is a good reason to have your device inspected for malware.
Pop-up Interruptions
Annoying pop-ups that interrupt your work with alarming messages or advertisements aren’t just irritating; they’re an indication of a malware virus on your device. If you suddenly start getting inundated with pop-up messages, it’s likely that you’ve fallen victim to a malware attack.
Browser Changes
When a virus infects your web browser, it inserts itself onto the pages you visit on the internet and can sometimes even change your settings without your approval. If you notice any suspicious behavior on your browser – say, your homepage suddenly being set to a different website, a new extension appearing next to your search bar, or new bookmarks being added to your browser menu – it’s probably a warning sign of a malware attack.
Strange Icons or Programs
Some malware viruses will also install some sort of program on your device that tries to pass itself off as legitimate. While it may have an harmless looking name and icon, any programs or applications that you don’t recognize or don’t remember downloading should be cause for concern.
Spontaneous Restarts or Shut Downs
Most computers will automatically restart after a system update, although they will usually warn you before they do so. If your computer spontaneously shuts down and restarts itself, it’s possible that you have a malware virus. If you notice it happening repeatedly and without warning, you should talk to your system administrator or an IT specialist about the possibility of a malware attack.
Antivirus Alerts
Some of the more clever malware viruses also come with self-defense mechanisms to prevent themselves from being quarantined or removed. One such mechanism is to disable any antivirus programs that run on your devices. Hopefully, your antivirus software will warn you if it’s been disabled. And if you see such an unprompted warning (especially after you’ve recently activated software) it’s a sign that something is probably wrong.
System Tools Disabled
Another common defense mechanism for malware viruses is to lock users out of their control panel to prevent them being able to check the system settings that would alert them to what’s wrong with their device. If you try to check your control panel and get a message saying that only system administrators are allowed access, it’s another possible sign of a malware infection.
Nothing at All
Unfortunately, most malware viruses go out of their way to avoid detection. Some even remove other viruses on your device to assure that they don’t blow their cover. And the longer these malware viruses are on your system, the more information they’re able to glean, and the more dangerous they become.
Even if nothing seems wrong, you should still run regular checks on your computer and invest in antivirus and antimalware protection. You should also keep your computer up to date, especially with security updates. And be wary of any suspicious websites, emails, or advertisements online that might trigger a malware download.
Steps to Recover from a Malware Attack
Let’s say you have been attacked, and you recognize some of the signs that we described above. What’s next?
Here are the steps you should take if you’ve been on the receiving end of a malware attack:
-
Isolate
To prevent the malware infection from spreading, you’ll first need to separate all the infected devices from each other, shared storage, and the network.
The rate and speed of your malware detection is critical to combat attacks before they spread across your network and encrypt your data. If you suspect a device has been infected, first isolate it from other computers and storage devices. This includes disconnecting it from the network (both wired and Wi-Fi) and from any external storage devices.
Keep in mind that it’s likely that there could be more than one patient zero, meaning that the malware may have entered your organization or home via multiple devices. Or it may be dormant on other devices and just hasn’t shown itself on some systems.
Regardless, you should treat all connected and networked devices with suspicion and apply measures to ensure that all your systems are not infected.
-
Identify
It’s important that you do your best to identify which malware strain you’re dealing with by examining any messages, evidence on the computer, and using identification tools.
As mentioned above, ransomware attacks will often identify themselves with a ransom note. There are also a number of sites that can help you identify ransomware, including ID Ransomware, and the No More Ransom! Project.
Identifying which malware strain has infected your devices will help you better understand how it propagates, what types of files it might encrypt, and some of the options for removal and disinfection. You should also try to determine the date of infection from malware file dates, messages, and any other information you can find.
Identifying the type of malware and the date of the malware attack will also help you report it to the proper authorities.
-
Report
Reporting a malware attack to the authorities will help you (and others) support and coordinate measures for counter attack. The FBI urges ransomware victims in particular to report ransomware incidents, regardless of the outcome.
Reporting malware attacks provides law enforcement with a greater understanding of the threat, as well as providing justification for ransomware investigations and contributing relevant information to any ongoing ransomware cases.
-
Consider Your Options
You can deal with a malware attack in several ways. Ultimately, you should determine which approach is best for you and your organization.
If you find yourself the victim of a ransomware attack, these are your options:
- Pay the ransom. Generally it’s considered poor form to pay ransom for a data decryption key for a number of reasons. First, this encourages more ransomware. Second, even if you do pay the ransom, it’s likely you won’t get your data back anyway.
- Remove the malware. There are a number of internet sites and software packages that claim to be able to remove malware from systems; whether this is actually possible is up for debate. There isn’t any guarantee that decryption tools will work for every known variant, and the more sophisticated the malware, the less likely it is that a decryption tool will help.
- Wipe the system and start from scratch. This is the surest way to remove malware or ransomware for good. Completely wiping all of your storage devices and reinstalling everything from scratch will include formatting your hard disks to assure that no remnants of malware remain. Ideally before this step happens, you should have enforced a strict backup policy, so you should already have copies of all your critical data up to the time of infection.
-
Restore and Refresh
No matter what you decide to do after a malware attack, you’ll need to rely on safe backups and program software sources to restore your computer or outfit a new platform.
If you are the victim of a malware attack and you don’t have a consistent backup system, it’s time to develop one. Starting from scratch after a disruption can lead to delays in business continuity and even harm your business operations entirely.
Your backup procedures and processes should be thoroughly documented in your disaster recovery and business continuity plans so you know exactly what to do should an incident occur.
-
Plan for Prevention
The most effective way to protect your systems against malware is to prevent it from being installed in the first place. Unfortunately this isn’t always possible, and it’s likely that your organization will experience a malware attack at least once in its lifetime.
After an attack, you should make an assessment of how the infection occurred and consider what you can do to put measures into place that will prevent it from happening again.
You’ll need to develop a robust data protection strategy that includes the following:
- Data inventory. Inventory your data to determine how it should be categorized and where it should be stored. Some categories might include: critical, valuable, regulated, or proprietary. Once you have a clear understanding of your data, you can begin to determine how to best protect it and how to initiate a consistent data backup solution.
- Endpoint identification. To identify where malware infections might be coming from, it’s critical to know where your endpoints are. Just like with your data, you should categorize your endpoints to determine their priority and to assure that your high-value endpoints are appropriately protected.
- A Data recovery plan. As part of your disaster recovery plan, you should create a data recovery plan for all assets and data, and prioritize those that are mission-critical. Ideally, you should be able to restore or rebuild all of your assets and data from a master backup to prevent any data loss.
- Backup protection. Your backup plan is only helpful if it’s both secure and accessible. This means you should make sure that your backups are protected in addition to your critical systems and data, to assure that you are able to restore data from backups, and that the data you are restoring is reliable.
- Duplicated offsite data. To keep your data safe, you should store at least one copy either offline, offsite, or both. Even if your on-site backups end up encrypted or stolen, you can still restore your data and your most important files.
- Tools to help. A number of cybersecurity solutions are designed to help you recover your systems and your data after a malware attack. Consider the options that make the most sense for your organization and determine how you can leverage these tools to make your cybersecurity efforts as streamlined as possible.
Mitigate Cyber Risks with Reciprocity ZenRisk
The key to a successful cybersecurity program is knowing when to ask for help. Cybersecurity is a complicated practice that requires in-depth knowledge and understanding of cyber risks and how to mitigate them. You need a solution that can help take the guesswork out of cyber risk management. So how do you know which software is right for your organization?
Reciprocity ZenRisk is an integrated cybersecurity risk management solution designed to provide you with actionable insights to gain the visibility you need to stay ahead of threats and communicate the impact of risk on high-priority business initiatives. Turn the unknown into quantifiable and actionable risk insights with built-in expertise that identifies and maps risks, threats and controls for you, so you can spend less time setting up the application and more time using it.
A single, real-time view of risk and business context allows you to communicate to the board and key stakeholders in a way that’s framed around their priorities, keeping your risk posture in sync with the direction your business is moving.
Reciprocity ZenRisk will even notify you automatically of any changes or required actions, so you can be on top of your risk posture like never before. Eliminate time-consuming, manual work and streamline collaboration by automating workflows and integrating with your most critical systems.
Plus, Reciprocity ZenRisk is seamlessly integrated with Reciprocity ZenComply so you can leverage your compliance activities to improve your risk posture with the use of AI. Built on the ZenGRC, the Reciprocity product suite gives you the ability to see, understand and take action on your IT and cyber risks.
Now, through a more proactive approach, you can give time back to your team with Reciprocity ZenRisk. Talk to an expert today to learn more about how the Reciprocity Product Suite can help your organization mitigate cybersecurity risk and stay ahead of threats.