On this page:
- Ransomware attacks
- How a ransomware attack happens
- How to help prevent a ransomware attack
- If you’re affected by a ransomware attack
Ransomware attacks are typically financially motivated and can happen to any size or type of business. Attackers can target anyone working online, from individuals and small businesses to large companies and government organisations.
Attacks can cause huge disruptions to businesses including loss of income, assets, productivity or customer trust and goodwill. Digital resources like customer orders, databases and payment schedules can be blocked, lost, or stolen. Businesses are also likely to suffer extra costs to get back up and running normally.
The first sign of a ransomware attack is often a text file pop-up or a background appearing on your screen telling you that you need to pay a ransom before you can access your desktop, your apps, or any of your files.
Attackers target systems that have open avenues for attack. This could be through a user clicking on a link or an attachment contained within an email (phishing attack), or an attacker could exploit a weakness in a network or software.
Attackers try to block access to systems and files that are critical to running a business. A successful attack can paralyse a business that is dependent on online resources.
Attackers will often ask for payment in a cryptocurrency, such as Bitcoin, which is unregulated and difficult for authorities to trace.
CERT NZ strongly recommends people don’t pay ransoms, even if the amount seems quite small. There is no guarantee that you’ll get your data back, and paying a ransom could put you at risk of further attacks: if an attacker sees that you’re willing to pay them, they could simply target you again. It is also a financial incentive for cyber criminals to continue this type of activity, and it may even breach sanctions regimes.
The Government has also released guidance on cyber ransom payments.
If you do pay a ransom and receive your files back, it’s important you have the computer professionally inspected by an IT expert to determine if the attacker has planted any other malware on the computer, or created another way to access the computer and your data.
You should try and identify how the ransomware got onto the computer in the first place to prevent it from happening again.
There are steps you can take to recover from a ransomware attack but the best thing you can do is understand how to prevent an attack in the first place.
Make sure you have hard copies of all important documentation in case you’re unable to access your system and have a good response/recovery plan so your business can get back up and running. You should also take the following steps:
- Make sure you and your staff know how to spot the danger signs of phishing campaigns.
- Regularly install updates on software and devices to prevent attackers from exploiting vulnerabilities which they could use to get into your systems.
- Implement two-factor authentication (2FA), which is usually a code that’s sent to your phone or an authentication app to verify your identity, in addition to using a password.
  See: Using two-factor authentication to secure your business
- Back up business and customer data so if it’s lost or stolen you can recover it quickly. Backing up your data on an external hard drive or cloud service will enable you to access stolen data quickly.
- Set up logs to record when particular actions are taken on your website and systems, and who’s done them. You will then be notified if any unusual or unexpected activity occurs.
- Install antivirus and anti-ransomware software on your computer and update it regularly.
- If you have support contracts with antivirus/firewall providers, make sure these are up to date too.
- Don’t enable macros in Microsoft Office.
Read the full guide on protecting your business from ransomware.
There are a few steps to take to limit the damage of an attack and help recover from one. Depending on what resources you have available these could be done by yourself, an in-house IT resource or a local computer services company:
- Get your network offline immediately. The faster you do this, the more you can contain the spread of the malicious software. You can do this by simply taking out network cables from your workstation and unplugging your wireless router.
- Restore your system from your most recent backup or restore your computer to its factory settings and reinstall your operating system if you don’t have a backup – but note that this will likely erase all your files.
- Check to see if you have 'real' ransomware on your computer. Scammers sometimes only claim to have installed ransomware as a tactic to get you to pay them.
- Identify and install any additional security protection measures necessary.
Here is an in-depth guide on Ransomware for IT specialists.
Help and advice is available from CERT NZ through our online reporting tool, or our contact centre.