Understanding ransomware

According to the National Cybersecurity Alliance, 60% of small and medium sized enterprises close their doors permanently between six months and two years following a significant cyber-attack, leading to a data breach. We must defend ourselves from this and other cyber-attacks. The IPU wants to ensure that pharmacies are well-informed and prepared to play their part in mitigating the potential risk from ransomware attacks, and ensure that we protect our staff and customers alike.

What is ransomware?

Ransomware is a type of malicious software that encrypts files on a computer or network, rending them inaccessible. The attackers normally demand a ransom in exchange for restoring access to your systems and data, and sometimes threaten to publish often private data to increase the pressure to pay.

 

What are the consequences of a successful ransomware attack?

Disruption of operations: Ransomware can cripple your systems, causing disruption to daily operations and customer service.

Data breach: Customer information is valuable, and a successful ransomware attack could lead to a data breach, compromising the privacy and trust of your customers.

Financial loss: Paying a ransom is never a guarantee of recovering files, and it can lead to significant financial losses for the company.

 

How to spot ransomware

Ransomware is normally delivered via email as a link or a file that may appear harmless. Spotting potential malicious emails that carry ransomware involves being vigilant. Here are some tips to help you identify emails that may carry ransomware:

• Question the source: Check the sender’s email address carefully. Be wary of email addresses that look suspicious or have misspellings;
• Unusual senders: Be cautious if the sender’s name does not match the email address, or if it seems unusual;
• Be sceptical of email attachments: Do not open attachments from unknown, unsolicited or unexpected sources, as ransomware is often spread through malicious attachments; or
• Fake invoices or shipping notices: Cybercriminals often use fake invoices, shipping notices or other seemingly official documents to trick recipients into opening malicious attachments.

If you have any doubts about the legitimacy of an email, follow these steps:

• Contact the supposed sender through a verified method (not the contact details in the email), to confirm the request;
• Report any suspected phishing emails to your IT Service provider; and
• If you notice anything unusual on your computer, or suspect a potential security threat, report it immediately to your IT Service provider.

 

Beware of untrusted portable devices

Ransomware could potentially be delivered via a portable device such as a USB stick. Here are some tips to avoid ransomware that may be on USB devices, or other portable storage devices:

• Unknown devices: If you find a USB device that does not belong to you in your premises, do not plug it into your computer system. This may have been deliberately left there for you to find;
• Unknown sources: If someone presents a USB stick to you and asks you to plug it into your computer, do not do this, even if you know the person. The device may be compromised without the owner knowing about it; and
• Mobile devices: Remember that smartphones and other mobile devices can also connect to a computer using USB connections. Avoid connecting or charging your smartphone with your pharmacy computers.

Recommended response from a ransomware attack

You should contact your IT support vendor to provide technical advice to help you contain the incident and you may need to restore your systems from a backup. The following are some tips that may help in the event of a ransomware attack:

• All devices that are compromised should be disconnected from the network/internet to prevent further spread of the ransomware;
• The IPU will provide advisory support in the event of a ransomware attack, if you need it;
• Ransomware incidents should be reported to relevant law enforcement agencies, such as An Garda Síochana. Take a picture of any messages on your computer screen for evidence;
• Where personal data is involved, a data breach notification may need to be reported to the Data Protection Commissioner’s Office;
• You should contact your cyber insurance company to make them aware of the attack;
• Do not make a rushed decision to pay a ransom demand. There is no guarantee that paying an extortion demand will result in the encrypted data being recovered, or systems being unlocked; and
• If you have recovered from a ransomware attack, seek advice from your IT support vendor to perform a review on your accounts and systems to avoid ransomware reoccurrence. Changing all your passwords may be the first step, as they may have been compromised during the ransomware attack.

 

“ You should contact your IT support vendor to provide technical advice to help you contain the incident and you may need to restore your systems from a backup.”

 

How to prepare to defend against a ransomware attack

The following are some tips that may help to defend against a ransomware attack:

• Ensure that your critical data is backed up and can be restored in a timely manner;
• Do not store your backups on your main computer. They should be kept in a separate location to avoid being compromised;
• Ensure that backups are not connected to the network to avoid them from being compromised as well;
• Make sure that you provide appropriate awareness training to your staff which covers ransomware do’s and don’ts;
• Consider cyber insurance to help with possible associated costs;
• Have a list of up-to-date contact details to assist in the event of a ransomware attack;
• Consider developing a ransomware attack policy/process to follow in the event of a ransomware attack;
• Report any unusual computer behaviour to your IT support vendor as soon as possible;
• Make sure that your anti-virus and programmes are up to date on all devices connected to the network; and
• Make sure you know what to do in the event of a ransomware attack. You should have an incident response plan in place to manage such an event.

See ipu.ie/cybersecurity for more information.