
Protect your business against ransomware

There are things you can do to recover from a ransomware attack, but it's best to take steps to prevent an attack in the first place.

What it is

Ransomware is a type of malicious software that denies you access to your files or computer system unless you pay a ransom. Attacks can cause huge disruptions to businesses.

The most common ways attackers get in are:

  • getting usernames and passwords to log in to your computer
  • exploiting weaknesses in systems that are exposed to the internet, like email or remote access systems, and
  • sending malware via malicious email attachments.

Lifecycle of a ransomware incident diagram

This diagram shows how ransomware attacks happen.

The diagram is split into three phases showing the entry points of an attack and following the pathway across until the point where a ransom can be demanded.

The first phase shows how the attacker looks for ways into the network. The most common ways the attackers get in are:

- getting usernames and passwords to log in to your computer, often by tricking you into providing them via phishing or by guessing passwords
- exploiting weaknesses in systems that are exposed to the internet, such as email or remote access systems, and
- sending malware via malicious email attachments.

The second phase shows how the attacker will look to move from the initial computer they compromised, and gain administrative access to all the computers and devices in your business.

The third phase shows when the attacker has gained access to the different systems in your business and is now ready to carry out the most damaging part of the attack.

Attackers will often steal your business’ sensitive data and demand payment in order to not release or sell that information. They also delete backup copies of your data and finally, encrypt your data and systems to disrupt your operations.

The individual elements in each phase are contained in yellow bordered circles while the relationship of the elements to each other and across the three phases are shown by connecting blue lines.

How to protect your business

No single tool or control can be relied on to stop all attacks, but in combination these controls put you in a good position to protect against any attack you might face (not just ransomware).

Lifecycle of a ransomware incident: With controls

How ransomware works (with controls)

This diagram shows how ransomware attacks happen and is split into three phases showing the entry points of an attack and following the pathway across until the point where a ransom can be demanded.

A defence-in-depth application of CERT NZ’s Critical Controls provides a strong defensive net to detect, prevent and respond to any potential ransomware attack before your data is encrypted.

The diagram references these Controls at the relevant intervention point.

The first phase shows how the attacker looks for ways into the network. The Critical Controls referenced are:

  • Internet-exposed services
  • Patching
  • Multi-factor authentication
  • Disable macros
  • Application allowlisting
  • Logging and alerting
  • Password manager.

The second phase shows how the attacker will look to move from the initial computer they compromised, and gain administrative access to all the computers and devices in your business.

The Critical Controls referenced are:

  • Application allowlisting
  • Network segmentation
  • Principle of least privilege
  • Logging and alerting.

The third phase shows when the attacker has gained access to the different systems in your business and is now ready to carry out the most damaging part of the attack: the impact on the target, which includes data exfiltration, destroying backups and encrypting data. The Critical Controls referenced are:

  • Backups
  • Application allowlisting
  • Logging and alerting.

Each of the relevant controls is marked by a coloured hexagon:

  • Salmon for Internet-exposed services
  • Yellow for Patching
  • Purple for Multi-factor authentication
  • Green for Disable macros
  • Navy for Application allowlisting
  • Light blue for Logging and alerting
  • Black for Password manager
  • Grey for Principle of least privilege
  • Pink for Network segmentation
  • Gold for Backups.

Keep backups of all important data

To get your business back up and running quickly it’s important to have robust and tested backups. These should be kept offline or disconnected from your computers so that an attacker can’t delete them.

Make sure you have hard copies of any documentation that is important to your business in case you’re unable to access your system.

Backups for your business

Run updates regularly

Regularly install updates on software and devices to prevent attackers from exploiting vulnerabilities which they could use to get into your systems.

By keeping all your operating systems and software up to date you limit the number of weaknesses an attacker could exploit to gain access to your computers.

Patching advice for IT staff – CERT NZ

Set up 2FA and strong passwords

To protect against an attacker logging in to your system remotely, use long, strong, unique passwords and turn on two-factor authentication (2FA).

Protect your business with two-factor authentication (2FA)

Create a password policy for your business

Set up logs and alerts

Set up logs and alerts to help you detect any unusual or unexpected activity on your systems.

Set up logs and monitoring for your website

Centralised logging for IT staff – CERT NZ

Install antivirus software

Install antivirus and anti-ransomware software on your computer and update it regularly. If you have support contracts with antivirus providers, make sure these are up to date too.

The other common thing attackers try is sending a document or spreadsheet that, if opened, will try to load malware onto your computer without you knowing. This risk can be mitigated by using modern endpoint protection software. Ask your IT provider about the Endpoint Detection and Response (EDR) tools they support.

Network security and firewalls

Locking down the use of administrative accounts, as well as using network controls like firewalls, can help you stop an attacker from moving from one device to another.

Identify any systems that might be exposed to the internet and lock these down – you might need some help from an IT provider to do this.

Secure your small business network

Educate your staff

Make sure you and your staff know how to spot the danger signs of phishing campaigns, as well as other online security risks.

Phishing scams

Educating your staff about online security

Create an incident response plan

The best way to prepare to deal with a ransomware incident is to have an incident response plan that details what to do when things have gone wrong and your computers aren’t working. Keep a printed copy of this along with key contacts so you have it to refer to if you can't access your saved files.

Creating an incident response plan

Get help

If you're affected by a ransomware attack:

  • contact your IT provider immediately, if you have one
  • do not pay the ransom, even if the amount seems small. There is no guarantee that you’ll get your data back, and paying a ransom could put you at risk of further attacks – if an attacker sees that you're willing to pay them, they might try to target you again. It's also a financial incentive for online criminals to continue this type of activity and it may even breach sanctions regimes
  • get your network offline immediately. The faster you do this, the more you can contain the spread of the malicious software. You can do this by taking out network cables from your workstation, disabling WiFi and unplugging your router
  • restore your system from your most recent backup or restore your computer to its factory settings and reinstall your operating system if you don’t have a backup – but note that this will likely erase all your files. Before restoring, you could take a backup of the encrypted files to try to decrypt them later
  • check to see if you have 'real' ransomware on your computer. Scammers sometimes only claim to have installed ransomware as a tactic to get you to pay them. If you can still access your files, there may not actually be ransomware there. Get help from an IT professional if you're not sure
  • identify and install any additional security protection measures necessary
  • try to identify how the ransomware got onto the computer in the first place to prevent it from happening again.

If you do pay a ransom and receive your files back, have the computer professionally inspected by an IT expert to check if the attacker has planted any other malware on the computer, or created another way to access the computer and your data.

The Government has also released guidance on cyber ransom payments.

Cyber ransom advice – Department of the Prime Minister and Cabinet

Report it to CERT NZ

If you think your business has been impacted by ransomware, report it to CERT NZ.


Resources

Lifecycle of a ransomware incident (PDF, 28 KB)

Lifecycle of a ransomware incident: With controls (PDF, 30 KB)