How do I recognise a hack?
There are dozens of ways to get hacked, and how you spot a hack depends on the type of hack. Here you can read about two common hacks at companies, how to recognise them and what you can do if you discover one.
1. Ransomware attack
Ransomware is malicious code that locks down the entire computer and/or the files and applications on it in order to extort its owner. Files and folders are encrypted. For a fee, the cybercriminals promise to give the key to restore access to the files.
How do you recognise a ransomware attack?
Files, applications, or entire systems are no longer accessible. In the folders where files have been encrypted, you will find text files informing you about the attack. Through these notifications, you are asked for something in return to regain access to your systems. This 'ransom' is usually an amount in bitcoin. Names of ransomware variants that encrypt files include: Cerber, CTB-locker, Coinvault, CryptoLocker, LockerGoga, Locky, Petya, Ryuk, SamSam, Teslacrypt, TorrentLocker, WannaCry, and Wildfire. New variants appear all the time.
What do you do in the event of a ransomware attack?
With some ransomware variants you may be confronted with a time limit in which you have to decide whether or not to give in to the request. This is to apply extra pressure. After the time limit, the ransom demanded usually increases, the key can no longer be obtained, or stolen data is made public.
- Apply your incident response plan if available.
- Involve an IT service provider at the earliest possible stage.
- Check and secure available backups as soon as possible.
- Isolate infected networks, computers, and devices.
- Engage an external cybersecurity company for professional handling and investigation.
- Determine who can and may communicate or possibly negotiate with the attackers. Also consider an outside professional.
- Check whether backups are usable. They may not be suitable for a full system recovery, as they might already be infected with malware, but they can still be used to restore files and databases.
- Check 'No More Ransom' to see if keys are available for the type of ransomware you have.
- Change passwords of accounts that access sensitive data and activate two-factor authentication (in Dutch) where possible.
- Contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, in Dutch). A ransomware attack very likely involves a data breach, and you must report this.
- Report the ransomware attack to the police. Make an appointment for this via 0900 - 8844.
2. DDoS Attack
In a DDoS attack (in Dutch), cybercriminals intentionally send large numbers of requests to a server or a specific part of your website, for example, the login page. This overloads the bandwidth or the website application and makes the website inaccessible ('Denial of Service').
How do you recognise a DDoS attack?
- Your network is inaccessible, unusually slow, or unstable.
- Your network or internet connection is abruptly disconnected.
- The website is a lot slower than usual.
- Certain functionalities – such as logging in – are no longer possible.
- Error messages appear when you visit pages.
- You may see unusual spikes in website traffic in the web statistics or log files.
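The last sign above, unusual spikes in the log files, can be checked with a short script. The example below is added here and is not part of the original page: it parses web server access log lines in the common Apache/nginx combined format, counts requests per minute, flags minutes that are far above the median, and lists the busiest source addresses and the most-requested page in each flagged minute. The log lines are constructed, and the 5x-median threshold is an assumed starting point to tune for your own site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in Apache/nginx "combined" log format (not a real capture).
def _line(ip, ts, path, status=200):
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

SAMPLE_LINES = [
    _line("198.51.100.9", "10/Oct/2023:13:55:02", "/"),
    _line("203.0.113.7", "10/Oct/2023:13:55:41", "/login"),
    _line("198.51.100.9", "10/Oct/2023:13:56:10", "/products"),
    _line("203.0.113.7", "10/Oct/2023:13:56:55", "/login", 302),
    # burst: 30 hits on the login page within one minute from three addresses
    *[_line(f"192.0.2.{1 + i % 3}", f"10/Oct/2023:13:57:{i:02d}", "/login", 503) for i in range(30)],
    _line("198.51.100.9", "10/Oct/2023:13:58:03", "/"),
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse(line):
    """Return ip, minute bucket, path and status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "minute": ts.strftime("%Y-%m-%d %H:%M"), "path": m["path"], "status": int(m["status"])}

def detect_spikes(lines, factor=5.0, min_hits=10):
    """Flag minutes whose request count is >= factor x the median minute and >= min_hits."""
    per_minute = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_minute[rec["minute"]].append(rec)
    baseline = median(len(v) for v in per_minute.values()) if per_minute else 0
    spikes = []
    for minute, recs in sorted(per_minute.items()):
        if len(recs) >= min_hits and len(recs) >= factor * baseline:
            spikes.append({
                "minute": minute, "hits": len(recs),
                "top_ips": Counter(r["ip"] for r in recs).most_common(3),  # candidates for your firewall or provider
                "top_path": Counter(r["path"] for r in recs).most_common(1)[0][0],
            })
    return spikes

if __name__ == "__main__":
    for s in detect_spikes(SAMPLE_LINES):
        print(f'{s["minute"]}: {s["hits"]} requests, mostly {s["top_path"]}, top sources {s["top_ips"]}')
```

Keep the raw log files themselves as well; the flagged minutes and addresses are what you hand to your hosting provider or use in a later forensic investigation.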
What do you do in case of a DDoS attack?
Most routers and firewalls that companies use have limited capabilities against a DDoS attack. This is mainly because malicious parties can buy very large DDoS attacks cheaply. Botnets are often used for this, so that the attack comes from many different senders, which makes this kind of traffic very difficult to stop. In many cases, you depend on third-party services to handle these large amounts of web traffic.
- Apply your incident response plan if available.
- Block sender IP addresses in your firewall if possible.
- Contact your web hosting provider, IT service provider, or internet provider depending on where you are being attacked; they usually have the option to block certain traffic on their side.
- For websites or web applications, consider purchasing an external service that can filter the traffic before it reaches your servers. For example, consider a CDN (Content Delivery Network) provider.
- Do you manage your own IP addresses? Then consider a so-called 'car wash'. This is a service through which you can temporarily redirect all your traffic when you are hit by an attack. NaWas is an example of such a service.
- Try to keep network traffic log files. This may be necessary for forensic investigation.
- A DDoS attack is a criminal offence. You can file a report with the police. Call 0900-4455 for an appointment.
Successfully stopping a DDoS attack is usually very difficult, so taking preventive measures (in Dutch) is necessary. Several of the measures mentioned above cannot always be realised at short notice.
There are countless other ways to get hacked. Here are some more examples.