How do I recognise a hack?
There are dozens of ways to get hacked. How you spot a hack depends on the type of hack. Here you can read about 2 common hacks at companies, how to recognise them and what you can do if you discover the hack.
1. Ransomware attack
Ransomware is malicious code that locks down the entire computer and/or the files and applications on it in order to extort its owner. Files and folders are encrypted. For a fee, the cybercriminals promise to give the key to restore access to the files.
How do you recognise a ransomware attack?
Files, applications, or entire systems are no longer accessible. In several folders where files are encrypted, you will find text files informing you about the attack. Through notifications, you are asked for something in return to regain access to your systems. This 'ransom' is usually an amount in bitcoins. Names of ransomware variants that encrypt files include: Cerber, CTB-locker, Coinvault, CryptoLocker, LockerGoga, Locky, Petya, Ryuk, SamSam, Teslacrypt, TorrentLocker, WannaCry, and Wildfire. New variants can, of course, be added to this list.
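The recognition sign described above (the same text file left in several folders) can be checked with a read-only scan. This is an added example, not part of the original page; the function names, the `.txt` filter, the thresholds and the sample tree are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def find_replicated_notes(root, min_dirs=3, max_size=64 * 1024, exts=(".txt",)):
    """Return {(filename, sha256): [directories]} for small text files that appear
    with identical name and content in at least min_dirs directories."""
    seen = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:  # read-only: evidence is not modified
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            seen[(name.lower(), digest)].add(dirpath)
    return {key: sorted(dirs) for key, dirs in seen.items() if len(dirs) >= min_dirs}

def demo():
    """Constructed sample tree: one note copied into three folders, one unrelated file."""
    with tempfile.TemporaryDirectory() as root:
        for folder in ("finance", "hr", "projects"):
            os.makedirs(os.path.join(root, folder))
            with open(os.path.join(root, folder, "READ_ME.txt"), "w") as fh:
                fh.write("constructed sample note text\n")
        with open(os.path.join(root, "hr", "notes.txt"), "w") as fh:
            fh.write("meeting notes\n")
        hits = find_replicated_notes(root)
        return {name: [os.path.relpath(d, root) for d in dirs]
                for (name, _digest), dirs in hits.items()}

if __name__ == "__main__":
    print(demo())
```

The list of directories it returns helps to scope which shares and machines to isolate first; a legitimate file such as a licence text copied into many folders will also match, so review the hits by hand.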
What do you do in the event of a ransomware attack?
With some ransomware variants you may be confronted with a time limit in which you have to decide whether or not to give in to the request. This is to apply extra pressure. After the time limit, the ransom demanded usually increases, the key can no longer be obtained, or stolen data is made public.
- Apply your incident response plan if available.
- Involve an IT service provider at the earliest possible stage.
- Check and secure available backups as soon as possible.
- Isolate infected networks, computers, and devices.
- Engage an external cybersecurity company for professional handling and investigation.
- Determine who can and may communicate or possibly negotiate with the attackers. Also consider an outside professional.
- Check whether backups are useable. They may not be available for full system recovery as they might have already been infected with 'malware'. But backups can still be used for restoring files and databases.
- Check 'No More Ransom' to see if keys are available for the type of ransomware you have.
- Change passwords of accounts that access sensitive data and activate two-factor authentication where possible.
- Contact the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, in Dutch). When there is a ransomware attack, there is a good chance that there is a data breach. You must report this.
- Report the ransomware attack to the police. Make an appointment for this via 0900 - 8844.
2. DDoS Attack
In a DDoS attack, cybercriminals intentionally send large numbers of requests to a server or a specific part of your website, for example, the login page. This overloads the bandwidth or the website application and makes the website inaccessible ('Denial of Service').
How do you recognise a DDoS attack?
- Your network is inaccessible, unusually slow, or unstable.
- Your network or internet connection is abruptly disconnected.
- The website is a lot slower than usual.
- Certain functionalities – such as logging in – are no longer possible.
- Error messages appear when you visit pages.
- You may see unusual spikes in website traffic in the web statistics or log files.
What do you do in case of a DDoS attack?
Most routers and firewalls that companies use have limited capabilities against a DDoS attack. This is mainly because malicious parties can buy very large DDoS attacks cheaply. Botnets are often used for this, so that the attack comes from different senders. This makes it very difficult to stop this kind of traffic. In many cases, you depend on third-party services to handle these large amounts of web traffic.
- Apply your incident response plan if available.
- Block sender IP addresses in your firewall if possible.
- Contact your web hosting provider, IT service provider, or internet provider depending on where you are being attacked; they usually have the option to block certain traffic on their side.
- For websites or web applications, consider purchasing an external service that can filter the traffic before it reaches your servers. For example, consider a CDN (Content Delivery Network) provider.
- Do you manage your own IP addresses? Then consider a so-called 'car wash'. This is a service through which you can temporarily redirect all your traffic when you are hit by an attack. NaWas is an example of such a service.
- Try to keep network traffic log files. This may be necessary for forensic investigation.
- A DDoS attack is punishable. You can file a report with the police. Call 0900-4455 for an appointment.
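The "unusual spikes in the log files" sign and the advice to block sender IP addresses can be combined in one check over a retained web server log. This is an added example, not part of the original page; it assumes the common/combined access log format, and the function names, the threshold factor and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Common/combined access log format: client IP, timestamp, method, path.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse(lines):
    """Yield (minute, ip, path) for every line that parses."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort mid-incident
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield ts.replace(second=0), m.group(1), m.group(4)

def find_spikes(lines, factor=5, top=3):
    """Minutes with more than factor x the median per-minute request count,
    plus the busiest source IPs and paths inside each such minute."""
    per_minute = defaultdict(list)
    for minute, ip, path in parse(lines):
        per_minute[minute].append((ip, path))
    if not per_minute:
        return []
    baseline = median(len(hits) for hits in per_minute.values())
    spikes = []
    for minute in sorted(per_minute):
        hits = per_minute[minute]
        if len(hits) > factor * baseline:
            spikes.append({
                "minute": minute.isoformat(),
                "requests": len(hits),
                "top_ips": Counter(ip for ip, _ in hits).most_common(top),
                "top_paths": Counter(p for _, p in hits).most_common(top),
            })
    return spikes

def sample_log():
    """Constructed sample: four quiet minutes, then a flood on /login."""
    fmt = '{ip} - - [10/Mar/2024:10:{m:02d}:{s:02d} +0100] "{verb} {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip=f"198.51.100.{m + 1}", m=m, s=s, verb="GET", path="/")
             for m in range(4) for s in (5, 35)]
    lines += [fmt.format(ip="203.0.113.8" if i % 4 == 0 else "203.0.113.7",
                         m=4, s=i, verb="POST", path="/login") for i in range(40)]
    return lines

if __name__ == "__main__":
    for spike in find_spikes(sample_log()):
        print(spike)
```

The median baseline only works when the log also covers normal traffic, so run it over a period that starts before the attack. With a botnet the `top_ips` list will be long and flat, which is the signal to move from firewall blocks to the provider-side filtering described above.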
Other Hacks
There are countless other ways to get hacked. Here are some more examples.
The financial department receives an email from criminals pretending to be the CEO, with an urgent and confidential order to make a payment to a certain bank account. Read more about CEO fraud (in Dutch).
In payment app fraud, a cybercriminal asks you to transfer a small amount via a payment app during an online purchase, supposedly to check whether your bank details are correct. The cybercriminal sends you a link to a fake website that resembles that of a payment app. If you enter your details there, the cybercriminal has enough information to withdraw money from your account. Read more about payment app fraud (in Dutch).
Many websites contain input fields where users can enter their login details, personal information, or payment details. These input fields or forms can be misused by cybercriminals to steal personal information, such as credit card details. Read more about formjacking (in Dutch).
You get a phone call from someone pretending to be an employee of a software company. They inform you about a problem with your computer and will ask you to install software so that they can 'fix' the problem. If you do, that software gives the cybercriminal access to your system. They will ask for payment for their service. This can be a one-time payment or a longer 'support contract'. Read more about helpdesk fraud (in Dutch).
Telephone fraud can come in many forms. One example is a missed call from an unknown, foreign number: you call back and pay high costs that you are not aware of. 'Social engineering' can be done in all kinds of ways and through different communication channels. Criminals contact you pretending to be someone else and use psychological manipulation to get information from you. Read more about fake phone calls (in Dutch).
Cybercriminals use phishing to steal personal information or passwords. You can become a victim of phishing if you click on a bad link, open a bad attachment, or reply to a phishing email. Read more about phishing.
By creating and distributing a malicious QR code, the cybercriminal redirects victims to dubious websites or applications. They will then try to get you to make payments, or try to obtain (sensitive) data. When the fake QR code is pasted over an existing and legitimate QR code, it is known as 'attagging'. Read more about QR fraud (in Dutch).
A cybercriminal attempts to get personal information by sending you a deceptive SMS text message. Read more about smishing (in Dutch).
Social engineering is a broad concept. Cybercriminals use psychological manipulation to tempt entrepreneurs, among others, to reveal personal or company-sensitive data. Read more about social engineering (in Dutch).
Spoofing is when someone or something assumes a false identity to impersonate someone or something else. Well-known examples of spoofing are sending an email from an email address that is not actually the sender's, or building a website that looks exactly like the official website. Read more about spoofing (in Dutch).