Ransomware


All data, applications, systems and networks are valuable assets for an organisation, as they allow it to carry out its daily operations. The unavailability or inaccessibility of one of those systems because of a cyber-attack can therefore have serious consequences for the organisation’s business continuity. This article gives best practices on how to protect against one specific attack in this context: ransomware.


What is ransomware?

Ransomware is malware that cybercriminals install on an organisation’s devices through various means, such as a malicious download or a phishing attack in which the victim clicks a malicious link or opens an infected attachment. Once installed, it encrypts data and/or whole systems so that the organisation can no longer access them, and the attackers then demand a sum of money in exchange for restoring access. The organisation thus loses control of its computers and cannot carry out its operations. In addition to making the information unavailable, cybercriminals may also threaten to publish all the data they accessed. This is a serious problem, especially for organisations that handle sensitive information.

How to identify ransomware?

When cybercriminals deploy ransomware on a device, their goal is to obtain something in exchange, usually money. They therefore make it obvious that they have taken control and want something in return, typically by displaying a clear ransom message on the screen of the infected device. By the time that message appears, the files have usually already been encrypted; earlier signs are documents that suddenly no longer open, files renamed with an unfamiliar extension, and the same short “how to recover your files” text file appearing in many folders.
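The signs listed above can be checked automatically. The following is an added example, not code from the original article: a small scan over a set of files that flags (1) files whose name claims a known document type but whose content no longer has that format’s header, (2) near-random (high-entropy) content under an unfamiliar extension such as `.locked`, and (3) one identical short “recover/decrypt” text file dropped into several folders. The file names, the magic-number table and the entropy threshold are illustrative assumptions; the sample files are constructed in memory so the script runs offline.

```python
"""Added example (not from the original article): a small scan that looks for
signs of ransomware activity in a set of files. It runs on constructed
in-memory sample data; file names, the magic-number table and the entropy
threshold are illustrative assumptions."""
from __future__ import annotations

import hashlib
import math
import os
from collections import Counter, defaultdict

# Leading bytes of a few common formats (assumed subset; real tables are longer).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",  # Office Open XML files are zip containers
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
PLAIN_TEXT = {".txt", ".csv", ".html", ".md"}
NOTE_WORDS = ("readme", "decrypt", "recover", "restore", "how_to")
ENTROPY_THRESHOLD = 7.2  # bits per byte; assumed cut-off, 8.0 is the maximum


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Encrypted (or compressed) data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_suspicious(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """files maps a path to its content. Returns (path, reason) findings."""
    findings: list[tuple[str, str]] = []
    note_locations: dict[bytes, set[str]] = defaultdict(set)
    for path, data in files.items():
        name = os.path.basename(path).lower()
        ext = os.path.splitext(name)[1]
        if ext in MAGIC and not data.startswith(MAGIC[ext]):
            # Name says "document", bytes say otherwise: content was rewritten in place.
            findings.append((path, "header does not match declared type"))
        elif ext not in MAGIC and ext not in PLAIN_TEXT and shannon_entropy(data) > ENTROPY_THRESHOLD:
            # Near-random bytes under an unfamiliar extension, e.g. report.pdf.locked.
            findings.append((path, "high-entropy content with unfamiliar extension"))
        if ext in PLAIN_TEXT and len(data) < 4096 and any(w in name for w in NOTE_WORDS):
            # Ransom notes are short text files dropped into many folders.
            note_locations[data].add(os.path.dirname(path))
    for content, folders in note_locations.items():
        if len(folders) >= 3:
            findings.append((sorted(folders)[0], f"identical recovery note in {len(folders)} folders"))
    return findings


# Constructed sample data: deterministic pseudo-random bytes stand in for encrypted content.
_ENCRYPTED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
_NOTE = b"Your files are encrypted. Follow the instructions to recover them.\n"
SAMPLE_FILES = {
    "finance/q3.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n",  # untouched
    "finance/q3.pdf.locked": _ENCRYPTED,                # encrypted copy with a new extension
    "hr/contract.docx": _ENCRYPTED,                     # encrypted in place, name kept
    "photos/cat.jpg": b"\xff\xd8\xff\xe0" + bytes(64),  # untouched
    "sales/notes.txt": b"meeting at 10\n",              # ordinary text
    "finance/README_DECRYPT.txt": _NOTE,
    "hr/README_DECRYPT.txt": _NOTE,
    "sales/README_DECRYPT.txt": _NOTE,
}

if __name__ == "__main__":
    for path, reason in find_suspicious(SAMPLE_FILES):
        print(f"{path}: {reason}")
```

Note the order of the checks: a bare entropy test alone would flag every legitimate PDF, Office file or JPEG, because those formats are already compressed. Comparing the header with the declared type first is what keeps the false positives down.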

How to protect against ransomware?

Cybercriminals usually weigh the effort it will take them to install the ransomware against the benefit they expect to gain. It is therefore important that the defences in place make it as hard as possible for them to get access to the organisation’s environment. Several controls can be implemented:

1. Update your devices and software as soon as possible

It only takes one vulnerability in a system, application or device for cybercriminals to cause damage and get access to information, so installing updates as soon as they are available is crucial. It keeps the cyber defence strong and ensures that the version in use is still supported by the vendor.

2. Secure the access to your accounts

Accounts are the entrance door to an organisation’s whole environment. They therefore need to be protected with strong passwords that are different for each account. A strong password has at least 12 characters and combines upper- and lower-case letters, numbers and symbols. In combination with a strong password, Multi-Factor Authentication should be enabled wherever possible. Multi-Factor Authentication requires a user to provide at least two different factors (e.g., a password plus a code generated by an authenticator app or received via text, or a PIN plus a physical security key) to verify their identity before they are granted access to the resource they are trying to reach.

3. Enforce antivirus and local firewalls on devices

There are several ways a device can be infected by a virus: opening an attachment, clicking a link, plugging in a USB drive or simply browsing a website. A virus is malicious software that aims to damage resources, delete files, slow down performance or steal confidential information. Once a virus is on the computer, removing it takes time, effort and money. This is why all devices allowed to connect to the organisation’s network should be protected with antivirus software upfront.

In addition, a firewall should be used to monitor and filter connection requests to the corporate network based on predefined security rules. The firewall acts as a barrier between the corporate network and an untrusted network (e.g., a home network or the Internet), and allows the organisation to restrict external access to authorised people and services only. On each device, the local (host) firewall should additionally block inbound connections that the device has no reason to accept, which limits how far malware can spread from one infected machine to the next.

4. Raise collaborators’ awareness on scams that aim to steal confidential information

An organisation’s collaborators are its first line of defence. They need to know how to identify scams and fake messages in order to adopt the right reflexes. Cybercriminals try in several ways to steal collaborators’ credentials in order to get access to an organisation’s resources. A very common way is a phishing email, through which they try to convince the victim to share passwords or confidential information. It is therefore important to hold regular awareness sessions that train collaborators not to share too much on social media and not to click a link or open a file without first checking where it comes from.

To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:

  • Is it unexpected?
  • Is it urgent?
  • Do you know the person who sent the e-mail?
  • Do you find the request strange?
  • Where does the link you need to click on lead to? (only hover on it with your mouse, do not click)
  • Is there a QR code in the message?
  • Are you being personally addressed?
  • Does the message contain many linguistic errors?
  • Is the message in your Spam / Junk folder?
  • Is someone trying to make you curious?
  • Are you asked to make a payment?

5. Only use official websites and platforms to download applications and software

Pirated applications and software are often infected with malware, so only install software obtained from the vendors’ official platforms and websites.

6. Limit the actions that can be executed with an admin account

Limit the number of administrator or privileged accounts to the bare minimum. No one should use administrator privileges for day-to-day tasks. Given the privileges that admin accounts hold, anything malicious that runs under one of them can far more easily take over the device or install ransomware.

7. Regularly backup your critical resources

Back up all systems, applications, servers and data to make sure that, even if an incident occurs, all important information can still be recovered. Keep at least one copy offline or otherwise out of reach of the network, since ransomware will also encrypt any backup it can write to. It is important to test those backups regularly to confirm that they can actually be used after an incident.
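“Testing the backups” in practice means restoring them somewhere and checking that every file came back unchanged. The following is an added example, not code from the original article: it records a SHA-256 digest of each backed-up file in a manifest, then verifies a restored copy against that manifest and reports what is missing, corrupted or unexpected. The file names and contents are constructed in memory for illustration.

```python
"""Added example (not from the original article): build a manifest of a
backup's files and verify a restored copy against it, which is what "testing
the backups" boils down to. Runs on constructed in-memory data; the file
names and contents are illustrative assumptions."""
from __future__ import annotations

import hashlib


def make_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each backed-up path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}


def verify_restore(manifest: dict[str, str], restored: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare a restored file set against the manifest taken at backup time.

    Returns the paths that came back intact, the ones missing from the restore,
    the ones whose content differs (corrupted or tampered), and unexpected extras.
    """
    report: dict[str, list[str]] = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in restored:
            report["missing"].append(path)
        elif hashlib.sha256(restored[path]).hexdigest() != expected:
            report["corrupted"].append(path)
        else:
            report["ok"].append(path)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


def restore_is_usable(report: dict[str, list[str]]) -> bool:
    """A backup passes the test only if every file came back unchanged."""
    return not (report["missing"] or report["corrupted"])


# Constructed sample: what was backed up, and what a restore drill brought back.
BACKED_UP = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'Alice');\n",
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 1, 42);\n",
    "www/index.html": b"<html><body>Welcome</body></html>\n",
    "config/app.ini": b"[app]\nmode=prod\n",
}
MANIFEST = make_manifest(BACKED_UP)

RESTORED_GOOD = dict(BACKED_UP)
RESTORED_BAD = {
    "db/customers.sql": BACKED_UP["db/customers.sql"],
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 1, 4",  # truncated write
    "www/index.html": BACKED_UP["www/index.html"],
    # config/app.ini never came back
    "logs/old.log": b"stale file that was never part of the backup\n",
}

if __name__ == "__main__":
    for label, restored in (("good", RESTORED_GOOD), ("bad", RESTORED_BAD)):
        report = verify_restore(MANIFEST, restored)
        print(label, "usable" if restore_is_usable(report) else "NOT usable", report)
```

Store the manifest separately from the backup itself (for instance with the offline copy): if it sits next to the backup, an attacker who can encrypt or alter the backup can alter the manifest with it, and the check would then pass on damaged data.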

8. Control software installation on corporate devices by establishing a list of allowed software

A collaborator looking for a specific piece of software, with little or no knowledge of cybersecurity, is unlikely to second-guess the offers found on the Internet. It is therefore important to make sure that all downloaded software is approved by the IT Responsible from a security and performance point of view. In addition, the IT Responsible can establish an allowlist (whitelist): the list of software that collaborators are allowed to install on their corporate devices. Where the operating system supports it, this list can be enforced technically, so that a program not on the list simply will not run, even if a collaborator downloads it.

What to do if your device gets infected with ransomware?

  1. Report the incident immediately to your IT responsible.
  2. Isolate the infected resources from the network (unplug the cable, disable Wi-Fi) to stop the ransomware from spreading further. Do not reinstall the devices yet: the information in step 7 must be collected first.
  3. Do not pay the ransom.
  4. Set up a separate communication channel: the usual email or chat systems may be compromised or unavailable.
  5. Set up a crisis management team.
  6. Immediately report the incident to the local police.
  7. Gather all the necessary information: the storage medium of the data, the operating system, how the infection happened, the name of the ransomware, the payment method demanded and, if possible, screenshots of the infected systems and of the ransom message.
  8. Change any passwords that were disclosed, on every account where they are used.
  9. Scan your devices with an antivirus.
  10. Identify all the vulnerabilities that were used to get access and remediate them as soon as possible.
  11. Try to decrypt the encrypted files if a solution exists (the No More Ransom Project website, nomoreransom.org, lists decryption tools that may help).
  12. If needed, contact official (external) security specialists who can help you recover your resources through decryption.

Paying the ransom is not recommended as it does not guarantee to solve the ongoing problem. In addition, it makes ransomware profitable which can convince cybercriminals to keep on pursuing this malicious activity.

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.

Phishing: Do not take the bait


Cybercriminals are always looking for ways to steal data and gain access to organisations and to valuable information, such as personal and banking data, with the intention of misusing and possibly monetising it. One of the most common ways they do so is by phishing an organisation’s collaborators. In this article, you will find tips to help assess the legitimacy of an email and make sure you do not hand valuable information to the wrong person.


What is phishing?

Cybercriminals use fake emails or phone calls to collect company information, personal data or login credentials, which they then use to gain unauthorised access to computers or applications. Once in, they try to obtain confidential information, sell the credentials and/or the sensitive information, or make a profit in another way, for example via ransomware.

To extract information or to convince the victim to act in their favour, cybercriminals play on something the victim believes in, or impersonate a trusted person, exploiting authority, a sense of urgency or the human instinct to help each other out.

Follow the policy

Always respect your organisation’s password policy, acceptable use policy and data classification policy to ensure a sufficient and consistent level of cybersecurity.

A set of reference documents templates is available to ensure a quick and smooth implementation of cybersecurity policies within your organisation.

Email phishing

The classic form of phishing is by email. Cybercriminals send an email that appears legitimate and asks the victim to open an attached file or to click a link. The attachment usually contains malware that installs itself on the victim’s computer or mobile phone. The link leads to a website that at first sight seems harmless but in reality tries to steal sensitive information, such as credentials and passwords, in order to gain access to the organisation’s accounts or to its collaborators’ social, personal and/or banking accounts. Clicking a link can also trigger an automatic download of malicious software (malware) onto the device.

Phone phishing (and smishing)

Another type of phishing in common use today goes through the phone. Whether by SMS (which is called smishing) or by voice call, the ultimate goal remains the same: cybercriminals try to get access to an organisation’s information and/or to its collaborators’ personal accounts and misuse them. By text, they send a link and lure the victim into clicking it and entering credentials and passwords. By call, they try to manipulate the victim into giving personal information, which they later use to access professional, social media or bank accounts or other personal data.

How to recognize a phishing email?

Cybercriminals use several techniques to make sure their victim opens the wrong attachment or clicks the wrong link. This article gathers a few tips to help avoid being caught by a phishing attempt. The main questions collaborators should ask themselves are the following:

  • Is it unexpected?

You received a message for no reason: you did not buy anything, have not had contact with them for a long time, etc. Investigate further.

  • Is it urgent?

Stay calm: did you really get a first reminder to pay? Do you know that 'friend in need'?

  • Do you know the person who sent the e-mail?

Check the e-mail address, and also check it for spelling errors. But beware: an e-mail address that looks legitimate is no guarantee, since the sender address shown in a message can be forged.

  • Do you find the request strange?

An official body will never ask you for your password, bank details or personal details via e-mail, SMS or over the telephone.

  • Where does the link you need to click on lead to?

Hover over the link with your mouse. Is the domain name, i.e., the word right before “.be”, “.com”, “.eu”, “.org”, etc. and before the very first slash "/", really the organisation’s name?

An example: in https://www.example.com/login the domain is example.com. In https://example.com.example.net/login the domain is example.net; the “example.com” at the start is only a sub-domain the attacker chose to make the link look familiar.

  • Is there a QR code in the message?

If a QR code is shown, check carefully which website it refers to. When you scan the code, your phone shows the URL before opening it: check the domain as described above.

  • Are you being personally addressed?

Be wary of messages using general and vague titles, or your e-mail address to address you.

  • Does the message contain many linguistic errors?

Although seasoned cybercriminals tend to use language correctly, language errors or a foreign language can indicate a suspicious message.

  • Is the message in your Spam / Junk folder?

If so, be extra careful. You can also mark suspicious messages as Spam or Junk to warn others.

  • Is someone trying to make you curious?

Everyone would be curious about messages with a link reading "Look what I read about you ..." or "Are you in this picture?", but do not be tricked.

  • Are you asked to make a payment?

If you are asked to make a payment that you are not expecting, always be careful. Is the account number the same number you usually use to pay that organisation or person? If not, do not make the payment. Often phishing emails use foreign account numbers or ask to make payments through a crypto wallet. This is suspicious.

If you are in doubt about a payment, check with your bank first, or with the organisation claiming the payment. Do not do this through the contact details in the mail, but go directly to the website of the organisation itself.

Identify the hidden URLs by hovering your mouse over the links

On a computer, hover over the link with your mouse without clicking on it: the full URL appears, usually in a corner of the window. On a phone, a long press on the link shows the destination without opening it. If it looks suspicious, do not click on it. And if you do need to visit that website, go to the official site by typing its address yourself or by looking it up with a trusted search engine.
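The domain check described in this section and in the “Where does the link lead to?” question above can be written down as a function, so that it can be applied to a hovered link or to the URL shown by a QR-code scanner. The following is an added example, not code from the original article. It extracts the registrable domain (the name right before the first slash) and reports the common tricks: a familiar name used only as a sub-domain, text before “@” that the browser ignores, punycode look-alike names, bare IP addresses and plain http. The domains example.com and example.net are reserved example names; the short list of two-label suffixes is an assumption standing in for the full Public Suffix List.

```python
"""Added example (not from the original article): the "look at the domain
before the first slash" check from this section, written as a function so it
can be applied to a hovered link or to the URL shown by a QR-code scanner.
example.com / example.net are reserved example domains; the short suffix list
is an assumption standing in for the full Public Suffix List."""
from __future__ import annotations

import ipaddress
from urllib.parse import SplitResult, urlsplit

# Assumed: a tiny stand-in for the Public Suffix List, naming suffixes under
# which the registrable name is three labels long (shop.example.co.uk -> example.co.uk).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def _split(url: str) -> SplitResult:
    """Parse a URL as a mail client shows it; assume http:// when no scheme is given."""
    return urlsplit(url if "://" in url else "http://" + url)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(url: str) -> str:
    """The part of the host that the organisation actually registered:
    'example.com' for https://www.example.com/login, 'example.net' for
    https://example.com.example.net/login. IP addresses are returned as-is."""
    host = (_split(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or _is_ip(host):
        return host
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_link(url: str, expected_domain: str) -> list[str]:
    """Reasons not to trust the link. An empty list means the domain matches
    the organisation you expected and none of the usual tricks are present."""
    parts = _split(url)
    host = (parts.hostname or "").rstrip(".")
    reasons: list[str] = []
    domain = registrable_domain(url)
    if domain != expected_domain.lower():
        reasons.append(f"domain is {domain!r}, not {expected_domain!r}")
    if parts.username is not None:
        # https://example.com@example.net/ : everything before '@' is not the host
        reasons.append("text before '@' disguises the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host uses punycode, possibly look-alike characters")
    if _is_ip(host):
        reasons.append("host is a bare IP address")
    if url.lower().startswith("http://"):
        reasons.append("link is plain http, not https")
    return reasons


if __name__ == "__main__":
    for link in (
        "https://www.example.com/login",
        "https://example.com.example.net/login",
        "https://example.com@example.net/login",
        "http://192.0.2.10/login",
    ):
        print(link, "->", check_link(link, "example.com") or "looks consistent")
```

An empty result only says the link is consistent with the organisation you expected; it does not prove the page behind it is genuine. Treat it as the first filter, followed by the other questions in the list above.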

How to react to a phishing email?

  1. Do not reply to it, do not open any attachment and do not click on the links
    The most important thing to do when you receive a phishing email or text is not to follow up on it.
  2. Reach out directly to the sender
    If, after all the tips given, you still cannot tell whether it is a phishing email, check directly with the person involved through a different channel. If the sender seems to be a colleague, a client or a provider, call that person to see if they really need your help with something. If it comes from another organisation, check its official website by typing the official address yourself in the address bar.
  3. Never share bank information requested via text or email
    Keep in mind that no bank will ever provide a direct link to log in to a bank account via text or email, and will never ask for PIN or secret codes, whether in writing or by phone.
  4. Report the phishing attempt and delete the email/text
    The phishing email or text should be reported to the IT responsible and to the relevant national authority (suspicious@safeonweb.be (EN); suspect@safeonweb.be (FR); verdacht@safeonweb.be (NL/DE)) and then deleted. A message that is already in the Spam folder should definitely not be trusted.

What to do if you get scammed?

  1. Report the incident immediately to your IT responsible
  2. Warn your collaborators, clients and providers that they might receive a message from someone impersonating you, and that they should not trust it.
  3. Change any passwords that were disclosed, on every account where they are used.
  4. If the scam was about bank details and you notice that money was stolen from your account, file a complaint with the police.  
  5. Immediately call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.

Report every incident. Always.

Always report any incident that might have happened to you, that you witnessed, or that you are aware of to your IT responsible. The sooner the right people can act on it, the smaller the consequences of the incident.


Website defacement


A website defacement is the modification and/or replacement of the content initially displayed on a website. Attackers use it to spread messages or disrupt operations, since a website’s constant availability lets them reach many people.


What is a website defacement attack?

Website defacement is a particular cyber-attack in the sense that the attackers are generally not looking for information to steal. Their goal is usually to make as much noise as possible. To do so, they either publish their own ideas or messages on the website, or simply display a blank or black page, or pictures and videos of their choosing. Either way, the website can no longer serve its original purpose, whether that is to inform or to provide services.

Usually, a website defacement is carried out by ‘hacktivists’. Through the use of hacking, or any other computer-based attack, the people launching the attack want to promote their political view or initiate a social change. As such, their most common targets are governmental or religious websites. However, regular hackers, who don’t specifically aim at sharing ideological ideas, can also carry out a website defacement and anyone can be a target.

A website is the face of an organisation, and such messages or disruptions displayed through it indicate that attackers were able to penetrate an organisation’s server and potentially access confidential and personal information. This can cause important reputational damage and loss of trust from customers and providers.

How does it happen?

The attacker looks for one or more security vulnerabilities that let them gain access to the organisation’s environment. Once in, their goal is to escalate their privileges until they reach an administrative-level account, so that they can modify whatever they want and control what the website’s visitors see. In addition, administrative access, being highly privileged, can give them an entry point to other resources of the organisation, from which they can launch other attacks or disruptions.

Image: horizontal black and white diagram illustrating the steps and links between the hacker and the victim user.

How can a website defacement be identified?

As the main goal of cybercriminals in this type of attack is to make as much noise as they can, the changes made to the targeted website will be obvious to anybody. Beyond that, there is little that can be done to predict that an attack will specifically be a website defacement. However, detection means can be set up to identify whether an intrusion is happening or has already happened. Monitoring all the critical systems that support an organisation’s operations is a key element of good protection against website defacement: if something does happen, the IT Responsible and their team are notified through the alerts they set up beforehand. In addition, several website monitoring tools can detect modifications of the content and other changes made to a website, such as an attacker linking the website to newly set up domains.

When thinking of implementing tools to monitor a website, it is important for an organisation to evaluate the costs against the benefits. There are typically three aspects those tools can monitor: availability, speed and content. In the context of website defacement, the focus will be on the content. However, there is no ‘one fits all’ solution. The overall cost will depend on how heavily and regularly an organisation wants the content on their website to be monitored. This is thus specific to each organisation, depending on their needs and requirements: if the website represents a key element to carry out daily operations or provide services to customers, it will be best to invest in website monitoring tools.

Website monitoring tools are a great asset, however the solution chosen must be validated by the organisation’s IT Responsible from a security and performance point of view.

How to protect a website from defacement?

1. Raise the collaborators’ awareness on the website defacement risk

People cannot react properly to suspicious events if they are not aware of the dangers they might be facing when using information and communication technologies. Analysing all current cyber risks, deciding how to mitigate them and defining a set of policies that identify the right code of conduct is important for every organisation. However, all these measures are deemed to fail if they are not properly communicated to and understood by the collaborators. It is thus important to make sure everybody is aware of how to identify a website defacement and of the internal processes to notify and remediate an incident.

2. Raise the collaborators’ awareness on scams that aim to steal their credentials

An organisation’s collaborators are its first line of defence. However, when encountering a cyber scam, they cannot adopt the right reflexes if they don’t know what they are.

There are several ways cybercriminals try to steal collaborators’ credentials in order to get access to an organisation’s resources. It is thus important to have regular informative sessions to train the collaborators about not sharing too much on social media and not clicking on a link or opening a file without analysing where it comes from first.

3. Activate and configure a Web Application Firewall

A Web Application Firewall (WAF) inspects incoming and outgoing web traffic and allows or denies requests based on defined security rules. It sits between the client and the web server and, because it terminates or decrypts the TLS connection, it can analyse the content of each request sent to the web application. When it detects something suspicious according to its rules, it can block the request and generate alerts for the IT Responsible and their team, who decide on the actions to take next.

The Web Application Firewall protects against attacks that arrive through the web application. It does not replace a perimeter firewall, which blocks unauthorised access and detects attacks coming through other entry points.

4. Update all software, operating systems and internet browsers

Cybercriminals always seek for vulnerabilities to exploit so it is important to keep all systems up-to-date. This makes sure that the latest and more secure version is used.

5. Keep all web server components up-to-date

As with all IT systems, updates of website components are crucial to make sure every known vulnerability is remediated, leaving hackers no chance to exploit it.

The typical components of a web server include:

  • The BIOS/firmware of the hardware the organisation’s server is running on;
  • The operating system of the server;
  • The actual web service used (e.g., Apache, nginx, IIS, etc.);
  • The content management system (e.g., Drupal, Joomla, WordPress, etc.);
  • Optionally, the virtualisation layer.

Very few organisations build their website from scratch. They usually rely on third-party software, which comes with a great number of plugins and themes. Make sure to keep those up to date as well. Third-party developers constantly find and fix new vulnerabilities in them, and so do attackers, so applying the updates is crucial to run the least vulnerable version of each component.

6. Secure the access to and update the content management system

As stated previously, one of the important steps to take to make a Content Management System secure is to keep it and its plugins up-to-date. Cybercriminals always look for new vulnerabilities to exploit but security patches are released to fix those vulnerabilities. It is thus important to make the updates as soon as they are available.

In addition, the Content Management System can be protected by not using any default configuration for accounts and passwords, but by creating one’s own admin account with a strong enough password and by implementing Multi-Factor Authentication on top of it. Multi-Factor Authentication requires a user to provide at least two different factors (e.g., a password plus a code generated by an authenticator app or received via text, or a PIN plus a physical security key) to verify their identity before they are granted access to the resource they are trying to reach.

Finally, a regular review of the user list must be part of the access management process. This applies not only to users with access to the Content Management System, but to every other user within the organisation in general. This review allows the organisation to check that no test users are still active, that accounts of people who have left have been removed, and that no users that should not be there have been added.

7. Implement the HTTPS protocol

The HTTPS protocol is used on the Internet for secure communication and data transfer over a computer network. It is the secured version of HTTP. Just like HTTP, HTTPS is used to send data between a web browser and a web server. The difference is that HTTPS encrypts the data, and the server proves its identity with a certificate, so visitors can tell they are talking to the genuine site. By encrypting all exchanges between the web browser and the web server, HTTPS ensures that no outsider can eavesdrop on the ongoing communication: even if an attacker intercepts the data, they cannot read or use it. Note that HTTPS protects the data in transit only; it does not by itself prevent a defacement if the server or the CMS account is compromised, which is why the other measures in this list remain necessary.

8. Encrypt, backup and control the access to the database

Data is one of the most valuable assets an organisation has. This is why it should be protected accordingly. It is important to encrypt the data at rest (i.e., when stored in a database and not used) and strictly control the access to that database.

In addition, those databases must be backed up to make sure that even if an incident occurs, the data can still be recovered. It is important to regularly test those backups to confirm that they can actually be used if needed, after an incident.

9. Disable directory browsing

Directory browsing (or directory listing) lets visitors of a website see the contents of a folder on the web server, i.e., all its files and sub-folders, whenever that folder has no index page.

Directory browsing must be disabled so attackers cannot find an organisation’s data simply through search engines or by guessing folder names. In addition, files must not be stored in default or publicly accessible locations.

Too late, the website has been hacked

There are several steps to carry out when facing a website defacement attack:

1. Report the incident to the organisation’s IT Responsible

As soon as an unusual change is suspected on the website, it must be reported immediately to the IT Responsible within the organisation so they can take the remediation steps as follows.

2. Isolate the compromised devices from Internet and from the organisation’s network

In order to stop the attack and keep the damage from spreading to the whole organisation’s network, all compromised devices must be disconnected from the Internet, by removing the Ethernet cable or by disabling Wi-Fi on the devices. Do not power them off or reinstall them before the evidence in steps 3 and 5 has been collected.

3. Gather all the necessary forensics

A website defacement is a cybercrime that must be reported to the police. In order to file a complaint, several elements can be gathered to support the case: screenshots of the attacked website, screenshots of anything unusual displayed on the devices, and the log records from the firewall and the servers.

4. Report the incident to the police and file a complaint

A website defacement attack is punishable by law and should be reported to the authorities to allow them to investigate the people responsible and prevent them from executing other attacks.

5. Make a copy of all the compromised devices

If possible, all compromised devices must be copied onto physical media (a full disk image) for forensic purposes, before anything is changed on them.

6. Make an inventory of all the sensitive information accessed or stolen

This helps assess the magnitude of the attack to anticipate what the hacker could use in the future to launch other attacks.

7. Identify and remediate all the vulnerabilities that were used to get access

By determining exactly how the attacker got access to a resource, the necessary remediation steps can be taken to make sure this vulnerability cannot be used again for other attacks. This might be for example installing a security patch or changing a compromised password.

8. Inform the website provider

Most organisations don’t develop their website in-house. When an external provider is involved, they should be contacted and informed about the incident so they can also take the necessary steps to remediate it.

9. If needed, contact official external security specialists

Not every organisation has enough resources to remediate a cyber incident efficiently. Several security specialists can be hired to help solve the incident. Those specialists should only be engaged from recognised organisations, such as known consultancy firms, to avoid hiring a scammer.


Website hacking


Websites of organisations can be the target of numerous attacks such as defacement, denial of service, or even the theft of personal or banking data of Internet users who have created an account on the website. A cyber-attack on an organisation’s website can have multiple consequences on their activities: interruption of services, financial losses, information theft, loss of trust and credibility, remediation costs and even legal liability. This article gathers practical advice to ensure the security of a website.


What is a website hacking attack?

When a cybercriminal hacks a website, the main purpose is to gain unauthorised access to its configuration and data, which the hacker then uses for malicious purposes, usually to make a profit. Being available 24/7, a website is an attractive target for cybercriminals. There are several reasons that might push them to get access to and take control of a website, such as:

  • Using the website as a central point to launch other attacks (e.g., infect the devices of people visiting the website)
  • Accessing sensitive data from shopping carts, submission forms, login pages, etc.
  • Using the website’s bandwidth and server for criminal activities (e.g., distributing illegal products)
  • Publishing illegal content (e.g., hate speech)
  • Changing the website’s ranking in search engines by injecting specific keywords into it
  • Launching phishing attempts by redirecting the visitors to a phishing site where they can steal their confidential information.

Even if you think that your website has nothing of interest for cybercriminals to exploit, you could be wrong. As long as it is visited, it is an attractive target.

How does it happen?

The attacker seeks one or more security vulnerabilities that will allow them to gain access to an organisation’s environment. Once in, their goal will be to escalate their access privileges in order to reach an administrator-level account, so that they can modify whatever they want and thus control what is displayed to the website’s visitors. In addition, an administrator-level account, which carries high privileges, can give them a foothold in other resources of the organisation from which to launch other types of attack or disruption.

Image: horizontal black and white diagram illustrating the steps and links between the hacker and the victim user

How can a website hack be identified?

A good starting point is browsing your own websites as if you were an external user. If any suspicious changes arise or even a complete modification of the webpage that wasn’t done by your marketing or web development team, this is a first indication that the website is compromised.

In addition, detection means can be set up to identify whether an intrusion is happening or has already happened. Monitoring all the critical systems that support an organisation’s operations is a key element in ensuring a good level of protection against a website hack. If something does happen, the IT Responsible and their team can be notified through alerts they set up beforehand. There are also several website monitoring tools that can help detect modifications of the content and other types of changes made to a website, such as an attacker trying to link the website to newly set-up domains.

When thinking of implementing tools to monitor a website, it is important for an organisation to evaluate the costs against the benefits. There are typically three aspects those tools can monitor: availability, speed and content. However, there is no ‘one size fits all’ solution. The overall cost will depend on how heavily and how regularly an organisation wants the content of its website to be monitored. This is thus specific to each organisation, depending on its needs and requirements: if the website is a key element in carrying out daily operations or providing services to customers, it will be best to invest in website monitoring tools.

Website monitoring tools are a great asset; however, the solution chosen must be validated by the organisation’s IT Responsible from a security and performance point of view.
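The content monitoring described above (detecting unexpected changes to a page and links to domains the site never used) can be done with a simple baseline-and-compare check. The following is an added example and not code from the original article: it hashes a page, extracts every href/src reference and flags hostnames that are not on an allowlist. The two HTML pages, the allowlisted domains and the injected script URL are all constructed for the demonstration; in practice the current page would be fetched with an HTTP client and the baseline stored away from the web server.

```python
"""Baseline-and-diff monitor for website content and outbound links (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the page as it looked when the baseline was taken.
BASELINE_PAGE = """<html><body>
<h1>Welcome</h1>
<a href="/about">About</a>
<a href="https://partner.example.org/news">Partner news</a>
<script src="/static/app.js"></script>
</body></html>"""

# Constructed sample: the same page after an unauthorised change.
# A script served from a domain the site never used has been injected.
TAMPERED_PAGE = """<html><body>
<h1>Welcome</h1>
<a href="/about">About</a>
<a href="https://partner.example.org/news">Partner news</a>
<script src="/static/app.js"></script>
<script src="https://cdn.unknown-domain.example/x.js"></script>
</body></html>"""

# Hypothetical allowlist: domains the organisation knows its site references.
KNOWN_DOMAINS = {"www.example.com", "partner.example.org"}


class LinkExtractor(HTMLParser):
    """Collect every URL referenced by an href or src attribute."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def content_hash(html: str) -> str:
    """SHA-256 of the page body; any byte change alters the digest."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def external_domains(html: str) -> set:
    """Return the hostnames referenced by absolute URLs in the page."""
    parser = LinkExtractor()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlparse(url).hostname
        if host:  # relative URLs such as /about have no hostname and are skipped
            hosts.add(host)
    return hosts


def check_page(baseline_html: str, current_html: str, known_domains: set) -> dict:
    """Compare a fetched page against its baseline and list the findings."""
    findings = []
    if content_hash(baseline_html) != content_hash(current_html):
        findings.append("content changed since baseline")
    for host in sorted(external_domains(current_html) - known_domains):
        findings.append(f"link to unknown domain: {host}")
    return {"changed": bool(findings), "findings": findings}


if __name__ == "__main__":
    print(check_page(BASELINE_PAGE, BASELINE_PAGE, KNOWN_DOMAINS))
    print(check_page(BASELINE_PAGE, TAMPERED_PAGE, KNOWN_DOMAINS))
```

A content change on its own is not necessarily an incident (the marketing team may have published something), which is why the domain check is reported separately: a reference to a host nobody in the organisation recognises is the finding that deserves an alert to the IT Responsible.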

How to protect a website from getting hacked?

1. Raise the collaborators’ awareness on the website defacement risk

People cannot react properly to suspicious events if they are not aware of the dangers they might be facing when using information and communication technologies. Analysing all current cyber risks, deciding how to mitigate them and defining a set of policies that identify the right code of conduct is important for every organisation. However, all these measures are doomed to fail if they are not properly communicated to and understood by the collaborators. It is thus important to make sure everybody is aware of how to identify a website hacking attack and of the internal processes to notify and remediate an incident.

2. Raise the collaborators’ awareness on scams that aim to steal their credentials

An organisation’s collaborators are its first line of defence. However, when encountering a cyber scam, they cannot adopt the right reflexes if they don’t know what they are.

There are several ways cybercriminals try to steal collaborators’ credentials in order to get access to an organisation’s resources. It is thus important to have regular informative sessions to train the collaborators about not sharing too much on social media and not clicking on a link or opening a file without analysing where it comes from first.

3. Secure the host server

Using a “defence in depth” approach, the website can be protected by setting up independent methods to secure not only the software and hardware of the server, but also its hosting infrastructure. Those methods can include, for example, a firewall, an application firewall, an antivirus, etc. Combined, they aim at protecting the server against common cyber threats (e.g., malware, DDoS, etc.). If the website hosting is externalised, make sure the provider has sufficient security controls in place to ensure that protection.

4. Activate and configure a Web Application Firewall

A particular protection method to include within the “defence in depth” approach is to set up a Web Application Firewall. This firewall monitors incoming and outgoing network traffic in order to allow or deny communications based on defined security rules. It acts as a controller between the server and the client: by decrypting the traffic, it can analyse the users’ requests before they reach the application. This way, if it detects something suspicious according to its configuration rules, it can generate alerts and send them to the IT Responsible and their team, who will decide on which actions to take next.

The Web Application Firewall protects against attacks that are coming from the web. It doesn’t replace a perimeter firewall, which will block unauthorised access and detect attacks coming from other entry points.

5. Configure and secure servers according to your needs

Only the services the server actually needs should be configured; everything else should be forbidden to avoid unused and potentially dangerous entry points. Additionally, specific rules can be implemented, such as IP address filtering or blocking specific file formats. Finally, all unused services and features should be disabled or limited in order to reduce the probability of getting hacked.

6. Update all software, operating systems and internet browsers

Cybercriminals always seek vulnerabilities to exploit, so it is important to keep all systems up-to-date. This makes sure that the latest and most secure version is used.


7. Keep all the web server components up-to-date

As with all information and technology systems, updates to the web server components are crucial to make sure any known vulnerability is remediated, giving cybercriminals no chance to exploit it.

The typical components of a web server include:

  • The BIOS/firmware of the hardware the server is running on;
  • The operating system of the server;
  • The actual web service used (e.g., Apache, nginx, IIS, etc.);
  • The content management system (e.g., Drupal, Joomla, WordPress, etc.);
  • Optionally, the virtualization layer.

Very few organisations build their website from scratch. They usually rely on third-party platforms that come with a large number of plugins and themes. Make sure to also keep those up to date. The third-party developers are constantly looking for new vulnerabilities in their own code, so applying their updates is crucial to run the least vulnerable version of the components being used.

8. Encrypt, backup and control the access to the database

Data is one of the most valuable assets an organisation has. This is why it should be protected accordingly. It is important to encrypt the data at rest (i.e., when stored in the database) and strictly control the access to the database.

In addition, those databases should be backed up to make sure that even if an incident occurs, all important data can still be recovered. It is important to regularly test those backups to confirm that they can actually be used if needed, after an incident.

In addition to databases, make sure to also back up the website and its configuration. Those backups should also be tested to confirm they can ensure a recovery if needed.

9. Implement the HTTPS protocol

The HTTPS protocol is used on the Internet for secure communication and data transfer over a computer network. It is the secured version of HTTP. Just like HTTP, HTTPS is used to send data between a web browser and a web server. The difference is that HTTPS encrypts the data to increase the security of the transfer. Through the encryption of all exchanges happening between a web browser and a web server, HTTPS ensures that no outsider can eavesdrop on the ongoing communications. In fact, even if an attacker is able to intercept the data, as it is encrypted, they will not be able to understand it nor use it.
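Enabling HTTPS on the server is only half of the control; the site must also stop answering over plain HTTP, so that a browser never sends data unencrypted. The following is an added example, not code from the original article: a small WSGI middleware that redirects every plain HTTP request to its HTTPS equivalent and adds a Strict-Transport-Security header to HTTPS responses, plus a helper that builds a server TLS context refusing protocol versions older than TLS 1.2. The hostname, the HSTS lifetime and the sample application are constructed for the demonstration.

```python
"""Force HTTPS at the application layer (added example, not from the article)."""
import ssl
from urllib.parse import quote

# Hypothetical policy: browsers remember to use HTTPS for one year.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def https_only(app):
    """WSGI middleware: redirect plain HTTP to HTTPS and add HSTS on HTTPS responses."""

    def wrapped(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
        if scheme != "https":
            # Same host, path and query, but on the encrypted scheme.
            target = "https://" + host + quote(environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Replace any HSTS header the application set with the site policy.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)

    return wrapped


def hardened_tls_context() -> ssl.SSLContext:
    """Server-side TLS context that refuses SSLv3/TLS 1.0/TLS 1.1.

    Call ctx.load_cert_chain(certfile, keyfile) with the site's certificate
    before handing the context to the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def run(app, environ):
    """Invoke a WSGI app in-process and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def hello_app(environ, start_response):
    """Constructed sample application sitting behind the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


if __name__ == "__main__":
    site = https_only(hello_app)
    print(run(site, {"wsgi.url_scheme": "http", "HTTP_HOST": "www.example.com",
                     "PATH_INFO": "/login", "QUERY_STRING": "next=%2F"}))
    print(run(site, {"wsgi.url_scheme": "https", "HTTP_HOST": "www.example.com",
                     "PATH_INFO": "/login", "QUERY_STRING": ""}))
```

The redirect is permanent (301) so that browsers cache it, and the HSTS header means that, after the first HTTPS visit, the browser will not even attempt plain HTTP for the configured period. When a reverse proxy terminates TLS in front of the application, the proxy must pass the original scheme through (commonly via X-Forwarded-Proto) and the middleware must read it from there instead of wsgi.url_scheme.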

10. Secure the access to and update the content management system

As stated previously, one of the important steps to take to make a Content Management System secure is to keep it and its plugins up-to-date. Cybercriminals always look for new vulnerabilities to exploit, but security patches are released to fix those vulnerabilities. It is thus important to apply the updates as soon as they are available.

In addition, the Content Management System can be protected by not using any default configuration for accounts and passwords, but creating one’s own admin account with a strong enough password and, on top of that, implementing Multi-Factor Authentication. Multi-Factor Authentication requires a user to provide at least two different methods (e.g., password and PIN code, PIN code and a code received via text) to verify their identity before they are granted access to the resource they are trying to reach.

Finally, a regular review of the user list must be integrated in the access management process. This applies not only to users having access to the Content Management System, but also to every other user within the organisation in general. This review allows the organisation to check that no test users are still active, and that no users that shouldn’t be there were added.

11. Disable directory browsing

Directory browsing allows people visiting a website to list the contents of its directories, i.e., all the files and folders. Directory browsing should be disabled so that attackers cannot find the data simply by using search engines. In addition, files shouldn’t be stored in default or publicly accessible locations.
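Points 5 and 11 above (serve only what is needed, filter by IP address and file format, never list directories) can be expressed as one request gate in front of a static site. The following is an added example and not code from the original article: it normalises the requested path so that traversal cannot escape the document root, serves a directory only through its index page, allows only an explicit set of file extensions, and restricts the CMS admin area to known IP ranges. The document root, admin prefix, IP ranges and the in-memory file tree are hypothetical values constructed for the demonstration.

```python
"""Request gate for a static website (added example, not from the article)."""
import ipaddress
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote

DOC_ROOT = "/srv/www/site"  # hypothetical document root (documentation only)
ADMIN_PREFIX = "/admin/"  # hypothetical CMS admin area
ADMIN_NETWORKS = [  # hypothetical office ranges allowed to reach the admin area
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]
# Only these file types are ever served; anything else (e.g. .bak, .sql, .php) is refused.
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".png", ".jpg", ".svg", ".ico", ".pdf"}

# Constructed in-memory file tree: path -> True for a directory, False for a file.
FILES = {
    "/": True,
    "/index.html": False,
    "/about": True,
    "/about/index.html": False,
    "/static": True,
    "/static/app.js": False,
    "/uploads": True,  # directory without an index page
    "/uploads/report.pdf": False,
    "/config.php.bak": False,  # leftover file that must never be served
    "/admin": True,
    "/admin/index.html": False,
}


@dataclass
class Decision:
    status: int
    path: str = ""  # file that will be served when status is 200
    reason: str = ""


def normalise(url_path: str) -> str:
    """Percent-decode and collapse '.', '..' and repeated slashes.

    The path is re-rooted at '/', so '../../etc/passwd' becomes '/etc/passwd'
    and is then looked up inside the document root only.
    """
    return posixpath.normpath("/" + unquote(url_path).lstrip("/"))


def gate(client_ip: str, url_path: str, files=FILES) -> Decision:
    """Decide whether and what to serve for a request."""
    path = normalise(url_path)

    # Admin area: only reachable from the allowlisted networks (IP filtering).
    if path == ADMIN_PREFIX.rstrip("/") or path.startswith(ADMIN_PREFIX):
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in ADMIN_NETWORKS):
            return Decision(403, reason="admin area not reachable from this address")

    if path not in files:
        return Decision(404, reason="no such file")

    if files[path]:  # directory: serve its index page or nothing, never a listing
        index = posixpath.join(path, "index.html")
        if index in files and not files[index]:
            return Decision(200, path=index)
        return Decision(404, reason="directory listing disabled")

    ext = posixpath.splitext(path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return Decision(403, reason=f"file type {ext or '(none)'} not served")
    return Decision(200, path=path)


if __name__ == "__main__":
    for ip, req in [("203.0.113.5", "/"), ("203.0.113.5", "/uploads/"),
                    ("203.0.113.5", "/static/../config.php.bak"),
                    ("203.0.113.5", "/%2e%2e/%2e%2e/etc/passwd"),
                    ("203.0.113.5", "/admin/"), ("10.1.2.3", "/admin/")]:
        print(ip, req, gate(ip, req))
```

The same decisions are what a correctly configured web server (Apache, nginx, IIS) makes with its own directives: autoindex off, an allowlist of locations and file types, and an IP restriction on the administration path. The point of writing it out is to see that every rule is a deny-by-default: a path that matches nothing is a 404, not a listing, and an extension that is not expected is refused even when the file exists.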

13. Audit the website to look for most common vulnerabilities

Testing a website for well-known vulnerabilities is a great way to establish whether it is ready to go live or not, from a security point of view. Identifying the existing vulnerabilities leaves more time to fix them, without any damage, before a cybercriminal uses them and actually causes significant damage. Security experts can provide assistance, by doing penetration tests and audits for example, to assess a website’s security.

14. Use strong passwords and implement Multi Factor Authentication

People tend to use weak passwords as they are easier to remember. However, a password that is easy to remember is also easy to hack. It is thus important to only allow the use of strong passwords, which combine upper and lower case letters, numbers and symbols. In addition, implementing Multi-Factor Authentication adds an additional layer of protection to the accounts.

Too late, the website has been hacked

There are several steps to carry out when facing website hacking:


1. Report the incident to the organisation’s IT Responsible

As soon as an unusual change is suspected on the website, it must be reported immediately to the IT Responsible within the organisation so they can take the remediation steps as follows.

2. Isolate the compromised devices from Internet and from the organisation’s network

In order to stop the attack and its damage from spreading to the whole organisation’s network, all the infected devices must be disconnected from the Internet. This can be done by removing the Ethernet cable or by directly deactivating the Wi-Fi on the devices.

3. Gather all the necessary forensics

A website hack represents a cybercrime that must be reported to the police. In order to file a complaint, several elements can be gathered to complete the case: screenshots of the attacked website, screenshots of anything unusual displayed on the devices and the log records from the firewall and servers.

4. Report the incident to the police and file a complaint

A website hack is punishable by law and should be reported to the authorities to allow them to investigate the people responsible and prevent them from executing other attacks.

5. Make a copy of all the compromised devices

If possible, a copy of each infected device should be made onto a separate physical medium for forensic purposes.

6. Make an inventory of all the sensitive information accessed or stolen

This helps assess the magnitude of the attack to anticipate what the hacker could use in the future to launch other attacks.

7. Identify and remediate all the vulnerabilities that were used to get access

By determining exactly how the attacker got access to a resource, the necessary remediation steps can be taken to make sure this vulnerability cannot be used again for other attacks. This might be for example installing a security patch or changing a compromised password.

8. Inform the website provider

Most organisations don’t develop their website in-house. When an external provider is involved, they should be contacted and informed about the incident so they can also take the necessary steps to remediate it.

9. If needed, contact official external security specialists

Not every organisation has enough resources to respond efficiently to a cyber incident. There are several security specialists that can be hired to help resolve the incident. Those specialists should only come from established organisations, such as known consultancy firms, to avoid hiring a scammer.
