I've been hacked...now what?

How Businesses in Midcoast Maine should respond to being hacked

TL;DR This guide is long; you may want to skim the headers for the parts relevant to your situation. We developed this guide because the stress of being breached leads to many questions, and we want to help inform the conversation about the next best response. This guide is for general information purposes only, with no representations as to the accuracy or completeness of any information on this site. Determining whether you have been breached is a legal determination with legal ramifications; for your specific situation, contact a qualified attorney and your insurance provider.

Next Steps

Being hacked means threat actors have gained access to your computer, data, or a service you use. The first priority is to end their access and remove any additional accesses they've created. This requires some detective work:

If Someone Claims You're Hacked

If a company tells you that you've been breached and need to react immediately, your first step should be to pause. If on the phone, hang up and call them at their work number. If in an email, do not trust phone numbers or emails listed in the email, instead contact the company through another known good method of reaching them.

Is an attacker telling you they have access? Threats are often fake. Extortion emails commonly claim to have webcam videos of you, or quote partial information such as an old password that is already public from a past breach, in the hope that you will be convinced they have access and react. You can check which old breaches your email address appeared in at the HaveIBeenPwned.com website. It may still be a good idea to review logs and update passwords as a precaution. If the attacker has or uses information that was genuinely private, that is much stronger evidence an account was breached. Examples include scam emails being sent to your contacts from your own account or from a lookalike address (which suggests they exported your contacts after logging into your email), fraudulent charges on your bank or credit card, or information that only existed in your email, cloud storage, or computer being shared or used.

Email or Web-based Hack

If you think someone gained access to your email or a web-based portal: check the account's login history; check whether backup phone numbers, recovery emails, or passkeys have been added; change the password; add multifactor authentication; sign out all logged-in sessions; and revoke connections to third-party apps and shared services. If the same password is used elsewhere, change it there too and give each account a unique password to prevent additional breaches. If the account was an administrator account and the attacker changed the password and MFA, contact your email provider to see whether you can prove ownership of your website domain (typically with a DNS record) to retake the account.
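The checks above, worked through for a Microsoft 365 / Entra ID account, as an added example that is not part of the original guide. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the administrator running it can consent to the listed scopes; the account name is a placeholder. The mailbox-rule and forwarding check at the end is an extra step the guide does not list, included because a rule that forwards or deletes mail is one of the most common things an attacker leaves behind.

```powershell
# Added example (not from the original guide): triage of a suspected compromised
# Microsoft 365 / Entra ID account. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed. The account is a placeholder.
$Upn = 'alice@example.com'   # placeholder, replace with the affected account

Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Application.Read.All',
    'UserAuthenticationMethod.Read.All', 'User.RevokeSessions.All',
    'DelegatedPermissionGrant.ReadWrite.All'
$User = Get-MgUser -UserId $Upn

# 1. Login history: the last 50 sign-ins, where they came from, and whether they
#    succeeded. Look for countries, networks, and client apps the user never uses.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress,
        @{n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } },
        AppDisplayName, ClientAppUsed,
        @{n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Error $($_.Status.ErrorCode)" } } } |
    Format-Table -AutoSize

# 2. Recovery methods: a phone, email, authenticator, or FIDO2/passkey registration
#    the user does not recognize is the attacker's foothold and must be removed.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize

# 3. Sign out every session: invalidates refresh tokens so stolen sessions die.
#    Do this together with resetting the password in the admin center.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 4. Connected third-party apps: OAuth consents granted by this user. Attackers
#    often consent a mail-reading app so their access survives a password change.
$Grants = Get-MgOauth2PermissionGrant -Filter "principalId eq '$($User.Id)'"
foreach ($g in $Grants) {
    $App = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    '{0,-40} scopes: {1}' -f $App.DisplayName, $g.Scope
    # To revoke a grant after review:
    # Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}

# 5. Mailbox forwarding and inbox rules (Exchange Online): a rule that forwards,
#    redirects, or deletes mail lets the attacker read replies the victim never sees.
Connect-ExchangeOnline -ShowBanner:$false
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-InboxRule -Mailbox $Upn |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Format-Table -AutoSize
```

Run the read-only steps (1, 2, 4, 5) before the revocation in step 3 and save their output; once sessions are revoked and the password is reset, the attacker's next move is usually to try the recovery methods and app consents they planted, so those must be cleaned up in the same sitting.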

Computer Software Hacks

If you downloaded free or discounted software from a non-reputable source and now experience malware symptoms, you may want to uninstall that program and any associated sub-programs, taking care not to uninstall working components of other programs or your operating system. Threat actors may have installed one malicious program, or they may have worked through the sequence catalogued in the MITRE ATT&CK framework: initial access, then persistence, then one or more command-and-control channels that keep their access even after the original malware is removed.

An initial search for malware will usually start in Windows Task Manager, identifying unfamiliar programs and processes and investigating their file locations and behavior. The initial checks should also review the Startup apps tab in Task Manager and the Task Scheduler for new entries; registry Run keys, services, and the startup folders are other common persistence locations. If you are not already using EDR (endpoint detection and response), deploying it can be a good first step in triaging malware; we recommend selecting from Gartner's leaders, but there are many good options for endpoint protection (formerly called antivirus). One incident response trick: if the malware appears to come from a Russian-speaking actor, adding a Russian keyboard layout or language pack can cause some malware to disable itself or skip parts of its payload, because Russian malware authors often hardcode language, keyboard-layout, or time-zone checks to avoid infecting victims in their own jurisdiction and drawing prosecution there. Treat this as a cheap precaution, not a defense; the check is easy for an author to omit and its absence proves nothing.
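A scripted version of that first pass, as an added example that is not part of the original guide: it walks the same places a technician would check by hand (running processes, Startup entries, Task Scheduler) plus the registry Run keys and auto-start services, and flags entries that run from user-writable folders, are unsigned, or launch a script host with obfuscated arguments. The heuristics and the "Suspicious" column are this example's own and are prompts for a closer look, not verdicts; plenty of legitimate third-party tools are unsigned, and malware that copies itself into Program Files will not be flagged by the path test. Run it from an elevated PowerShell prompt on the suspect machine.

```powershell
# Added example (not from the original guide): survey of common Windows
# persistence locations with simple triage heuristics. Run elevated.

# Folders an installer normally never uses for a long-lived program.
$UserWritable = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\'
# Script hosts that legitimate autostarts rarely invoke directly.
$ScriptHosts  = 'powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd\.exe'
$Obfuscated   = '-enc|frombase64|iex|hidden|bypass'

function Get-ExeFromCommand([string]$Command) {
    # Pull the executable path out of a command line, quoted or not.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

function Test-Suspicious([string]$Command) {
    $reasons = @()
    if ($Command -match $UserWritable) { $reasons += 'user-writable path' }
    if ($Command -match $ScriptHosts -and $Command -match $Obfuscated) { $reasons += 'script host with obfuscated args' }
    $exe = Get-ExeFromCommand $Command
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }
    return ($reasons -join '; ')
}

$Findings = @()

# 1. Registry Run / RunOnce keys (machine, 32-bit view, and current user).
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in ($RunKeys | Where-Object { Test-Path $_ })) {
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object {
            $Findings += [pscustomobject]@{ Source = 'Registry'; Name = "$key\$($_.Name)"; Command = $_.Value }
        }
}

# 2. Startup folders for all users and the current user (what Task Manager's
#    Startup apps tab shows), via WMI.
Get-CimInstance Win32_StartupCommand | ForEach-Object {
    $Findings += [pscustomobject]@{ Source = 'StartupFolder'; Name = "$($_.Location)\$($_.Name)"; Command = $_.Command }
}

# 3. Scheduled tasks: the executable and arguments of every enabled task.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            $Findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = "$($a.Execute) $($a.Arguments)" }
        }
    }
}

# 4. Services that start automatically, with the binary they run.
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $Findings += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
}

# 5. Currently running processes (the Processes tab), by image path.
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $Findings += [pscustomobject]@{ Source = 'Process'; Name = "$($_.Name) (PID $($_.Id))"; Command = $_.Path }
}

# Score everything, keep the complete list for the forensics expert, and show
# the flagged entries first.
$Report = $Findings | ForEach-Object {
    $_ | Add-Member -NotePropertyName Suspicious -NotePropertyValue (Test-Suspicious $_.Command) -PassThru
}
$Report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\autostart-survey.csv"
$Report | Where-Object { $_.Suspicious } | Sort-Object Source | Format-Table -AutoSize -Wrap
```

Keep the exported CSV even if nothing looks wrong: a later forensics engagement will want to know what was on the machine before anything was removed, and the unflagged entries are part of that record.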

Speaking to your cyber insurance provider early on will help you determine your coverage and the cost of forensics experts. Even after we've responded to an initial threat, we recommend using a forensics expert to ensure no malicious artifacts remain and to make any determinations about the legal notification requirements that follow a breach. A good final step after malware is removed is to change any passwords used on that device and take a new backup, kept separate from any backup made while the malware was present.

Multiple Computers or Servers

If you believe multiple computers or a server are infected, there is real urgency, and responding technicians sometimes ask what may be mistaken for a rude question that slows things down: what did you see that brought you to the conclusion this was infected? That question is not to doubt you; it is to gather a list of symptoms so that alternative explanations are properly ruled out and all malware is addressed at once.

If malware is suspected, the responding technician will attempt to determine both the initial entry and any new accesses the malicious actor has created, so that when the doors are locked, the threat actor is not still inside. This may cover a variety of seemingly unconnected questions: Do the programs and processes on the computer match the expected company-installed programs? Does anyone use browser extensions? (Extensions are rarely, but occasionally, resold to malicious actors who push out malware through an update.) Could the attacker have guessed a VPN password from a shared or reused password? Could the attacker have broken through an unpatched firewall? Does the network have any unpatched hardware such as access control systems, ICS systems (SCADA, PLCs), or IoT devices like smart TVs or printers? In a multi-device breach, the need to cover so many topics is why involving technicians early is helpful, and why engaging a forensics expert with the help of your insurance company is important.

Ransomware

Ransomware in Cloud Services

In Google Drive, a file in the trash can be restored by the user for 30 days; after that, or if it was deleted from the trash, a Google Workspace administrator has a further 25 days to restore it, for up to 55 days in total. Microsoft 365's OneDrive offers Files Restore, which rolls the entire account back to any point within the last 30 days, and individually deleted files stay in the recycle bin for 93 days. Microsoft states that support can recover data for an additional 14 days after that, but reports of success with that extension vary. The biggest threat in Microsoft 365 is that a threat actor with administrator control can lower the version history limit from the default of 500 versions down to 1, and then only needs to encrypt and save the file more times than the retention limit to destroy every clean version (retention can be set from 1 up to 50,000 versions). Checking that the versioning limit and retention settings have not been changed is part of confirming the attacker's access is gone.

If the threat actor has made a credible ransom request, or has already encrypted a device and offered to decrypt a sample to demonstrate their control, you will want to learn how ransomware works before making any decisions. Sometimes they will perform double extortion: they encrypt your systems and also exfiltrate your data, then threaten to publish it or sell it on the black market. This can mean one or multiple ransoms. They may even use triple extortion, where they perform double extortion and then knock your network offline (denial-of-service) or use the stolen data to extort your customers or vendors. A few years ago, threat actors would take around 180 days of "dwell time" inside a network while figuring out how to extort you; a typical dwell time is now down to about 10 days. This matters for backups, because a backup taken during the dwell period may include the attacker's malware or persistence mechanisms, which will reinfect your system a few days after you restore from it. In some cases the attacker will offer to negotiate, and there are "professional" ransomware negotiators. We can't recommend one, because paying a ransom does not guarantee a threat actor can or will do what they claim, and for some strains of ransomware even the attackers do not have working decryption tools.

If you do choose to pay a ransom, you will want to confirm that you are not paying a sanctioned entity on the Office of Foreign Assets Control (OFAC) US sanctions list. Beyond OFAC, paying a ransom is usually not prohibited. If you have an encrypted drive or files and can afford to hold onto them, keep them (along with a copy of the ransom note, which identifies the strain) for as long as the information they contain is valuable, because cybercriminals occasionally release free decryptors at the end of their careers to reduce the likelihood that law enforcement will hunt them. Less commonly, forensics experts and malware reverse engineers build decryption tools for specific strains by finding flaws in the malware's cryptography; the No More Ransom project run by Europol and its partners collects such tools.

Contacting Law Enforcement

If you plan to contact law enforcement about a computer crime, the FBI takes reports through its Internet Crime Complaint Center (ic3.gov), and the relevant Maine statute starts at Title 17-A, Chapter 18, §431. The federal law covering computer crimes starts at 18 U.S.C. § 1030, which makes unauthorized access, and access beyond what was authorized, illegal, and has been amended so that it applies to essentially every computer in America. Involving law enforcement may change your response goals: instead of resolving the issue so you can return to regular operations, your computers would be treated as a crime scene. Under that goal, evidence is gathered and preserved, and a chain of custody for relevant files is maintained, with file hashes documenting what happened and who was involved for potential criminal charges. Investigators will typically use specialty software for this, each with different purposes, such as EnCase, FTK (Forensic Toolkit), Cyber Triage, or Autopsy.
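What "chain of custody with file hashes" looks like in practice, as an added example that is not part of the original guide or of any of the tools it names: a manifest that records the SHA-256 hash, size, and timestamps of each collected file together with who collected it and when, plus a verifier that can prove later that nothing in the collection changed. The file paths and collector name are placeholders. Hash a forensic copy or image rather than the live originals; reading a file can update its access time, and a running system can change a file under you.

```powershell
# Added example (not from the original guide): evidence manifest with SHA-256
# hashes and a later integrity check. Paths and names are placeholders.

function New-EvidenceManifest {
    param(
        [Parameter(Mandatory)] [string[]] $Path,         # files or folders to include
        [Parameter(Mandatory)] [string]   $ManifestPath, # where to write the CSV record
        [Parameter(Mandatory)] [string]   $Collector     # person taking custody
    )
    $CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    $Items = Get-ChildItem -LiteralPath $Path -File -Recurse -Force
    $Rows = foreach ($f in $Items) {
        [pscustomobject]@{
            Path             = $f.FullName
            SHA256           = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            SizeBytes        = $f.Length
            LastWriteTimeUtc = $f.LastWriteTimeUtc.ToString('o')
            CollectedUtc     = $CollectedUtc
            Collector        = $Collector
            Host             = $env:COMPUTERNAME
        }
    }
    $Rows | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
    # Hash the manifest itself so the record of the evidence can also be verified.
    $ManifestHash = (Get-FileHash -LiteralPath $ManifestPath -Algorithm SHA256).Hash
    "$ManifestHash  $(Split-Path -Leaf $ManifestPath)" |
        Set-Content -LiteralPath "$ManifestPath.sha256" -Encoding ASCII
    return $Rows
}

function Test-EvidenceManifest {
    param([Parameter(Mandatory)] [string] $ManifestPath)
    # Re-hash every listed file and report anything missing or altered.
    $Expected = Import-Csv -LiteralPath $ManifestPath
    $Problems = foreach ($row in $Expected) {
        if (-not (Test-Path -LiteralPath $row.Path -PathType Leaf)) {
            [pscustomobject]@{ Path = $row.Path; Problem = 'missing' }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $row.Path -Algorithm SHA256).Hash
        if ($actual -ne $row.SHA256) {
            [pscustomobject]@{ Path = $row.Path; Problem = "hash changed (now $actual)" }
        }
    }
    if ($Problems) { $Problems } else { "All $($Expected.Count) files match the manifest." }
}

# Usage (placeholder paths): record custody of the copied evidence, then verify
# it again whenever it changes hands or before it is handed to investigators.
# New-EvidenceManifest -Path 'E:\case\evidence' -ManifestPath 'E:\case\manifest.csv' -Collector 'J. Doe'
# Test-EvidenceManifest -ManifestPath 'E:\case\manifest.csv'
```

Store the manifest and its .sha256 file on media the suspect systems cannot reach, and write the collector, date, and manifest hash into the incident log by hand as well; the point of the hash is that anyone, later, can independently confirm the files are the ones collected.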

Maine's Notice of Risk to Personal Data Act

Maine law requires anyone who maintains computerized data containing personal information (a name combined with one of: Social Security number; driver's license or state ID number; account, credit card, or debit card number; or a password, PIN, or access code) and becomes aware of a breach to investigate and notify affected Maine residents. If more than 1,000 people are affected, the licensee must notify the consumer reporting agencies as well. Whenever residents must be notified, the incident also has to be reported to the company's state regulator within the Department of Professional and Financial Regulation or, if it has none, to the Attorney General. The organization has 30 days from discovery of the breach to notify, unless law enforcement asks for a delay to protect an investigation, in which case notice is due within 7 days of law enforcement determining that it will no longer compromise the investigation.

Businesses That Process Credit Cards:

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is maintained by the payment networks (Visa, Mastercard, American Express, Discover, and JCB), which jointly set the required rules for anyone who stores, processes, or transmits credit and debit card data. Key first steps are to follow your incident response plan, isolate affected systems (unplug the network cable or turn off Wi-Fi rather than powering off, which destroys evidence in memory), and document times and actions taken while preserving evidence. The next step is to identify and analyze what payment card data, if any, was affected. At that point, contact a PCI Forensic Investigator, who will investigate the incident and assess your compliance with PCI DSS. Notifying affected cardholders is required, and the section above on the Notice of Risk to Personal Data Act may be helpful. The investigation may call for additional security controls and may require Level 1 compliance going forward, which your business may have to meet to continue processing payments.

Healthcare and Business Associates:

HIPAA Compliance

Under HIPAA's Breach Notification Rule, an impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate can demonstrate a low probability that the protected health information (PHI) has been compromised. From discovery of the breach, a covered entity has 60 days to notify by mail each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed. If ten or more individuals lack up-to-date contact information, then a "conspicuous" posting has to be placed on the home page of the covered entity's website for 90 days, or in major print or broadcast media, with a phone number individuals can call to learn whether their information was affected. For fewer than ten individuals, alternative written notice or a telephone call can be used. If more than 500 people are affected, there is an obligation to notify "prominent media outlets" and to notify the Secretary of Health and Human Services (via the Office for Civil Rights) within 60 days. For fewer than 500 individuals, maintain a log of breaches and notify the Secretary within 60 days after the end of the calendar year. In all cases, documentation must be kept proving the notifications were made, or proving that the event did not meet the definition of a breach. Business associates are required to notify covered entities of breaches of PHI within 60 days and to include the information the covered entity needs in order to notify individuals.

Breaches with customer's personal health

For entities that hold personal health information but are not covered by HIPAA, such as health app and personal health record vendors.

The Federal Trade Commission's Health Breach Notification Rule requires notification to the FTC and to the people whose information was breached. For 500 or more people, there are 60 days to notify everyone and to notify prominent media serving the affected state. For fewer than 500 people, the notification to the FTC is due 60 days after the end of the calendar year.

Financial Institutions and those incidental to customer financial information, car dealers, finders, tax firms

FTC Safeguards Rule

The Federal Trade Commission requires that financial institutions notify the FTC within 30 days of discovering a breach of unencrypted consumer data (or encrypted data where the key was accessed too) involving at least 500 consumers. The reporting form is here.

Not Small Businesses and those in 16 Designated Critical Industries:

CIRCIA of 2022

This law was passed in 2022; CISA published its Notice of Proposed Rulemaking in 2024, and as of spring 2026 the final rule has been delayed due to funding. It will require covered entities to report any covered cyber incident within 72 hours and any ransomware payment within 24 hours. The proposed rule sets the expectation that it will cover both (1) all businesses that are not small businesses and (2) all organizations in the 16 critical infrastructure sectors in CISA's domain: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. The current CISA reporting form can be used to submit these events voluntarily until the rule is finalized and reporting becomes mandatory.

Insurance Industry:

Maine's Insurance Data Security Law

This law requires insurance licensees to determine whether a cybersecurity event occurred (including events at third-party service providers that affect the licensee's customers), its nature and scope, and what nonpublic information was lost; to take reasonable measures to restore the security of the compromised systems and prevent further unauthorized access; and to keep records of the cybersecurity event for five years. If the licensee is domiciled in Maine or holds a Maine resident license, the event must be reported to the Superintendent of Insurance within three business days. Samples of the notification letters sent to consumers must also be sent to the superintendent.

If Massif MSP can help you in anyway reach out using the form to the top left of this column.


Based in Topsham, Maine