Responding to a Ransomware Attack: The crucial initial steps businesses must take
Ransomware continues to plague organizations around the world, causing many to fortify their digital defenses. As ransomware becomes increasingly sophisticated, the risk of becoming a victim to ransomware increases. So, how should a business respond to a ransomware attack? And more crucially, what are the steps firms must immediately take in such an event?
Falling victim to a ransomware assault is awful enough, but if you handle the aftermath poorly, the reputational impact can be disastrous, causing you to lose much more than just your critical business data.
Here we explain the steps organizations must follow to respond quickly and recover from a ransomware attack.
On this page:
What is Ransomware?
Ransomware is a form of malware that utilizes encryption to hold a victim’s data at ransom.
Since its inception, ransomware’s sole objective has been to generate income from its unsuspecting victims, becoming one of the most widespread types of cyberattacks globally.
Ransomware is classified into two types:
- Crypto Ransomware – Crypto-Ransomware encrypts all files, folders, and hard drives on the infected device, offering to restore them once a ransom is paid to the attacker.
- Locker Ransomware – This type of ransomware locks victims out of their systems, requiring the payment of the ransom to regain access.
Unfortunately, ransomware criminals aren’t picky about who they target. As a result, cybercriminals who launch this type of attack usually take a scattergun approach. Even if a small number of the victims pay, ransomware is so cheap to deploy that the attackers are guaranteed a profit.
Prevention, Preparedness, Response, Recover (PPRR)
The prevention, preparedness, response and recovery (PPRR) model is a comprehensive approach to risk management:
- Prevention – Reduce or eliminate the likelihood or effects of an incident
- Preparedness – Take steps before an incident to ensure adequate response and recovery
- Response – Minimize, control or the impact of an incident
- Recovery – Take proper measures to minimize disruption and recovery times
The Prevention and Preparedness steps of the strategy have a slew of recommendations for data storage and backup, as well as priority, protection, and other measures.
However, it is in the Response and Recover portions that things become a little more tricky.
The initial assessment of the threat must establish whether it is accurate. If true, it leads to additional decisions about the scope of the breach, such as:
- Which systems are impacted?
- What data is at risk?
- Can, and to what extent, can the infected systems be recovered?
Finally, you may have to decide whether it should just pay the ransom – considering the long-term consequences, such as the possibility of subsequent assaults – or rely on insurance firms to cover the damage.
How to Respond to a Ransomware Attack
Fortunately, there is no shortage of guidance on what to do once a ransomware attack has begun, and for the most part, most of these instructions are consistent.
The following recommendations offer a thorough approach to limiting harm and managing risk within your network.
1. Isolate and Identify
At this point, the ransomware may have only infected a single device, or it could be infecting multiple endpoints.
The first thing you should do if one or more of your computers on your network has been compromised is to disconnect all other devices linked to your network to stop the spread of the ransomware and put your entire network in danger.
The next step is to identify the ransomware strain. To do this, use trusted a service such as Emsisoft’s online ransomware identification tool or ID Ransomware.
2. Contact the Authorities
After you have stopped the spread of the ransomware, you must notify the authorities. They have been trained to deal with ransom scenarios and can advise you on your next moves.
They can also use their resources to assist you in fighting the ransomware and meticulously documenting the situation for legal grounds.
3. Contact your Cyber Insurance Company
If you have cybersecurity insurance coverage, you should contact the company to learn about the next steps in assessing any damages and filing a claim.
Cyber insurance providers should be called before you begin assessing damages and resolving the problem, as they offer forensic investigation capabilities that can assist you in answering critical questions about the attack.
Furthermore, if consumers sue your company due to a data breach or if you violate any data regulations such as HIPAA, your provider can advise you on the best subsequent actions in risk management.
4. Evaluate the damage
If you have any legal, financial, or medical data that you suspect were stolen during the ransomware attack, you may be liable for any subsequent data breach lawsuits filed by clients or customers.
Take inventory of the files you believe have been stolen. Even if you recover your files, they are now tainted because a hacker gained access to them.
It would help if you created a risk management plan to ensure that any personally identifiable information that has been accessed is safeguarded in the future.
Mistakes to avoid when responding to a Ransomware Attack
While we always recommend having a plan in place before becoming a victim of a ransomware attack, if the worst comes and you don’t have a strategy, you mustn’t panic.
Incorrectly handling a ransomware situation can hamper recovery attempts, risk data, and force victims to pay needlessly high ransoms. Following a ransomware attack, businesses should avoid the following mistakes:
Don’t pay the ransom immediately
During a ransomware assault, you have two choices: pay the ransom or refuse to pay and attempt to recover your files on your own.
For a variety of reasons, many experts advise against paying the ransom. For example, paying the ransom does not guarantee that you will receive your files and be left alone indefinitely.
To begin with, just because you paid the ransom does not guarantee that you will receive an encryption key to access your data. Second, it may inspire hackers to demand more significant sums of money from future victims.
Finally, only you can decide whether your data is worth the investment.
Avoid restarting impacted devices
Many ransomware strains detect reboot attempts and punish victims by damaging the device’s Windows installation such that the machine will never boot up again, while others may start deleting encrypted files at random.
Restarting the machine might also stymie forensic investigations. Rebooting clears the machine’s memory, which, as previously stated, may provide clues relevant to investigators.
Instead, afflicted systems should be put into hibernation, which will allow them to be analyzed in the future.
Don’t connect external storage devices to infected systems
Many ransomware strains intentionally target storage devices and backup systems.
Consequently, it is sensible to avoid linking external storage and backup systems to infected systems (physically or via network access) until businesses are satisfied that the infection has been eradicated.
It is not always clear that ransomware is active. Unfortunately, many businesses have begun the recovery process without understanding that ransomware is still present on their system, encrypting their backup systems and storage devices.
Don’t communicate on the affected network
During the recovery process, victims should presume that attackers still have access to the infiltrated network and may intercept any messages sent or received over it.
Organizations should implement secure out-of-band communication channels and prohibit users from communicating on the compromised network until the remediation process is completed and the network is restored.
Avoid deleting files
Files should not be removed from encrypted systems unless advised to do so by a ransomware recovery specialist.
Not only are encrypted files useful for forensic purposes, but some ransomware strains retain encryption keys within the encrypted files — if the files are erased, the decryptor will fail.
Ransom notes, on the other hand, should never be deleted.
Some ransomware, such as DoppelPaymer and BitPaymer, encrypt each file with a ransom letter that provides the encoded and encrypted key required for decryption. The related file cannot be decrypted if a ransom note is destroyed.
Recovering from a Ransomware Attack
You’ve responded to the ransomware incident, and the time has come to take action to restore your network and your business or organization’s normal operations.
Unfortunately, the options available to you here will be determined by several factors. Here’s what you can do:
Restore from backup
Ideally, you understand the necessity of data backup and have a clean, recent copy of all your critical files ready to go.
Nonetheless, before restoring, you should check the integrity of your backups and that the data you require is correct.
Before restoring your files from backups, you should thoroughly cleanse your infected systems. After restoring the backups, ensure that all of your essential apps and data are restored and operational.
Decrypt your data
Perhaps you don’t have a backup, or your backup system has also been compromised. In that instance, you’ll need to find a decryption program that can be utilized to recover your data.
First, correctly identify the ransomware. Unfortunately, a tool may not be accessible for the most recent variants of ransomware. Decrypt your files and check their integrity if you can find one.
Accept the loss
As unpleasant as it may sound, you may have little choice except to accept the loss of your data.
If you decide to accept the loss, you should wipe the system clean to eliminate the malware, then restart.
However, it would be sensible to back up your encrypted files first since it is likely a decryption tool for your strain of ransomware may become available at a later date, allowing you to unlock that material in the future.
Pay the ransom
There are several strong reasons not to pay the ransom, the most important of which is that there is no assurance you will receive your files back even if you do.
Paying ransoms also encourage attackers to keep distributing ransomware since it is effective.
It’s also worth noting that your money could be used against you in another form of cybercrime.
How to Protect against Ransomware
Follow these steps to avoid ransomware and limit the harm if you are attacked:
- Back up your data – The most straightforward approach to avoid being locked out of your vital files is to keep backup copies of them on hand, preferably in the cloud and on an external hard drive.
If your systems do become infected with ransomware, you can wipe your computer or device clean and reinstall your contents from backup.
This safeguards your data and prevents you from being persuaded to pay a ransom to the malware creators. Backups will not prevent ransomware, but they will help to lessen the dangers.
- Secure your backups – Ensure that your backup data can neither be modified nor deleted from the systems where it is stored.
Several types of ransomware intentionally encrypt or erase data backups, rendering them unrecoverable. Consequently, employing backup methods that do not enable direct access to backup files would be sensible.
- Use antimalware and antivirus software – Ensure all of your user devices are protected by the security software and kept up to date. In addition, you must ensure to update the software on your devices regularly. Most security software vendors maintain a database of the latest ransomware threats.
- Only use secure networks – Avoid utilizing public Wi-Fi networks because many of them are insecure. Instead, consider installing a VPN, giving you a secure internet connection no matter where you go.
- Implement a security awareness program – Every member of your organization should receive regular cybersecurity awareness training to help them avoid phishing and other social engineering attacks. Regular drills and testing should be conducted to ensure that training is being followed.
Defending against attempted ransomware attacks will remain a significant priority for the company in the future.
As part of a solid Prevention and Preparedness phase, organizations should aim to have an infrastructure developed with security at its core.
This infrastructure should encompass a tiered defense that either prevents ransomware from encrypting data or restricts the damage to which its reach can extend — in other words, reducing the harm potential and isolating its impact.
However, victory over this and other forms of cybercrime will increasingly depend on how well you act and recover rather than how strong your digital castle is built.
As with any other type of crime, the best method to combat ransomware is to remove the ability to profit from it.