
Responding to a Ransomware Attack: Dos and Don’ts

September 29, 2020

Ransomware is one of the fastest-growing malware threats, targeting every type of user – from home users to businesses, government networks, hospitals, and even city libraries. The effects of a ransomware infection are felt immediately, and its impact is often very destructive. That’s why security experts advise companies to plan for, and focus on, the actions taken in the moments following a ransomware attack. These actions can determine how widespread the damage is and how much the attack will cost the company. Below is a short list of dos and don’ts to follow if you have fallen victim to a ransomware attack.

DO: Make a Plan

Your response can be carefully prepared even before the attack itself. Ideally, every business manager or IT director should create a disaster recovery plan for addressing cyberattacks before they happen. A key component of a proper disaster response is isolation, which requires an up-to-date list of all devices to be kept on hand. Moreover, the plan should give every team member a step-by-step response to follow for this kind of attack. Also, having regular backups can eliminate the need to pay a ransom to recover the compromised data.

DON’T: Panic

The worst has happened and you have fallen victim to a ransomware infection. In those critical moments after the attack has started, it’s important not to panic, even if you don’t have a plan. In many cases, rushed decisions won’t help the situation, but may in fact push the damage from bad to catastrophic.

DO: Go Offline

If one or more devices are compromised, you should disconnect all devices from the network or even shut them down as soon as possible. Ransomware could rapidly spread via your network and has a high chance of infecting other machines. Notify employees to disconnect devices and don’t forget to reach out to any remote workers your organization might have.

DON’T: Attempt to Recover Data

In case of a ransomware attack, it’s not a good idea to immediately attempt to recover data. If you do so, all information encrypted by the cybercriminals might be gone forever. If the company doesn’t have a plan, an urgent meeting should be held to outline what needs to happen next.

DO: Notify Your IT Security Team or Ransomware Experts

Big companies have an IT security team and even a dedicated Chief Information Security Officer. They should be the ones to execute the plan of action and follow the established protocol in the aftermath of an attack. Smaller companies lacking security teams should reach out to experts who have handled cases involving the exact ransomware variant affecting their devices. A ransomware specialist can analyze the method used to attack the company and can evaluate the encryption used to determine whether a software-based recovery is possible.

DON’T: Try to Contact the Hackers

Security experts advise against trying to contact the hackers. Depending on the data in question, this can be illegal. Even if the hackers are threatening the mass deletion of your data, you have some time to develop and implement a coordinated strategy.

DO: Contact the Competent Authorities

Once the spread of the ransomware is contained and a plan has been devised, you need to contact the authorities. Reporting the ransomware incident to the authorities for tracking and investigation can help not only other potential victims, but also yourself. The FBI strongly encourages all ransomware victims to report every attack. Moreover, under the GDPR rules, if the company handles data belonging to citizens inside the European Union, it is mandatory to inform the ICO within 72 hours of a breach having occurred. Failure to do so can result in a fine of up to 4% of annual global turnover or €20 million.

DON’T: Pay the Ransom

Even if your organization can afford the ransom, the U.S. Government does not encourage paying criminal actors. According to the U.S. Government interagency technical guidance document, “after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup.” Paying a ransom does not guarantee that an organization will regain access to its data. In fact, in many cases, individuals or organizations were never provided with decryption keys after paying the ransom.

DO: Identify the Weaknesses and Update All of Your Security Systems

After the incident is over, you’ll need to trace the attack, identify the weakness that allowed the initial infection (for example, a malicious link or email attachment), perform a full security audit, and update all systems.

“As an affected entity recovers from a cybersecurity incident, the entity should initiate measures to prevent similar incidents. Law enforcement agencies and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center can assist organizations in implementing countermeasures and provide information and best practices for avoiding similar incidents in the future. Additionally, the affected organization should conduct a post-incident review of their response to the incident and assess the strengths and weaknesses of its incident response plan,” the U.S. Government recommends in the aforementioned document.

Ransomware infections can have devastating consequences for any organization, while recovery may prove to be a painful and difficult process. Protecting your valuable data from ransomware starts before the attack happens and continues long after the incident is over.