No company wants to hear that it has been hit by ransomware and does not know what to do.
The first thing to remember is that you are not alone. Ransomware locks a victim’s data or device until they pay the attacker. Over 17% of cyberattacks are ransomware. A study of 1,350 organizations found that 78% had been hit by ransomware.
Ransomware attacks use a variety of techniques, or vectors, to compromise networks or devices. These include phishing emails that trick recipients into clicking malicious links, and exploitation of operating system and software flaws, including flaws in remote access services. Cybercriminals usually demand payment in Bitcoin or other cryptocurrency that is difficult to trace, and in exchange give victims the decryption keys for their devices.
Any organization can take simple steps to contain a ransomware attack, protect confidential data, and minimize downtime to maintain business continuity.
Isolate impacted systems
It is essential to isolate compromised systems as soon as possible, because the most prevalent ransomware variants scan the network for weaknesses that would let them spread laterally. For any device that is infected or could become infected, unplug the Ethernet cable and turn off Wi-Fi, Bluetooth, and all other network functions.
Two more actions to consider are:
- Pausing maintenance tasks. Immediately disable any automated processes that touch the affected systems, such as deleting temporary files or rotating logs. These tasks can alter or remove files and hinder the ransomware investigation and recovery.
- Disconnecting backups. Keep data backups offline, because many recent ransomware strains deliberately target backups to make recovery harder. Restrict access to backup systems until the infection has been eradicated.
Photograph the ransom note
Ideally, use a separate device, such as a smartphone or camera, to photograph the ransom note on the affected device’s screen before going any further. The photo will speed up recovery and be useful if you need to file an insurance claim or a police report.
Inform the security team
After disconnecting the compromised systems, report the attack to your IT security team. In most cases, IT security experts can advise on the next steps and initiate your company’s incident response plan, that is, the procedures and tools your company uses to identify and counter cyberattacks.
Avoid restarting impacted devices
Restarting infected devices is not advised when handling ransomware. Attackers know that this is a natural reflex, so some ransomware variants detect restart attempts and do further damage, such as corrupting the Windows installation or erasing the encrypted data. Rebooting also makes the investigation harder, because crucial evidence held in the computer’s memory is lost on restart.
Instead, hibernate the impacted systems. Hibernation writes the contents of memory to a hibernation file on the device’s hard drive, preserving it for later analysis.
Remove the ransomware
Now that you have isolated the impacted devices, you are probably eager to unlock them and get your data back. Eliminating a ransomware infection can be difficult, especially with the more sophisticated strains, but the following steps will start you on the road to recovery.
Find the variant of the attack
A number of free tools can help determine which kind of ransomware is infecting your devices. Knowing the particular strain tells you how it spreads, which files it locks, and how to remove it. You only need to upload a sample encrypted file, along with any ransom notes and the attacker’s contact details, if you have them.
Screen lockers and encryptors are the two most prevalent kinds of ransomware. Screen lockers lock the computer and block access to your files until you pay a ransom; encryptors are harder to deal with because they find and encrypt all of your sensitive data and release it only once the ransom is paid.
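As an added example (not from the article or from any identification service), the triage below gathers the three things the previous section says such a service needs: one sample encrypted file, the ransom notes, and the contact details inside them. The note-name fragments, the list of "normal" extensions and the contact patterns are assumptions, and the sample directory is constructed.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumptions, not from the article: name fragments that usually mark a ransom
# note, extensions considered normal on this host, and patterns for contact
# details (e-mail address, .onion host, URL) inside a note.
NOTE_NAME_RE = re.compile(r"readme|how.?to.?(decrypt|restore|recover)|decrypt", re.I)
KNOWN_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".exe", ".dll"}
CONTACT_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|[a-z2-7]{16,56}\.onion|https?://\S+", re.I)


def triage(root):
    """Collect a sample encrypted file, the ransom notes and attacker contacts."""
    ext_counts, sample_by_ext, notes = Counter(), {}, []
    for path in sorted(Path(root).rglob("*")):      # sorted => deterministic sample
        if not path.is_file():
            continue
        if NOTE_NAME_RE.search(path.name):
            notes.append(path)
            continue
        ext = path.suffix.lower()
        if ext and ext not in KNOWN_EXTS:          # unfamiliar suffix: likely encrypted
            ext_counts[ext] += 1
            sample_by_ext.setdefault(ext, path)
    contacts = set()
    for note in notes:
        for m in CONTACT_RE.finditer(note.read_text(errors="replace")):
            contacts.add(m.group(0).rstrip(".,);"))
    top = ext_counts.most_common(1)[0][0] if ext_counts else None
    return {"encrypted_extension": top,
            "encrypted_file_count": ext_counts[top] if top else 0,
            "sample_file": str(sample_by_ext[top]) if top else None,
            "ransom_notes": [str(n) for n in notes],
            "contacts": sorted(contacts)}


def build_constructed_sample():
    """Constructed tree: two 'encrypted' files, one untouched file, one note."""
    base = Path(tempfile.mkdtemp()) / "docs"
    base.mkdir()
    for name in ("report.docx.locked", "photo.jpg.locked"):
        (base / name).write_bytes(b"\x9a\x00\x11 opaque ciphertext")
    (base / "notes.txt").write_text("still readable")
    (base / "HOW_TO_DECRYPT_FILES.txt").write_text(     # made-up contacts, no real indicators
        "Your files are encrypted. Write to support@mail.example or open "
        "http://payment-portal.example/pay within 72 hours.")
    return str(base.parent)
```

Run `triage("/path/to/affected/share")` against a copy of the affected data; the returned sample file, note paths and contacts are what you upload to the identification service.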
Look for decryption software
Once you have determined which strain of ransomware it is, search for decryption tools. Websites such as No More Ransom offer free resources for this step: enter the name of the ransomware strain to find the corresponding decryptor.
If you were fortunate enough to eradicate the ransomware infection, recovery can now begin.
Update system credentials first, then use backups to restore data. Keeping three copies of your data on two different media, with one copy offsite, is always a good idea: this 3-2-1 rule lets you recover data quickly without paying a ransom.
After the attack, consider updating all systems and performing a security audit. Updating software prevents attackers from exploiting bugs in older versions, and patching computers regularly keeps them stable, up to date, and free of malware. Also inform all relevant stakeholders about the incident and update your incident response plan with the lessons learned.
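An added check for the backup policy just described (example code, not from the article): it tests a backup inventory against the 3-2-1 rule and, going beyond that rule, against the earlier advice to keep at least one copy offline. The inventories are constructed, and the convention that the production data counts as one of the three copies is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a dataset. 'offline' means not reachable from the production
    network, which the article recommends on top of the 3-2-1 rule."""
    label: str
    medium: str      # e.g. "disk", "tape", "object-storage"
    offsite: bool
    offline: bool


def check_321(copies):
    """Return a list of findings; empty means 3 copies / 2 media / 1 offsite
    hold, plus the extra check that at least one copy is offline."""
    findings = []
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies present")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"2: every copy is on the same medium ({', '.join(sorted(media))})")
    if not any(c.offsite for c in copies):
        findings.append("1: no offsite copy")
    if not any(c.offline for c in copies):
        findings.append("offline: every copy is reachable from the network")
    return findings


# Constructed inventories (hypothetical, not from any real environment). The
# production volume is counted as copy number one, by convention (assumption).
WEAK = [
    BackupCopy("production", "disk", offsite=False, offline=False),
    BackupCopy("nightly-nas", "disk", offsite=False, offline=False),
]
FIXED = WEAK + [
    BackupCopy("weekly-tape", "tape", offsite=True, offline=True),
]

if __name__ == "__main__":
    for name, inv in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, check_321(inv) or "compliant")
```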
Alert the authorities
Always report ransomware attacks to the FBI or local law enforcement, since they are illegal and constitute extortion.
If your own recovery attempts fail, the authorities may be able to help decrypt your files. Even when they cannot, it is important that cybercrime is recorded so that others can hopefully be spared the same fate.
Some victims may also be legally required to report ransomware infections. For instance, under HIPAA, healthcare organizations must typically notify the Department of Health and Human Services of any data breach, including a ransomware attack.
Deciding whether to pay
Deciding whether to pay the ransom is difficult. Most experts recommend paying only after all other options have been exhausted and the data loss would be worse than the payment.
When making a decision, consult cybersecurity experts and law enforcement.
Paying does not guarantee that you will regain access to your data: many ransomware victims never receive the decryption key, and there is no guarantee the attackers will keep their word. Ransom payments also fund and encourage further cybercrime.
Preventing future ransomware attacks
Email security, antivirus, and anti-malware programs are the best ransomware defenses.
To prevent data breaches, organizations use advanced endpoint security tools like firewalls, VPNs, and multi-factor authentication.
No cybersecurity system is complete without cutting-edge threat detection and incident response to catch cybercriminals instantly and mitigate cyberattacks.
Beyond logs, IBM Security QRadar SIEM analyzes network traffic using machine learning and user behavior analytics (UBA) for smarter threat detection and faster remediation. QRadar SIEM saved security analysts over 14,000 hours over three years by detecting false positives, reducing incident investigation time by 90%, and lowering the likelihood of a major security breach by 60%, according to a Forrester study. QRadar SIEM gives resource-constrained security teams visibility and analytics to quickly identify threats and make informed decisions to minimize attack impact.