Imagine this: An employee at your company logs in early to get a head start on the month-end finance reporting. They open the company’s file storage to view last month’s invoices, when suddenly an old-fashioned-looking popup window, written in an ominous font, breaks the news: ‘your files are all encrypted and locked by a new strain of ransomware’!
Before the severity sinks in, they receive a message on Slack from a coworker, who has just seen the same foreboding popup. The entire company has fallen victim to a ransomware attack.
Today, this is an all-too-common occurrence, with 47% of organizations experiencing ransomware in the past year. Ransomware is generally introduced through social engineering tactics such as phishing scams that trick employees into downloading malware. While we generally understand what ransomware is and how it gets in, it is crucial for everyone in an organization to understand the typical recovery process after a ransomware attack.
Step #1: Containment
Once you have detected ransomware, you will want to make sure it doesn’t spread any further. This is accomplished by essentially shutting down your network and terminating any VPN connections. You should also disconnect any external storage devices, such as backup drives.
One commonly overlooked ransomware containment step is disabling any automated maintenance tasks, such as scheduled cleanup of old files, emptying recycle bins, archiving emails, or system patching. Left running, these jobs can delete evidence and unencrypted copies of data that you will need during recovery.
This will certainly bring work to a halt, but the faster you shut things down and stop the spread, the faster you can fix everything and resume operations.
Step #2: Record and Report
Remember, ransomware is a criminal act. Depending on your business and any regulatory requirements you are subject to, you may be required by law to report the incident to the authorities. A best practice is to start a detailed log of the actions your IT team takes during and after the attack, take pictures of the ransom message, and maintain an impact inventory with details of every affected system. You can always start with your local police, but again, depending on your industry, you might need to contact federal authorities.
Step #3: More Containment
If you are hit with ransomware, it’s highly probable that this isn’t your only issue. Criminals often launch ransomware as the final stage of a multi-pronged attack that began with unauthorized access to your systems. To prevent additional damage, change all (and we mean all) admin passwords and disable any VPN accounts with network access.
Step #4: Decision Time…to Pay or Not to Pay
Now comes the difficult decision…do you pay the ransom? Conventional wisdom says no. The individuals who committed this malicious act certainly do not deserve any reward. However, your business is currently bleeding. Depending on the impact of the attack, you are likely to lose thousands or even millions of dollars, and the damage to your reputation cannot be overlooked. The urge to pay and get on with your lives is hard to fight.
Before succumbing to the urge, consider a few factors. Firstly, paying the ransom does not guarantee immediate access to your locked files. After payment, the cyber criminals provide you with a decryption key, and decrypting ransomware-locked files is a notoriously slow process. In the case of Colonial Pipeline, for instance, the company paid the ransom only to discover that decryption was so painfully slow that it made more sense to rely on their business continuity and disaster recovery plans.
Secondly, when you pay a cyber ransom, you instantly paint a giant bullseye on your organization that says ‘Encrypt me, I pay’. In a recent study conducted by Barracuda Networks, 38% of respondents reported being repeat victims of a ransomware attack. Paying a ransom is a surefire way to become a repeat target for ransomware gangs.
Step #5: Restore Files From Backup
Assuming you choose not to pay, it’s time to segregate and archive the impacted files and restore them all from a backup. This only works if your backups were not affected by the initial attack; cybercriminals will often attempt to disable or encrypt them.
If your backups are functioning and hold a recent, intact copy, this is your best chance at resuming operations. A word of caution: check your backups carefully first, as it’s possible for your most recent copies, or even all of them, to be encrypted as well.
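One way to run the backup check described above, as an added example that is not part of the original article: compare every backup file against a hash manifest recorded before the attack, and flag any file without a known-good hash whose content looks encrypted (near-maximal byte entropy). The manifest format, the 7.5 bits-per-byte threshold and the sample invoice files are assumptions constructed for the demo.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and office files sit well below 6, encrypted output approaches 8."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return float(-sum(c / n * math.log2(c / n) for c in counts if c))

def check_backup(backup_dir: Path, manifest: dict, entropy_limit: float = 7.5) -> dict:
    """Verdict per file: ok/modified/missing for manifest entries; unlisted files get
    suspicious/unverified from an entropy check on their first 64 KiB."""
    results = {}
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            results[rel] = "missing"
        else:
            results[rel] = "ok" if sha256_file(p) == expected else "modified"
    for p in backup_dir.rglob("*"):
        rel = p.relative_to(backup_dir).as_posix()
        if p.is_file() and rel not in results:
            high = shannon_entropy(p.read_bytes()[:65536]) > entropy_limit
            results[rel] = "suspicious" if high else "unverified"
    return results

def demo() -> dict:
    """Constructed scenario: one intact CSV, one overwritten, one absent, one unlisted blob."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoices").mkdir()
        (root / "invoices" / "2024-03.csv").write_bytes(b"id,amount\n1,100\n2,250\n")
        manifest = {"invoices/2024-03.csv": sha256_file(root / "invoices" / "2024-03.csv"),
                    "invoices/2024-02.csv": "0" * 64,  # placeholder for the pre-attack hash
                    "invoices/2024-04.csv": "0" * 64}  # recorded file now gone from the backup
        (root / "invoices" / "2024-02.csv").write_bytes(os.urandom(4096))  # overwritten content
        (root / "invoices" / "2024-01.csv.locked").write_bytes(os.urandom(4096))  # unlisted blob
        return check_backup(root, manifest)
```

Anything reported as modified, missing or suspicious should be excluded from the restore set and investigated, and an older backup generation checked the same way.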
Step #6: Future Prevention
After experiencing a ransomware attack and successfully recovering your systems and data, it’s crucial to prioritize prevention. Take proactive steps to strengthen or implement the following in your organization:
- Phishing Simulation Testing
- Dark Web Scanning
- Security Information and Event Management (SIEM)
- Endpoint Detection and Response (EDR)
- Advanced Antivirus Solutions
- Threat Detection
- Secure, Cloud-based Backups
- Advanced archiving solutions