9 Easy Steps For Responding To A Ransomware Attack
In the event of a ransomware attack, time is of the essence. The faster you can identify and contain the threat, the less damage it will cause. But knowing what to do in the aftermath of an attack can be difficult, especially for businesses new to the world of cybersecurity.
We asked a panel of IT experts to share their best advice for responding to a ransomware attack.
Their recommendations ranged from technical tips for remediating an infection to advice on dealing with an attack’s aftermath.
However, one theme was consistent throughout: the importance of having a plan before an attack occurs. By developing and practicing a ransomware response plan, you can ensure that your business is prepared to minimize the damage if an attack does occur.
Have You Been Hit With A Ransomware Attack?
If you suspect that you’ve been hit with a ransomware attack, it’s essential to act quickly. Whether your company is large or small, a ransomware attack can have devastating consequences, including the loss of data and disruption to business operations. You can take several steps to minimize damage and get back on track as quickly as possible.
Isolate The Infected Computer Or Device
Ashu Singhal with Orion Networks in DC Metro & Virginia
Ransomware is a serious problem for businesses of all sizes. While the ransom itself may only be a moderate inconvenience, the potential for widespread infection is a major catastrophe. The difference between the two often comes down to reaction time. To ensure the safety of your network, you must disconnect the affected device from the network, internet, and other devices as quickly as possible. The sooner you do so, the less likely that other devices will be infected. By taking quick and decisive action, you can minimize the damage caused by ransomware and protect your business from further harm.
Stop The Spread
Christopher Chance with DataEcon in Dallas
When dealing with ransomware, speed is of the essence. Because this malicious software typically moves quickly and takes hold of a device before it can be identified and quarantined, it’s crucial to take rapid action to limit its scope. This means that isolating a compromised device as soon as possible is not always sufficient to eliminate the threat. To effectively contain the ransomware virus, you must also cut off all suspicious devices from your network, regardless of where they are located. This includes devices operating off-premises if they are connected to the network. Additionally, shutting down all wireless connectivity (including Wi-Fi and Bluetooth) at this stage can help create further barriers against future ransomware attacks. With these measures in place, you can help prevent ransomware from spreading throughout your entire network and causing maximum damage.
Assess The Damage
Michael Anderson with 365 Technologies in Winnipeg
When a ransomware attack occurs, it can be challenging to know which devices have been infected. However, a few tell-tale signs can help you identify affected devices. First, check for recently encrypted files with strange file extension names. Second, look for reports of odd file names or users having trouble opening files. If you discover any devices that haven’t been completely encrypted, they should be isolated and turned off to help contain the attack and prevent further damage and data loss. Your goal is to create a comprehensive list of all affected systems, including network storage devices, cloud storage, external hard drive storage (including USB thumb drives), laptops, smartphones, and other possible vectors. By taking these steps, you can help contain the damage of a ransomware attack and minimize data loss.
Locate Patient Zero
Cameron Call with NSA in Las Vegas
Once you’ve been hit with ransomware, it’s essential to act fast to contain the infection. The first step is to identify the source of the attack. This can be done by checking for any alerts from your antivirus/antimalware software and any activity monitoring platforms you may have in place. Because most ransomware enters networks through malicious email links and attachments (which require an end-user action), asking people about their activities and what they’ve noticed can be very helpful in this process. Finally, taking a look at the properties of the infected files themselves can sometimes provide a clue as to the entry point of the attack. For example, the person listed as the file owner is likely the one who opened it and triggered the ransomware. Once you’ve identified the source, it will be much easier to track the infection and take steps to contain it.
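The two steps above (assessing the damage and locating patient zero) both come down to finding the encrypted files and the ransom notes quickly and reading their timestamps and owners. The script below is an added example, not part of any contributor's advice. It walks a directory tree and flags files as probably encrypted when the first chunk has byte entropy near 8 bits per byte, the extension is not on an allowlist of legitimately high-entropy formats (archives, media, and Office documents, which are zip containers), and the modification time falls inside the incident window; it flags ransom notes by filename and keyword, then reports the earliest encrypted file and counts per owning uid as a starting point for the patient-zero hunt. The thresholds, keyword list, allowlist, and the sample tree it builds in a temporary directory are all constructed assumptions; the owner it reads is the POSIX uid, not the NTFS owner a Windows file server would show.

```python
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import List

# Heuristic thresholds (assumptions; tune per environment).
ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or random data sits near 7.99
# Formats that are legitimately high-entropy: archives, media, and Office
# documents (zip containers). Without this allowlist every .docx is a false positive.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".rar", ".jpg", ".jpeg", ".png", ".mp4",
                   ".pdf", ".gpg", ".docx", ".xlsx", ".pptx"}
NOTE_NAME = re.compile(r"readme|recover|restore|decrypt|how_to", re.I)
NOTE_KEYWORDS = ("decrypt", "bitcoin", "your files", "private key")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Finding:
    path: str
    kind: str        # "encrypted" or "ransom_note"
    mtime: float
    uid: int         # POSIX owner; 0 on Windows, where the NTFS owner needs a different call
    entropy: float


def looks_like_ransom_note(name: str, head: bytes) -> bool:
    text = head.decode("utf-8", errors="ignore").lower()
    return bool(NOTE_NAME.search(name)) and sum(k in text for k in NOTE_KEYWORDS) >= 2


def scan(root: str, since: float, sample_bytes: int = 65536) -> List[Finding]:
    """Walk `root`; return suspect files sorted by mtime (earliest first)."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)      # entropy of the first chunk is enough
            ent = shannon_entropy(head)
            ext = os.path.splitext(name)[1].lower()
            if looks_like_ransom_note(name, head):
                findings.append(Finding(path, "ransom_note", st.st_mtime, st.st_uid, ent))
            elif st.st_mtime >= since and ent >= ENTROPY_THRESHOLD and ext not in HIGH_ENTROPY_OK:
                findings.append(Finding(path, "encrypted", st.st_mtime, st.st_uid, ent))
    return sorted(findings, key=lambda f: f.mtime)


def summarize(findings: List[Finding]) -> dict:
    """Counts, the earliest encrypted file (approximate start of encryption), hits per owner."""
    enc = [f for f in findings if f.kind == "encrypted"]
    first = enc[0] if enc else None
    return {
        "encrypted": len(enc),
        "notes": sum(1 for f in findings if f.kind == "ransom_note"),
        "first_encrypted": first.path if first else None,
        "first_mtime": first.mtime if first else None,
        "per_owner": dict(Counter(f.uid for f in enc)),
    }


def build_sample_tree():
    """Constructed sample data: a clean baseline, a legitimate archive, two encrypted files, a note."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    base = 1_700_000_000   # constructed epoch timestamps

    def put(rel, data, mtime):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))

    put("finance/budget.txt", b"Quarterly budget figures, revised. " * 200, base)
    put("finance/archive.zip", os.urandom(8192), base + 10)            # high entropy but allowlisted
    put("finance/budget.txt.locked", os.urandom(8192), base + 100)     # earliest encrypted file
    put("hr/contracts.docx.locked", os.urandom(8192), base + 160)
    put("hr/HOW_TO_RECOVER.txt", b"Your files are encrypted. Send bitcoin to decrypt them.", base + 170)
    return root, base + 50   # incident window begins after the clean baseline


if __name__ == "__main__":
    root, since = build_sample_tree()
    results = scan(root, since)
    for f in results:
        print(f"{f.kind:12} {f.entropy:5.2f} uid={f.uid} {f.path}")
    print(summarize(results))
```

Run it against each suspect host's shares and the earliest `first_mtime` across hosts points at the machine where encryption began; the owner of that file is the account to question first, as the contributor suggests.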
What Type Of Ransomware Was It?
Bryan Badger with Integral Networks in Sacramento & Reno
Before you go any further, it’s vital to discover which variant of ransomware you’re dealing with. One way is to visit No More Ransom, a worldwide initiative Trellix is a part of. The site has a suite of tools to help you free your data, including the Crypto Sheriff tool: Upload one of your encrypted files, and it will scan to find a match. You can also use the information included in the ransom note: If it doesn’t spell out the ransomware variant directly, using a search engine to query the email address or the note itself can help. Once you’ve identified the ransomware and done some research on removal methods, you can decide if you want to try to remove it yourself or seek professional help. In some cases, paying the ransom may be your best option; however, we recommend exhausting all other options first, as there’s no guarantee that you’ll get your data back even if you do pay. Either way, remember that taking preventive measures is always the best way to protect your data from ransomware attacks.
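Searching the ransom note works best when you pull out the exact strings the attackers had to include: contact e-mail addresses, Tor onion URLs, and wallet or messenger IDs. The following is an added example, not code from the contributor or from No More Ransom. It extracts those indicators from a note with conservative regular expressions, turns them into exact-phrase search queries, and records the size, hashes, and leading bytes of an encrypted sample so that whatever an identification service reports can be tied back to the exact file you uploaded. The note and every address in it are constructed (reserved example domains and made-up values), and the patterns are heuristics that will miss unusual formats.

```python
import hashlib
import re

# Conservative patterns for the contact and payment details ransom notes carry.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "onion_url": re.compile(r"\b[a-z2-7]{16,56}\.onion\b"),
    "btc_address": re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "tox_id": re.compile(r"\b[0-9A-F]{76}\b"),
}


def extract_indicators(note: str) -> dict:
    """Unique indicators per type, sorted, found in the note text."""
    found = {}
    for kind, pattern in PATTERNS.items():
        hits = sorted(set(pattern.findall(note)))
        if hits:
            found[kind] = hits
    return found


def search_queries(indicators: dict) -> list:
    """Exact-phrase queries to paste into a search engine, one per indicator."""
    return [f'"{value}"' for values in indicators.values() for value in values]


def sample_fingerprint(data: bytes) -> dict:
    """Record size, hashes and leading bytes of a sample before it leaves the machine,
    so results from an identification service can be tied back to this exact file."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "magic": data[:8].hex(),
    }


# Constructed ransom note; addresses use reserved example domains and made-up values.
SAMPLE_NOTE = """ALL YOUR FILES HAVE BEEN ENCRYPTED
To restore them write to unlock@example.com or backup@example.org
Chat (Tor Browser): http://exampleonion2345.onion/chat
Payment address: bc1qexample0example0example0example0exampl
"""

if __name__ == "__main__":
    indicators = extract_indicators(SAMPLE_NOTE)
    for kind, values in indicators.items():
        print(kind, values)
    print("search for:", search_queries(indicators))
    print(sample_fingerprint(b""))
```

Keep the note file itself: its hash and exact wording are evidence for the report to law enforcement in the next step, and the indicators are what you hand to your e-mail and web filters to block further contact.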
Report The Ransomware To Authorities
Brandon Christensen with V&C Solutions in San Jose
Any business that falls victim to ransomware should immediately contact law enforcement. There are several reasons for this. First, ransomware is a crime, and like any other crime, it should be reported to the authorities. Secondly, the FBI has stated that they may have legal authorities and tools unavailable to most organizations. Thirdly, partnerships with international law enforcement can help find the stolen or encrypted data and bring the perpetrators to justice. Finally, the attack may have compliance implications that require law enforcement involvement. By reporting the crime and working with law enforcement, businesses can increase their chances of getting their data back and preventing future attacks.
Evaluate Your Data Backups
Jorge Rojas with Tektonic in Toronto
Restoring your systems from a backup is the quickest and easiest way to respond to a ransomware attack. Ideally, you’ll have an uninfected and complete backup created recently enough to be beneficial. If so, the next step is to employ an antivirus/antimalware solution to ensure all infected systems and devices are wiped free of ransomware. Otherwise, it will continue to lock your system and encrypt your files, potentially corrupting your backup. Once all traces of malware have been eliminated, you’ll be able to restore your systems from this backup and confirm that all of your data has been restored successfully. This process may take some time, but it’s the best way to ensure that your systems are recovered from a ransomware attack.
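Confirming that "all of your data has been restored successfully" is only possible if the backup job left something to compare against. The script below is an added example, not the contributor's procedure or any backup product's feature. It assumes the backup wrote a manifest of SHA-256 hashes per relative path before the incident (constructed here as a small dict) and, after the restore, re-hashes every file to sort it into intact, modified, or missing, lists files the backup never contained (ransom notes, renamed originals left behind), and flags manifest files whose modification time is after the incident began. The temporary tree, timestamps, and file contents are constructed. The manifest must come from before the attack and from storage the attacker could not write to (offline or immutable), otherwise a tampered manifest will happily verify tampered data.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_restore(root: str, manifest: dict, incident_start: float) -> dict:
    """Compare a restored tree against {relative_path: sha256} from the pre-incident backup.

    ok/modified/missing cover the manifest; unexpected lists files the backup never
    had (ransom notes, renamed originals); post_incident lists manifest files whose
    mtime is after the incident began, i.e. touched by the attack or by the restore.
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": [], "post_incident": []}
    for rel, digest in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        if os.stat(path).st_mtime > incident_start:
            report["post_incident"].append(rel)
        report["ok" if sha256_file(path) == digest else "modified"].append(rel)
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest:
                report["unexpected"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def build_sample_restore():
    """Constructed scenario: one intact file, one encrypted in place, one missing, one ransom note."""
    root = tempfile.mkdtemp(prefix="restore_check_")
    incident_start = 1_700_000_000      # constructed epoch timestamp
    originals = {
        "docs/plan.txt": b"project plan v3\n",
        "docs/notes.txt": b"meeting notes\n",
        "db/customers.csv": b"id,name\n1,Example Ltd\n",
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in originals.items()}
    restored = {
        "docs/plan.txt": (originals["docs/plan.txt"], incident_start - 3600),
        "docs/notes.txt": (os.urandom(64), incident_start + 600),          # overwritten by encryption
        "docs/HOW_TO_RECOVER.txt": (b"contact us to decrypt", incident_start + 601),
        # db/customers.csv deliberately absent from the restore
    }
    for rel, (data, mtime) in restored.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
    return root, manifest, incident_start


if __name__ == "__main__":
    root, manifest, t0 = build_sample_restore()
    for category, files in verify_restore(root, manifest, t0).items():
        print(f"{category:14} {files}")
```

Anything in `modified`, `unexpected`, or `post_incident` means the restore pulled from a backup taken after encryption started or onto a host that was not fully cleaned; in either case the restored data is not yet trustworthy.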
Research Decryption Options
Jason Simons with ICS in Houston
If you ever find yourself dealing with a ransomware attack, it can be tempting to assume that your data is lost forever. In some cases, this may be true—after all, the goal of most ransomware variants is to lock users out of their data and hold it hostage until a ransom payment can be made. However, if you’re lucky enough to find that a free decryption key is available for your specific ransomware variant, there is still hope. No More Ransom is a website that provides several tools and resources for victims of ransomware attacks, including lists of known decryption keys for various variants. So even in the worst possible scenario, where your important files have been completely locked up by vicious malware, you still have a chance to get your data back by taking advantage of the free resources available on No More Ransom. But even if you can use one of those decryption keys successfully, you shouldn’t relax yet. There will still likely be hours or days of downtime ahead as you work on remediation and recovery after your ordeal with ransomware. Nevertheless, having access to free decryptors through No More Ransom can give you at least some comfort in knowing that all hope is not lost if your files are ever encrypted by ransomware.
Jon Fausz with 4BIS in Cincinnati
Losing important data can be devastating, especially if you’ve spent months or years amassing it. If you find yourself in this situation, it’s important to take a deep breath and assess your options.
Unfortunately, if you have no viable backups and cannot locate a decryption key, your only option may be to cut your losses and start from scratch. Rebuilding won’t be a quick or inexpensive process, but it’s the best you can do once you’ve exhausted your other options.