Handling a ransomware attack is a challenging, resource-intensive process, and most businesses fall far short when it comes to ransomware recovery. In this post, we’ll cover six steps for responding to a ransomware attack and ways to prevent future ones.
Ransomware attacks typically originate through emails or questionable download links. The malware then seizes control of your computer and data, holding it hostage. If your computer is connected to an internal business network, the ransomware can spread to other devices, taking even more data hostage. Finally, it delivers a message: pay up or lose everything.
Mitigating an attack like the one described above requires an aggressive step-by-step approach. Here’s what to do.
1. Contain the Malware
The first moments after a ransomware attack are critical. How quickly you respond will define the extent of the damage from an IT and financial perspective.
This is why the first step is to minimize the spread of the ransomware. Malware typically starts by infecting one computer. It then spreads like the plague across wireless networks, interconnected hardware and any other connection it can find.
Contain the spread of the ransomware by setting up a quarantine. Identify which devices are infected and isolate these by disconnecting them from the network. Time is not on your side when it comes to this step. The quicker you act, the better your chances of preventing the malware from spreading through the entire network.
How you handle this will vary based on your network and infrastructure design. A company that has eight computers will have to respond differently than a company that has hundreds. Determining the appropriate method of containment is best done by consulting an IT professional.
2. Document the Attack
You are now on the receiving end of a criminal action. Documenting every possible detail will be critical in reporting the incident to authorities, insurance, and the rest of your organization.
First, take a picture of the ransomware message. You could take a screenshot on your computer, but your computer is compromised, so this isn’t always the best idea. External devices often work better, as they maintain a record on an uncompromised device. A camera or cell phone will work.
After photographing the message, continue to gather any other evidence and documentation you can. Here are some key details to look for:
- Time and date of the attack
- What you or someone else did before the attack
- An assessment of what equipment has been infected
- Data that is at risk
- What sensitive or critical information has been lost or compromised
With this information, the next step is to contact law enforcement. Reporting is critical for pursuing legal action, protecting your future insurance claim (more on that later) and providing the FBI with accurate data on ransomware activity.
3. Assess the Threat
With containment and documentation taken care of, it’s time to evaluate which type of ransomware you’re dealing with. There are two main types.
Screen-locking ransomware works by locking users out of the operating controls on their computer. While this malware is the real deal, it is breakable. With a strong IT staff or managed security team, you can probably fight and thwart the malware and recover your device and data. Keep in mind, there is always a risk in doing so, and some data could be lost.
Encryption ransomware, however, is far nastier. This malware seizes control of the computer and encrypts the data and system. Unfortunately, these encryptions are extremely difficult to break. Some are even impossible.
Your organization’s ability to fight this type of attack is going to vary, depending on IT staff and the nature of the attack. This is why you’ll need to review your current protocols on data backups and ransomware recovery. This will help your team determine what type of ransomware is at work – and if they can beat it.
If you have the ability to break the encryption, and are comfortable with the odds, thwarting the ransom is often the best option.
However, if you have no chance of breaking the encryption or don’t have usable backups, you have a very difficult decision to make.
4. Consult Your Legal Team
Because of the complex nature of the situation, and the fact that it’s related to criminal activity, it’s critical that you evaluate options with your legal team.
A key part of the process is weighing the cost and potential losses. Calculate an estimate of what you stand to lose in terms of data, hardware and operational expenses. (This will also be useful for insurance.) Now compare this against the price of the ransom.
In most cases, these numbers are going to be absurdly unbalanced. A $40k ransom against $1 million in damages is common. That’s how ransomware works: it creates a ratio so unbalanced that resisting looks worse than paying.
Legally, the official stance of the FBI and legal system is that victims of ransomware attacks should never pay. In practice, some companies pay, and some don’t. It’s a complex issue that is best decided on a case-by-case basis with your legal team.
5. File an Insurance Claim
After resolving the attack, the final step is filing an insurance claim based on the damages calculated earlier.
Insurance for ransomware and IT damages is complex and varies depending on plan and coverage. But if you want to ensure full recovery of damages, consulting your insurance agent and financial and legal teams will be critical.
6. Prevent the Next Attack
Once you’ve recovered from the fallout of the attack, it’s time to prepare for the next one. Ransomware is becoming increasingly common, and a second attack is a real possibility.
Here are a few things you can do to prepare.
Back up your data. One of the biggest sources of damages from a ransomware attack is data loss. With a comprehensive backup recovery plan, these losses become negligible.
Create an equipment log. Include all IT assets and devices, with values attached. This will help you quickly assess which gear is corrupted and what your potential losses are.
Review your insurance plan. Double check your coverage and how it addresses ransomware and other IT threats, so you’re not caught unaware.
Set up staff protocols. Having a comprehensive plan for how all employees should respond can drastically improve your IT team’s ability to contain any future threats.
Partner with a managed security provider. Handling all of these complex protocols can be time-consuming and resource-intensive. For a lot of organizations, partnering with this type of provider is a great way to improve security with a multi-tiered defense approach while increasing incident response team bandwidth.
Handling a ransomware attack can be complex and stressful. But with a fast response time and comprehensive protocol, recovering and addressing the attack can be manageable.