Handling Ransomware Attacks: Do You Know What Steps to Take?

You’re staying on top of your cybersecurity protocols. Your staff is trained and you have a robust data resiliency strategy in place—so, what can possibly go wrong? Unfortunately, all of these various safeguards and preparations often aren’t enough to stop a targeted ransomware attack.

The importance of responding to ransomware attacks can’t be overstated. From the potential loss of data to industry compliance fines, ignoring a ransomware attack can have a devastating effect on your business.


Steps to Take After a Ransomware Attack

Ransomware attacks can paralyze your business operations. Devices and even networks are frozen and your data is being held hostage.

Since you can’t exactly storm into a hacker’s office and demand the release of your information, your response is limited to what you can do in-house. Thankfully, there are some steps you can take to help contain the attack.

Responding to the Cyber Attack

Before you start panicking or consider paying the ransom, disconnect all infected systems and devices from the network.

A quick network scan should identify the infected components. If not, look for some telltale signs like rapid battery drain, altered data files, and weird network traffic patterns. Don’t stop at just disconnecting the ethernet connection; you also want to disable the Wi-Fi. This makes it harder for hackers to move any further into your system and monitor your activity.
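One way to check for the "altered data files" sign mentioned above, as an added example that is not from the original article: it reads files from a copy or read-only mount of the affected share and flags those whose header no longer matches their extension, or whose content is high-entropy under an unrecognised extension. The threshold, the signature table and the sample file names are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Well-known file signatures expected at the start of common document types.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte; encrypted content sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (empty input yields 0)."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def triage_file(path: str, sample_size: int = 65536) -> list:
    """Return the reasons a file looks altered (empty list: nothing flagged)."""
    with open(path, "rb") as fh:  # read-only, nothing is written to the evidence
        sample = fh.read(sample_size)
    ext = os.path.splitext(path)[1].lower()
    reasons = []
    if ext in MAGIC and not sample.startswith(MAGIC[ext]):
        reasons.append("header does not match extension")
    if ext not in MAGIC and shannon_entropy(sample) > ENTROPY_THRESHOLD:
        reasons.append("unrecognised extension with high-entropy content")
    return reasons

def triage_tree(root: str) -> dict:
    """Walk a directory and map each flagged relative path to its reasons."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = triage_file(full)
            if reasons:
                flagged[os.path.relpath(full, root)] = reasons
    return flagged

def demo() -> dict:
    """Run the triage over a small constructed tree (sample data, not real files)."""
    samples = {"invoice.pdf": b"%PDF-1.7\n" + b"plain text " * 400,
               "budget.pdf": os.urandom(4096),            # encrypted in place
               "notes.txt": b"meeting notes\n" * 300,
               "report.docx.locked": os.urandom(4096)}    # renamed after encryption
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return triage_tree(root)
```

Compressed archives with extensions missing from the signature table will also be flagged, so treat the output as leads for your IT staff to review rather than as a verdict.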

You may also want to take things a little further for added protection. Go ahead and turn off any routine and automatic maintenance tasks. Since ransomware has progressed to attacking backup files, disconnecting these logs is a good idea. By keeping your data offline, hackers can’t get into your saved files. When it’s time to restore the files, you can relax knowing the data is unaltered.

Take Pictures

If you’re infected by ransomware there’s going to be a message somewhere on the affected device’s screen. Sometimes, it’s boldly displayed across the screen. Other times, it’s a small message at the bottom.

Grab your smartphone or a digital camera and take a snapshot of the ransom message. You’re going to need the image when you report the incident to the authorities and your insurance company. A photo of the ransom note can also make it easier to identify the type of malware and even the hacker.

Call In Your IT Staff

If you haven’t already grabbed your IT staff to help disconnect the affected devices, now’s the time to bring them up to speed.

Your IT team is familiar with your company’s disaster recovery plan (DRP). After all, they’re the ones who helped create the strategy. Your IT staff is also familiar with all industry-related cybersecurity protocols. They can help put your incident response plan into action so you can respond to the attack more effectively.

Your IT team can also help identify any infected devices your network scan may have missed. If your company doesn’t have an in-house IT department, you may need to contact an outside vendor.

Don’t Use Any Infected Devices

Once you’ve identified an infected device or system, don’t use it even for a second. You may have an email that’s screaming for a response. Ignore it and any other tasks you may have on your plate.

Even checking an email can give hackers the opening they need to move deeper into your network. Remember, the goal is to contain the threat and not make it easier for a breach to succeed.

Don’t reboot the system, even if rebooting gives you back access to the device. Rebooting often means losing vital information. A better option is to put the devices into hibernation mode. Hackers can’t use the device to get into the network and your saved data stays safe.

Removing the Ransomware

Once you’ve identified the infected devices, it’s time to start recovering your captured data. This can be a long and frustrating process that may be beyond your IT staff’s capabilities. Don’t worry, you can work with outside help to eradicate the malicious software.

Identify the Type of Ransomware

Before you can start working on removing the ransomware from infected systems, you need to know what type of infection you’re actually dealing with. There are several types of ransomware and each often has a different removal process. Thankfully, hackers typically stick with a couple of types, encryptors and screen lockers.

Encryptors can be a pain to remove since everything in your files is encrypted. Sometimes, paying the ransom is the only way to fully retrieve all of the encrypted data.

Screen lockers are a little easier to deal with since only your screen is locked. Your files are still secure; you just can’t use any of the computer’s functions beyond sending the ransom payment.

Try Decryption Tools

Before you start thinking about paying the ransom, try to use decryption tools. You can even find free ones online. Type in the type of ransomware and see if any decryption tools pop up. Once again, you may need to outsource your ransomware issue if your IT department is feeling overwhelmed.



Congratulations! The ransomware is gone and you have your systems back up and running. Devices are reconnected and you’re ready to start recovering your data.

Before you go back to normal operations, update all passwords. This includes user and system passwords. Now, you can start retrieving the data from your backup files.

A security audit should be the next step. After all, you don’t want to go through another ransomware attack. Updating all systems is another vital recovery step. Don’t forget to refine your disaster recovery strategy to reflect any lessons you learned during the cyberattack. This can help make it easier if another incident occurs.

Alert the Authorities

Who you notify about the ransomware attack typically depends on your industry. For example, if your business is in healthcare, you follow HIPAA guidelines. You also want to alert a government agency like the U.S. Secret Service or FBI. Each government entity has departments dedicated to responding to cybersecurity threats.

Staying Ahead of Ransomware Attacks

You might not be able to prevent every ransomware attack, but you can certainly take steps to minimize the damage. It’s important for you to train your employees on how to respond to cyber threats and to include these protocols in your data resiliency strategy.

Most importantly, make sure to continuously update your systems and regularly back up all data to safeguard your operations against potential disruptions.

Published on May 14, 2024 by Adnan Mujic.