
The Clock is Ticking: What to do immediately after a ransomware attack


Ransomware is a fast-growing threat impacting organizations of all sizes, across all industries. Earlier this month, national security authorities in the United States, the United Kingdom and Australia issued advisories warning that the threat of ransomware has become increasingly globalized and that cybercrime groups are diversifying the types of businesses they’re targeting. The FBI’s Internet Crime Complaint Center (IC3) received 2,084 reports of ransomware attacks in the first half of 2021 alone – a 62% increase over the previous year, and representing more than $16.8 million in losses. Some experts predict that ransomware damages will grow to $265 billion by 2031.

A major driver for the growth in ransomware attacks has been the rise of ransomware-as-a-service (RaaS). These pre-packaged ransomware toolkits, sold or leased on the Dark Web, make it relatively easy for affiliates with limited skills to execute complex attacks. This, in turn, has made it far more cost-effective for criminals to carry out attacks at scale. They are no longer targeting only large corporations for big payouts. From municipal governments to local school districts, critical infrastructure and hospitals, global corporations to mom-and-pop shops, everyone is potentially at risk.

Amid this threat landscape, organizations must assume that it’s no longer a matter of if, but when they will be targeted. For that reason, every organization needs a detailed plan in place for what to do in the immediate aftermath of a ransomware attack. Preventative measures are, of course, preferred. These should include performing regular risk assessments, ensuring systems are kept up-to-date and continuously patched, conducting regular backups, and storing copies offline. But even with best security practices in place, attackers may still find a way in.

Ransomware attack action items

In the event of a ransomware attack, here are the steps you should take.

1. Remain Calm

You may feel panicked when you first discover you’re the victim of a ransomware attack, but don’t let emotion guide you. The difference between a haphazard reaction and a strategic response is having a plan. Begin developing your incident response plan today so it is ready before an attack happens. Consider who would be most likely to attack your organization or industry, what their motives would be, and what type of data they would most likely target (company financial data, intellectual property, customers’ personally identifiable information, or something else). Determining the most likely scenarios will help you develop a detailed blueprint to follow so you take sensible measures during the high-pressure moments after an attack, rather than reacting based on emotion.

2. Stop the Spread

Quickly isolate any infected devices to prevent the ransomware from spreading further throughout your network. Where possible, disconnect them from the network (unplug the cable, disable Wi-Fi, or quarantine the host through your endpoint management tooling) rather than powering them off: volatile memory may hold evidence, and for some strains key material, that is lost at shutdown. To do this, IT administrators must have up-to-date knowledge of all assets in the organization and the tools to easily manage them. After all, you can’t detect an attack on an asset you don’t know exists. Any updates to IT architecture, such as migrations to new environments or the installation of new applications, should be stopped immediately. Likewise, any backups in progress should be paused so that freshly encrypted files do not overwrite clean copies in the backup set. Ransomware attackers have learned to identify and encrypt online backups, so it’s critically important to conduct regular backups and store copies offline so you can revert to them in the event of an attack. Preserve, rather than delete, anything that has been encrypted, along with the ransom notes: both are needed to identify the strain and may be decryptable later.

3. Investigate

Once you’ve stopped the ransomware from spreading further, you can investigate the threat. Determine the attack vector, including how the attacker infiltrated your organization and what strain of ransomware was used. Pinpointing the origin and nature of the attack will not only help you determine appropriate next steps but will also help you harden your systems to prevent future attacks.

Depending on the situation, you may want to enlist the help of a trusted third party, such as a managed detection and response (MDR) provider or the FBI. These experts may have greater insight into the strain of ransomware or the attackers themselves, particularly if it’s a known cybercriminal group. The website stopransomware.gov has information on how to get in contact with federal authorities.

This is also a good time to begin looking for decryptor tools that may let you recover files that have been encrypted (no tool can recover data that has already been stolen). Start by identifying the strain from the ransom note and the extension appended to encrypted files; nomoreransom.org’s Crypto Sheriff can match an uploaded note and sample file against known families. Then check Bitdefender’s list of free decryptors or the nomoreransom.org index for a current list of freely available tools. Even if a decryptor is not available today for the strain you’ve been hit with, continue to check back. Security researchers are constantly developing new decryptors, and a tool to help you may be available soon.
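The two steps above, preserving what has been encrypted and pinning down the strain, can be started with a read-only sweep of an affected share. The script below is an added example, not code from the original article. It flags files that look encrypted (a suspicious appended extension, or near-random byte entropy in a format that should not be compressed), collects ransom notes by filename pattern, and writes a SHA-256 manifest of those artifacts so they can be preserved before any clean-up. The extension and note-name lists, the entropy threshold, and the sample directory it builds for a dry run are all assumptions chosen for illustration, not an authoritative indicator list.

```python
"""Read-only triage sweep of a file share after a suspected ransomware event.

Added example, not code from the article. Indicator lists below are illustrative
assumptions; tune them to the note and extension you actually observe.
"""
import hashlib
import json
import math
import os
import re
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: a few extensions ransomware families have appended to victims' files.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc", ".crypted"}
# Formats that are high-entropy by design; high entropy alone is not suspicious here.
COMPRESSED_FORMATS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf",
                      ".docx", ".xlsx", ".pptx"}
# Assumption: filename shapes typical of ransom notes dropped into each directory.
NOTE_PATTERN = re.compile(r"(readme|decrypt|restore|recover|how_to).*\.(txt|html|hta)$", re.I)
ENTROPY_THRESHOLD = 7.5   # bits/byte; text and office files sit far below, ciphertext near 8.0
SAMPLE_BYTES = 64 * 1024  # entropy is measured on the first 64 KiB only


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path) -> str:
    """Return 'note', 'encrypted' or 'other' for one file."""
    if NOTE_PATTERN.search(path.name):
        return "note"
    suffix = path.suffix.lower()
    if suffix in SUSPECT_EXTENSIONS:
        return "encrypted"
    with path.open("rb") as f:
        head = f.read(SAMPLE_BYTES)
    # Second signal: near-random bytes in a file type that should not be compressed.
    if suffix not in COMPRESSED_FORMATS and shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "encrypted"
    return "other"


def triage(root: Path) -> dict:
    """Walk root without modifying it; build a manifest of notes and likely-encrypted files."""
    manifest = {"root": str(root), "scanned": 0, "notes": [], "encrypted": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest["scanned"] += 1
            kind = classify(p)
            if kind == "other":
                continue
            entry = {"path": str(p), "size": p.stat().st_size, "sha256": sha256_file(p)}
            if kind == "note":
                # The note text (contact address, naming, threats) is what identifies the strain.
                entry["text"] = p.read_text(errors="replace")[:2000]
            manifest["notes" if kind == "note" else "encrypted"].append(entry)
    # The dominant appended extension is a quick strain hint for decryptor lookups.
    manifest["extensions"] = dict(Counter(Path(e["path"]).suffix.lower() for e in manifest["encrypted"]))
    return manifest


def build_sample_tree(base: Path) -> Path:
    """Constructed sample data for a dry run; not real incident data."""
    share = base / "shared" / "finance"
    share.mkdir(parents=True, exist_ok=True)
    (share / "q3_report.txt").write_text("Quarterly revenue was up 4% over the prior quarter.\n" * 200)
    (share / "photo.jpg").write_bytes(os.urandom(20_000))           # compressed format: not flagged
    (share / "budget.xlsx.locked").write_bytes(os.urandom(40_000))  # stands in for an encrypted workbook
    (share / "notes.bak").write_bytes(os.urandom(40_000))           # encrypted, no telltale extension
    (share / "RESTORE_FILES.txt").write_text("Your files have been encrypted. Contact the address below.\n")
    return base


def demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    return triage(build_sample_tree(Path(tempfile.mkdtemp(prefix="rw_triage_"))))


if __name__ == "__main__":
    result = triage(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    # Write the manifest outside the scanned tree so the evidence itself is not touched.
    out = Path(tempfile.gettempdir()) / "ransomware_triage_manifest.json"
    out.write_text(json.dumps(result, indent=2))
    print(f"scanned {result['scanned']} files, {len(result['notes'])} notes, "
          f"{len(result['encrypted'])} likely-encrypted; manifest at {out}")
```

Run it with the path of a suspect share as the only argument, or with no arguments to exercise the constructed sample. The manifest is written to the temp directory rather than into the scanned tree, and the sweep never writes into the tree it walks; the same `classify` check can be run over a backup set that was in progress when the attack started, to see whether encrypted files reached it. Expect false positives on any high-entropy format missing from the compressed-formats list, and false negatives on families that encrypt only part of each file.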

4. To Pay or Not to Pay

One of the most important considerations is whether you will pay the ransom. It can be a difficult decision, but it’s essential to look at the bigger picture. Ransomware is ultimately a business: if organizations collectively refuse to give in to the demands of these criminal gangs, the revenue dries up and attacks stop being profitable. Law enforcement agencies advise against paying, and in the United States a payment to a sanctioned actor can itself violate OFAC regulations, so legal counsel and your insurer should be part of the decision rather than an afterthought.

Moreover, companies that do pay identify themselves as fruitful targets and may make themselves more likely to be attacked again. Industry surveys have reported that 50% to 80% of companies that paid a ransom suffered repeat attacks by the same or other actors. Additionally, victims often don’t regain full access to their data after paying: the decryptor supplied may be slow, buggy, or incomplete. Attackers are also increasingly engaging in double extortion, stealing data before encrypting it and threatening to publish it, so a payment that restores files does nothing to undo the breach. Unfortunately, paying criminals simply incentivizes them to raise their demands.

5. Learn from the Experience

Identifying lessons learned, documenting procedures and updating your plan is perhaps the most important aspect of incident response. Analyze where your vulnerabilities were, what you could have done differently, and what best practices you learned in the process. Incorporate those learnings into training sessions and use them to harden your systems against future attacks. Testing, practicing and updating the incident response plan is critical for ensuring continuous improvement and greater cyber resiliency. After all, it may only be a matter of time before you’re targeted again.

Anti-ransomware security solutions

There is no one-size-fits-all response plan for a ransomware attack. Every organization’s situation will be unique. However, there are best practices that every organization should follow and in the face of increasing attacks, it pays to be as prepared as possible. Focus on prevention. Use multiple layers of proactive protection against ransomware, keep your systems patched and up-to-date, and store frequent backups offline. Have a thorough incident response plan ready to go, and don’t be afraid to enlist the help of experts if needed. With the right security solutions and plan in place, you are less likely to react in panic and more likely to respond with a sound strategy that gets your data back.
