It’s a position no company wants to find itself in.
An employee suddenly gets a pop-up saying all their important files have been encrypted and are going to be permanently deleted if a large sum of money isn’t paid by the deadline.
Ransomware attacks are one of the most damaging kinds of cyber attack, harming an organisation financially, operationally and reputationally.
The average company might feel like it sits under the radar of pesky cybercriminals but, like most other cyber attacks, being the victim of ransomware is not so improbable.
It’s therefore in every company’s best interest to have a plan for handling such an attack.
6 Steps to Take in the Aftermath of a Ransomware Attack
1) Scope it Out
Once it’s got its foot in the door, ransomware can spread through networks, so first things first you’ll want to assess how many machines it's affected and ensure these are isolated to prevent further damage.
Infected machines should be disconnected from the network immediately, and if the spread is bad you may have to take the whole network offline. Obviously, this will interrupt ‘business-as-usual’, but the priority is minimising the extent of the damage while you still can.
2) Assess and Analyse the Ransomware
You want to find out what you’re dealing with. Often, ransomware attackers will identify themselves in the ransom note, which can help, but either way you want to find out how this particular type of ransomware works and how it infected your network.
Check activity logs to find out where the attack originated and how it happened. If you have the budget, you might also outsource this investigation to cyber security specialists.
Once you’ve conducted a bit of an investigation, you can make a plan for removing the malware.
3) Check Your Backups
Hopefully, you’ll have been regularly creating backups of the data that has now been compromised, but you obviously want to check that the ransomware hasn’t found its way there too. That’s why it’s always advised that you keep at least one backup totally separate from your network.
If you have a backup that’s intact, you’ll at least have the peace of mind that you can restore the data that’s been lost.
Whatever happens, avoid being swayed into paying the ransom. There’s no guarantee the attackers even intend to return the data to you; in fact, it may not even be technically possible, as with the NotPetya ransomware attack in 2017.
If you don’t have a backup for whatever reason, hold onto your encrypted files as there may be a decryptor available for the type of ransomware you were affected by.
4) Alert Relevant Parties
Make sure your staff know what’s happened so they can be on high alert for any more unusual activity. You’ll want to follow this up with proper cyber awareness training later on too.
Though you may fear the backlash, it’s best to alert your customers and users once you know which data has been compromised. If you delay sharing this information and it reaches them first through the media or some other source, you risk losing even more of your customers’ trust, and you may also be held liable for damages if their data is misused in some way.
Unfortunately, in the case of ransomware, it’s best to assume the stolen data could be made public in which case you won’t be able to hide the breach, so doing everything you can to keep affected parties informed is vital.
Finally, since ransomware is a crime, you should alert relevant authorities to what’s happened. In the UK, it’s required to let the ICO know of a breach within 72 hours. In the US, notifying the FBI and CISA is best practice. Reporting the incident may help authorities discover a pattern of attacks and support their wider mission of defending against the ransomware threat.
5) Restore Operations
Once you’ve removed the ransomware from affected devices and triple-checked this, you can retrieve your backup files and restore the devices to a clean network. Ensure all operating systems and applications are running their latest version.
Reset account credentials, especially those with administrator access, and make sure all new passwords meet minimum security requirements. Human error still takes the lead when it comes to cyber attacks so don’t let your defences be weakened by a poor password like ‘1234password’. Where possible you should also have multi-factor authentication set up for an extra layer of security.
6) Review and Reflect
Incident response doesn't stop after that initial stage of damage control. If you've been hit by an attack, you need to consider how it happened and what changes you can make to prevent it from happening again.
Social engineering is a common technique used in ransomware attacks so it may be that you need to deliver more comprehensive cyber awareness training to your workforce - and more frequently - to make sure they are equipped to deal with the warning signs of an attack.
There could also be technical improvements that need to be made within your IT infrastructure or revisions in your security policies. Do you have some software that is out of date? Do you have active firewalls and anti-virus on all devices? Was there a problem with your backup solution?
Even if you have the basics in place, consider whether you need to invest more heavily in your security and implement more advanced solutions. For example, a threat detection tool like a SIEM may help you catch potential threats earlier on, keeping damage to an absolute minimum.
All of these things need to be evaluated in the aftermath of a ransomware attack to ensure you're better protected next time. Many companies hit by an attack are targeted again, so take care to update your incident response plan (or create one if you don't have one already!) so that you are fully prepared to deal with future breach attempts.