Ransomware 101 Part 3: How to Respond to a Ransomware Attack
The fight against ransomware is escalating: the U.S. White House’s National Security Council recently convened a summit of more than 30 nations (excluding Russia) to discuss how the countries can work together to combat cyber threats.
If recent trends continue, the annual number of ransomware attacks is only going to rise. And with the average ransomware recovery costing a whopping $1.85 million USD, it’s a risk – and a price – that most companies can’t afford.
With the stakes this high, it’s no wonder that cybersecurity is top of mind for companies of all sizes. It’s also a priority for regulators around the globe, who are now beginning to hold financial services firms liable for the lacking cyber programs that allowed them to be attacked.
Our Ransomware 101 blog series has addressed multiple aspects of the ransomware issue, from what ransomware is and why it’s such a threat, to how to prevent an attack from occurring and detect an attack in progress.
This blog article, the third part in the series, will explore how to respond when your business’ network has been infected by ransomware.
Steps for responding to a ransomware attack
A cyber incident has occurred. You know it’s ransomware because your files have been encrypted or locked and the captors are demanding a ransom to get them back. Now what?
The first step: don’t panic. Your primary objective now is to stop the infection from spreading and mitigate as much damage as possible. Here are the steps to take
- Activate your incident response and business continuity teams.
- Gather your company’s incident response and business continuity teams. Ensure each participant (IT, management, PR, legal, and any others) know what their role is and are standing at the ready.
- Document everything -- any information you collect about the incident can be used as evidence to press charges against the alleged attackers, as well as for lessons learned to improve your incident response process. Documentation should answer the questions Who, What, When, Where, Why, and How.
- Get help from the experts.
Report the attack to the appropriate cyber law enforcement authorities as soon as you know you’ve been hit. You can also contact third-party experts to assist you in your recovery efforts. Both options can provide support, and the information you provide can help with ongoing ransomware investigation and prevention efforts.
- In the U.S.
- Outside the U.S.: reporting options are here.
- Contact internal or external cyber forensics team to investigate the ransomware attack.
- The No More Ransom initiative may be able to help you recover your files, particularly if the attack uses weak encryption.
- Determine the scope of the incident.
- Identify the ransomware variant causing the infection. It will likely identify itself, but you can also use tools like ID Ransomware and Crypto Sheriff to confirm the exact strain.
- Confirm when the infection began.
- Note which networks, devices, applications, and systems have been affected.
- Determine how quickly the malware is spreading.
- Contain the spread.
- Remove the infected devices and systems from the network (both wired and Wi-Fi) and from external storage devices.
- Remove or power-off affected devices that are not yet completely corrupted.
- Take extreme caution with any remaining devices connected to your network and external storage devices.
- Take backup data or systems offline to secure them. Ensure they are free of malware.
- Check if portions of the ransomed data are still available, and collect and secure those that are.
- If possible, change all passwords for accounts and networks after removing the system from the network.
- Delete registry files to stop programs from loading and disable automated maintenance tasks.
- Determine how you will recover from the infection.
- Paying the ransom is not recommended.
- There is no guarantee that decryption keys will be given after paying the ransom.
- You could be asked to pay more to get the decryption key.
- It inadvertently encourages the criminal business model.
- Your other options are to try to remove the malware, or to wipe the infected system(s) and reinstall everything from scratch.
- You can also hire a private company to help with your recovery efforts, including assisting with ransom negotiation if your company chooses to pursue that path.
- Paying the ransom is not recommended.
- Remove the malware and recover your systems.
Simply removing the malware doesn’t guarantee that it is completely gone. A complete system wipe may be your best option for total recovery.
- Assess the viability of backup systems and evaluate whether restoring systems will impair the preservation of evidence. As a precaution, take a forensic image of the affected system(s) as a preservation method and then wipe the system(s).
- Confirm the date of infection. This is extremely important to make sure you do not restore from an infected backup.
- Select a safe backup or backups. It’s best to use a backup that was not connected to your network at the time of the attack. Local backups can be encrypted by ransomware, so it is not a good idea to use these, even if they are your only backup.
- Reinstall your operating system and software applications from their source media or the internet.
- Contact the appropriate regulatory agencies and adhere to breach notification requirements.
- Plan to prevent a future ransomware infection.
Investigate how the attack occurred, then put appropriate measures into place to prevent future infections from occurring:
- Review your incident documentation to see what lessons can be learned. It's a good idea to contact the FBI proactively to understand how, when, and what evidence to collect in the event of another attack.
- Conduct regular staff cybersecurity awareness training, including phishing prevention.
- Configure strong spam filters and utilize authentication email technologies.
- Implement a good backup policy that uses both local and off-site backups.
- Identify and resolve any system vulnerabilities. Conduct regular penetration testing can help you identify and quickly address any potential gaps.
- Enable mandatory multi-factor authentication to reduce the risk of unauthorized access.
- Segregate networks to contain breaches if they occur.
- Keep and maintain a regular patching regimen for operating systems, software, and firmware.
- Implement software restriction policies to prevent software from executing in common ransomware locations.
- Conduct routine credential checks and remove any expired credentials
- Ensure you have strict security in place for things like admin rights, system permissions, file shares, and other shared resources like Microsoft Office 365.
- Utilize cybersecurity insurance to prevent large asset loss in the case of a breach.
Download the ransomware prevention and detection checklist
For a step-by-step framework your organization can take to prevent a ransomware attack, download our checklist.
Read the series
How we help
ACA Aponix® helps firms to stay on top of their cybersecurity programs. Contact us discuss how we can help assess and strengthen your current program to prevent ransomware attacks.