Responding to a ransomware attack
Rule #1: If at all possible, don't pay the ransom!
What you do is up to you, but here are a few things to consider before deciding to pay the ransom.
Even if you have no backup system in place, the cost of rebuilding your database is partially offset by the ransom you did not pay, especially when the demand runs to hundreds of thousands or millions of dollars.
Remember, you are dealing with unethical criminals here and there is no guarantee that your files will be decrypted/returned even if you pay the ransom. Further, once attacked and the criminals know you are apt to pay the ransom, they’ll be back.
Assuming your organization is able to not yield to the hacker’s demands, follow these steps:
1. Isolate and contain
Immediately disconnect infected computers and servers from the network. Ensure wireless connections are disabled as well. If you are not sure which front-end assets are infected, or if the ransomware is still actively spreading and encrypting files, disconnect storage devices before they become infected.
Do not attempt to reboot, install updates, or perform maintenance on affected machines, as this may result in permanent data loss or damage.
2. Attempt decryption
Many decryption tools are commercially available from anti-virus software manufacturers, and some can be downloaded for free. Depending on the malware strain used in the attack, you may be able to recover your data.
3. Install anti-malware software
These applications search for known ransomware code strings across your entire system so that IT administrators can scrub the network of any traces of the virus. Anti-malware programs do not decrypt infected files, but they alert IT to the presence of ransomware and help prevent infections from spreading.
4. Restore
If you have clean versions of your files and databases safely stored off-line, use data backups to restore your systems to the latest possible state before the attack occurred. Some types of ransomware will require a complete reformat of storage media and a reinstall of the operating system and all applications to be sure all code is removed.
Next, reset all system passwords after the ransomware has been completely removed.
5. Report
Notify affected parties such as supply chain partners, customers, or vendors that may have access to your systems and alert them to your breach so they can take preemptive measures to secure their own networks.
Small businesses should report ransomware attacks to the local FBI field office and the provider of your anti-malware software. Employees in larger organizations should immediately report ransomware incidents to the IT helpdesk or cybersecurity office.
Rapid response is key: have an incident response team
Every organization should assemble an incident response team (IRT) with defined roles and strategies. Each member must be prepared to manage one facet of the cyberattack response playbook, such as containment, restoration, or notification.
A quick, coordinated response is critical to containing the infection and limiting the damage.
However, the best way to manage the threat of ransomware is through preparation and prevention. Part of the IRT’s mission is to ensure business continuity through the development of disaster recovery (DR) procedures or engaging with DRaaS providers and other managed security services to recover from any attack or disaster, not just ransomware.
One of the fastest responses to ransomware is isolation software.
Bullwall Ransomware Containment, for example, provides a last line of defense and an additional layer of protection against ransomware threats through instant detection of attacks that have bypassed perimeter defenses. It automatically isolates infected devices to help minimize the impact of a successful ransomware attack.
Our Ransomware Containment solution works in the background, constantly monitoring your network without impacting performance. For more about how Ransomware Containment works, visit our Ransomware Containment services page.
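As an added example (not Bullwall's product code and not code from this page), the kind of detection logic behind such a containment tool can be shown in miniature: a detector that reads file-server audit events, assumed here as constructed tuples rather than a real log format, and flags a user on one host who renames many files to a new extension within a short window, which is the signal on which the host would be isolated.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed file-server audit events for the demo:
# (timestamp, user, host, operation, old_path, new_path).
# In practice these would be fed from file-server audit logs.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "bob", "WS-07", "WRITE", "/share/finance/q1.xlsx", None),
    ("2024-05-01T09:00:05", "bob", "WS-07", "RENAME", "/share/finance/draft.docx", "/share/finance/draft_v2.docx"),
    ("2024-05-01T09:01:00", "alice", "WS-12", "RENAME", "/share/hr/payroll.xlsx", "/share/hr/payroll.xlsx.locked"),
    ("2024-05-01T09:01:02", "alice", "WS-12", "RENAME", "/share/hr/contracts.pdf", "/share/hr/contracts.pdf.locked"),
    ("2024-05-01T09:01:03", "alice", "WS-12", "RENAME", "/share/hr/handbook.docx", "/share/hr/handbook.docx.locked"),
    ("2024-05-01T09:01:05", "alice", "WS-12", "RENAME", "/share/hr/onboarding.pptx", "/share/hr/onboarding.pptx.locked"),
    ("2024-05-01T09:01:06", "alice", "WS-12", "RENAME", "/share/hr/benefits.xlsx", "/share/hr/benefits.xlsx.locked"),
    ("2024-05-01T09:01:08", "alice", "WS-12", "WRITE", "/share/hr/README_TO_RESTORE.txt", None),
]


def _changes_extension(old_path, new_path):
    """True when a rename gives the file a different extension (ransomware typically appends one)."""
    return PurePosixPath(old_path).suffix != PurePosixPath(new_path).suffix


def detect_encryption_bursts(events, threshold=5, window_seconds=60):
    """Flag (user, host) pairs that change the extension of >= threshold files within the window.

    Returns {(user, host): (count, new_extension)} for pairs that crossed the threshold,
    so the caller can isolate that host and disable the account while the rest is triaged.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (user, host) -> timestamps of extension-changing renames
    flagged = {}
    for ts, user, host, op, old_path, new_path in events:
        if op != "RENAME" or not _changes_extension(old_path, new_path):
            continue
        t = datetime.fromisoformat(ts)
        key = (user, host)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:  # drop renames that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged[key] = (len(q), PurePosixPath(new_path).suffix)
    return flagged


if __name__ == "__main__":
    for (user, host), (count, ext) in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ISOLATE {host}: {user} renamed {count} files to *{ext} within 60s")
```

The threshold and window have to be tuned against the share's normal renaming activity, since a bulk rename by an administrator would otherwise trigger isolation.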
No solution provides 100% protection 100% of the time. But there are steps you can take to protect your organization.