Ransomware Attack? What You Should Do Next.
In the event of a ransomware attack, an effective response plan can mean the difference between a contained incident and a company-wide infection, which can lead to permanent business closure.
How to respond to a ransomware attack
While there are several steps that you should take immediately after identifying a ransomware infection, here are four of the most critical:
- Isolate affected systems
Isolation is the top priority. Most ransomware will scan the target network, encrypt files stored on network shares and try to infiltrate other systems. Contain the infection and prevent the ransomware from spreading by removing infected systems from the network immediately.
- Secure backups
While backups play a critical role in remediation, they are not immune to ransomware. In the event of a ransomware incident, you should secure all backups by disconnecting backup storage from the network until the infection is resolved.
- Quarantine the malware
Do not remove, delete, reformat, or reimage infected systems unless instructed to by a ransomware recovery specialist. Instead, quarantine the malware. This allows investigators to analyze the infection and identify the exact strain of ransomware responsible. Removing the entire infection makes it difficult for recovery teams to find the specific ransomware sample involved in the attack.
- Decide whether to pay the ransom
If backups are damaged and there is no free decryption tool available, you may be tempted to pay the ransom to recover your files. While paying the ransom can help reduce disruption and may be cheaper than the cost of downtime, it is not always the best decision. Only pay a ransom if all other options have been exhausted and the breach will likely result in your company going out of business.
Do NOT pay the ransom immediately. Although the prospect of downtime and potential financial loss can be frightening, you should never immediately pay the ransom before exploring all options. Contact law enforcement first! These agencies not only have resources and information they can share with you on how to recover, but by reporting your ransomware attack right away, you can avoid being penalized if forced to pay. Certain ransomware attackers are sanctioned for posing a national security risk, and victims will be punished for paying ransom demands to these entities. Full reporting and cooperation with law enforcement should always be a part of your ransomware response plan.
The following factors should be considered when deciding whether to pay:
- There is a 1 in 20 chance that the ransomware authors will take the money and not provide a decryptor.
- The attacker-provided decryptor may not work properly.
- Ransom payments may be used to fund serious criminal activity, including human trafficking and terrorism.
- Paying the ransom supports the ransomware business model and perpetuates further attacks.
Also, never delete ransom notes. Some ransomware groups create a ransom note for every file they encrypt, which contains the encoded and encrypted decryption key. If you delete the ransom note, its corresponding file cannot be decrypted.
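One way to act on the ransom-note advice above, as an added example that is not part of the original article: this Python script copies every note into a separate evidence folder with a SHA-256 manifest and only reads the originals, so each note stays beside the file it belongs to. The filename patterns and the `preserve_notes` helper are assumptions for illustration; substitute the note names seen in your own incident.

```python
import fnmatch
import hashlib
import json
import os
import shutil
from pathlib import Path

# Assumed, constructed note-name patterns (lowercase); replace with the names seen in your incident.
NOTE_PATTERNS = ["*readme*decrypt*", "*.ransom_note.txt"]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_notes(root, evidence_dir, patterns=NOTE_PATTERNS):
    """Copy every matching note under root into evidence_dir and write a manifest.

    Originals are only read, never moved or deleted.
    """
    root, evidence_dir = Path(root).resolve(), Path(evidence_dir).resolve()
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip the evidence folder itself if it lives under root.
        dirnames[:] = sorted(d for d in dirnames
                             if (Path(dirpath) / d).resolve() != evidence_dir)
        for name in sorted(filenames):
            if not any(fnmatch.fnmatchcase(name.lower(), p) for p in patterns):
                continue
            src = Path(dirpath) / name
            digest = sha256_of(src)
            # Index prefix keeps per-file notes that share a filename from overwriting each other.
            dst = evidence_dir / f"{len(manifest):06d}_{name}"
            shutil.copy2(src, dst)  # copy2 keeps timestamps for investigators
            if sha256_of(dst) != digest:
                raise IOError(f"copy of {src} does not match original")
            manifest.append({"original_path": str(src), "stored_as": dst.name,
                             "sha256": digest, "size": src.stat().st_size,
                             "mtime": src.stat().st_mtime})
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest
```

The `original_path` field in `manifest.json` records where each note was found, which is what lets a recovery team match a note to its encrypted file later.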
Most importantly, your response procedures should be put in place before an attack. The worst time for a company to try and create a strategy to mitigate a ransomware attack is during a real ransomware attack. See this FBI Alert for more information on detecting and remediating malicious activity.
Conclusion
Protect your business from a ransomware attack with a proactive approach. An effective response procedure can help prevent data loss and safely initiate the recovery process. Click-Pro can show you how to protect your systems.
Contact us today.