With ransomware attacks on the rise, it’s all too easy for individuals and businesses to fall victim to cybercrime. While no one plans to be the victim of a cybercrime, it’s important to know what to do in the immediate aftermath of an attack. A quick, level-headed response can be the difference between a contained data loss and a cyber catastrophe.
In this article, we’ll walk you through five key steps you can take after suffering a ransomware attack.
Protect your employees and network from ransomware attacks with Zero Trust. Enforce least privilege access policies across your organization in minutes based on user identity to safeguard all critical assets. Protect your business with Perimeter 81 - one of TechRadar’s top choices for Zero Trust providers.
1. Isolate the attack
The minutes immediately following a ransomware attack are incredibly important. If you respond quickly and correctly, you may be able to contain the attack to a small group of devices, or limit the amount of data that’s affected.
To minimize the damage from a ransomware attack, you should rapidly isolate the affected part of your network. Alert key networks to the attack as quickly as possible. At large organizations, this means you should contact the IT team immediately, and broadcast a warning using your company’s communications platform.
In addition, power off and unplug as many devices as possible, so the ransomware cannot spread to them. However, don’t turn off computers that have already been infected. Ransomware is capable of preventing an operating system from booting up, and may randomly delete data to discourage you from trying to restart your system.
If you have access to routers or network cables, unplug them to disconnect more devices from the network. IT teams should also disconnect backup servers from the company’s network, to ensure that backups aren’t affected by the attack.
2. Report the attack
Once the ransomware attack has been contained, the next step is to report the attack to outside groups who may be able to help. First, take a screenshot or a photo of the ransomware message, as this can be used to identify the ransomware strain that was used in the attack.
If your company works with an external IT team or cybersecurity firm, alert them to the attack, so they can begin evaluating the extent of the damage. In rare cases involving known ransomware software, cybersecurity professionals may be able to decrypt your files without paying the ransom.
If your company has a ransomware insurance policy, contact your insurance provider to let them know what’s happened. Even if you don’t have all the details of the attack, you can begin to find out what your options are for paying the ransom or for covering the costs of the attack.
Finally, report the attack to the FBI. You can contact your local FBI field office, which may be able to provide support with tracing how the attack occurred in the first place.
3. Decide whether to pay the ransom
Next, you should think carefully about whether to pay the ransom. Keep in mind that there’s no guarantee you will get your data back even if you pay. Some ransomware groups simply take your money and don’t offer a decryption key. Some strains of ransomware even delete your files to make it look like they’re still there, to trick you into paying.
It’s a good idea to research the ransomware group behind the attack, and the ransomware strain used (if possible). You may be able to obtain more information about whether the group has decrypted data as promised during past attacks.
Note that the US government doesn’t support paying ransoms for cyberattacks. However, paying the ransom isn’t illegal.
4. Restore data from your backups
If you have backups of your data, you may be able to recover most of it without paying the ransom. First, check your backups (while disconnected from the infected portion of the network) to make sure they’re intact. Many advanced ransomware attacks specifically target backups to prevent them from being used to restore data.
If your backups are safe, perform a factory reset on all devices affected by the ransomware attack, and completely wipe your hard drives. This is necessary to make sure ransomware isn’t hiding somewhere in the corners of your system.
When restoring your system, use a copy of your backups rather than your primary backups. Otherwise, you risk infecting your backups if malware remains in your network. Your backups may not include all the data that was lost, but they should greatly mitigate the extent of the damage.
5. Perform a full audit of your network
Once the immediate response to a ransomware attack is over, it’s critical that a team of cybersecurity experts performs a full audit of your organization’s network. Sophisticated attackers may still have a foothold in your network that could be used to launch another attack. There may also be lingering malware that wasn’t removed when you reset your devices. Security experts will be able to monitor for suspicious activity and help eliminate any remaining ransomware.
Cybersecurity experts can also use digital forensics to figure out how the attackers got into your network in the first place. This is essential for preventing another attack, and for making your network security more robust.
You should assume that all existing passwords were compromised during the attack, so change them as soon as possible. It’s a good idea to make sure that multifactor authentication is enabled and working properly, since attackers may have modified your authentication systems.
A ransomware attack can happen at any time, so it’s important to know how to respond quickly if your organization’s network is attacked. Alerting other parties to the attack and quickly isolating the affected part of your network is key to minimizing damage. After a ransomware attack, it’s essential to fully audit your network to make sure the attackers have been removed, and that there’s no remaining ransomware.