In this final article in our four-part series, we share what to do if you are targeted by a ransomware attack, now that you know what ransomware is, how to prepare for it, and what to do to mitigate and prevent it.
As we discussed in a previous post, having and practicing a plan of response is an important step in knowing what to do if you are a victim of ransomware. The Cybersecurity & Infrastructure Security Agency (CISA) has written a lot on this topic, including this release called Technical Approaches to Uncovering and Remediating Malicious Activity. Their advice on addressing potential incidents and applying best practice incident responses includes:
- Collect and remove relevant artifacts, logs and data for further analysis.
- Implement mitigation steps that avoid tipping off the adversary that their presence in the network has been discovered.
- Consider soliciting incident response support from a third-party IT security organization to provide subject matter expertise and technical support to the incident response, ensure that the actor is eradicated from the network, and avoid residual issues that could result in follow-up compromises once the incident is closed.
Adding to that advice, we want to stress: don’t panic, since we never make our best decisions in that state. Instead, call your IT company, if you work with one, and your cybersecurity insurance provider to report the breach. Notify all employees immediately too. Additionally, you should:
- Disconnect all infected devices from your network and Wi-Fi and physically turn them off. Most ransomware can spread through a network connection, so the sooner you disconnect infected devices from your network, the higher your chances of limiting the reach of the ransomware. All shared drives should be taken offline too until you have fully identified how far the infection has reached.
- Uncover the source of the breach. Often ransomware is initially launched when an employee unsuspectingly clicks a link in an email. The last thing you need is for that person to hide their mistake out of fear of punishment. From a company culture perspective, make sure to stress the importance of remaining aware, but also of communicating anything awry immediately.
- Restore from a backup to a clean environment. Once you have contained the damage, you should be able to restore your files from a backup executed at a time prior to the attack. If HIPAA applies to your company, DO NOT restore from backup. Instead, shut down your systems to prevent further damage and contact your insurance carrier to get guidance on next steps.
We can hear you asking, “Isn’t it easier to pay the ransom?” While there is a lot of data and differing advice about how to respond to a ransomware attack, nearly universally the advice is to NOT pay the ransom. On average, approximately 40% of victims decide to pay their ransom in any given year, yet only 20% (or half of those that pay) actually recover their data once payment has been made. On top of those statistics, paying the ransom encourages repeat attacks on your organization (you paid once, after all) and other businesses.
Finally, you should report the attack to the authorities, including the FBI and CISA. You may also be required by law to report the breach publicly and to clients, depending on the type of information that was accessed and your company’s industry. This resource from the Federal Trade Commission goes into more detail on requirements.
With the rates of ransomware attacks increasing every year, your chances of becoming a victim are also rising. It is everyone’s job to understand how these types of attacks work, to apply mitigation and prevention tactics, and to educate employees on how to recognize and avoid potential attacks. If we can help your business in any way, don’t hesitate to reach out.