There is often no easy way out of a ransomware attack, but how you respond can make a big difference in how much damage is done. This guide will show you some of the best practices for a ransomware response, and how to minimize damage and get your system back online as quickly and safely as possible.
Signs of a Ransomware Attack
If you notice files on your computer with strange names and extensions that will not open with any program, there is a good chance a ransomware attack is underway. Usually, the first sure sign of a ransomware attack is a screen announcing that your files have been encrypted. Your screen might look something like this:
“All your files have been encrypted!”
This is a terrible and increasingly common experience; ransomware attacks increased by over 700% in 2020. If you see a message like this and find that you can’t access your files, there is a high probability that your entire network is compromised. Ransomware is often programmed to infect as much of the network as it can before making itself known.
For most organizations, every minute of downtime translates to lost money. A survey showed that the average ransomware attack costs $133,000 USD including downtime, ransom payments, network costs, manpower, device costs, and lost opportunities. For 5% of respondents, the cost was in the range of $1.3 million to $6.6 million. Most ransomware victims were hit an average of two times, which points to the importance of an effective response. A good response can significantly lower your chances of getting hit again.
Many ransomware attacks have demands with short time limits, so you need to act fast to save your data. At the same time, it’s important to stay calm.
This guide will give you a general idea of what steps need to be taken in the event of a ransomware attack. The following steps are some best practices that our team has developed after helping numerous clients restore their operations after ransomware attacks.
1. Don’t panic.
It’s easy to get upset about business suddenly stopping, but it won’t help anything. Remember that many organizations have been hit by ransomware attacks and made it through okay. Staying in a calm frame of mind will make it easier to do what needs to be done. Taking all the appropriate steps rather than rushing a badly organized response can actually lower the overall cost of recovery and protect you from more attacks in the future.
2. Disconnect the infected devices.
Usually, a ransom demand will not appear until the ransomware has infected every device that it can possibly access. It’s still a good practice to disconnect infected computers, because the ransomware can potentially still spread based on network activity. If you notice the ransomware before the demand is made, it is even more important to act quickly to prevent it from spreading.
The moment you notice the malware, immediately:
- Disconnect all your drives from the network.
- Power off Wi-Fi, Bluetooth and disconnect ethernet cables.
- If possible, power off the entire network.
- Inform remote workers connected to the infected network, and ask them to disconnect and shut down their systems.
3. Notify your IT service provider and/or IT department.
Ransomware takes time to spread through a system, so if you detect an attack, you should act immediately to prevent the infection from getting worse. The disconnection described in the previous step needs to happen even before notifying your IT department, because every second counts.
You also need to notify your IT service provider as quickly as possible. If you have cloud backups, for example, the infection may have already spread to your backups. It will be up to the service provider to stop the attack. Acting fast may make the difference between being forced to pay a ransom or not.
If your organization has an IT department, it is best to let them handle the ransomware response as described in the following steps. They will need to access the system in a way that prevents the ransomware from spreading. If your organization does not have an IT department, it may be best to hire outside help. BeforeCrypt specializes in ransomware; many of our clients are small and medium-sized companies without a dedicated IT department.
4. Document the attack.
Take a screenshot or photograph of any ransom message. Also, take a screenshot of the appearance of the encrypted files. Make sure to note the exact time the attack was discovered. If you can, download copies of your system logs and server logs.
There are several reasons you need to carefully document the attack. Firstly, it can help determine what type of ransomware has hit you. With some older ransomware versions, decryption tools are available which can help recover your data. In the vast majority of cases, however, there is no easy way out, but knowing the type of ransomware can help police to catch attackers later on. If your organization has a cyber attack insurance policy, complete documentation may be necessary to file a claim.
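A small triage script for this documentation step, added here as an example and not code from the BeforeCrypt guide. It records the two symptoms described earlier on this page (files renamed to unfamiliar extensions in bulk, and a ransom note) in a timestamped JSON evidence record: it walks a share, flags extensions that are not on a known-good list and occur at least three times, finds likely ransom notes by filename, hashes them, and notes the modification window of the flagged files. The known-extension list, the note-filename heuristic, the sample directory tree and its timestamps are all constructed assumptions; adjust them to your own environment.

```python
"""Added example, not code from the BeforeCrypt guide: record the visible
footprint of a file-encrypting attack as evidence.  The extension list, the
ransom-note filename heuristic and the sample tree are constructed assumptions."""
import hashlib
import json
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Extensions considered ordinary on the share being triaged (assumption).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
# Words that commonly appear in ransom-note filenames (heuristic assumption).
NOTE_NAME = re.compile(r"(readme|decrypt|how[_\-\s]?to|recover|restore)", re.I)

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def iso_utc(epoch: float) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()

def inventory(root: Path, min_cluster: int = 3) -> dict:
    """Count files per extension, flag unknown extensions seen at least
    `min_cluster` times (one odd file is noise, many sharing .locked is not),
    collect ransom-note candidates, and report the modification-time window
    of the flagged files as a first estimate of when encryption ran."""
    ext_counts = Counter()
    by_ext = {}
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        ext_counts[ext] += 1
        by_ext.setdefault(ext, []).append(path)
        if NOTE_NAME.search(path.stem) and ext in {".txt", ".html", ".hta", ""}:
            notes.append(path)
    suspect_exts = sorted(e for e, n in ext_counts.items()
                          if e not in KNOWN_EXTENSIONS and n >= min_cluster)
    suspect_files = [p for e in suspect_exts for p in by_ext[e]]
    mtimes = [p.stat().st_mtime for p in suspect_files]
    return {
        "extension_counts": dict(ext_counts),
        "suspect_extensions": suspect_exts,
        "suspect_file_count": len(suspect_files),
        "earliest_suspect_mtime": iso_utc(min(mtimes)) if mtimes else None,
        "latest_suspect_mtime": iso_utc(max(mtimes)) if mtimes else None,
        "ransom_notes": [{"path": str(p), "sha256": sha256_of(p)} for p in notes],
    }

def write_evidence_record(root: Path, out_path: Path, discovered_at: str = "") -> dict:
    """Combine the inventory with the discovery time and persist it as JSON."""
    record = {
        "discovered_at": discovered_at or datetime.now(timezone.utc).isoformat(),
        "root": str(root),
        **inventory(root),
    }
    out_path.write_text(json.dumps(record, indent=2))
    return record

def build_sample_tree(base: Path) -> None:
    """Constructed sample share (not real incident data): five ordinary PDFs,
    four encrypted-looking files with fixed modification times, one ransom note."""
    share = base / "finance"
    share.mkdir(parents=True)
    for i in range(5):
        (share / f"invoice_{i}.pdf").write_bytes(b"%PDF-1.4 sample")
    for i in range(4):
        p = share / f"report_{i}.docx.locked"
        p.write_bytes(os.urandom(32))   # ciphertext has no recognisable file header
        os.utime(p, (1_700_000_000 + 60 * i, 1_700_000_000 + 60 * i))
    (share / "README_TO_DECRYPT.txt").write_text("All your files have been encrypted!\n")

def demo() -> dict:
    """Run the triage against a fresh constructed tree and return the record."""
    base = Path(tempfile.mkdtemp(prefix="triage-"))
    build_sample_tree(base)
    return write_evidence_record(base / "finance", base / "evidence.json",
                                 discovered_at="2023-11-15T08:00:00+00:00")

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real share with `write_evidence_record(Path("/path/to/share"), Path("evidence.json"))` and keep the JSON together with your screenshots and log copies; the note hashes and extension names are what an analyst or decryption-tool lookup needs to identify the strain, and the modification window is the starting point for the backup check in step 7.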
5. Notify the authorities.
You may or may not be legally required to report the attack. Depending on your country and the type of data breach, you may be required to file reports with more than one governmental agency. For example, in the European Union, you may be required to file a report under the General Data Protection Regulation (GDPR). In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires companies in the health care sector to report all data breaches.
If the data is private or personal in nature, such as usernames and passwords, you are legally obliged under the GDPR in Europe, and potentially under US laws, to communicate the data breach to your colleagues and customers in the form of a press release or email, including, but not limited to:
- The type of breach which occurred
- The date and time of the breach
- A thorough damage assessment
- Any actions you have taken (such as paying the ransom, restoring from backups, reporting to law enforcement authorities, etc.)
- Suggested actions for your clients (such as changing usernames and passwords, etc.)
Being transparent is important. While it is natural that your company will suffer due to the news of a data breach, the more proactive approach you take, the better it will be for your organization.
For a more complete discussion of this topic, along with the contact details of relevant offices, check out our Ransomware Compliance Guide.
6. Find out the type of ransomware.
Have you heard of WannaCry? It was one of the most dangerous ransomware attacks to date. By the time it was resolved, over 25% of the UK’s National Health Service (NHS) systems were compromised, from servers to ventilators!
Every variant of ransomware is programmed differently, and hence must be treated differently. While there are myriad strains of ransomware, the two most common types are:
- Screen locking ransomware
- File encrypting ransomware
Screen-locking ransomware is marginally easier to resolve and recover from than file-encrypting ransomware.
Depending on the type of ransomware, you may have different options.
7. Check your backups.
The best possible scenario is restoring your system to a backup from before the infection occurred. To do this, you need to know when the infection happened so you don’t get infected again. This is where your system logs can come in handy. System Restore is generally not a good solution to ransomware, because you may restore to a disk image which has elements of the malware hidden deep in your file system.
In some cases, ransomware may also infect your backups. In this case, there is very little you can do besides give in to the attackers’ demands, or wipe your system and accept the loss of your data.
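The paragraph above says the key to restoring from backup is knowing when the infection happened, and that system logs are where to find that out. The following script is an added example, not code from the BeforeCrypt guide, of putting that into practice: it parses a file-server change log, estimates the moment mass encryption became visible (a burst of renames to a suspect extension, so that a single unusual file such as a user's own encrypted archive is not mistaken for the attack), and then picks the newest backup that completed a safety margin before that moment, listing every later snapshot for quarantine rather than restore. The log format, the backup catalogue, the suspect-extension list and the two-hour margin are constructed assumptions; in particular, the margin exists because the onset of encryption is only a lower bound, since the intruder was in the network before encryption started, and you should widen it based on your own investigation.

```python
"""Added example, not code from the BeforeCrypt guide: estimate when mass
encryption started from a file-server change log and pick the newest backup
that finished safely before it.  Log format, backup catalogue and the
suspect-extension list are constructed assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Constructed audit-log excerpt: "<ISO time> <op> <path>[ -> <new path>]".
# notes.enc on 1 March is a user's own encrypted archive, not ransomware;
# the burst of .locked renames on 3 March is the attack.
SAMPLE_LOG = """\
2024-03-01T16:20:31Z WRITE  /srv/share/it/notes.enc
2024-03-02T09:10:05Z WRITE  /srv/share/finance/budget.xlsx
2024-03-02T13:42:11Z RENAME /srv/share/finance/old.docx -> /srv/share/finance/old_v2.docx
2024-03-03T02:14:03Z WRITE  /srv/share/hr/README_TO_DECRYPT.txt
2024-03-03T02:14:04Z RENAME /srv/share/hr/contracts.pdf -> /srv/share/hr/contracts.pdf.locked
2024-03-03T02:14:04Z RENAME /srv/share/hr/payroll.xlsx -> /srv/share/hr/payroll.xlsx.locked
2024-03-03T02:14:05Z RENAME /srv/share/hr/policy.docx -> /srv/share/hr/policy.docx.locked
2024-03-03T02:14:07Z RENAME /srv/share/finance/budget.xlsx -> /srv/share/finance/budget.xlsx.locked
"""

# Constructed backup catalogue: (label, completion time).
SAMPLE_BACKUPS = [
    ("nightly-2024-03-01", "2024-03-01T01:00:00Z"),
    ("nightly-2024-03-02", "2024-03-02T01:00:00Z"),
    ("nightly-2024-03-03", "2024-03-03T01:00:00Z"),
]

SUSPECT_EXT = (".locked", ".crypt", ".enc")   # assumption; adjust per strain
LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text: str) -> list:
    """Return (time, operation, resulting path) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, op, rest = m.groups()
        target = rest.split(" -> ")[-1].strip()   # for RENAME keep the new name
        events.append((parse_ts(ts), op, target))
    return events

def estimate_onset(events: list, burst: int = 3, window: timedelta = timedelta(minutes=5)):
    """First time at which `burst` suspect-extension events occur within
    `window`.  A lone odd file does not count, which filters out notes.enc."""
    suspect = sorted(t for t, _, path in events if path.lower().endswith(SUSPECT_EXT))
    for i in range(len(suspect) - burst + 1):
        if suspect[i + burst - 1] - suspect[i] <= window:
            return suspect[i]
    return None

def build_restore_plan(log_text: str = SAMPLE_LOG, backups: list = SAMPLE_BACKUPS,
                       margin: timedelta = timedelta(hours=2)) -> dict:
    """Choose the newest backup completed before onset minus `margin`.  Onset
    is when encryption became visible, not when the intrusion began, so the
    margin (an assumption to widen from your own investigation) keeps a gap,
    and every later snapshot is listed for quarantine instead of restore."""
    onset = estimate_onset(parse_log(log_text))
    if onset is None:
        return {"onset": None, "cutoff": None, "restore_from": None, "quarantine": []}
    cutoff = onset - margin
    catalogue = sorted((parse_ts(t), label) for label, t in backups)
    clean = [label for t, label in catalogue if t <= cutoff]
    return {
        "onset": onset.isoformat(),
        "cutoff": cutoff.isoformat(),
        "restore_from": clean[-1] if clean else None,
        "quarantine": [label for t, label in catalogue if t > cutoff],
    }

if __name__ == "__main__":
    print(build_restore_plan())
```

Note that with the sample data the 3 March snapshot finished only 74 minutes before encryption became visible and is therefore excluded by the two-hour margin; restoring from it would have been a gamble on the attacker not having staged anything during that window, which is exactly the "restore to an image with malware hidden in it" risk the guide warns about.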
8. Find the root cause of the ransomware attack.
In either case, you need to know how the infection occurred. Whether you pay the ransom or restore your data with a backup, if you do not find the cause of the attack you are at risk of another infection.
Most ransomware attacks begin through either phishing or exploits.
Phishing attacks usually happen in the form of an email or website. Hackers may impersonate reputable businesses or government agencies by imitating the appearance of their emails or websites, and then trick employees into clicking a link or downloading an attachment containing the malware. There’s a good resource on phishing prevention here.
If the ransomware infection happened due to a vulnerability in your system, you will need to patch that vulnerability before restoring your data. Many vulnerabilities come from running outdated software, so keep up to date with published exploits and patches to minimize your risk.
Steps 9-14 are explained in detail in the full guide.