Ransomware attacks can happen to anyone at any time, but don’t feel helpless if your organization falls prey to a cyberattack.
If you’re the victim of a ransomware attack, there are five steps you can take to respond appropriately.
1. Isolate the Threat
Disconnect any infected device from your main network, including all Bluetooth devices and SMB connections. This helps prevent the ransomware from moving laterally and keeps other devices on your network safe.
2. Assess and Document Damage
When reporting a ransomware attack, be sure to gather as much information about the attack as possible, including email addresses, IP addresses, and triage information. One great way to get a lot of evidence is to provide an image of your server. The following is an additional basic checklist of information to collect for cyber forensic experts:
- Where did the attack originate?
- What time did the attack originate?
- How many devices have been infected?
- How many files have been encrypted (if any)?
- What data has been compromised?
- Do you have any backups of that data?
- How much ransom is being demanded?
- Have any payments been made?
- Transcribe or photograph any messages sent by the cybercriminals, file extension names, and any payment instructions.
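The following Python script is an added example, not part of the original article. It answers three of the checklist items above (how many files were encrypted, which file extension was used, and roughly when encryption began) by walking a directory tree without modifying it. The extension .lockedexample, the note name READ_ME_EXAMPLE.txt and the sample files are constructed placeholders, and the earliest modification time is only an estimate because timestamps can be altered.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone


def inventory(root, encrypted_exts, note_names):
    """Summarise encrypted files and ransom notes under root (read-only walk)."""
    exts = tuple(e.lower() for e in encrypted_exts)
    wanted = {n.lower() for n in note_names}
    by_ext, notes, earliest, total = Counter(), [], None, 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            path = os.path.join(dirpath, name)
            lower = name.lower()
            matched = next((e for e in exts if lower.endswith(e)), None)
            if lower in wanted:
                notes.append(os.path.relpath(path, root))
            elif matched:
                by_ext[matched] += 1
                mtime = os.lstat(path).st_mtime  # lstat: do not follow symlinks
                earliest = mtime if earliest is None else min(earliest, mtime)
    when = None if earliest is None else datetime.fromtimestamp(earliest, timezone.utc).isoformat()
    return {"total_files": total, "encrypted_files": sum(by_ext.values()),
            "by_extension": dict(by_ext), "earliest_encrypted_utc": when,
            "ransom_notes": sorted(notes)}


def build_sample_tree(root):
    """Constructed sample data: two 'encrypted' files, one clean file, one note."""
    samples = {
        "finance/q1.xlsx.lockedexample": 1700000000,
        "finance/q2.xlsx.lockedexample": 1700000600,
        "hr/policy.pdf": 1690000000,
        "finance/READ_ME_EXAMPLE.txt": 1700000700,
    }
    for rel, mtime in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (mtime, mtime))  # fixed timestamps for a repeatable result


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(inventory(tmp, [".lockedexample"], ["READ_ME_EXAMPLE.txt"]))
```

Point root at a read-only mount of the server image rather than the live system, so the evidence you hand to forensic experts is not disturbed.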
3. Report Ransomware Attacks
Reporting ransomware attacks is often required by law, depending on your region and/or industry. Once you’ve gathered all the data you can, it’s time to file your report with the FBI. You may also file a report with the FBI’s Internet Crime Complaint Center (IC3). They will request the following information:
- Date of infection
- Ransomware variant (identified on the ransom page or by the encrypted file extension)
- Victim company information (industry type, business size, etc.)
- How the infection occurred (link in email, browsing the internet, etc.)
- Requested ransom amount
- Actor’s bitcoin wallet address (may be listed on the ransom page)
- Ransom amount paid (if any)
- Overall losses associated with a ransomware infection (including the ransom amount)
- Victim impact statement
4. Recover Your Data
If you don’t have a backup of your data, there is no guarantee that you will be able to recover it, even if you pay the ransom. If backups are not an option, the best way to recover your data is to partner with law enforcement and/or cyber forensic experts to find decryptors that may be able to remove the encryption from your data.
Many “outdated” ransomware threats have decryptor keys available, which can be a solution to some ransomware scenarios. However, it could still leave your business vulnerable to more sophisticated attacks from the same bad actor.
The more ransomware victims partner with law enforcement and cybersecurity experts, the better everyone can understand and assist with ransomware attack recovery. However, the best solution for any organization is to prevent ransomware attacks in the first place.
5. Prevent Another Ransomware Attack
Lightning may not strike twice, but ransomware repeats. Even those who pay ransom may soon face another attack, which is one of many reasons why it is seldom advisable to simply pay a ransom.
The best thing to do is take preventive action against ransomware by partnering with cybersecurity service providers to ensure your organization is well protected. Look for services that offer cloud-based backup solutions as well as security awareness training that empowers everyone in your organization to avoid the traps ransomware often sets and to respond appropriately to ransomware to minimize its impact.