Ransomware attacks are becoming increasingly more common. It’s no longer a question of if but rather when will a business/organization suffer a ransomware attack. For businesses and organizations, correctly responding to a ransomware attack can mean the difference between a quick recovery and permanent closure. It’s essential that all businesses have detailed cyberattack response plans in addition to investing major resources into preventing an attack in the first place.
Below are just general guidelines and certainly not a complete guide on how to deal with a ransomware attack. The entire process is highly complicated and it’s best to contact professionals to minimize damage.
What to do if you are hit with a ransomware attack
1. Do not panic and isolate affected systems
When prevention methods fail and ransomware is able to get in, it’s essential to not panic and take the correct steps to minimize damage. Isolating affected systems immediately after a ransomware attack is critical. In order to contain the infection and prevent it from spreading, you must remove the affected system from the network immediately. If you fail to do that, the ransomware may spread to other systems, doing even more damage.
Throughout the whole ransomware attack and recovery process, it’s essential that you keep a clear head. You should also not rush to make decisions but rather focus on minimizing damage.
2. Disconnect backup
Once you have isolated the affected systems, you need to focus on securing your backups. Whatever strain of ransomware it is that you are dealing with, it will most certainly target your backup in order to encrypt or delete files. To prevent this from happening, immediately disconnect your backup from the network and do not reconnect until the infection has been dealt with.
3. Disable maintenance tasks
When you have confirmed a ransomware attack, it’s essential to disable any automated maintenance tasks (e.g. temporary file removal, log rotation, etc.). This is mostly done to prevent any contaminations that could hinder an investigation.
4. Back up infected systems
It’s recommended to make backups of infected systems once they’re isolated. This could prevent the loss of data during the decryption process. If, for example, you make the decision to pay the ransom and receive a decryptor but the decryptor does not work correctly. The decryptor may not work as intended and could damage files during decryption. To avoid corrupting or damaging your only copies, it’s a good idea to back up encrypted systems just in case something goes wrong.
Backing up infected systems is also a good idea for those who do not intend to pay the ransom. If the files are not critical and do not need to be recovered immediately, you can back them up in case a free decryptor becomes available sometime in the future. Law enforcement agencies are actively pursuing cybercrime gangs and are sometimes successful in apprehending them. If this were to happen with the cybercrime gang responsible for the ransomware that’s affecting you, a decryptor may be provided for you.
5. Quarantine the ransomware
Rather than outright removing ransomware, victims should quarantine it until an investigator has given the okay. When victims completely purge an infection from their systems before investigators can analyze it, it makes it that much more difficult for specialists to perform an investigation. During an investigation, specialists need to carefully analyze samples and other data in order to identify which ransomware is responsible, what specifically was affected during the attack, and whether it’s possible to somehow recover encrypted files. And removing the ransomware infection hinders these investigations.
6. Investigate how the ransomware got in
Determining how a ransomware infection got in is an essential step. Not only would it help prevent future infections, but also provide curial information about what other systems may have been affected, or what was done exactly. If the ransomware got in due to a vulnerability, identifying the source of the infection would certainly prevent future incidents. If the infection is the result of an employee error, an investigation would help identify which areas specifically employees need training in.
For businesses and organizations, it’s recommended to contact professionals that specialize in such attacks. It’s often difficult to find the origin of the attack. By the time a ransomware attack is launched and is noticed, cybercriminals will have been in the systems for a while, so it’s recommended to have professionals identify the origin of the attack.
7. Identify the ransomware
In order to figure out the next course of action, it’s essential to correctly identify the ransomware strain. It can be done by using free services like Emsisoft’s ransomware identification tool or ID ransomware. You would need to upload the ransom note, an encrypted file as a sample, and some information. If the ransomware is known, these services would identify it. Identifying the ransomware strain would also help determine whether there is a free decryptor available. There are various resources for victims of ransomware (e.g. NoMoreRansom) that can help find a free decryptor if one is available.
8. Make the decision on whether to pay the ransom
The decision that comes with a ransomware attack is whether to pay the ransom. For victims who have no backups, or if they’re damaged, paying the ransom may seem like a good option. Oftentimes, paying the ransom may be a cheaper option than facing downtime until systems are restored. But the decision to give in should not be taken lightly as it comes with consequences. For one, it should be emphasized that paying the ransom does not automatically mean a decryptor will be provided. In most cases, it will be but there is always that chance that the cybercriminals will just take the money. This is more likely to happen if you’re dealing with a relatively unknown ransomware strain. There’s also a chance that even if the decryptor is sent, it may not work as it’s supposed to. Victims should never rush the decision of whether to pay the ransom and consider all outcomes.
Prevent future ransomware attacks
If you have already dealt with ransomware, you will now realize that such an attack will have lasting consequences. And if you don’t want to go through the whole file recovery and ransomware removal process again, you need to ensure that ransomware will not be able to infiltrate your systems in the future. And the most efficient way to do that is to use security software that’s designed to prevent and deal with such attacks.
Anti-malware program SpyWarrior uses artificial intelligence technology to effectively deal with ransomware attacks. Known ransomware strains will be immediately detected and blocked before they can do any damage or encrypt files. And if the ransomware strain is new, its suspicious behavior would still be detected, and the attack would be stopped in time.