Understanding how to recover from a ransomware attack should be at the very top of every IT department's security strategy. Since the beginning of 2020, organisations have had to change their IT model to enable remote working. As this was done quickly, many businesses are left with gaps in both IT security and employee security awareness.
Cybercriminals wasted no time exploiting these vulnerabilities, sending wave after wave of malware to find those security cracks and then deliver a ransomware payload. Coming up are 10 steps to help you recover from a ransomware attack should the worst happen.
How to Recover from a Ransomware Attack
1. Know What A Ransomware Attack Involves
Ransomware is a cyberattack that uses a combination of phishing and malware to invade your system and hold your critical corporate data hostage. Once the malware is downloaded to the user’s device, it goes to work. It enters your network, takes hold of your files, and locks you out by encrypting the data. You can’t access or decipher your data due to this encryption. Then, you must pay a ransom in exchange for a decryption key. The criminals holding your data may also threaten to publish it to the internet if the ransom isn’t paid. Quite often, victims never recover their data even when they pay the ransom.
2. Quickly Identify If You Are A Victim Of Ransomware
A ransomware attack does its dirty work covertly so that you won’t see many prior warning signs. After the event, of course, one clear indication is that your data becomes encrypted against your will. As part of the encryption process, the file names may also be altered.
Often, pop-up instructions on how to pay the ransom are visible on the screen. If the malware targeted the web browser, then the browser may be locked. Again, the ransom note will appear on the browser itself.
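The two signs described above, renamed files and files that can no longer be read, can be checked for automatically on a file share or a suspect device. The script below is an added example written for this article, not a tool from the original page or from Securus. It walks a directory tree and flags three indicators: a filename matching a known ransom-note name, a suspicious extension appended to the original one, and file contents whose Shannon entropy is close to 8 bits per byte, which is what encrypted data looks like. The watch-lists (SUSPECT_EXTENSIONS, RANSOM_NOTE_NAMES, HIGH_ENTROPY_OK) and the sample file tree are constructed for the example; real families use many other names, so treat the lists as a starting point. Compressed and media formats are skipped for the entropy check because they are legitimately high-entropy and would otherwise be false positives.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed watch-lists for this example. Real families use many other
# extensions and note names; treat these as a starting point, not a complete list.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.txt", "restore_files.html"}
# Formats that are legitimately high-entropy (compressed or already encrypted),
# so an entropy hit alone tells you nothing about them.
HIGH_ENTROPY_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniformly random data approaches 8.0
SAMPLE_BYTES = 65536      # only the first 64 KiB of each file is measured


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def classify_file(path: Path) -> list[str]:
    """Return the indicators that apply to one file (empty list = nothing noteworthy)."""
    reasons = []
    name = path.name.lower()
    suffix = path.suffix.lower()
    if name in RANSOM_NOTE_NAMES:
        reasons.append("ransom-note filename")
    if suffix in SUSPECT_EXTENSIONS:
        reasons.append("suspicious extension")
    if suffix not in HIGH_ENTROPY_OK:
        with open(path, "rb") as fh:
            entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
        if entropy >= ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({entropy:.2f} bits/byte)")
    return reasons


def scan_directory(root) -> dict[str, list[str]]:
    """Walk a directory tree and map each flagged file (relative path) to its indicators."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(root) -> None:
    """Constructed sample tree: one clean document, one 'encrypted' and renamed file,
    one ransom note, and one archive that is high-entropy for legitimate reasons."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "q1-report.docx").write_bytes(b"Quarterly figures: revenue up 4%\n" * 200)
    (root / "finance" / "q2-report.docx.locked").write_bytes(os.urandom(4096))  # stands in for ciphertext
    (root / "finance" / "README_TO_DECRYPT.txt").write_text("Your files are encrypted.\n")
    (root / "archive.zip").write_bytes(os.urandom(4096))  # high entropy but expected for a .zip


def demo() -> dict[str, list[str]]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for rel_path, reasons in demo().items():
        print(f"{rel_path}: {', '.join(reasons)}")
```

Run against a mapped share or a suspect workstation's user profile, the output gives the incident team a quick list of where encryption has already reached, which feeds directly into the isolation decisions in steps 7 and 8. A single high-entropy hit on its own is weak evidence; a cluster of renamed, high-entropy files alongside a note is not.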
3. Do Not Pay The Ransom
Law enforcement agencies that deal with cybercriminals recommend that you do not pay the ransom. Most of the time, victims who do pay never recover their files. Also, most organisations have backup copies of their files that can be used to restore the lost data once any network vulnerabilities are fixed.
The time and effort it takes may cost many engineering hours, but restoring backups is the preferred approach. About 56% of ransomware attack victims recover their data through backups and avoid paying the ransom.
Even if you pay the ransom and recover your infected files, it’s likely there is still malware on your servers or user devices, so you’ll spend time cleansing your network rather than wiping devices and restoring backups. Either way, your company incurs that cost.
Of course, paying the ransom serves to encourage criminal behaviour. Ransomware attacks persist because it’s a lucrative endeavour. By paying the ransom, you become part of a group of victims who perpetuate the problem.
4. Report the Attack (UK Organisations)
Once you are aware that ransomware has taken hold of your data, you should report the attack. Doing so will assist authorities because, most likely, you are not the only victim of the same perpetrator.
In the United Kingdom, you can report ransomware attacks to the National Cyber Security Centre (NCSC) and Action Fraud, the National Fraud and Cyber Crime Reporting Centre. You can make your report by phone or through each agency’s online reporting tool. Reporting online also gives you the option to receive updates on your case.
The NCSC provides guidance for reporting as well as responding to cyberattacks of all types. Note that, as their website states, reporting a ransomware attack to the NCSC does not fulfil any regulatory reporting requirements. If you are subject to such regulations, be sure to report to the relevant bodies as well. Your information is confidential. However, the NCSC will share details with law enforcement agencies such as the National Crime Agency to aid in any ongoing investigations.
5. Notify All Staff
A ransomware attack of any size can bring your business to an abrupt standstill. Furthermore, it can also alarm stakeholders. If your organisation falls victim to ransomware, it is best to have an emergency response plan that includes a communication protocol so that everyone is informed promptly and before word gets out. Notification should come from you rather than from outside media outlets.
The first step in such a communication plan is to notify all staff of the attack and provide guidance regarding their next steps. Only those employees who are directly affected by the attack will be aware of it. Inform the entire organisation, so that staff who haven’t been affected can take the necessary steps to prevent the malware from spreading.
You may also need to provide your staff with alternate communication channels so they can continue their daily work. Finally, you’ll need to communicate to your employees how you will inform vendors, clients, and other stakeholders about the breach.
6. Coordinate Your Efforts
At this point, your disaster recovery plan has been activated. Because a ransomware attack can infect your entire network, it’s recommended that you coordinate your response efforts using in-person meetings, an all-hands conference call, or over the phone. Communicating through text or email is not advisable during this time.
Ransomware attacks demand that you act quickly. Even when you have current backup files available and ready, restoring them takes time. Business processes are slowed or stopped until recovery is complete, so timely execution is critical.
If you are considering paying the ransom for whatever reason, the criminal entity has likely placed a deadline for doing so, which means your team must make decisions quickly. Gathering everyone together is the fastest way to decide on a response, delegate tasks, and get the job done.
7. Isolate Impacted Systems Straight Away
Your IT security team must isolate the impacted files or systems as soon as the attack is discovered. Any infected systems must be removed from the network to prevent the ransomware from infecting more devices and spreading to shared and cloud drives.
Pulling the infected components offline will slow further infection and buy you time. If the infection is isolated to a single device, physically disconnect it from the rest of the network. If it has spread to multiple systems, take the affected network or networks offline to keep the infection contained.
These are the best-case scenarios. The infection may have already been distributed more widely. If so, you must take more significant action to prevent further spreading. Your IT teams must determine the scale of the attack as soon as possible. From there, they can recommend what action to take from a device isolation perspective.
8. Take All Systems with Vital Business Data Offline
Once you have determined which portions of your network are infected, take all healthy systems with important data offline. This ensures the safety of your data as your team works to remove the malware from the affected areas. Even if you have current backups of this data, there's no reason to allow the ransomware to spread and make your clean-up and restoration efforts any more complicated than necessary.
Isolating these files and the drives they reside on may cause a temporary halt to some business processes. It is better to lose a few days' worth of productivity than to compromise sensitive data. Remember that cybercriminals often do more with your data than hold it for ransom. They can publish it to the web for profit or as a repercussion for not paying the ransom. For these reasons, it's best practice to pull your sensitive data offline as soon as possible until your systems are sanitised.
9. Confirm Your Backups Are Safe
Even if you've pulled the majority of your data offline, do check that all your backup files are safe. Most organisations back up their files in three places, and two out of those three are at greater risk of infection.
Localised backup disk arrays can hold backup data on the network for easy restore should devices fail. However, this form of backup is usually the first to succumb to a ransomware attack.
Backups are also stored in the cloud, which can offer additional security. However, the cloud is also vulnerable to a ransomware attack. So, take the necessary steps to ensure that any backups on another network or a cloud server are safe.
Securus offers an immutable backup solution to ensure your cloud archived data is fixed, unchangeable, and cannot be modified, encrypted or deleted, even by ransomware. Check out our article on How Immutable Backups Protect Against Ransomware.
The third backup location should be in the form of physical disks or tapes that are stored offsite and isolated from any network. If your company follows this protocol, then you have recoverable backup files that should be at least recent copies, if not completely current. Regardless, secure all backups to curb the attacker’s leverage to ransom your data under the threat of publishing sensitive data to the internet.
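"Confirm your backups are safe" is only meaningful if you can tell a good backup set from one that ransomware has already reached and encrypted in place. One practical way is a hash manifest: record a SHA-256 digest of every file when the backup is written, store that manifest somewhere the backup share cannot be modified from (offline, or alongside the offsite tapes), and compare against it before restoring. The script below is an added example written for this article, not a tool from the original page or from Securus. It builds the manifest, then applies the kind of damage an attacker does to a reachable backup share (contents replaced, a file deleted, a note dropped) to a constructed sample set, and reports what changed. The directory layout and file contents are constructed for the example. This checks integrity after the fact; it does not make the backup immutable, which is the separate protection the article refers to.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so large backup files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root) -> dict[str, str]:
    """Map each file under backup_root (relative POSIX path) to its SHA-256 digest.
    Produce this at backup time and keep it where the backup share cannot overwrite it."""
    root = Path(backup_root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current backup set against the manifest recorded when it was written.
    'modified' files are the ones most likely to have been encrypted in place."""
    current = build_manifest(backup_root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_restorable(report: dict[str, list[str]]) -> bool:
    """A set is safe to restore from only if nothing recorded in the manifest changed or vanished."""
    return not report["modified"] and not report["missing"]


def demo() -> dict[str, list[str]]:
    """Constructed backup set: record the manifest, damage the set the way a
    ransomware run would, then verify against the original manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_text("CREATE TABLE customers (id INT);\n")
        (root / "db" / "orders.sql").write_text("CREATE TABLE orders (id INT);\n")
        (root / "config.yaml").write_text("retention_days: 30\n")
        manifest = build_manifest(root)  # taken at backup time, stored offline

        # Damage applied for the demonstration: one file's contents replaced with
        # random bytes (standing in for ciphertext), one deleted, one note dropped.
        (root / "db" / "customers.sql").write_bytes(os.urandom(512))
        (root / "db" / "orders.sql").unlink()
        (root / "db" / "RESTORE_FILES.txt").write_text("Your files are encrypted.\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    report = demo()
    for status, files in report.items():
        print(f"{status}: {files}")
    print("restorable:", is_restorable(report))
```

In practice the manifest is written by the backup job and copied off the share immediately; a manifest that lives next to the backups can be rewritten by the same malware that encrypts them, which is exactly why the offsite, network-isolated copy in the third location matters. Running verify_backup against the local disk array and the cloud copy before a restore tells you which of the three locations you can actually trust.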
10. Engage Professional Help
Should you fall victim to a ransomware attack, you must react and recover quickly to secure your data and continue with business as usual. Even if you have a talented IT security team, you may need to bring in a professional service such as Securus Communications to ensure timely recovery. In addition to handling the current issue, we can help you build your security defences to avoid future attacks.
As discussed earlier, you must remove the malware from your systems even if you have backup files ready to go. In addition, as ransomware professionals, we are current on the types of malware and the proven remedies to remove them and can recommend the best recovery options to mitigate the specific malware infecting your system.
Statistically speaking, your company will most likely be hit with a ransomware attack at some point. The key to recovery is making sure you understand how to recover from a ransomware attack and have a clear recovery plan to follow. Even with this in place, you may still need to call in professional help to ensure a smoother recovery and complete removal of the malware from your system. This is where Securus Communications can help, so please get in touch if you require our knowledge and assistance.