How to Respond to a Ransomware Attack – A Framework for Companies
Ransomware attacks can have devastating consequences for an organization. Some companies could not retrieve all their lost data even after paying the ransom (let’s face it, attackers do not set up a support team to help you get your data back once they have your money). Others have faced follow-on ransom demands from the same attackers.
According to SonicWall, there were 493.3 million ransomware attacks worldwide in 2022, more than 200 million of them in the US alone. Although the number of attacks fell more than 20% from 2021 (largely due to better prevention and response), attackers have responded by demanding larger ransoms. Ransomware poses a clear and present danger to businesses, governments, healthcare providers, and educational institutions worldwide.
An ounce of prevention is worth a pound of cure
The reality is that prevention offers a better ROI than reacting to an attack. Companies should also plan for WHEN an attack occurs, not IF: assuming an attack is inevitable brings the urgency needed to prioritize safeguards and get them in place quickly.
All companies should have security plans to protect themselves from ransomware attacks. Keeping security updates current on your devices and networks, enforcing cyber-hygiene practices across the organization, and regularly performing and testing backups (kept offline or immutable, so an attacker who reaches your network cannot encrypt or delete them too) can minimize the impact of an attack when it does occur.
Keeping devices up to date is critical. For example, the Log4j (Log4Shell) attacks of late 2021 exploited a vulnerability for which a fix was released promptly; the systems that were hit were the ones that had not applied it. Firewalls can only help so much. The sheer number of out-of-date servers and devices is what drove the severity of those attacks.
That said, many ransomware intrusions do not start with a system or network vulnerability at all. Often the entry point is a user who falls for a phishing email or other social engineering, such as a malicious attachment or a credential-harvesting link. User education therefore belongs near the top of your prevention list: train employees to recognize and report phishing, since email remains one of the primary delivery avenues for ransomware.
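The Log4j point above is really an inventory problem: you cannot patch what you do not know you have. The script below is an added example, not code from the original article or from ArcherPoint; it walks a directory tree, reads the version of every log4j-core jar it finds (from the jar's manifest, falling back to the file name), and flags anything below a baseline version. The baseline constant, the directory layout, and the sample jars it builds in a temporary directory are all constructed for the demonstration.

```python
"""Inventory log4j-core jars on disk and flag versions older than a patched baseline.
Added example, not part of the original article; the sample jars it builds are constructed."""
import os
import re
import tempfile
import zipfile

# Assumed policy baseline: anything below this is reported as unpatched.
# Adjust to the fixed version your organization has standardized on.
PATCHED_BASELINE = (2, 17, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")
_NAME_RE = re.compile(r"^log4j-core-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); anything else (rc/beta tags, garbage) -> None."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def jar_version(path):
    """Read Implementation-Version from META-INF/MANIFEST.MF; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                version = parse_version(line.split(":", 1)[1])
                if version:
                    return version
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # corrupt jar or no manifest: try the file name instead
    m = _NAME_RE.match(os.path.basename(path))
    return parse_version(m.group(1)) if m else None


def scan_tree(root, baseline=PATCHED_BASELINE):
    """Walk root and return sorted (path, version, status) for every log4j-core jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not (name.startswith("log4j-core") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            if version is None:
                status = "unknown"      # needs a human look; do not assume it is fine
            elif version < baseline:
                status = "unpatched"
            else:
                status = "ok"
            findings.append((path, version, status))
    return sorted(findings)


def make_jar(path, impl_version=None):
    """Write a minimal jar whose manifest optionally carries Implementation-Version."""
    manifest = "Manifest-Version: 1.0\n"
    if impl_version:
        manifest += f"Implementation-Version: {impl_version}\n"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def demo():
    """Build a constructed sample tree (not a real deployment) and return {relative path: status}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    samples = {
        "app1/lib/log4j-core-2.14.1.jar": "2.14.1",  # vulnerable to Log4Shell, never patched
        "app2/lib/log4j-core-2.17.1.jar": "2.17.1",  # at the baseline
        "app3/lib/log4j-core.jar": None,             # no version in manifest or name
    }
    for rel, impl in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        make_jar(path, impl)
    return {os.path.relpath(path, root).replace(os.sep, "/"): status
            for path, _, status in scan_tree(root)}


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:9} {rel}")
```

Two practical notes. An "unknown" result is a finding, not a pass: a jar with no readable version needs a person to look at it. And matching on the file name misses log4j classes that were shaded into an application's own jar or packed inside a war or ear file, which is why the production scanners released during Log4Shell looked for the vulnerable class inside archives rather than trusting names; treat this script as the first sweep, not the last.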
What to do in the event of a ransomware attack
If your organization does fall prey to a ransomware attack, it is crucial to respond quickly to minimize the impact. Below are some recommended actions to take in the event of an attack:
- Isolate and Disconnect – Disconnect affected systems from the network (unplug the cable, disable Wi-Fi, or block them at the switch or firewall) to stop the spread. Where you can, leave them powered on: volatile memory can hold evidence, and sometimes the encryption keys, that a reboot destroys.
- Assess the Impact – Determine the scope and severity of the attack and identify the systems, files, and data that might have been affected. Evaluate the impact on operations, company assets, and any intellectual property or customer information that might have been compromised. Check for data theft as well as encryption, since many ransomware groups now exfiltrate data first and threaten to publish it.
- Report the Attack – Notify all internal stakeholders promptly, including IT, management, and legal. Determine whether the incident must also be reported to law enforcement, regulators, or your cyber-insurer; many breach-notification rules and insurance policies impose deadlines.
- Bring in Experts – Involve cybersecurity experts specializing in ransomware attacks to help with investigation, containment, and recovery.
- Preserve Evidence – Before rebuilding anything, capture what is still intact: disk and memory images of affected hosts, logs from endpoints, servers, firewalls, VPNs, and identity providers, and the ransom note itself. Record a cryptographic hash of each item as you collect it so that its integrity can be demonstrated later.
- Communicate with Stakeholders – Be transparent. Regularly communicate with employees, customers, suppliers, and other stakeholders about the incident, the actions being taken, and the possible impact on them.
- Restore from Backups – Rebuild affected systems from backups known to be clean. NOTE: attackers commonly have access for days or weeks before they trigger encryption, and backups taken during that window can already contain their tools and persistence. Use backups that predate the intrusion, not just the encryption event, and scan restored systems before reconnecting them.
- Consider Your Options – Decide whether your organization will pay the ransom. There are legal risks (in the US, paying a sanctioned entity can violate OFAC rules) and ethical ones, and payment guarantees nothing: you may receive a decryptor that is slow, buggy, or incomplete, or none at all. Involve legal counsel, law enforcement, and your incident response experts before deciding.
- Conduct a Review – Perform a thorough review of the incident, including how the attacker got in and why existing controls did not stop them. Identify the weaknesses in your security and in your response, then update your security measures based on the results.
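The "Preserve Evidence" step above depends on being able to prove later that nothing collected was altered. The script below is an added example, not code from the original article or from ArcherPoint: it hashes every file in an evidence directory into a manifest at collection time, then re-checks the directory against that manifest and reports anything modified, missing, or added. The sample log lines and ransom note it writes are constructed for the demonstration, as is the simulated clean-up mistake at the end.

```python
"""Hash manifest for collected evidence: record each file as collected, then prove it is unchanged.
Added example, not part of the original article; the sample evidence it writes is constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images and logs need not fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk_relative(root):
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def build_manifest(evidence_dir, collector):
    """Hash every file under evidence_dir. Keep the returned manifest outside that directory
    (signed, or on write-once media) so it cannot be edited along with the evidence."""
    files = {}
    for rel, path in _walk_relative(evidence_dir):
        st = os.stat(path)
        files[rel] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        }
    return {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": files,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash the directory against the manifest. Returns {relative path: problem};
    an empty dict means every item is present, unchanged, and nothing was added."""
    problems = {}
    for rel, meta in manifest["files"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path):
            problems[rel] = "missing"
        elif sha256_file(path) != meta["sha256"]:
            problems[rel] = "modified"
    for rel, _ in _walk_relative(evidence_dir):
        if rel not in manifest["files"]:
            problems[rel] = "unexpected"  # appeared after collection: custody is no longer clean
    return problems


def demo():
    """Constructed evidence (not from a real incident), then a simulated post-collection mistake."""
    evidence = tempfile.mkdtemp(prefix="evidence-")
    samples = {
        "logs/auth.log": "Mar 03 02:14:07 fs01 sshd[4122]: Accepted password for svc_backup from 10.0.5.23 port 51412\n",
        "logs/security-4624.txt": "EventID 4624 LogonType 10 TargetUserName svc_backup IpAddress 10.0.5.23\n",
        "notes/README_TO_RESTORE.txt": "Your files have been encrypted.\n",
    }
    for rel, text in samples.items():
        path = os.path.join(evidence, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)
    manifest = build_manifest(evidence, collector="ir-team")
    before = verify_manifest(evidence, manifest)  # expected: {}
    # Someone "tidies up" after collection: appends to a log and deletes the ransom note.
    with open(os.path.join(evidence, "logs/auth.log"), "a", encoding="utf-8") as f:
        f.write("Mar 03 09:00:00 fs01 logrotate: rotated\n")
    os.remove(os.path.join(evidence, "notes/README_TO_RESTORE.txt"))
    after = verify_manifest(evidence, manifest)
    return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("before:", before)
    print("after:", after)
```

The manifest is only as trustworthy as its own custody: write it somewhere the people handling the evidence cannot edit, record its hash in the incident log, and have a second person re-run the verification before anything is handed to investigators, insurers, or a court. Note also that the check is deliberately strict about unexpected files, because an evidence folder that grew after collection is as hard to defend as one that shrank.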
Next Steps
All organizations should already be actively securing their networks, devices, and data to prevent cyberattacks. Engage with cybersecurity experts to confirm that your business is protected, that your backups actually restore, and that your employees are trained in proper security practices.
For more information on network security and ransomware attacks, read our blogs:
- Azure Provides Security to Prevent Ransomware Attacks
- Ransomware ‘Gangs’ Are Maturing, So Should Your Company Cybersecurity Policies
- Cybersecurity Business Policies Moved Forward in 2022 But Need to Improve
Watch our webinar, Demystifying Cybersecurity, to learn how to start protecting your organization now and what to consider in your cybersecurity strategy, including endpoint management, password health, managed detection/response, backups, disaster recovery, and user education.
Be sure to check out the excellent resources from the SANS Institute on ransomware prevention.
Finally, find out more about ArcherPoint’s Cybersecurity Assessments. We will review and test your disaster recovery plans, assess your cybersecurity vulnerability, make recommendations, and help you with cybersecurity training and awareness.