Posted On: December 1, 2020
10 Steps to Take After Falling Victim to a Ransomware Attack
Find out what you should do when your company experiences a ransomware attack.
With more people working remotely due to the global pandemic, ransomware attacks have increased 715% year over year. Additionally, the FBI says ransomware is one of the fastest-growing threats. This rise in attacks is fueled by many factors, including the dramatic increase in ransomware payments and bad actors who are becoming more targeted, smarter, and sophisticated.
What is Ransomware?
Ransomware is a form of malware that encrypts a company’s files, according to Chief Security Magazine (CSO). The attacker then demands a ransom to restore access to the data upon payment. Users are shown instructions for how to pay a fee to get the decryption key, and costs can be high. A survey of organizations affected by ransomware attacks found the average cost of a ransomware attack is in the millions of dollars.
How Big of a Threat is Ransomware?
Ransomware attacks significantly impact a company’s business processes. These incidents leave organizations without the data they need to operate. The attacks usually take down a company’s mission-critical applications and services, preventing them from serving their customers. To put it into context, businesses fall victim to a ransomware attack every 14 seconds. If your company hasn’t experienced an attack, it’s only a matter of time, according to one former law enforcement leader.
“For it is no longer a question of ‘if’, but ‘when’ and ‘how often’. I am convinced that there are two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
— Robert Mueller, Former FBI Director
How Does a Typical Ransomware Attack Go Down?
After breaking into a network, attackers wait before attacking. They search for at least three days to identify the crown jewels of an organization such as mission-critical applications like SAP, Oracle E-Business Suite, and JD Edwards. These malicious actors are able to move around in your IT environment to discover and encrypt important applications to demand higher ransoms and increase their profit.
Bad actors often attack outside of normal business hours, such as late at night on weekends (e.g., 2 a.m. on Sunday morning). Hackers launch their attack at this time because they know the company’s response and remediation will be slower.
What are the 10 Steps You Should Do After a Ransomware Attack Occurs?
There are 10 critical steps you should take immediately following a ransomware attack. Let’s dive into each of these steps.
Step #1 | Confirm the Ransomware Attack
It’s important to confirm whether the event was actually an attack. Many incidents are a result of phishing or malware incidents but not specifically ransomware. If it’s ransomware, you should confirm if the files are encrypted or locked.
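One way to triage whether files on an affected share are actually encrypted, as an added example that is not part of the original article. It compares each file's leading bytes with what its extension promises and measures the entropy of the content; the `MAGIC` table, the 7.5 bits-per-byte threshold, the `.locked` extension and all sample files are assumptions constructed for illustration.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Leading "magic" bytes expected for a few common extensions (small sample).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample: int = 65536, threshold: float = 7.5) -> str:
    """Return 'intact', 'likely-encrypted' or 'inconclusive' for one file."""
    with path.open("rb") as f:
        head = f.read(sample)
    magic = MAGIC.get(path.suffix.lower())
    if magic is not None and head.startswith(magic):
        return "intact"  # header matches what the extension promises
    # Wrong or unknown header: near-random content suggests encryption.
    return "likely-encrypted" if entropy(head) >= threshold else "inconclusive"


def demo() -> dict:
    """Constructed samples standing in for files pulled from an affected share."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    samples = {
        "invoice.pdf": b"%PDF-1.7\n" + b"constructed sample body\n" * 50,
        "report.pdf": noise,              # PDF name, random-looking content
        "budget.xlsx.locked": noise,      # constructed appended extension
        "readme.locked": b"plain text, constructed\n" * 50,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_bytes(body)
        return {name: classify(Path(tmp) / name) for name in samples}


if __name__ == "__main__":
    print(demo())
```

High entropy alone also matches legitimately compressed or encrypted archives, so treat the result as a triage signal alongside ransom notes and renamed extensions, and run it against a read-only copy or image rather than the live system.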
Step #2 | Assemble Your Incident Response Team
This incident response team should consist of members of your C-suite or executive team, IT staff, marketing, public relations agencies, and legal teams. And of course, you should bring in the ransomware professionals. Is everyone aware of the ransomware attack? Are they ready to tackle the response efforts? Time is of the essence so it’s important to have the list of team members created ahead of time.
Step #3 | Analyze the Attack
The next step is to scope the incident and figure out which applications, networks, and systems were affected. How actively is the malware spreading? It’s important to identify associated entities to determine if ransomware payment is possible. Sometimes, law enforcement such as the FBI steps in and you are prevented from paying the ransom.
Step #4 | Contain the Incident
Once you analyze the attack, the next step is to contain the incident by disconnecting infected systems from the network to ensure the attack doesn’t spread to other computers and devices. Make sure backups are secure and free of malware. Look at the evidence such as log files, system images, and the recoverable encryption key.
It’s important to document evidence for insurance and the government. You should check your evidence frequently to make sure it is still around, especially if the attack is still active. Hackers may try to cover their tracks. You should figure out if the hackers are present in your environment. If they moved around for a while without you noticing, they could still be doing that.
Additionally, you should document how quickly the incident was detected so you have that information for your key stakeholders, insurance, and law enforcement.
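A way to make the "check your evidence frequently" advice in this step concrete, as an added example that is not part of the original article: record a SHA-256 manifest when evidence is collected, then re-verify it to see whether anything has been deleted or altered. The function names, directory layout and sample log files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path) -> dict:
    """Record a SHA-256 and size for every file under evidence_dir."""
    files = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(evidence_dir).as_posix()
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {"collected_utc": datetime.now(timezone.utc).isoformat(), "files": files}


def verify_manifest(evidence_dir: Path, manifest: dict) -> dict:
    """Compare the current files with the manifest taken at collection time."""
    old, new = manifest["files"], build_manifest(evidence_dir)["files"]
    return {
        "missing": sorted(old.keys() - new.keys()),
        "modified": sorted(n for n in old.keys() & new.keys()
                           if old[n]["sha256"] != new[n]["sha256"]),
        "unexpected": sorted(new.keys() - old.keys()),
    }


def demo() -> dict:
    """Constructed sample: two evidence files, then one altered and one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth.log").write_text("constructed: failed login for admin\n")
        (root / "edr_alerts.json").write_text('{"constructed": true}\n')
        manifest = build_manifest(root)
        (root / "auth.log").write_text("constructed: entries wiped\n")
        (root / "edr_alerts.json").unlink()
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest is only useful if it is stored somewhere the attacker cannot reach, such as offline or write-once storage separate from the affected environment.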
Step #5 | Perform a Comprehensive Investigation
Next, you should identify what ransomware strain is used. There are a lot of ransomware strains to look out for, such as STOP (DJVU), Dharma, Phobos, GlobeImposter, REvil, and GandCrab. Determine potential risks and recovery options. How strong is the ransomware encryption? You may want to look into the No More Ransom initiative. It is a partnership between law enforcement and IT security companies. It helps ransomware victims recover files where possible.
Step #6 | Contact Law Enforcement
After you perform your internal investigation, you should report the ransomware attack to law enforcement such as the FBI, the Multi-State Information Sharing and Analysis Center, and the Internet Crime Complaint Center. You should involve law enforcement if the case is a high-impact incident or data breach. Law enforcement experts can provide you with guidance on next steps, depending on what criminal organization is involved in the attack. You should also hire a third-party company like Syntax who can assist with Ransomware Response Services. In partnership with CrowdStrike, Syntax has developed a ransomware attack response strategy and process.
Step #7 | Eliminate Malware and Recover
Now you need to wipe the infected systems and restore lost data from your backups. It’s important to change the passwords for all accounts, especially your network and system passwords. Remove devices or systems from the network and then change passwords again once the malware is completely removed.
Step #8 | Perform Post-Incident Activities
Adhere to regulatory and breach notification requirements. Verify restoration of backups to ensure all applications, data, and systems are accounted for. Identify any exposure of customer data and prepare the legal notifications required under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other laws.
Step #9 | Organize a Lessons Learned Meeting
Discover and analyze why the ransomware attack happened. Make sure the same vulnerabilities cannot be exploited in the future. Perform additional security awareness training and establish or revise security policies. Also, create or refine your ransomware incident plan. You may need to develop one or revisit your existing plan. Also, update the plan based on your key lessons learned.
Step #10 | Set Up a Security Operations Center (SOC)
Set up a SOC internally for future security incidents or partner with a managed services provider who has a SOC that can help you around the clock. For example, all of Syntax’s security services are managed and monitored by our team 24/7. Our customers find this critical because acquiring and retaining talented security professionals in today’s competitive environment is challenging. By using our SOC, you can transfer heavy lifting of security analysis for your IT environment to Syntax. We provide our clients with an industry-leading suite of security tools so your IT staff can focus on running your business.
Invest in an Endpoint Detection and Response (EDR) Solution
To protect your company from ransomware, you should purchase an EDR solution that provides advanced algorithms for detecting and containing ransomware based on the bad actors’ behavior. Ransomware is a file encryption process that many popular anti-virus (AV) solutions such as McAfee and Symantec allow and that EDR solutions are designed to stop. There’s a lot of heavy lifting with EDR, so you should consider hiring a third-party provider who can manage the solution in a Managed EDR model.
Bringing It All Together
Cyber criminals can make thousands or even millions of dollars from one attack on an enterprise. With hackers becoming more sophisticated and targeted, it’s important to protect your company from a ransomware attack.
To learn more about how we can help you better secure your company, watch our Ransomware on-demand webinar, download our ultimate guide to IT security, or visit our resources page. You can also contact us today to find out how we can protect your company from ransomware around the clock with our Security Solutions and Services.