background image


Responding to a Ransomware Attack


Ransomware is a costly business and organizations are becoming increasingly concerned that their systems and data may one day fall victim to a ransomware attack. Among 582 surveyed cybersecurity professionals, 50% of them didn’t believe their organizations had sufficient protection in place to repel a ransomware attack. These concerns are valid when you consider the alarming statistic that a new organization will fall victim to ransomware every 14 seconds in 2019, and projected to become as low as 11 seconds by 2021.

For businesses, preventative measures are essential for thwarting attack attempts in first place and a rehearsed disaster recovery plan helps minimize overall loss for the organization. Nevertheless, regardless of the ransomware prevention and protections in place, companies may still fall short and, in the event of a compromise, appropriate personnel must be ready with a proactive response, removal, and recovery plan.

1. Gather Information and Identify the Source

The critical first step in the event of a ransomware attack is to remain calm. Take the time to make notes about the attack, what the malicious party is requesting, while taking photos of what the message looks like. Look for key clues to identify what type of ransomware you’ve been infected with. There are several ransomware identification tools available that have a database with common encryption extensions gathered from popular ransomware such as WannaCry, CryptoLocker Petya, and more.

At this point, the source of the attack may be isolated to a single host, or it could be infecting your company at multiple endpoints. Identify what devices have been compromised, what files have been encrypted, and how wide spread the attack is. This is where concise and clear communication is key, as everyone must do their part to ensure the attack is contained.

2. Isolate the Attack

Once the source(s) of the attack have been identified, it’s important to isolate these from the environment to prevent further damages. This may mean unplugging from the network both physically and wirelessly, removing the power source, extracting infected drives, or booting into safe mode if possible. The objective of this step is to, at all cost, keep the damages and extent of the compromise as contained as possible. An extension of this step is to ensure that if the ransomware was triggered by a phishing email or malicious link, that this is flagged and notified to employees immediately to prevent more devices and files from becoming infected.

3. Consult and Consider Your Options

Before any executive decisions can be made, it is pivotal to notify the appropriate personnel for updated information about the attack. This may include your company’s IT/security department, the authorities, and depending on the organization, your security team lead, CISO, or equivalent.

Once the impact and severity of the compromise is under control, it’s time to start considering the course of action. As mentioned, it is fundamental to understand that preparation in the event of an attack is one of the best strategies for responding and recovering from one. This ultimately gives you more alternatives if your company is hit with ransomware. It should be noted however, that your options are reliant on a variety of factors including the size of your company, the cost of potential downtime and lost revenue, the number of affected assets, and more.

a. Wipe & Recover from Backups

Companies should have offline, external backups and copies of critical data, segregated from the original data so that if any type of disaster occurs the company can attempt to minimize loss. If this is applicable to your business, then you could start to consider this option. Contingent upon whether the malicious party was able to encrypt all original copies and their corresponding backups across each system and branch, this might not be a viable solution. Therefore, it’s important to evaluate the amount of effort and downtime this alternative will cost your company. If the cost to wipe, reimage, and restore from backups/restoration points, in addition to lost revenue from taking your company offline will impair your organization more than paying the ransom, that is something that must be assessed.

b. Attempt to Decrypt Files

If you were able to identify the type of ransomware from the first step and research reveals there are existing and trusted tools that attempt to decrypt your files, then it may be worth it to further investigate this option. Again, there are pitfalls with trusting third-party software with the decryption of your files. One must consider price, legitimacy, and reliability of the tool before carefully exploring this option.

c. (Don’t) Pay the Ransom

If your company didn’t employ correct measures to recover in the event of an attack, there’s no way to recover the files, and each minute that passes where your company is not responding is resulting in significant damage, paying the ransom comes into consideration. There are severe warnings that come with this option however, and that is even if the ransom is paid, there is no guarantee that the files will actually be recovered or decrypted. In 2018, it was calculated that only about 50% of victims that decided to pay the ransom demand actually got their data back. If your company decides to pay the ransom however, you’re obligated to inform the law enforcement of such.

Though, many security experts suggest against paying the ransom, as it only promotes success statistics and further encourage hackers to partake in this culture and economy. For many organizations however, rolling the dice on paying the ransom becomes ultimately a more realistic and cheaper decision than venturing other opportunities. It should be noted though, that if your company is even in the position where it must explore this option, your security team should take the time to evaluate your security posture, understand your vulnerabilities, and devise an efficient response plan.

At the end of the day, it is about considering what option is best for your company by weighing the factors. What option gives your organization the best possibility to stay afloat, while minimizing the cost of downtime, and impacting your clients/customers the least.

4. Learn from Mistakes

From Step 1, your company must fully understand what weaknesses or vulnerabilities within your business allowed for this attack to take place. Note down how the process of response and recovery went, what can be improved for next time, and determine what mitigation strategies can be implemented to ensure that this attack vector is eliminated.

Though delivering ransomware is a unique type of attack, the avenues through which it is distributed are similar to how malicious parties gain unauthorized access to your company’s sensitive data. If your business is not versed with employee awareness training and proper security practices, and you lack a full-proof plan to respond to such attack, then you may be more vulnerable than you think. For more information on how to prepare and deal with ransomware, please contact us today.