What to do When Hit by Ransomware
So you’ve seen the ransomware display note on your computer. A ransomware attack can be a stressful and disruptive incident for individuals and businesses alike. We’ve seen a lot of companies make mistakes causing the ransomware to be longer and more expensive than it should have been.
This guide provides a step-by-step approach on what to do after a ransomware attack, helping affected parties respond effectively and mitigate the impact.
1. Identify and Isolate the Ransomware Infection
Upon detecting ransomware, isolate the affected systems immediately. Disconnect it from the network and/or internet to prevent the ransomware exfiltrating data and from spreading to other devices. If you detect the ransomware while it is still encrypting systems you can attempt to kill the processes or shutdown systems to stop the encryption, but you risk deleting evidence that you’ll need later.
If the systems are already encrypted (locked up), DO NOT delete files or turn off systems. You may need this evidence to investigate how it happened, what vulnerabilities were exploited, what/who’s information was accessed, and for other legal/compliance reasons.
2. Seek Professional Ransomware Help
Contact cybersecurity professionals that specialize in ransomware and/or cybersecurity incident response experts (like us) to assist in assessing and handling the situation. We can provide guidance to you and your IT team on the recovery process below; perform digital forensics to determine what happened, restore operations, etc.
Cybersecurity Incident Response Experts can make recovery much quicker. The shorter the breach lifecycle, the less costly it will be. You don’t want to find yourself playing a game of whack-a-mole.
3. Investigate the Ransomware Attack
Determine what happened and the extent of it. Prevent the recovery process from turning into whack-a-mole. Digital forensics experts (like us) can help you determine:
What vulnerabilities were exploited?
Did the cyber criminals engineer any persistence mechanisms or backdoors into your network?
What/who’s information was accessed for compliance with data breach disclosure and/or data breach notification laws?
Were backups infected?
The last clean backups
Information for legal defense and/or other litigation
4. Public Relations:
The chances are there are going to be some business interruptions which can range in severity depending on the nature of your business and the breach. You’ll need to carefully communicate this with the stakeholders. The right communication can make all the difference in your customers’ eyes. This is something our team can help with.
5. Consider Reporting the Ransomware Incident to Law Enforcement
It is unlikely that reporting the ransomware attack to law enforcement authorities, such as the local police or the FBI’s Internet Crime Complaint Center (IC3) will get you much help if you are a small business.
Although there is always the small possibility that the FBI has infiltrated the ransomware group responsible and may have the decryption keys. Outside of that it’s pretty much like any other low priority police report.
6. Avoid Paying the Ransom
If you can avoid paying the ransom, don’t pay it. Paying the ransom won’t change the breach disclosure and reporting requirements and paying it encourages targeting you again; you’ll basically be added to the ransomware group’s CRM; a list of companies that pay ransoms. Although, there is some use in negotiating the ransom, even if you’re not going to pay it. It can help determine more information about what happened, confirm what information they’ve stolen, etc.
Although we understand, you’re in a bind, and sometimes paying the ransom is the best option. If you do choose to pay we can help you negotiate.
Its important to confirm what ransomware group you’re dealing with. With major ransomware groups, their reputation for honoring their word is part of their business model; they want to make it more likely that victims will pay. There is no guarantee that paying it will lead to the recovery of your data, or that they won’t post the data they stole from you on the dark web, so its all dependent upon reputation.
If you do pay, the recovery process will vary in length depending upon the complexity of your IT environment.
7. Remediate the Exploited Vulnerabilities & Revoke Access
Before continuing the recovery process, it's important to remediate any vulnerabilities that were exploited and revoke any other unauthorized access mechanisms, otherwise it's likely that you’ll be successfully re-targeted or the cyber criminals will persist in your network.
8. Restore from Backups
If available, use unaffected and secure backups to restore your data. Ensure the backups are clean and free from any traces of the ransomware before restoration. Ransomware will often infect backups before making themselves known.
Another option is to wipe and (factory) reset all the systems, if there is not a lot of important information on the system, like if most is stored in an unaffected system, this may be the best bet.
9. Enhance Security Measures
Review and strengthen security measures to prevent future attacks. Update security software, conduct employee training on cybersecurity best practices, and implement robust security protocols.
10. Monitor Systems
Over half of ransomware victims are retarted within a few months of the ransomware attack. Continuously monitor systems for any signs of suspicious activity post-attack. Furthermore in more complicated cases, the investigations may not always be 100% conclusive, so monitoring is imperative.
11. Legal Disclosures
There is a mesh of state breach notification and breach disclosure laws with different requirements and deadlines. There are also other disclosure requirements in the data security and data privacy laws for regulated industries; HIPAA, FINRA, etc.
If people’s information was accessed, you’ll need to disclose that to the affected parties. Depending on how many people’s information was exposed and what states they live in, you may need to report it to the different state attorney generals.
We suggest hiring a cybersecurity/data privacy attorney. We know some good ones.
12. Educate and Train Employees
Educate employees with role based cybersecurity awareness training ranging from recognizing phishing attempts and maintaining cybersecurity hygiene to secure coding and more technical practices.
13. Stay Informed and Prepared
Need Help after being Hit by Ransomware?
We provide Quick Cybersecurity Incident Response services for Ransomware Attacks. We can help investigate, remediate, and recover as quick as possible. Call our Cybersecurity Emergency Hotline!