News your company never wants to hear―you’ve been the victim of a ransomware attack, and now you’re wondering what to do next.
The first thing to keep in mind is you’re not alone. Over 17 percent of all cyberattacks involve ransomware—a type of malware that keeps a victim’s data or device locked unless the victim pays the hacker a ransom. Of the 1,350 organizations surveyed in a recent study, 78 percent suffered a successful ransomware attack.
Ransomware attacks use several methods to infect networks or devices, including tricking individuals into clicking malicious links in phishing emails and exploiting vulnerabilities in software and operating systems, such as weaknesses in remote access services. Cybercriminals typically request ransom payments in Bitcoin and other hard-to-trace cryptocurrencies, providing victims with decryption keys on payment to unlock their devices.
The good news is that in the event of a ransomware attack, there are basic steps any organization can follow to help contain the attack, protect sensitive information, and ensure business continuity by minimizing downtime.
Initial Ransomware Response
Determine which systems were impacted, and immediately isolate them.
If you cannot disconnect a device from the network, power it down to stop the ransomware from spreading further (disconnecting is preferable where possible, since powering down discards volatile memory that may hold forensic evidence).
Triage impacted systems for restoration and recovery.
Examine existing organizational detection or prevention systems (e.g., antivirus, EDR, IDS/IPS) and their logs.
Notify your security team.
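The first two steps above, working out which systems were impacted and deciding which to isolate first, usually mean reading the logs from the detection systems mentioned in step four. The script below is an added example, not part of the original article or any vendor product: it runs a few defender-side ransomware indicators (a burst of extension-changing renames on one host, a dropped ransom-note file, shadow-copy deletion, an antivirus signature hit) over constructed EDR-style log lines and produces an isolation queue ordered by severity. The log format, event names and thresholds are assumptions for this example; real EDR exports will differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EDR log lines for this example (not from any real product).
# Assumed format: "<ISO-8601 UTC timestamp> host=<name> event=<type> key=value ..."
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z host=ws-101 event=file_rename old=q1.xlsx new=q1.xlsx.locked
2024-05-01T08:00:02Z host=ws-101 event=file_rename old=q2.xlsx new=q2.xlsx.locked
2024-05-01T08:00:02Z host=ws-101 event=file_rename old=notes.docx new=notes.docx.locked
2024-05-01T08:00:03Z host=ws-101 event=file_rename old=budget.pptx new=budget.pptx.locked
2024-05-01T08:00:03Z host=ws-101 event=file_rename old=plan.pdf new=plan.pdf.locked
2024-05-01T08:00:04Z host=ws-101 event=file_create name=README_RECOVER_FILES.txt
2024-05-01T08:00:05Z host=ws-101 event=shadow_copy_delete
2024-05-01T08:05:00Z host=ws-102 event=file_rename old=draft.docx new=draft_v2.docx
2024-05-01T08:06:00Z host=srv-files event=av_detect signature=Ransom.Generic action=quarantined
2024-05-01T09:30:00Z host=ws-104 event=file_rename old=a.txt new=a.txt.bak
2024-05-01T10:30:00Z host=ws-104 event=file_rename old=b.txt new=b.txt.bak
"""

# Detection thresholds: assumptions chosen for this example, tune them to your estate.
RENAME_BURST_COUNT = 5                        # this many extension-changing renames...
RENAME_BURST_WINDOW = timedelta(seconds=60)   # ...within this window on one host
RANSOM_NOTE_RE = re.compile(r"(recover|decrypt|restore|readme).*\.(txt|html?)$", re.I)
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts' plus its key=value fields."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _has_burst(times):
    """True if RENAME_BURST_COUNT timestamps fall inside one RENAME_BURST_WINDOW."""
    times = sorted(times)
    for i in range(len(times) - RENAME_BURST_COUNT + 1):
        if times[i + RENAME_BURST_COUNT - 1] - times[i] <= RENAME_BURST_WINDOW:
            return True
    return False


def triage(log_text):
    """Return {host: {"severity": ..., "reasons": [...]}} for hosts with ransomware indicators."""
    renames = defaultdict(list)     # host -> timestamps of extension-changing renames
    findings = defaultdict(dict)    # host -> reason -> severity

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host, event = rec["host"], rec["event"]
        if event == "file_rename":
            # A normal rename keeps the extension; bulk encryption usually changes it.
            if _ext(rec["old"]) != _ext(rec["new"]):
                renames[host].append(rec["ts"])
        elif event == "file_create" and RANSOM_NOTE_RE.search(rec.get("name", "")):
            findings[host]["ransom note dropped"] = "medium"
        elif event == "shadow_copy_delete":
            findings[host]["shadow copies deleted"] = "critical"
        elif event == "av_detect" and "ransom" in rec.get("signature", "").lower():
            findings[host]["antivirus ransomware signature hit"] = "high"

    for host, times in renames.items():
        if _has_burst(times):
            findings[host]["mass extension-changing rename burst"] = "critical"

    report = {}
    for host, reasons in findings.items():
        top = max(reasons.values(), key=SEVERITY_RANK.__getitem__)
        report[host] = {"severity": top, "reasons": sorted(reasons)}
    return report


def isolation_queue(log_text):
    """Hosts to isolate first: highest severity first, then by name for a stable order."""
    report = triage(log_text)
    return sorted(report, key=lambda h: (-SEVERITY_RANK[report[h]["severity"]], h))


if __name__ == "__main__":
    report = triage(SAMPLE_LOGS)
    for host in isolation_queue(SAMPLE_LOGS):
        print(f"{host}: {report[host]['severity']} -> {', '.join(report[host]['reasons'])}")
```

On the constructed sample, ws-101 lands at the top of the queue on three independent indicators, srv-files follows because the antivirus quarantine may have been a partial block rather than a clean stop, and the two hosts with ordinary renames are left alone. The point of the window-based burst rule is that it keys on the behaviour (many files changing extension in seconds) rather than on any one extension string, so it survives a new strain using a new suffix.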
Containment and Eradication
Now that you’ve isolated affected devices, you’re likely eager to unlock your devices and recover your data. While eradicating ransomware infections can be complicated to manage, particularly the more advanced strains, the following steps can start you on the path to recovery.
If you’ve been lucky enough to remove the ransomware infection, it’s time to start the recovery process.
Start by updating your system passwords, then recover your data from backups. You should always aim to have three copies of your data in two different formats, with one copy stored offsite. This approach, known as the 3-2-1 rule, allows you to restore your data swiftly and avoid ransom payments.
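The 3-2-1 rule is easy to state and easy to drift away from, and a backup that the ransomware reached and encrypted is no backup at all. The following is an added example, not part of the original article: it checks a small backup inventory against the three conditions of the rule and additionally verifies each copy against a recorded content hash, so a copy that was silently overwritten or encrypted is flagged before anyone relies on it in a restore. It also goes slightly beyond the rule as stated above by checking for at least one immutable copy. The BackupCopy fields and the sample inventories are constructed for this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    label: str        # where this copy lives (hypothetical names below)
    media: str        # media type, e.g. "disk", "tape", "object-storage"
    offsite: bool     # stored at a different site from production
    immutable: bool   # write-once / retention-locked, so a compromised host cannot overwrite it
    content: bytes    # the bytes actually held by this copy (constructed inline here)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_3_2_1(copies, expected_digest):
    """Return (ok, problems) for a backup inventory.

    The three 3-2-1 conditions: at least 3 copies, on at least 2 media types,
    with at least 1 copy offsite.  Two extra checks (an assumption of this
    example): at least one copy is immutable, and every copy's content hash
    matches the digest recorded when the backup was taken.
    """
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one media type ({', '.join(sorted(media)) or 'none'}), need 2")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    if not any(c.immutable for c in copies):
        problems.append("no immutable copy: ransomware that reaches the backup target could overwrite it")
    for c in copies:
        if sha256_hex(c.content) != expected_digest:
            problems.append(f"{c.label}: content hash mismatch (corrupted or encrypted?)")
    return (not problems, problems)


# Constructed sample data: the original dataset and its recorded digest.
ORIGINAL = b"payroll-2024-q1: 1,230 records\n"
RECORDED_DIGEST = sha256_hex(ORIGINAL)

# A compliant inventory: three copies, two media types, one offsite and immutable.
GOOD_INVENTORY = [
    BackupCopy("primary-nas", "disk", offsite=False, immutable=False, content=ORIGINAL),
    BackupCopy("tape-vault", "tape", offsite=True, immutable=True, content=ORIGINAL),
    BackupCopy("cloud-bucket", "object-storage", offsite=True, immutable=True, content=ORIGINAL),
]

# A non-compliant inventory: two copies on the same media, none offsite, and one copy
# whose content no longer matches the recorded digest (as if it had been encrypted).
BAD_INVENTORY = [
    BackupCopy("primary-nas", "disk", offsite=False, immutable=False, content=ORIGINAL),
    BackupCopy("secondary-nas", "disk", offsite=False, immutable=False,
               content=b"\x8f\x1e\x02 unreadable ciphertext \x00\x17"),
]


if __name__ == "__main__":
    for name, inventory in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        ok, problems = check_3_2_1(inventory, RECORDED_DIGEST)
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for p in problems:
            print(f"  - {p}")
```

Running the check on a schedule, against a digest recorded at backup time rather than recomputed from whatever is currently on disk, is what turns the rule from a slogan into something that fails loudly before a restore is attempted.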
Deciding Whether to Pay
Deciding whether to make a ransom payment is a complex decision. Most experts suggest you should only consider paying if you’ve tried all other options and the data loss would be significantly more harmful than the payment.
Regardless of your decision, you should always consult with law enforcement officials and cybersecurity professionals before moving forward.
Paying a ransom doesn’t guarantee you’ll regain access to your data or that the attackers will keep their promises—victims often pay the ransom, only to never receive the decryption key. Moreover, paying ransoms perpetuates cybercriminal activity and can further fund cybercrimes.
Preventing Future Ransomware Attacks
Email security tools and anti-malware and antivirus software are critical first lines of defense against ransomware attacks.
Organizations also rely on security controls such as firewalls, VPNs, and multi-factor authentication as part of a broader data protection strategy to defend against data breaches.