How Should a Company Handle Ransomware?

A ransomware attack can disrupt operations and cause significant cost and damage to a company. When faced with a ransomware infection, responding appropriately is essential to minimizing the damage.

#1. Protection and Prevention

Once the files are encrypted, the damage has already been done. Unless a company can restore all files from backups, some data will be lost even if a ransom is paid. Modern ransomware commonly steals and exfiltrates data before encrypting it, meaning that the company has likely already suffered a data breach.

Prevention is the best way to manage the threat of ransomware. Some of the ways a company can protect itself against ransomware include:

Patch Management: Some ransomware variants are spread by exploiting vulnerabilities for which patches are available. Promptly installing updates and security patches can help to close these infection vectors.

Phishing Prevention: Phishing is one of the most common delivery mechanisms for ransomware. Companies should train employees to identify and properly respond to phishing campaigns and deploy anti-phishing solutions to block malicious messages from reaching the inbox.

Access Management: With the rise of remote work, cybercriminals are increasingly leveraging compromised credentials for remote access solutions (VPNs, RDP and the like) to plant and execute their malware. Deploying multi-factor authentication (MFA) and restricting access based on the principle of least privilege can help to prevent these attacks and reduce their impact when a credential is compromised.

Anti-Ransomware: If ransomware reaches enterprise systems, detecting and eradicating it as soon as possible limits the damage that it can do. All corporate devices should have anti-ransomware solutions deployed to identify and delete ransomware before it can exfiltrate and encrypt sensitive data.

Closing these potential attack vectors can help to reduce the probability of a ransomware attack. In addition, bolstering these protections with a strong backup policy, with copies kept offline or otherwise out of reach of an attacker on the network, can help to reduce the impact of a ransomware attack if one occurs.

#2. Incident Response

Rapid response to a ransomware infection can help to reduce the impact and cost of a successful attack. A quick, effective response requires an organization to have an incident response team (IRT) and strategy in place before it is needed. When responding to a ransomware infection, incident responders should:

Remain Calm: Ransomware infections can be stressful, but it’s important not to panic. Keep a cool head, follow the incident response plan, and preserve a copy (or at least a screenshot) of the ransom note so that it is available later for law enforcement and further investigation.

Contain the Infection: Some ransomware strains attempt to spread through enterprise networks, so disconnect infected systems from the network as soon as possible. Also, trace back the attack chain to ensure that the attacker does not have a presence on other systems.

Maintain System Status: Ransomware may leave a system in an unstable state, and changes to the system may cause loss of data or destroy evidence that investigators need (the running process and its keys may only exist in memory). Don’t reboot infected machines, install updates, or perform any other system maintenance until responders have captured what they need.

Don’t Touch Backups: Ransomware commonly attempts to encrypt or delete backups to force organizations to pay the ransom. Do not connect backups to infected machines until the ransomware infection has been eradicated and the integrity of the backups has been verified.

Coordinate with Stakeholders: Collaboration is vital to the fight against ransomware. Don’t be afraid to contact law enforcement or reach out to a reputable incident response provider for help in remediating the incident.
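The first three steps above (preserve the ransom note, decide whether the host must be isolated, and do so without modifying the infected system) can be scripted so that a responder runs one read-only triage pass per host. The following is an added example for this article, not code from the original page: it scans a directory tree, flags likely ransom notes and files whose byte entropy is near the maximum (as encrypted data is), copies each note with its SHA-256 into an evidence directory, and returns a contain/no-contain verdict. The note-name hints, the entropy threshold and the sample host tree are assumptions for the demonstration.

```python
"""Read-only ransomware triage for one host: find encryption indicators and
preserve the ransom note as evidence without altering the suspect files.

Added example for this article, not code from the original page. The note
filename hints, the entropy threshold and the sample tree are assumptions.
"""
import hashlib
import json
import math
import os
import shutil
import tempfile
from pathlib import Path

# Assumed heuristics: ransom notes are usually small text/HTML files with names
# like these; files encrypted by ransomware have near-maximal byte entropy.
# Compressed files (zip, jpeg) are also high-entropy, so the verdict is a
# starting point for an analyst, not a final determination.
NOTE_NAME_HINTS = ("readme", "decrypt", "how_to", "restore", "recover")
ENTROPY_THRESHOLD = 7.5  # bits per byte; text and office documents are far lower
MAX_NOTE_SIZE = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_ransom_note(path: Path) -> bool:
    name = path.name.lower()
    return (path.suffix.lower() in (".txt", ".html", ".hta")
            and path.stat().st_size <= MAX_NOTE_SIZE
            and any(hint in name for hint in NOTE_NAME_HINTS))


def triage(root: Path, evidence_dir: Path) -> dict:
    """Scan `root` read-only, copy ransom notes into `evidence_dir`, and return
    a report listing notes, high-entropy files and whether to isolate the host."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    notes, encrypted = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if looks_like_ransom_note(path):
            digest = sha256_file(path)
            dest = evidence_dir / f"{digest}_{path.name}"
            shutil.copy2(path, dest)  # copy, never move: the host stays as-is
            notes.append({"path": str(path), "sha256": digest, "evidence": str(dest)})
            continue
        data = path.read_bytes()
        entropy = shannon_entropy(data)
        if len(data) >= 64 and entropy >= ENTROPY_THRESHOLD:
            encrypted.append({"path": str(path), "entropy": round(entropy, 2)})
    report = {
        "ransom_notes": notes,
        "high_entropy_files": encrypted,
        # Either indicator means: disconnect this host from the network now.
        "contain": bool(notes or encrypted),
    }
    (evidence_dir / "triage.json").write_text(json.dumps(report, indent=2))
    return report


def run_demo() -> dict:
    """Constructed sample host: one plaintext file, one 'encrypted' file and a
    ransom note. Returns the triage report plus whether evidence was written."""
    with tempfile.TemporaryDirectory() as d:
        docs = Path(d) / "host" / "docs"
        docs.mkdir(parents=True)
        (docs / "budget.csv").write_text("quarter,revenue\nQ1,100\nQ2,120\n" * 20)
        (docs / "budget.csv.locked").write_bytes(os.urandom(4096))  # stands in for ciphertext
        (docs / "HOW_TO_DECRYPT.txt").write_text("Your files have been encrypted. Pay to recover them.\n")
        report = triage(docs, Path(d) / "evidence")
        report["evidence_preserved"] = all(Path(n["evidence"]).is_file() for n in report["ransom_notes"])
    return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The script never writes inside the scanned tree, so it is safe to run before forensic imaging; the evidence directory should be on removable or remote storage, not on the infected host.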

#3. Removal and Recovery

Once the spread has been halted, the incident investigated and the ransomware removed from affected systems, recovery is the next step in the process. The crucial decision at this point is whether to pay the ransom or to restore from backups.

While paying the ransom may seem like the easiest and cheapest way to address the issue, it should be a last resort. Paying the ransom provides no guarantee that data will be recovered (attacker-supplied decryptors are frequently slow or faulty), and it helps to fund future campaigns by the attackers. Explore whether data can be recovered from verified backups, or whether a public decryptor exists for the ransomware family, before deciding to pay a ransom that could be in the hundreds of thousands or even millions of dollars.
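Restoring from backups only works if the backups themselves were not reached by the ransomware, which is why the incident response section insists on verifying backup integrity before reconnecting them. The following is an added example for this article, not code from the original page, showing one way to do that check: at backup time every file is hashed into a manifest that is authenticated with an HMAC key kept offline with the backup media; at restore time the backup is refused unless the manifest authenticates and every file still matches. The manifest format, the key handling and the sample backup set are assumptions for the demonstration.

```python
"""Verify a backup set against an HMAC-authenticated manifest before restoring.

Added example for this article, not code from the original page. The manifest
format, the key handling and the sample backup set are assumptions.

Design: the HMAC key and a copy of the manifest live with the offline backup,
not on the file server, so an attacker who encrypts the backup share cannot
also rewrite the manifest to match. A backup that fails this check is never
reconnected to production.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_root: Path, key: bytes) -> Path:
    """Hash every file under backup_root; write a manifest with an HMAC over it."""
    entries = {str(p.relative_to(backup_root)): sha256_file(p)
               for p in sorted(backup_root.rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest = backup_root.parent / (backup_root.name + ".manifest.json")
    manifest.write_text(json.dumps({"files": entries, "hmac": tag}))
    return manifest


def verify_backup(backup_root: Path, manifest: Path, key: bytes) -> dict:
    """Return {'ok': bool, 'problems': [...]} without modifying the backup."""
    doc = json.loads(manifest.read_text())
    body = json.dumps(doc["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        return {"ok": False, "problems": ["manifest HMAC mismatch: manifest altered or wrong key"]}
    problems = []
    for rel, digest in doc["files"].items():
        p = backup_root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    present = {str(p.relative_to(backup_root)) for p in backup_root.rglob("*") if p.is_file()}
    for rel in sorted(present - doc["files"].keys()):
        problems.append(f"unexpected: {rel}")  # e.g. a ransom note dropped into the share
    return {"ok": not problems, "problems": problems}


def run_demo() -> dict:
    """Constructed scenario: a clean backup verifies; after the ransomware
    encrypts one file and drops a note it is rejected; a forged manifest
    written without the offline key is rejected too."""
    key = os.urandom(32)  # in practice: generated once and stored offline
    with tempfile.TemporaryDirectory() as d:
        backup = Path(d) / "backup-2024-01-01"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'a');\n")
        (backup / "config.yaml").write_text("retention_days: 30\n")
        manifest = write_manifest(backup, key)
        clean = verify_backup(backup, manifest, key)
        # Simulate the ransomware reaching the backup share.
        (backup / "db" / "customers.sql").write_bytes(os.urandom(512))
        (backup / "RESTORE_FILES.txt").write_text("Your backups are encrypted too.\n")
        tampered = verify_backup(backup, manifest, key)
        # The attacker rewrites the manifest to match, but lacks the key.
        manifest.write_text(json.dumps({"files": {}, "hmac": "00" * 32}))
        forged = verify_backup(backup, manifest, key)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The check is deliberately one-directional: it reads the backup and the manifest and writes nothing, so it can be run from a clean workstation against backup media before any restore is attempted.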