Seemingly every day, a new organization announces they've been hit by a ransomware attack. The agnostic nature of ransomware leaves no industry immune to vulnerabilities. Be it school systems, healthcare providers, or government agencies, the battlegrounds are increasingly widespread. Companies should operate not on a basis of if they'll be hit, but when. Executives and IT teams must be prepared to take specific steps in the immediate aftermath of a ransomware attack to best protect their employees, assets, and sensitive information.
1. Don't Panic
In high-stress situations, panic is a bad adviser. When organizations are hit with ransomware, many are unprepared, which leads to reactionary and uninformed decision-making — often with catastrophic results. Avoid "reacting" and focus on "responding" by understanding and practicing what must be done in advance. Identify who will be involved: What will they need to do? How will the team communicate? If/when a ransomware attack takes place, the plan and everybody's role in it should already be known.
2. What Are You Dealing With?
It's important to try and understand what a company has been hit with, and perhaps even the source. Anything that can potentially identify the ransomware strain or group will help your security teams identify a decryptor, if available. This is important when deciding whether to pay a ransom. Additionally, information on the attack will help you understand how it propagates.
3. Isolate and Save
To minimize the blast radius of an attack, it's critical to isolate devices that have been hit. Pulling devices offline will prevent ransomware from spreading further. Administrators should isolate affected systems from the network as soon as possible. Any updates to IT architecture, such as migrations to new environments, or installing new applications and servers, should be stopped immediately. This, plus any sort of scheduled task, including backups, should be paused to stop the communication between the affected devices and the network. From there, you can begin to understand the attack vector without having to worry about continued spread of malware. Additionally, securely save anything that has been encrypted. Even if a decryptor is not available today there is a good chance one will become available in the future, which may save you money and negate a repeat attack.
4. Try to Understand the Attack Vector
By understanding the attack vector, you can get to the bottom of how the ransomware infiltrated the network. Ask certain questions: Who was patient zero on the affected network? How was it shared? Was it an email someone opened, or a link that was sent to them? Pinpointing the attack origin will help harden the recommendations for next steps and improve processes following the event. You can provide real-time, immediate guidance to others to ensure no one else falls victim to the same infiltration. If you don't have the security staff needed for investigations and/or post-event threat hunting, consider recruiting outside help from a managed security services or managed detection and response (MDR) provider.
5. Offline Backups
Your ticket out of this situation is to both validate and secure your offline backups. If you've been diligent about backing up your information prior to the attack, take your backups offline as soon as possible. This will ease the process of bringing devices back online after the attack. Ransomware attackers have learned to identify and encrypt online backups, so an offline component to your backup strategy should be considered table stakes.
6. To Pay or Not to Pay?
This is an important subject. By paying a ransomware, we satisfy the "demand" component of the adage "supply and demand" — if ransoms are paid, ransomware attacks will not only continue but escalate. The community can defeat this type of attack by cutting off the supply. That's a difficult business decision that will vary from case to case. It's worth remembering that not only is there a macro challenge of "supply and demand," but companies that pay the ransom identify themselves as fruitful targets for attackers. In some studies, up to 80% of ransomware victims suffer repeat attacks.
Overall, there is no one-size-fits-all solution for triaging a ransomware attack. However, there are certain guidelines that should be observed, including simple steps like changing passwords. In the hours following a ransomware attack, IT administration will be under extreme pressure to locate and remediate the source issue. It's important they have the tools necessary to make the correct decisions. After all, it is precisely in an emergency that companies need a blueprint so no sensible measures are forgotten. These processes should be practiced and updated regularly . With an emergency plan in place, the risk of making mistakes under pressure resulting in further damage is minimized.