So, You’ve Been Attacked by Ransomware. What Next?
Ransomware is lucrative for cybercriminals but crippling for businesses. And as long as it continues to be profitable, targeted ransomware attacks are likely to keep growing in number. Robert Scammell puts together a five-step guide for those who have suffered a ransomware attack, with various industry experts providing their top tips on how to minimise the damage.
You’re sat tapping away at your computer when the machine becomes unresponsive. A message glares from your screen: ‘Oops! All of your files are now encrypted.’
You look around the office and see the same on other screens. All of your files are gone, unless you cough up some Bitcoin to unlock them.
First of all, you’re not alone.
There were 151.9 million ransomware attacks in the first three quarters of 2019, according to cybersecurity firm SonicWall. And the cost, from downtime to reputational damage, is expected to surpass $10bn this year.
The most common ways the file-encrypting malware infiltrates an organisation are phishing emails containing a malicious link and lax Remote Desktop Protocol (RDP) security – the mechanism that allows computers to connect to one another across a network.
Ransomware is a constantly evolving threat. While the infamous WannaCry malware that crippled the NHS in 2017 cast a wide net, today ransomware is less frequent but more targeted, to maximise profits from each victim.
And with new strains becoming available on the dark web all the time, staying ahead of the cybercriminals is a never-ending battle.
Of course, the surest way to protect your most important files is to invest in robust cybersecurity and regular cyber training.
But it’s too late for that now – your files are encrypted and the clock is ticking.
Step 1: Don’t panic
A ransomware attack is scary. Cybercriminals know this and play to these fears, from threatening imagery to short payment deadlines.
But the fear-factor is what they’re after – you’re more likely to give in to demands if you’re panicking.
Breathe. In an ideal world, this is where your cyber-incident training should kick in.
“The best way to help prevent a ransomware disaster is to set up a simulation attack,” says Jake Moore, cybersecurity specialist at ESET.
“A real-time simulation is the perfect way of ironing out all the disaster points which may be overlooked in a normal documented policy. All relevant units need to be involved, and it should usually last a day.”
Step 2: Get IT on the case
You’re calm – or as relaxed as you can be for someone who’s being held to ransom. If your organisation’s security or IT team isn’t already aware of the ransomware, let them know immediately.
Their job will be to isolate the incident by separating infected devices from the rest of the network. They’ll also look to gather more information about the attack, from the strain of the malware to the entry point used.
Andy Miles, CISO and founder of cyber and information security practice Quantum Resilience, says that cybersecurity professionals should consider the attack in terms of severity and category.
“Best practice is to track both the tasks and findings; together these should be correlated, and then any response can be reprioritised,” he says.
“Consideration should also be given as to whether the affected organisation will be taking legal action against a third party or rogue employee. If so, then this must be taken into consideration within the business continuity and response plan so as to not inadvertently compromise any evidence.”
Step 3: Assess the damage
How bad is the damage? Are business-critical files encrypted? Are they backed up?
These questions are all geared around getting the business up and running in as little time as possible. Good data management and a regular backup here will make the attack far more manageable.
“Ransomware is different to other attacks; the effect and damage is to your data, not the systems it sits on,” says Malcolm Taylor, director of cybersecurity at consultancy ITC Secure.
“A backup is therefore critical – and check the frequency they’re taken. A good, recent backup can make the difference between lost data and revenue and business, and not. Kidnappers hate backups.”
In an ideal world, your most critical data will be backed up automatically in a different location, allowing you to wipe systems, restore, and return to normality.
“Offsite backups should be compulsory and when set up correctly can be restored in hours,” adds Moore.
For those that haven’t backed up, it is worth contacting groups such as the No More Ransom Project, which will attempt to decrypt your files.
Step 4: Should you pay?
But what if you’ve not backed up and the files are essential for the running of your business? Should you pay up?
On this, cybersecurity professionals are pretty much unanimous – you should never pay the ransom.
That’s because there’s no guarantee the attackers will return all or any of your data.
While the amount could be comparatively low against the backdrop of lost revenue, paying signals to the attacker that you have no alternative and shows you are desperate.
“They will therefore usually return a portion only of your data and demand significantly more money for the rest,” says ITC Secure’s Taylor.
Paying also fuels and sustains the criminal activity and, as Taylor points out, you could even be supporting terrorist groups and hostile nations.
“Ransomware is spreading in part because more people are paying the ransom – it’s basically a business deal on behalf of the attacker and so the more successful it is, the more they will do it,” he says.
Paying also puts you on a ‘suckers list’ circulated among cybercriminals that identifies firms likely to pay, and so increases the likelihood of future attacks.
“I never condone paying the ransom as you can never be 100% certain you will see the data back but no doubt businesses will have this as a consideration if they are cornered,” says Moore. “It’s better to patch and protect rather than pay.”
Step 5: Notify affected parties
You’ve not backed up, your files are still encrypted and business has ground to a halt. People are asking questions. It’s time to notify those affected, be it customers, employees or third-party vendors.
The first priority is to protect the reputation of your business. But failing to notify those whose data may be lost or compromised will cause far more damage in the long run.
“Whatever approach you take, if you find yourself in the eye of a ransomware storm, I beg you to be honest with your business partners, your employees, and of course your customers,” says Carole Theriault, independent cybersecurity expert and co-host of the Smashing Security podcast.
“Your actions will have impact for years to come. Whatever the relationship, most can survive a mistake or an attack, but they all tend to fizzle at the waft of deception.”
If appropriate, prepare a statement for those affected and for the media.
Ultimately, it’s up to an organisation to decide whether to report a ransomware attack to the appropriate data regulator, such as the Information Commissioner’s Office (ICO).
“Organisations don't have to report every data breach to the ICO. Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it is unlikely to result in a risk to people’s rights and freedoms,” says an ICO spokesperson.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”
Put another way, there’s no harm in reporting it to be on the safe side – even if you’re fairly sure personal data isn’t affected.
Step 6: Update, patch, learn
Did you manage to recover most of your files? Great, but there’s no time to rest. Carry out a complete security audit and patch and update all systems.
Look at the attack vector. Was it a phishing email? It’s probably worth investing in more cybersecurity training for staff.
Not being able to recover the files can be crippling, and in some cases business ending. But it is possible to rebuild, with lessons hopefully learned.
“Like burglary, it’s a sad fact that once you’ve suffered a ransomware attack, you are statistically more likely to suffer again,” says Taylor.
“Learn – not recognise – the lessons. Ransomware can be beaten, relatively easily with good anti-virus or endpoint detection and response, regular backups stored somewhere separate and updated software.”