How to deal with a ransomware attack: a quick guide
A ransomware attack can be an existential threat to any organization. Dealing with an attack takes weeks and months of hard work and leads to a significant loss of earnings: the attack on Norsk Hydro in 2019 cost around $71 million, and the Maersk attack affected global supply chains and led to losses of around $300 million.
Preventing ransomware attacks is possible and should be the aim of any cyber security strategy, but every organisation should also have a plan for dealing with an attack when it does occur despite best efforts at preventing it.
The points below are a basic guide on dealing with a ransomware attack. You can use the ‘ask yourself’ prompts to help develop or improve a response plan.
Technical / organisational
Isolate and contain the infection: It is essential to isolate the infected device or network segment to prevent the ransomware from spreading further. Disconnecting your entire IT estate from the internet and severing other network connections can help contain the infection, limit data loss, and stop the attackers from communicating with infected devices and the attack from spreading automatically across your network. This can be done easily via the firewalls.
Turning devices off can seem like an obviously good idea at first, but can come at the cost of problems down the line. Discuss this step with your forensics or ransomware response experts.
Ask yourself:
- How can we make sure we detect an attack early?
- How can we quickly and easily disconnect our network from the internet?
- Who can / should make this decision?
- What will the consequences be and how can we mitigate them?
- How will we be able to communicate internally and externally after an attack?
Assess the damage: Evaluate the extent of the damage caused by the ransomware attack. Identify the files, systems, and data affected by the attack and prioritize the recovery process. During the first day or two at least (usually for up to 1-2 weeks), the forensics team will not know the exact timeline of the attack.
Ask yourself:
- Do we know what our high-value assets and processes are?
- Do we know the costs of not having these assets or processes available?
- Do we know how long we can make do without having access to these assets or without the processes functioning?
- Are there workarounds?
- Do we have an up-to-date asset register?
- Do we have IT forensics capabilities or a retainer with an IT forensics provider?
- Do we know where sensitive data and personal data is stored? Is this encrypted?
Identify the ransomware strain: Determine the type of ransomware involved in the attack. This information can help identify potential recovery options, as some ransomware strains may have known decryption keys or tools.
To ensure forensics can do their work, it is important not to tamper with or delete/wipe affected systems. Forensics will need to find out how and, importantly, when the attackers first gained access to your organisation’s systems.
Restore data and systems: Once the ransomware has been removed and contained, restore the data and systems from backups or other recovery mechanisms. Assess the state of your backups (attackers will attempt to destroy any backups they can access). Verify the integrity of the restored data to ensure that it is free from malware.
You should also reset all passwords used in your organisation and ideally move to multi-factor authentication.
Ask yourself:
- Are our backups robust enough? Can they be accessed by an attacker?
- Do we have backups going back far enough? Just having one backup isn’t sufficient.
- Have we tested these backups? Do we know how to restore a system from backups?
- Do we have a plan for restoring potentially compromised backups?
- Do we have a plan for assessing backups?
- If we rely on suppliers, will they work with us when we have an active ransomware attack?
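The restore step above depends on two checks: choosing a backup that predates the attackers' first access, and confirming that restored files match a known-good state. The following is an added example, not part of the original guide, that sketches both. It assumes a pre-incident SHA-256 manifest kept where attackers could not reach it; the function names, the one-day safety margin and the sample backup names are hypothetical.

```python
import hashlib
from datetime import datetime, timedelta
from pathlib import Path

# Assumption: `manifest` was produced before the incident and stored offline.


def pick_restore_point(backups, first_access, margin=timedelta(days=1)):
    """Newest backup taken before first_access minus a safety margin.

    backups: iterable of (name, taken_at). Returns None when no backup goes
    back far enough, i.e. every copy may already contain the intrusion.
    """
    cutoff = first_access - margin
    clean = [b for b in backups if b[1] < cutoff]
    return max(clean, key=lambda b: b[1]) if clean else None


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large restores do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_restore(root, manifest):
    """Compare files restored under root with {relative_path: sha256}.

    Returns (missing, modified, unexpected) as sorted lists of paths.
    """
    root = Path(root)
    on_disk = {p.relative_to(root).as_posix()
               for p in root.rglob("*") if p.is_file()}
    known = set(manifest)
    modified = sorted(rel for rel in on_disk & known
                      if sha256_file(root / rel) != manifest[rel])
    return sorted(known - on_disk), modified, sorted(on_disk - known)


if __name__ == "__main__":
    # Constructed sample data: three weekly backups, first access on 10 March.
    backups = [("weekly-01", datetime(2024, 3, 1)),
               ("weekly-02", datetime(2024, 3, 8)),
               ("weekly-03", datetime(2024, 3, 15))]
    print(pick_restore_point(backups, datetime(2024, 3, 10)))
```

A matching hash shows that a file is unchanged since the manifest was taken; files reported as unexpected or modified still need review by the forensics team.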
Report and inform: Notify senior management, and any third-party vendors or partners that may have been affected by the attack. Consider involving legal counsel and law enforcement authorities, as appropriate. Remember that you have up to 72 hours to inform the data protection authorities if personal data has been affected.
Ask yourself:
- Do we know all our reporting obligations?
- How can we ensure we meet them?
- How do we inform employees, stakeholders, and partners? (See also ‘communications’ below)
Decide whether to pay the ransom: Experts generally recommend against paying the ransom, as it can encourage further attacks and may not guarantee the return of the encrypted data. However, this decision ultimately depends on the specific circumstances of the attack and the organization’s risk tolerance. It might be useful to open and keep open a channel of communication with the attacker if it can’t be ruled out that paying the ransom may be the only way to restore operations. (Do keep in mind that it does take significant time to decrypt and verify the systems.)
Ask yourself:
- Does our cyber insurance cover ransom payments?
- Do we have access to professional negotiators?
- What is our general stance on ransom payments?
Strengthen cybersecurity defences: Conduct a post-attack analysis to identify vulnerabilities and areas for improvement. Enhance cybersecurity defences by implementing measures such as regular backups, employee training, and network segmentation.
Ask yourself:
- What standard or framework should our security measures be aligned to?
Communications
Develop a crisis communication plan: Develop a crisis communication plan to manage internal and external communications during and after a ransomware attack. The plan should identify key stakeholders, including employees, customers, vendors, and partners, and outline the appropriate messaging and channels for each group.
Communicate regularly and transparently: Keep stakeholders informed of the situation, including the scope of the attack, the measures being taken to contain it, and the status of the recovery process. Be transparent about any potential impact on the organization and its stakeholders.
Provide guidance and support: Provide guidance and support to employees, customers, vendors, and partners who may be affected by the attack. Offer resources such as training, technical support, and credit monitoring, as appropriate.
Monitor media and social media: Monitor media and social media channels for any coverage of the attack or related issues. Respond promptly to any inaccuracies or misinformation and use social media to provide updates and information.
Ask yourself:
- Do we have a communications plan for emergencies or crises?
- Do we know who to communicate to and how we can do this, if our primary communications (address databases, email, telephony) are affected?
- Are senior managers trained in giving interviews or making press statements?
- Do we need / have a communications specialist we can call on?