How to respond to a ransomware attack
- 27 June, 2018 14:43
Most businesses will fall victim to a nasty ransomware attack eventually, so knowing what to do when it strikes is a must for any CIO, as the wrong course of action could damage your business even further.
Most ransomware attacks target small to medium businesses as their security systems are less sophisticated, plus ransomware attackers normally only charge a small-ish fee so SMBs are more likely to pay the ransom for their files.
However, all hope is not lost. There are a few things you can do to limit the effect of a ransomware attack.
Trace the attack
One of your first steps should be to find out which machine became infected with the ransomware.
This is normally very simple as ransomware usually locks the screen of PCs, however, if you have a lot of remote workers, you’ll need to reach out and gather as much information as you can from them.
You should also ask your employees if they have opened any suspicious emails or if they have noticed any irregular activity on their machines.
The sooner you find the source, the quicker you can act. Ransomware attacks tend to have a time limit on them before files are erased.
Notify your IT helpdesk or IT security team
As soon as you know you have fallen victim to a ransomware attack, you’ll need to make sure all the right people are notified.
Some organisations have a Chief Information Security Officer (CISO) who will direct the team on the next steps, but for many organisations that don’t, security issues like this often fall within the CIO’s remit.
As a precaution, you should cut the network connection from the infected machine to the rest of your office network. This should restrict any further damage to your infrastructure.
Your security team or equivalent should already have a plan for situations like this, so it might be the case that you just hand over to them and they take it from there.
In the instance that a plan doesn’t exist. A meeting should be held to get one created as soon as possible. You’ll need to let everyone know exactly what is expected of them.
Notify the authorities
If the data stored has numerous identifiers, you should alert a data protection officer or equivalent.
Should you pay?
Ransomware is a really effective way of getting money from businesses, as the amount demanded is usually small enough that businesses will pay it.
But this does create a vicious circle. If businesses continue to pay the ransoms, then ransomware will continue as a popular money making cyber attack. It will only perpetuate the problem.
Generally, cybercrime experts and authorities advise against paying the ransom for many reasons. Firstly, just because you’ve paid the ransom, doesn’t mean that you’ll receive an encryption key that actually unlocks the data. And secondly, because it might encourage the hackers to request more money.
You should assess whether your data is worth saving. If you decide not to pay, you might not only lose your files, but also damage your reputation. There is a chance that the perpetrators may be willing to decrypt a few files for a reduced fee or even to show they can be trusted to release them all.
You should get a plan together and stick to it.
Inform all employees
Transparency is really important in situations like these. When it comes to cyber attacks, your weakest link is your employees. We’re all humans after all, and can easily make mistakes that can jeopardise data.
Rather than pointing fingers, inform your staff that there has been a breach, what this means and on any action you’re taking.
You should also let them know of any expected system downtime which will impact their work.
This is also a good chance for you to reinforce existing security guidelines.
Find out exactly what happened
Next, you’ll need to try and create a timeline of the attack. This will probably be undertaken by your IT team but will need some form of support from the CIO or CISO.
This should help for future attacks and help you learn about your current security systems.
Often cyber attacks leave clues in the metadata, so a full search of that will be necessary in most cases.
Update all of your security systems
After the incident is over, you’ll need to perform a total security audit and update all systems.
This may take some time, and even cost some money, but if you value your data, you’ll do it.
- Forrester to businesses: Plan your response to digital extortion in advance
- Bots, AR and digital giants: How to survive the storm of digital disruption
- Building cyber resilience: The state of the nation
- Education emerges as prime target of cybercriminals
- A CSO’s tale: Moving security from the department of ‘no’ to ‘how’
Get the latest on cybersecurity: Sign up for CIO newsletters for regular updates on CIO news, career tips, views and events. Follow CIO New Zealand on Twitter:@cio_nz