There were 199.7 million ransomware attacks in just the last four months. That’s nearly 25 attacks per second. The recent surge in cybercrime is being attributed to the increased digitization caused by the COVID-19 pandemic.
Businesses have moved online in the last few months, and online criminals are smelling blood. It’s no longer the question of if but when you will be faced with a ransomware attack.
When such an attack happens, your data is encrypted or you are locked out of the device until you pay a hefty ransom.
It goes without saying that losing critical data in such a situation will be disastrous for your business.
But is there a way out?
Steps to Take After a Ransomware Attack
There are ways to protect your data and stop these attacks from happening in the first place. However, if you have already fallen victim, here’s what you should do:
1. Take a Screenshot
Before doing anything, you should take a screenshot of the ransom note. You might want to take a picture through your phone, too, just in case. Usually, a note will have payment info coupled with a threat. It tells you how much to pay, where to send the payment, and what happens if you don’t.
More than that, the ransom note can help experts identify which particular ransomware strain has infected your device. Once the strain is known, it becomes easier to decrypt the files and recover the data you’ve been locked out of.
You will also need the screenshot for filing a complaint with the FBI and notifying your insurance carrier.
2. Isolate the Devices That Have Been Affected
Without wasting a moment, isolate the infected devices. Ransomware doesn’t stop after encrypting a particular file. It proceeds to spread across devices, shared storage, and the network. If your system has been compromised, remove it from the network immediately.
Ransomware might have succeeded in encrypting data on your existing network drives. But it may not have reached your backups stored in the cloud. Backups that were not connected to the network at the time of the attack will also be safe.
Infected machines continue to pose a threat to your network security until they are completely clean, so it’s important to isolate and remove them from the network without any delay.
3. Identify the Source
After disconnecting the infected devices, investigate your network to find the source. Systems with misconfigured and out-of-date software are more vulnerable.
Finding “patient zero” is more difficult in a larger organization. You will have to reach out to employees to find who was targeted first. Discover whether they clicked on a link in an email that delivered the ransomware, or whether they noticed unusual prompts in their browsers.
You need to determine what permissions were needed to modify the files and who has these permissions. Scour through open files and identify infected users.
Once you zero in on the exact source, you might be able to limit the infection by acting quickly. However, this is not always the case, as most infections don’t even get noticed until the entire operation is completed.
4. Analyze the Backups
The fastest and most convenient way to recover your data without paying the ransom is restoring your systems from backups. This is the reason cybersecurity consultants insist that corporations create regular backups to protect their data.
Data that is recent and unaffected by the ransomware is easy to recover. Typically, you can make this happen by resetting your systems to factory defaults.
If your backups aren’t up-to-date, this strategy may backfire. The restoration process could take hours and then fail, leaving you with little to no time for paying the ransom or finding some other alternative.
It’s always recommended to perform a restore test. Have a specific number of encrypted files restored to see whether the restore succeeds. Restoring an onsite backup wouldn’t take long. In contrast, restoring offsite data could take days.
If the restore time is reasonable and you’re certain it will work, this is a good alternative to paying the ransom.
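As an added example that is not part of the original article, here is one way to carry out the restore test and backup-freshness check described in step 4 in Python. It assumes that a manifest of SHA-256 hashes is recorded when the backup is taken (a convention chosen for this example); the file names and contents in `demo()` are constructed.

```python
import hashlib
import random
import shutil
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256; run when the backup is taken."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}

def backup_age_ok(taken_at, max_age_hours, now=None):
    """False when the backup is older than the data loss you can tolerate."""
    now = time.time() if now is None else now
    return (now - taken_at) <= max_age_hours * 3600

def restore_test(manifest, restored_root, sample_size, seed=0):
    """Restore a sample and spot-check: hash each restored file against the manifest."""
    rng = random.Random(seed)
    sample = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    report = {"verified": [], "mismatched": [], "missing": []}
    for name in sample:
        p = Path(restored_root) / name
        if not p.is_file():
            report["missing"].append(name)
        elif sha256_file(p) != manifest[name]:
            report["mismatched"].append(name)
        else:
            report["verified"].append(name)
    report["ok"] = not (report["mismatched"] or report["missing"])
    return report

def demo():
    """Constructed scenario: one restored file altered (as if encrypted before backup), one missing."""
    work = Path(tempfile.mkdtemp())
    src, dst = work / "backup", work / "restored"
    src.mkdir()
    for name, data in [("a.txt", b"alpha"), ("b.txt", b"bravo"), ("c.txt", b"charlie")]:
        (src / name).write_bytes(data)
    manifest = build_manifest(src)
    shutil.copytree(src, dst)
    (dst / "b.txt").write_bytes(b"\x00garbage")  # differs from what was backed up
    (dst / "c.txt").unlink()                      # never restored
    report = restore_test(manifest, dst, sample_size=3)
    shutil.rmtree(work)
    return report
```

Calling `demo()` returns a report whose `ok` flag is false, naming the altered and missing files; a report with `ok` true on a real sample is the evidence that restoring is a viable alternative.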
Get Specialized Help
Unless you’re running a big firm with a dedicated cybersecurity department, you won’t have the expertise to deal with such a situation.
This is where you should consider hiring a firm that specializes in ransomware to steer the data recovery efforts. They might be able to decrypt the data and help you avoid the extortion altogether.
Even if you’re considering paying the ransom, it will help to have people with previous experience on your side. Cybercriminals might not return the data even after the amount is paid. A good anti-ransomware firm knows the tricks online criminals play on their victims.
Should You Pay the Ransom?
It’s not an easy decision to make. But companies facing cybercrime often find themselves cornered and are forced to pay the ransom. This happens when the cost of losing the data is much higher than the ransom demanded. In most instances, the attackers restore access to the data, and things go back to normal.
However, there are risks involved here, as well. As there’s little honor among the online thieves, many times, the access isn’t returned, and the organization loses both money and critical information.
Cybercriminals also share information with each other, and the company with a reputation of paying hefty ransom attracts more such attacks. The payment is mostly demanded in Bitcoin.
The FBI recommends firms not pay the extortion. According to the agency, this emboldens the attackers and inspires more individuals to take up hacking as a career.
Most organizations will find themselves between a rock and a hard place after being subjected to a ransomware attack. It’s important to consult experts and weigh all your options. Unfortunately, there’s no simple way out of this situation.