How to Respond to a Ransomware Attack

Barely a month after the global WannaCry ransomware attack, a variation of the Petya malware stuck networks in both Ukraine and the European Union. Now one of the most common forms of malicious software of all, ransomware attacks continue to claim countless terabytes of data on thousands of computers around the world.

Businesses as large as Maersk, Deutsche Bahn and Telefónica O2 are just a few of the victims of the latest two high-profile attacks, proving that no one is immune. We’ve already written about how to prevent ransomware from ever taking hold of your organization, but what should you do in the unfortunate event that you get infected?

Containing a Ransomware Attack

When a computer falls victim to ransomware, a ransom note usually appears when you boot up the machine. Unfortunately, by this point, the first wave of damage has already been done, but that doesn’t mean it’s too late to contain the attack. Ransomware uses a variety of methods to spread throughout a network, encrypting the files on all connected devices as quickly as possible.

The first and most important step to take the moment you notice an infected computer is to disconnect it from the network. This also means disconnecting and preferably disabling any wireless networking capability. By disconnecting the machine, you’ll also be able to prevent the hacker from doing any further damage to the device or possibly stealing confidential information from it.

Even if only one device in your organization gets infected with ransomware, it’s wise to disconnect your entire network from the internet until the issue is resolved. Disconnecting each individual device will also make it easier to isolate infected machines and take any necessary steps needed to restore them.

Getting Rid of Malicious Software

One thing you should never do if you’ve fallen victim to ransomware is pay the extortion fee in the hope that your files will be restored. After all, you’re dealing with criminals, so they’re hardly to be trusted. Additionally, you need to make certain that the malware is completely removed from your system before you can start using it again.

By far the safest approach is to wipe the machine along with any other storage devices that might have been connected to it at the time of infection. For the best results, you should perform something called a secure NIST wipe that completely sanitizes the drive. Afterwards, you will need to reinstall your operating system. These steps will wipe out all data on the device, but the method offers the only way to be certain that the malware is gone for good.

Unlocking Encrypted Data

A ransomware attack should never cause severe data loss, since you should have everything backed up in the first place. If you’re using an automated and reliable solution to keep your company data backed up, then a ransomware attack shouldn’t present anything more than an inconvenience. Nonetheless, if an attack does claim the only available copy of important data, it may still be possible to recover it.

Another reason you should never pay the ransom is because sometimes it’s still possible to decrypt your files using a third-party decryptor. Many older ransomware decryption algorithms have successfully been broken, in which case you may be able to obtain a reliable decryptor from one of the major cybersecurity firms; both Kaspersky Labs and Trend Micro have tools for decrypting old ransomware.

Prevention Is Always the Best Cure

In the end, the first step in any strong cybersecurity strategy should always be prevention, even if no measures can ever be 100% perfect. Always maintain a strict backup schedule, preferably one that involves storing a copy of all your data off site in a completely self-contained and independent network.

But even with all that, the benefits of round-the-clock monitoring solutions are impossible to deny. Training your staff is also extremely important, particularly since most ransomware and other malware ends up on computers starting with a social engineering scam. Your staff need to be able to recognize, identify and report suspicious activity as well.

Dyrand Systems understands the risks facing business networks, and that’s why we provide comprehensive cybersecurity solutions to ensure that technology is your friend, not your foe. To get a free assessment, give us a call today.