The 7 Steps You Must Take if Your Organization Gets Hit by Ransomware
Ransomware attacks are on the rise, and organizations in the public sector are especially vulnerable. Unfortunately, with the increase in frequency and sophistication of cyberattacks, even the most secure systems are not completely immune. In the event of a ransomware attack, your organizational response will make a world of difference, which is why, no matter how confident you are in your cybersecurity, you must have ransomware protocols in place. What happens if the system is hacked? How can the damage be minimized? Which team member is responsible for executing what? How can you get your data back safely?
While every breach protocol must be customized to the infrastructure and capabilities of each organization, there are a number of crucial steps that must be taken in the event of an attack.
- Isolate. Disconnect the affected device from the network as quickly as possible to limit the affected perimeter and prevent the ransomware from reaching network storage and cloud storage. If a ransom note appears on the screen, make sure to record it to help recovery teams determine the type of ransomware that has infected your device, and in turn, find a solution or decryption code more rapidly.
- Identify. In order to combat any ransomware, you have to first identify what type it is. Make sure to have a knowledge library that you regularly update and store it outside of your system.
- Report. Call your local authorities, who will then connect you with the Internet Criminal Complaint Center(IC3), where you can lodge a formal complaint. IC3 has a success rate of nearly 82%.
In fact, various pieces of legislation – HIPAA, GLBA, etc. – require organizations in the public sector to report cyber incidents. And, the government may soon extend this requirement to critical infrastructure businesses, federal contractors, and agencies. - Consider your options. While paying the ransom may seem like the easiest route, the FBI strongly discourages this. Not only does it encourage this criminal behavior, but it does not guarantee that the attackers will deliver the decryption key. Paying the ransom should always be a last resort.
That being said, it is the decision of your organization whether the cost of the ransom is worth the potential risk in the future for a quick fix. - Cleanse and restore. Recovery teams should be able to regain access to encrypted files. To do this, you need to keep your computer off the network but turned on. Once the encrypted files have been either restored or duplicated, the device should be completely wiped and then restored. The affected storage should be replaced as well. Malware and ransomware can lurk in your system for months, which is why it is critical that the device is checked thoroughly after the restoration for any traces of remaining infection.
- Identify and fix the vulnerability. While this may seem like an obvious step, the rush to restore operations can easily make you vulnerable to getting attacked all over again. Earlier this year, an organization in the UK fell victim to a ransomware attack. It ended up paying millions to get its data back only to fail to address the vulnerability that let the hackers get into the system. Less than two weeks later, the same attacker used the same vulnerability to once again get into the system and demand ransom.
- Create a prevention plan. If you haven’t done so already, install cloud-based anti-ransomware packages to detect and prevent future attacks. Check that your networks are air-tight and update any operating system or cybersecurity protocol that may be outdated or no longer useful. Train employees to spot possible cyberattacks before they happen. Consider running mock cyberattacks to see how long it takes for the whole process to unfold and whether all members of your organization are aware of the protocols.
If your organization falls victim to a ransomware attack, executing the above steps as quickly and efficiently as possible is a good way to minimize damage and avoid paying hefty ransoms. No matter how aggressive or intimidating the attackers are, do not panic.