In Case of Emergency: What to Do in a Ransomware Attack?

Netgain | Cybersecurity & Compliance, Financial IT, Healthcare IT

In a recent study of 4,000 small- and medium-sized companies, Kaspersky noted that 49% of SMB respondents reported ransomware as one of the most serious threats facing their organization. The study also noted that 67% of SMBs reported a complete or partial loss of corporate data due to a ransomware attack, and of those organizations, one out of every five failed to get their data back after paying the ransom.

It’s obviously best to train your staff and secure your data to better prevent a ransomware attack, but what should you do if your data is compromised in a ransomware attack?

Timeline of an attack

  1. Perimeter penetration. When hackers identify a target organization, they’ll always look for the easiest way in, looking for a weak spot in the wall. These days, organizations are installing more sophisticated technology to protect their data, but despite all these safeguards, employees are—and always will be—the biggest vulnerability to an organization’s sensitive data. Hackers will penetrate the perimeter by tricking the user into clicking a malicious email link that installs malware on the user’s PC. The malware is loaded invisibly on the user’s PC without them ever knowing that they’re infected. Take action: Make sure that you have a robust security solution and safeguards in place that continually monitor for malware and frequently train your staff to identify the signs of a malicious email.
  2. Discovery and panic. During routine scans, the IT department identifies the attack, but the extent is not yet known. As the IT team alerts the rest of the organization, panic starts to spread. The IT team works hurriedly to figure out the entry point, identify how many computers and servers are infected, determine whether data has been stolen or is just being held hostage, check the state of any data backups and determine how quickly the IT team can recover any lost data. Take action: As much as you try to prevent a ransomware attack, the unpredictability of user behavior will continue to put the organization at risk. It’s important to be prepared for such an attack by having a comprehensive cyberattack preparedness plan in place that includes defined roles, responsibilities, policies and procedures to mitigate panic and business interruption.
  3. To pay or not to pay. The specifics of each attack may vary, but hackers will typically hold your data hostage for a few days until you pay a ransom, usually payable in bitcoin, an untraceable cryptocurrency. If you don’t pay by the deadline, they’ll threaten to permanently purge your critical files. You’re faced with a decision: do you pay the ransom so you can regain access to your systems, or do you take a stand, refuse to pay, and risk losing access to your data? The initial reaction might be to just pay the ransom to shorten any downtime, but remember that one out of every five organizations that pay the ransom don’t regain access to their data. (The fact is that once they have your money, hackers don’t care whether your data is recovered.) Take action: You need to make a business decision. If the ransom is small enough, it may be less expensive to pay it and cross your fingers that your data will still be there than to absorb the lost business caused by downtime. However, if you’ve prepared accordingly, you should already have a data backup and disaster recovery plan in place that you can enact in a cyberattack emergency, in which case you can forgo the ransom and immediately begin working to restore your infrastructure.
  4. Downtime and business interruption. Regardless of whether you choose to pay the ransom or begin recovering your data, there is often some downtime. How much will depend on how quickly your IT team was able to identify the attack: the sooner it is identified, the less time the malware has to spread through the system and the quicker you may be able to recover. Your recovery time will also depend on whether you have up-to-date backups and regularly patched software. Take action: As part of your cybersecurity plan, maintain regular data backups, software patches and employee cybersecurity education to better protect your organization in the event of an attack.
  5. Internal review and adjustments. After recovering from a ransomware attack, take advantage of a key opportunity to review how well (or poorly) the organization performed during the incident. Use this as a learning opportunity to better prepare and protect your organization from a future attack. Take action: Get all key stakeholders in a room to conduct a thorough debrief of the event. Remember that while it’s important to identify the source of the breach, we advise against punishment. After all, today’s hackers are getting increasingly sophisticated in their attacks, and punishment might discourage employees from speaking up in the future if they detect malicious activity, for fear of reprimand. Use this as a learning opportunity for the entire organization.

With these steps, you’ll be better equipped to understand the various stages of a ransomware attack. However, if you don’t take action to start building (or reviewing and updating) your cyberattack preparedness plan, you’re leaving your organization at increased risk. Start preparing today.