Steps to Take After You’ve Been Hit by Ransomware
Comments Off on Steps to Take After You’ve Been Hit by RansomwareRansomware attacks can halt your business operations and threaten your business’s standing. The best approach is prevention—proactively protecting your business through the right managed services, protocols, and cybersecurity practices. However, even the best defenses can fail or leave a vulnerability gap large enough for ransomware to wreak havoc on your business. When that happens, you need an action plan ready for immediate implementation. Use this guide to start building your plan so you can respond quickly and appropriately to a ransomware incident.
What Is Ransomware?
Ransomware is a type of malware with a two-step operation. The first sign of ransomware is that it hijacks some or all of an organization’s information, encrypting it so employees can no longer access it. Then, the operators behind the ransomware demand a ransom payment to release the encrypted information and restore the company’s access.
Ransomware can spread quickly throughout an entire organization, compromising access to individual files, specific applications, or even whole databases. Cybercriminals can make billions of dollars by targeting companies and government organizations of all sizes. In addition to the money lost in paying the ransom, businesses may lose their customers’ confidence and suffer from reduced business operations during the attack.
Steps to Take After You’ve Been Hit by a Ransomware Attack
If your organization gets hit by a ransomware attack, the most important thing you can do is act fast to minimize the damage it causes. Start by following these eight steps.
Prevent the Spread!
First, switch off the network. There’s a chance the ransomware hasn’t yet reached every corner of your organization. By powering off your network switches and immediately halting network communications, you can prevent the attack from reaching untouched files or applications and potentially keep your backups safe.
Don’t Shut Down Endpoints
This step is about what not to do. Unless otherwise instructed by your IT services provider, don’t shut down endpoints in your organization by rebooting, power-cycling, or fully powering down your workstations and servers. Doing so can severely jeopardize the forensic investigation your services provider will handle. For example, powering down your firewall could purge the logs, and wiping any endpoints by powering them down will reduce the information forensics can recover.
Also, don’t contact or respond to the ransomer yourself. Your forensic vendor will handle the next steps and any communications with them.
Stay Calm and Call Your MSP
As soon as you can, call your managed service provider (MSP). Your forensic vendor or cybersecurity provider will have a detailed process for handling the emergency, alleviating the stress on your employees. Stay calm, contact your MSP, and follow their instructions.
Record the Details of the Attack
The ransom note on your monitor or device screen will have key details:
- The ransom amount
- Payment instructions
- Formatting details that can aid in a forensic investigation
You can record these signs of ransomware by taking a photo of the screen with your device (unless it has a QR code) or writing down the information. These details will help your forensic vendor determine what type of ransomware it is and find an existing recovery key. The information can also help with filling out reports for insurance companies or the police. Pharr Technologies does not recommend paying ransoms.
Alert All Users
Communicate with internal teams regarding the emergency and what steps they need to take. For example, they should immediately change their passwords for work-related accounts and any personal accounts they may have accessed from infected computers. If possible, have a network administration force password changes for everyone.
Secure Your Backup
Stop the automatic backup and scheduled backup processes. Your backups from before the attack will be critical in continuing your business operations. Ideally, restrict access to cloud backups, and disconnect backup servers from the infected network.
Disable Maintenance Tasks
Next, stop all automated actions like temporary file removals on the affected network. These maintenance tasks may interfere with future investigation and remediation steps.
Start With a Clean Slate
From there, your managed services provider or mitigation team can zero in on the threat, eliminate it, and secure your data backups. Completely remove old passwords to reduce the risk of getting the same ransomware attack again, and wipe infected devices (both physical and virtual) completely clean. These actions are the only way to fully remove the threat.
Stop Ransomware Attacks Before They Start—Contact Pharr Technologies
At Pharr Technologies, we’re a managed services provider committed to keeping our clients as safe as possible from ransomware and other cyber threats. That’s why we focus on both preventive and responsive methods for ransomware attacks. Contact us today to learn more, or request a quote to start protecting your business.