What to Do Under A Ransomware Attack

Cybersecurity

A ransomware attack happens every 11 seconds, roughly 2.8 million per year. There are many preventative measures that reduce the chance a ransomware attack on your business succeeds. Bad actors are incentivized to find and exploit new weaknesses, so even with protective measures in place, a ransomware attack is possible. What can you do when your business is actively under a ransomware attack?

Organizations can prepare for this by taking steps to ensure that their information will not be corrupted or lost, and that normal operation can resume quickly. Before an attack, you should develop and implement an incident recovery plan; plan, implement, and test a data backup and restoration strategy; and maintain an up-to-date list of internal and external contacts to reach when an attack occurs. If you are currently under an attack, take the following steps:

  • Isolate the infected computer immediately. Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or share drives.
  • Isolate or power-off affected devices that have not yet been completely corrupted. This may afford more time to clean and recover data, contain damage, and prevent worsening conditions.
  • Immediately secure backup data or systems by taking them offline. Ensure backups are free of malware.
  • Contact law enforcement immediately. We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance.
  • Collect and secure any partial copies of the ransomed data that may still exist.
  • If possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system.
  • Delete the Registry values and files the malware uses to load, so the program stops running at startup.
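A first-response triage script for a Windows host, added here as an example (it is not part of the original post), covering the isolation, evidence-preservation and Registry steps above. It assumes an elevated PowerShell session, an offline evidence volume mounted as E:\, and uses a placeholder value name in the final deletion step.

```powershell
# Added example: first-response triage on a Windows host suspected of
# ransomware. Run elevated. E:\ is assumed to be an offline evidence volume.

# 1. Preserve volatile evidence BEFORE isolation; network state is lost afterwards.
$Evidence = "E:\ir-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
Get-Process | Select-Object Id, ProcessName, Path |
    Export-Csv "$Evidence\processes.csv" -NoTypeInformation
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv "$Evidence\connections.csv" -NoTypeInformation

# 2. Isolate the host: disable every adapter that is currently up.
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Disable-NetAdapter -Confirm:$false

# 3. Enumerate autostart Registry values so an analyst can decide what to remove.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Autostarts = foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        $Props = Get-ItemProperty -Path $Key
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        $Names = $Props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
        foreach ($Name in $Names) {
            [pscustomobject]@{ Key = $Key; Name = $Name; Command = $Props.$Name }
        }
    }
}
$Autostarts | Export-Csv "$Evidence\autostart.csv" -NoTypeInformation
$Autostarts | Format-Table -AutoSize

# 4. Remove one reviewed entry (placeholder name). -WhatIf only shows the action;
#    drop it once the entry has been confirmed as the malware's loader.
Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'SUSPICIOUS_VALUE_NAME' -WhatIf
```

Evidence is written before the adapters are disabled because the established-connection list is the one artifact isolation destroys.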

Implement your security incident response and business continuity plan. Ideally, organizations will ensure they have appropriate backups, so their response to an attack will simply be to restore the data from a known clean backup. Having a data backup can eliminate the need to pay a ransom to recover data.

There are serious risks to consider before paying the ransom. The U.S. Government (USG) does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to consider the following factors:

  • Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
  • Some victims who paid the demand were targeted again by cyber actors.
  • After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.
  • Paying could inadvertently encourage this criminal business model.

If you are not confident in your current IT team’s ability to respond and help you recover by working through these steps or your team is too small to deal with recovery AND continue their daily responsibilities to support your network and staff, you should find an expert to help.

Let's chat about how we can help.

Call us at 636.949.8850, grab a spot on our calendar, or fill out this form and we will reach out to you.
