Ransomware attacks are incredibly prevalent – and can also be very damaging. Successful attacks occur all the time – this year alone, a major infrastructure company in the US was hit with an attack that came with a US$ 4.4m demand for ransom. Closer to home, Doncaster-based One Call Insurance found itself unable to service customer requests after a computer system blackout due to ransomware.
As a business, you need to invest in internet security to protect your systems against ransomware – but at the same time, also assume the worst-case scenario: that a successful attack can occur. Responding rapidly and effectively is critical – the better your response, the lower the cumulative cost of the ransomware attack – and the less disruption your clients or customers will experience.
Assess the situation
A ransomware attack is a high-pressure cyber security situation. The very first step to recovery is to take a step back and truly assess the situation. Which systems or data are compromised? What are the risks of losing the associated data?
Consider how long it will take to restore your systems to normality and get an understanding of the associated disruption. Based on your assessment, develop an action plan – including remedial measures, alongside the necessary reporting that keeps all stakeholders abreast of what happened.
Isolate critical systems
As part of the assessment process, you need to determine which business-critical systems have been affected – and isolate these systems from the public internet and from the rest of your network. It’s a key step to limit attack progression.
It’s easy to assume that an attack is complete, but you don’t know whether a ransomware attacker has fully infiltrated your network, and rapid isolation allows you to contain the attack quickly. It may mean simply disconnecting a system from the network, blocking all logins – or indeed powering off a system altogether.
Report the attack
It’s tempting to hide a ransomware attack because you fear the reputational damage, but the faster your company is honest about the internet security incident – and the risks it poses to stakeholders – the better. Yes, there will be a hit on your reputation, but a lack of transparency will be even more costly.
Furthermore, your industry’s regulatory and compliance regime may oblige you to report a ransomware attack and to notify those affected – under GDPR, for example. If you don’t report the situation promptly, you could be fined heavily. It’s also worth talking to law enforcement agencies, who may be able to offer you critical help – but only if you report the attack.
Kick-off your business continuity plan
Ransomware is a cyber security attack that inevitably leads to disruption – there’s simply no two ways about it. That’s where your business continuity plans come into play. With a step-by-step plan prepared in advance, you’ll know how to recover essential system functionality amidst the chaos.
Your continuity plan will outline how you can restore the most critical systems – and what systems you can rely on as a backup while you wait to restore full functionality. It provides an essential bridge between service disruption and eventual full recovery.
Work to restore your backups
While in some cases you may be able to recover the data captured by a ransomware attacker, there is, in reality, no assurance that your data will be returned even if you pay the ransom. That’s why you need a backup strategy that you can rely on when your internet security fails.
After the attack you need to start restoring from backup as fast as possible – a full backup restore can be time-consuming, so any delay in getting your backups restored sets back the whole recovery process. Once restored, you need to double-check that nothing critical has gone missing between the restoration of the backup – and the
Remediate your technology risks
A ransomware attack is one of those cyber security risks that are sometimes essentially unpreventable, but many attacks could have been prevented had your organization taken the right preventative measures. As an obvious point, patch or close the entry point that resulted in the original attack – ensuring you don’t get hit twice on the same spot. However, you also need to make a full cybersecurity assessment – not only may the original attacker decide to strike again, but you will want to minimize the chance that any future attacker has an opportunity for success.
The aftermath of a ransomware attack is also a good time to push your colleagues to take security more seriously – after all, the evidence of an attack is right in front of them. Use the opportunity to enforce stronger passwords and multi-factor authentication, and to educate users on how to avoid phishing scams – a common entry point for ransomware.
Assess your post-ransomware situation
After the crisis, it’s worth checking that you’ve fully restored operations to normal functionality. While you will already have communicated key details to your stakeholders – including customers, shareholders and regulatory bodies – you may well want to send a post-attack summary detailing your final assessment of the risks created by the ransomware attack.
It is also an opportunity to think about what you can do better. Is it worth rethinking your business continuity plan, for example? Are there aspects of your data protection strategy that need a review? While your business should already be prepared for a ransomware attack, a post-attack review will nonetheless provide the opportunity to identify improvements to your ransomware strategy.