How to protect your organisation after a ransomware attack

So, your computer screen has been hijacked by ransomware and the criminals behind the attack are demanding money to return your systems. Now what?

That’s a question countless organisations are asking themselves nowadays, with attacks increasing and, according to Mimecast’s The State of Email Security Report 2020, organisations suffering three days of downtime on average following a ransomware attack.

The problem often stems from a malicious attachment contained within a phishing email. If an employee opens it, the malware will spread rapidly through the organisation’s systems, locking you out of your files.

When this happens, many victims feel obliged to pay up, because it appears to be the quickest and least expensive way to get back to business as usual.

However, experts generally urge organisations not to negotiate, with increasing reports that attackers will leak sensitive data even if you pay up.

But what’s the alternative? Take a look at our seven-step guide to find out.

1) Prepare for attack: back up your data

The only way to avoid paying ransoms and avoid catastrophic delays is to make sure you have a second, uninfected copy of your sensitive information.

That way, when crooks encrypt your systems, there’s no need to worry. Let them keep the decryptor. You can just wipe those files and upload clean duplicates.

Because you are continuously creating new files and amending old ones, backups should be performed regularly.

You don’t need to do everything in one go; instead, look at each folder and determine how often substantial changes are made.

The more frequently things are added or amended, the more often you should back them up.

Once you’ve determined that, you should set up a backup schedule, saving your work on an isolated local device or in the Cloud.
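The folder-by-folder review described above can be scripted. The following is an added example, not part of the original article: it measures what share of files in each top-level folder changed in the last seven days and maps that to a backup interval. The thresholds and the function names are assumptions chosen for illustration.

```python
import os
import time
from pathlib import Path

# Assumed thresholds (not from the article): minimum share of files changed
# in the last 7 days -> suggested backup interval.
CADENCES = [(0.20, "daily"), (0.05, "weekly"), (0.0, "monthly")]

def change_rate(folder, now=None, window_days=7):
    """Return (total_files, files_changed_within_window) for a folder tree."""
    now = time.time() if now is None else now
    cutoff = now - window_days * 86400
    total = changed = 0
    for root, _dirs, files in os.walk(folder):
        for name in files:
            try:
                mtime = os.stat(os.path.join(root, name)).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            total += 1
            if mtime >= cutoff:
                changed += 1
    return total, changed

def suggest_cadence(total, changed):
    """Pick the first cadence whose threshold the change rate meets."""
    rate = changed / total if total else 0.0
    for threshold, label in CADENCES:
        if rate >= threshold:
            return label
    return "monthly"

def plan(base, now=None):
    """Map each top-level folder under base to a suggested backup cadence."""
    result = {}
    for entry in sorted(Path(base).iterdir()):
        if entry.is_dir():
            total, changed = change_rate(entry, now)
            result[entry.name] = suggest_cadence(total, changed)
    return result

if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "."
    for folder, cadence in plan(base).items():
        print(f"{folder:30} {cadence}")
```

Run it against a shared drive or a user's home directory and use the output as the starting point for the schedule; modification times only reflect recent activity, so repeat the check periodically.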

2) Be sure that it’s ransomware

Don’t assume that the person who has spotted the attack knows that it’s ransomware.

The attack method is better known than ever – thanks in part to WannaCry – but many people wouldn’t be able to identify the attack.

This means you could be wasting valuable time identifying the problem.

You can avoid this by teaching staff about ransomware and establishing a line of communication in the event of security incidents.

That way, the employee who first discovered the malware can immediately contact someone who can identify what the threat is and initiate response measures.

Looking for more ransomware tips? Alan Calder’s latest book, The Ransomware Threat Landscape, contains everything you need to know.

This book provides a simple explanation of ransomware and how it works, helping business leaders better understand the strategic risks and the measures they can implement to stay safe.

The author, Alan Calder, is IT Governance’s founder and executive chairman. He is an acknowledged international cyber security guru and a leading author on information security and IT governance issues.

3) Disconnect infected devices from the network

Now that you’re sure that you’ve been hit by ransomware, you should isolate the infection by taking affected devices offline.

This will stop the ransomware spreading, giving you partial functionality and time to implement the next steps.

4) Notify your employees

Employees will quickly notice that something is amiss.

Even if their computers haven’t been infected, they’ll see that others have and that certain systems are unavailable.

Whether or not they are aware that the disruption has been caused by ransomware, staff are liable to worry.

Is it just their team that’s affected? How are they supposed to do work? Are their bosses aware of the problem?

That’s why you should explain the situation to your employees as soon as possible.

Let them know which areas of the organisation have been infected and how you are going to manage in the meantime.

Many ransomware victims use pen and paper instead of computers where possible. If that’s possible in this situation, you should help out as much as you can.

For example, you should provide them with said pens and paper, direct them to hard copies of information they might need and bring in colleagues who can’t work to help out.

5) Photograph the ransom note

You can use this as evidence of the attack when submitting a police report.

This might seem futile – the police will almost certainly be unable to recover your data, let alone catch the crooks – but evidence of the attack is necessary for filing a cyber insurance claim.

If you don’t already have cyber insurance, it’s worth considering.

Damages associated with information security incidents generally aren’t mentioned in commercial insurance policies, meaning most providers won’t pay out if you make a claim based on, say, a business interruption.

You must therefore take out a specific cyber insurance policy if you want to protect yourself from the costs associated with cyber attacks and data breaches.

6) Find out what kind of ransomware it is

Identifying the ransomware strain used in the attack might save you a lot of time and effort.

Some strains have been cracked with decryption tools available online, and others are fakes that don’t actually encrypt data.

The ransom note might explicitly state what strain it is, but if it doesn’t, there are other clues that can help you identify it.

Try uploading the encryption file type, the way the ransom demand is phrased and the URLs within it to a website such as ID Ransomware, which can help you determine the strain you’ve been attacked with.
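Gathering those three clues by hand is error-prone under pressure. The following is an added example, not part of the original article: it collects the most common file extension in an affected folder, the opening lines of the ransom note and the URLs in it, with the URLs defanged so nobody clicks them in a report. The sample note, the function names and the assumption that most files in the folder were encrypted are all constructed for illustration.

```python
import re
from collections import Counter
from pathlib import Path

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample note for illustration; not taken from any real incident.
SAMPLE_NOTE = (
    "YOUR FILES HAVE BEEN ENCRYPTED.\n"
    "Visit http://payment.example.invalid/id=12345 for instructions.\n"
)

def defang(url):
    """Rewrite a URL so it cannot be clicked by accident in a report or email."""
    scheme, _, rest = url.partition("://")
    return scheme.lower().replace("http", "hxxp") + "://" + rest.replace(".", "[.]")

def note_urls(text):
    """Return the unique URLs in the ransom note, defanged and sorted."""
    found = {m.rstrip(".,;:!?)") for m in URL_RE.findall(text)}
    return sorted(defang(u) for u in found)

def dominant_extension(folder):
    """Return (extension, count) for the most common file extension, or None."""
    counts = Counter(
        p.suffix.lower() for p in Path(folder).rglob("*") if p.is_file() and p.suffix
    )
    return counts.most_common(1)[0] if counts else None

def collect_clues(folder, note_text):
    """Bundle the three clues the article lists into one record."""
    return {
        "file_type": dominant_extension(folder),
        "note_wording": note_text.strip().splitlines()[:5],
        "urls": note_urls(note_text),
    }

if __name__ == "__main__":
    import json
    import sys
    folder, note = sys.argv[1], Path(sys.argv[2]).read_text(errors="replace")
    print(json.dumps(collect_clues(folder, note), indent=2))
```

Run it from a clean machine against a read-only copy of the affected folder, passing the folder path and the path to the saved ransom note text.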

7) Remove the ransomware from your device

If the ransomware behind your attack has been cracked, you can use an online decryptor to remove the infection.

Similarly, if you’ve been attacked with a fake, you can simply delete the malicious file.

But what if it’s the real thing? Fortunately, that’s not much more complicated.

The safest way to remove ransomware is to restore your infected devices to factory settings.

You can do this on Windows devices by going to the update and security menu within your settings, or by holding F8 as your computer turns on until the recovery screen appears.

If the ransomware stops you from reaching recovery screens, you can use the installation disk or USB sticks on which your operating system is stored.

Be warned that this process will remove all data stored on the device, which is why it’s important to have backups.

Once your computer has been restored, you can transfer the duplicate files back onto your device.

Depending on how much data you have, this could take anywhere from a few hours to a few days – so you’re not completely out of the woods.

However, this process won’t take much longer than getting the decryptor from the fraudster and regaining access to your files.

Protect your organisation with our training course

Because the majority of ransomware attacks are delivered via phishing scams, the best way to protect your organisation is to train employees to spot scams and understand the importance of staying vigilant.

With our Ransomware Staff Awareness E-learning Course, you can provide those lessons quickly and easily. The course is designed for all employees, and covers:

  • The threats posed by a ransomware attack;
  • The main forms a ransomware attack can take and how they work; and
  • Actions that individuals and organisations can take to help protect against ransomware.

A version of this blog was originally published on 11 June 2019.
