How to handle a ransomware attack

So, your computer screen has been hijacked by criminals who are demanding money to return your systems. Now what?

That’s a question more organisations are having to ask themselves nowadays, with at least 55 ransomware attacks reported in the first half of 2019.

Many victims feel forced to pay up, because it’s the quickest and least expensive way to get back to business as usual. However, experts generally urge organisations not to negotiate, because ransom payments help fuel the cyber crime industry.

But what’s the alternative? Take a look at our seven-step guide to find out.

1. Prepare for an attack by backing up your data

The only way to avoid paying ransoms and avoid catastrophic delays is to make sure you have a second, uninfected copy of your sensitive information. That way, when crooks encrypt your systems, there’s no need to worry. Let them keep the decryptor. You can just wipe those files and upload clean duplicates.

Because you are continuously creating new files and amending old ones, backups should be performed regularly.

You don’t need to do everything in one go; instead, look at each folder and determine how often substantial changes are made. The more frequently things are added or amended, the more often you should back them up.

Once you’ve determined that, you should set up a backup schedule, saving your work on an isolated local device or in the Cloud.
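As an added example (not code from the original post), the script below turns that advice into something you can run: it tiers each top-level folder by how much of its content changed in the last week, copies the live tree to a backup target that stands in for an isolated drive or cloud bucket, writes a SHA-256 manifest beside the copy, and re-verifies the copy against that manifest. The tier thresholds, the seven-day window and the sample file tree are assumptions made for this illustration.

```python
"""Tiered backup with an integrity manifest (added example, assumptions noted inline)."""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

WINDOW_SECONDS = 7 * 24 * 3600  # assumed look-back window for "recently changed"


def change_ratio(folder: Path, now=None) -> float:
    """Fraction of files under `folder` modified inside the look-back window."""
    now = time.time() if now is None else now
    files = [p for p in folder.rglob("*") if p.is_file()]
    if not files:
        return 0.0
    recent = sum(1 for p in files if now - p.stat().st_mtime < WINDOW_SECONDS)
    return recent / len(files)


def backup_tier(ratio: float) -> str:
    """Map change frequency to a schedule; the thresholds are an assumption."""
    if ratio >= 0.5:
        return "hourly"
    if ratio > 0.0:
        return "daily"
    return "weekly"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_folder(src: Path, dest: Path) -> dict:
    """Copy `src` into `dest`; return and persist {relative_path: sha256}."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_of(p)
    (dest / "MANIFEST.sha256").write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items()))
    return manifest


def verify_backup(dest: Path) -> list:
    """Return paths whose current hash differs from the manifest.

    An empty list means the copy is intact. A non-empty list after an incident
    means the backup itself was touched and must not be trusted for a restore.
    """
    bad = []
    for line in (dest / "MANIFEST.sha256").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        f = dest / rel
        if not f.is_file() or sha256_of(f) != digest:
            bad.append(rel)
    return bad


def demo() -> dict:
    """Constructed tree: tier it, back it up, tamper with the copy, re-verify."""
    root = Path(tempfile.mkdtemp())
    src, dest = root / "live", root / "backup"
    (src / "finance").mkdir(parents=True)
    (src / "archive").mkdir(parents=True)
    (src / "finance" / "ledger.csv").write_text("constructed sample data\n")
    old = src / "archive" / "2015-report.txt"
    old.write_text("constructed old report\n")
    stale = time.time() - 365 * 24 * 3600  # push mtime back a year: unchanged
    os.utime(old, (stale, stale))

    tiers = {d.name: backup_tier(change_ratio(d)) for d in src.iterdir()}
    manifest = backup_folder(src, dest)
    clean = verify_backup(dest)
    # Simulate a backup file encrypted in place and confirm it is detected.
    (dest / "finance" / "ledger.csv").write_bytes(b"\x00encrypted-by-test")
    tampered = verify_backup(dest)
    shutil.rmtree(root)
    return {"tiers": tiers, "files": len(manifest), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The manifest is the part worth keeping: a backup that ransomware could reach and overwrite is no backup at all, so run `verify_backup` against the copy before relying on it, and keep the target somewhere the infected machines cannot write to.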

2. Identify that the attack is ransomware

Don’t assume that the person who has spotted the attack knows that it’s ransomware.

The attack method is better known than ever – thanks in part to WannaCry – but many people still wouldn’t be able to identify it. This means you could waste valuable time working out what the problem is.

You can avoid this by teaching staff about ransomware and establishing a line of communication in the event of security incidents. That way, the employee who first discovered the malware can immediately contact someone who can identify what the threat is and initiate response measures.

3. Disconnect infected devices from the network

Now that you’re sure that you’ve been hit by ransomware, you should isolate the infection by taking affected devices offline.

This will stop the ransomware spreading, giving you partial functionality and time to implement the next steps.

4. Notify your employees

Employees will quickly notice that something is amiss. Even if their computers haven’t been infected, they’ll see that others have and that certain systems are unavailable.

Whether or not they are aware that the disruption has been caused by ransomware, staff are liable to worry. Is it just their team that’s affected? How are they supposed to do work? Are their bosses aware of the problem?

That’s why you should explain the situation to your employees as soon as possible. Let them know which areas of the organisation have been infected and how you are going to manage in the meantime.

Many ransomware victims use pen and paper instead of computers where possible. If that’s an option in your situation, help staff as much as you can: provide the pens and paper, direct them to hard copies of the information they might need, and bring in colleagues who can’t otherwise work to help out.

5. Photograph the ransom note

You can use this as evidence of the attack when submitting a police report.

This might seem futile – the police will almost certainly be unable to recover your data, let alone catch the crooks – but evidence of the attack is necessary for filing a cyber insurance claim.

If you don’t already have cyber insurance, it’s worth considering. Damages associated with information security incidents generally aren’t mentioned in commercial insurance policies, meaning most providers won’t pay out if you make a claim based on, say, a business interruption.

You must therefore take out a specific cyber insurance policy if you want to protect yourself from the costs associated with cyber attacks and data breaches.

6. Find out what kind of ransomware it is

Identifying the ransomware strain used in the attack might save you a lot of time and effort. Some strains have been cracked with decryption tools available online, and others are fakes that don’t actually encrypt data.

The ransom note might explicitly state what strain it is, but if it doesn’t, there are other clues that can help you identify it. Try submitting the extension added to the encrypted files, the way the ransom demand is phrased and the URLs within it to a website such as ID Ransomware, which can help you determine the strain you’ve been attacked with.
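The following script is an added example, not code from the original post or from ID Ransomware: it does a read-only walk of a directory and gathers exactly the clues named above (the extension appended to encrypted files, candidate ransom notes, the note’s opening text and any URLs in it) so they can be submitted to an identification service. The note file-name hints, the URL pattern and the sample tree are assumptions; no strain signatures are included, because identification is the service’s job, not this script’s.

```python
"""Read-only ransomware triage helper (added example; heuristics are assumptions)."""
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed, illustrative only: ransom notes are often small text/HTML files
# whose names refer to decryption or recovery.
NOTE_NAME_HINTS = ("readme", "decrypt", "recover", "restore", "how_to", "help")
NOTE_SUFFIXES = (".txt", ".html", ".hta")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+|\b[a-z2-7]{16,}\.onion\b", re.I)


def looks_like_note(path: Path) -> bool:
    name = path.name.lower()
    return path.suffix.lower() in NOTE_SUFFIXES and any(h in name for h in NOTE_NAME_HINTS)


def triage(root: Path, top_n: int = 3) -> dict:
    """Collect appended extensions, note files, note excerpts and URLs under `root`."""
    appended = Counter()  # final suffix of files that carry a double extension
    notes = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if looks_like_note(p):
            notes.append(p)
        elif len(p.suffixes) >= 2:
            appended[p.suffixes[-1].lower()] += 1
    urls, excerpts = set(), {}
    for n in notes:
        text = n.read_text(errors="replace")
        urls.update(m.group(0) for m in URL_RE.finditer(text))
        excerpts[n.relative_to(root).as_posix()] = " ".join(text.split())[:200]
    return {
        "appended_extensions": appended.most_common(top_n),
        "notes": sorted(excerpts),
        "excerpts": excerpts,
        "urls": sorted(urls),
    }


def demo() -> dict:
    """Constructed sample tree standing in for an affected share."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    for name in ("q1.xlsx", "plan.docx", "logo.png"):
        # ".lockedexample" is a placeholder extension, not a real strain's
        (root / "docs" / f"{name}.lockedexample").write_bytes(b"\x00constructed ciphertext")
    (root / "docs" / "notes.txt").write_text("untouched constructed file\n")
    (root / "docs" / "README_TO_DECRYPT.txt").write_text(
        "All your files are encrypted. Visit http://example.invalid/pay to recover.\n")
    result = triage(root)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a copy of the affected share rather than the live disk, and treat the output as a triage summary: legitimate double extensions such as `.tar.gz` will also appear in the count, so it is the extension that dominates across many unrelated file types that points at the ransomware.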

7. Remove the ransomware from your device

If the ransomware behind your attack has been cracked, you can use an online decryptor to remove the infection. Similarly, if you’ve been attacked with a fake, you can simply delete the malicious file.

But what if it’s the real thing?

Fortunately, that’s not much more complicated. The safest way to remove ransomware is to restore your infected devices to factory settings. You can do this on Windows devices by going to the update and security menu within your settings, or by holding F8 as your computer turns on until the recovery screen appears.

If the ransomware stops you from reaching recovery screens, you can use the installation disk or USB sticks on which your operating system is stored.

Be warned that this process will remove all data stored on the device, which is why it’s important to have backups.

Once your computer has been restored, you can transfer the duplicate files back onto your device. Depending on how much data you have, this could take anywhere from a few hours to a few days – so you’re not completely out of the woods.

However, this process won’t take much longer than getting the decryptor from the fraudster and regaining access to your files.

What should you do when you’re under attack? 

When your defences fail and your organisation is compromised, every second counts. You must respond quickly and follow a systematic, structured approach to the recovery process.

That is, of course, easier said than done, particularly if you don’t have a cyber security expert onboard. Fortunately, IT Governance is here to help.

With our cyber security incident response service, expert consultants will guide you through the recovery process, from identifying the source of the breach and how to stem the damage to notifying the appropriate people and returning to business as usual.

Win the war on cyber crime

You can find out more about the steps you should take to defend yourself from cyber attacks by enlisting in Operation Cyber Secure.

This five-week boot camp drills you on the ways you can prepare for and respond to ransomware, phishing, insider threats and a variety of other security incidents.

By signing up, you’ll receive a free copy of the Cyber Security Combat Plan, which outlines the defence measures you should take to protect your organisation from cyber attacks.

You’ll also receive weekly emails that provide more information on the direction you should take to meet those steps.
