Does your business have a ransomware response plan in place? Unfortunately, ransomware has quickly become one of the most dangerous forms of cyberattack, making it a threat you cannot ignore.
The likelihood of your business sustaining a ransomware attack is more an issue of “when” rather than “if.” According to Statista, there were 304 million ransomware attacks worldwide in 2020, a 62% increase over the prior year. In addition, at least 75% of organizations are projected to experience one or more ransomware attacks by 2025, a sevenfold increase over 2020.
A ransomware incident response checklist helps prepare you for the possibility of a ransomware attack. In addition, it gives you a framework for what you should do before, during, and after an attack to protect yourself and your business assets.
A successful ransomware incident response plan should include the following steps:
- Post-Incident Analysis
Remember the Scout motto: Be prepared! Taking preventative measures to thwart ransomware attacks is always your best initial course of action:
- Install automatic updates and patches for your operating system, anti-virus software, and filters to keep employees away from malicious websites.
- Use email security software to prevent targeted attacks and data loss over email. Ransomware is often delivered through phishing emails. Moreover, attackers send reconnaissance emails to find out which of their target organizations are most susceptible to a ransomware attempt.
- Keep firewalls properly configured and active to protect against malware threats.
- Create network segmentations to protect critical systems, data, and personnel from threat actors. Network segmentation keeps viruses from expanding their reach to infect endpoints and servers.
- Maintain current backups of critical files, keeping RPO (recovery point objectives) and RTO (recovery time objectives) in mind.
- Train employees on how to identify phishing and ransomware attempts and where to report incidents.
- Maintain strong usage policies, including policies on passwords, BYOD (bring your own device) and MDM (mobile device management), and software restriction policies.
Is it a ransomware attempt, or isn’t it? Here are some common ways to identify whether your company has been hit with a ransomware attack:
- A user has received a message that their files have been locked or encrypted, and a ransom payment is demanded to recover them. For example, “Your computer was used to visit a website with illegal content. To unlock your computer, you must pay a $1,000 fine.”
- A user (or users) report that their files are corrupted, inaccessible, or have had unusual file extensions (e.g., .aaa, .abc, .xyz) added to them.
- A user has reported that seemingly professional emails contain attachments that don't load correctly.
- A user has noticed that an unusual amount of files have been modified quickly.
- Network monitoring has revealed high CPU usage or unusual processes running on a computer.
Follow these steps to contain the ransomware incident immediately:
- Examine the reach of the incident by noting which systems, applications, and networks were affected, then determine if the malware is spreading.
- Disconnect any infected computers from the internet to ensure the attack does not spread to other computers and systems. Then, remove the virus with anti-malware software. While removing the malware won’t decrypt your files, it will protect the rest of your network from further damage.
- Ransomware incidents always generate evidence like system images, log files, and even recoverable encryption keys. If you detect the attack quickly enough, you may be able to stop the encryption process.
Pro tip: After removing infected devices from the network, remember to change all network and account passwords. Additionally, change all system passwords once you remove the offending malware from your system.
Identifying which type of ransomware was used helps you determine its dangers and recovery options. For example, some ransomware uses encryption methods with decryption keys that are freely available on the internet.
The No More Ransom initiative is a partnership between IT security companies and law enforcement to help ransomware victims recover their data. Their website publishes free decryption tools for several common ransomware threats.
However, some ransomware threat actors have started using ‘double extortion’ techniques more recently. They not only encrypt data, but also exfiltrate the data and threaten to leak it on public sites if the ransom isn’t paid.
Remember, ransomware is a crime that you should always report to your local police department or closest FBI office. Filing a report raises awareness, documents new and developing threats, and may help others avoid similar attacks.
Note: Most security experts and law enforcement agencies do not encourage paying ransom to cybercriminals.
While there’s no guarantee you’ll regain access to your encrypted data (whether you pay the ransom or not), restoring it via your own backups is the most effective way to resume normal business operations.
There are various backup levels, but the 3-2-1 backup method is often recommended to protect your critical data. The 3-2-1 rule states that you should always have three copies of your data: two stored on different media types (like a server and an external hard drive) and one copy kept offsite.
Test your backup restoration process periodically to ensure its effectiveness.
7. Post-Incident Analysis
What happens after a ransomware attack? Understanding what happened (and how) is the best way to prevent future incidents.
- Affirm the complete restoration of backups to ensure all your sensitive data is safe.
- If the ransomware was triggered by a malicious email, consider repeating or increasing employee security training.
- Did the ransomware response plan work? What went right — or wrong? Enhance the plan and update security policies as needed.
Taking preventative measures to fend off ransomware attacks is always the best course of action. But how do you know where you stand in your preparedness response?
The Ransomware Incident Response Blueprint equips you with actionable templates and tools to protect your sensitive data from threats. It includes:
- Ready-to-use presentation templates and recovery roadmaps
- A maturity assessment tool
- Strategic guidance from Info-Tech Research Group
These resources assess your organization’s maturity for ransomware response and set people, processes, and technologies in place for when (not if) an attack happens.