A Ransomware Incident Response Guide for Your Business

Written by Lauryn Cash

Does your business have a ransomware response plan in place? Unfortunately, ransomware has quickly become one of the most dangerous forms of cyberattack, making it a threat you cannot ignore.

The likelihood of your business sustaining a ransomware attack is more an issue of “when” rather than “if.” According to Statista, there were 304 million ransomware attacks worldwide in 2020, a 62% increase over the prior year. In addition, 75% of organizations are projected to experience one or more ransomware attacks by 2025, a sevenfold increase over 2020.


Why You Need a Ransomware Response Guide

Employee training and security software are the most commonly implemented ransomware solutions. Having a ransomware incident response checklist in place provides an additional security layer that helps prepare you for the possibility of a ransomware attack.

A checklist provides a framework for what to do before, during, and after an attack to protect yourself and your business assets.

A successful ransomware incident response plan should include the following steps:

  1. Preparation
  2. Validation
  3. Containment
  4. Investigation
  5. Reporting
  6. Restoration
  7. Post-Incident Analysis

1. Preparation

Remember the Scout motto: Be prepared! Taking preventative measures to thwart ransomware attacks is always your best initial course of action:

  • Enable automatic updates and patches for your operating system and anti-virus software, and use web filters to keep employees away from malicious websites.
  • Use email security software to prevent targeted attacks and data loss over email. Ransomware is often delivered through phishing emails. Moreover, attackers send reconnaissance emails to find out which of their target organizations are most susceptible to a ransomware attempt.
  • Keep firewalls properly configured and active to protect against malware threats.
  • Segment your network to protect critical systems, data, and personnel from threat actors. Network segmentation keeps ransomware from expanding its reach to infect additional endpoints and servers.
  • Maintain current backups of critical files, keeping RPO (recovery point objectives) and RTO (recovery time objectives) in mind.
  • Train employees on how to identify phishing and ransomware attempts and where to report incidents.
  • Maintain strong usage policies, including policies on passwords, BYOD (bring your own device) and MDM (mobile device management), and software restriction policies.


2. Validation

Is it a ransomware attempt, or isn’t it? Here are some common ways to identify whether your company has been hit with a ransomware attack:

  • Users have received messages that their files have been locked or encrypted, and a ransom payment is demanded to recover them. For example, “Your computer was used to visit a website with illegal content. To unlock your computer, you must pay a $1,000 fine.”
  • A user (or users) reports that their files are corrupted, inaccessible, or have had unusual file extensions (e.g., .aaa, .abc, .xyz) appended to them.
  • A user has reported that seemingly professional emails contain attachments that don't load correctly.
  • A user has noticed that an unusually large number of files have been modified in a short time.
  • Network monitoring has revealed high CPU usage or unusual processes running on a computer.
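The last three indicators above (appended extensions, a burst of modifications, and a dropped ransom note) can be checked automatically against file-server audit logs. The script below is an added example, not Armorblox's code or a tool the article describes; the log line format, the list of "known" extensions, the ransom-note filenames, and the burst threshold are all assumptions to be tuned for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import os

# Extensions your file shares normally hold (assumption; tune per environment)
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".png", ".jpg", ".pptx"}
# Filenames that commonly accompany a ransom demand (assumption; extend as needed)
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.html"}
BURST_WINDOW = timedelta(seconds=60)   # sliding window for the "many files quickly" check
BURST_THRESHOLD = 20                   # modifications per host inside the window (assumption)


def parse_event(line):
    """Parse one constructed audit line:
    '2024-05-01T10:00:00 host=ws12 user=alice action=rename path=/shares/x.docx.xyz'"""
    ts, rest = line.split(" ", 1)
    head, path = rest.split(" path=", 1)      # path is always the last field
    fields = dict(kv.split("=", 1) for kv in head.split(" ") if "=" in kv)
    fields["path"] = path
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def analyze(lines):
    """Return {host: [finding, ...]} for hosts showing ransomware-like file activity."""
    findings = defaultdict(list)
    stamps_by_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        host = ev["host"]
        name = os.path.basename(ev["path"]).lower()
        stem, ext = os.path.splitext(name)
        _, inner_ext = os.path.splitext(stem)
        # Indicator 1: a ransom note written where user files live
        if name in RANSOM_NOTE_NAMES:
            findings[host].append(f"ransom note written: {ev['path']}")
        if ev["action"] in ("modify", "rename"):
            # Indicator 2: an unknown extension appended on top of a known one
            if ext not in KNOWN_EXTENSIONS and inner_ext in KNOWN_EXTENSIONS:
                findings[host].append(f"unknown extension appended: {ev['path']}")
            stamps_by_host[host].append(ev["ts"])
    # Indicator 3: a burst of modifications within BURST_WINDOW on one host
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings[host].append(
                    f"{end - start + 1} modifications within {BURST_WINDOW.seconds}s")
                break
    return dict(findings)


def _constructed_sample():
    """Constructed audit lines: one host renaming 25 documents in 25 seconds and
    dropping a note, one host doing ordinary edits."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(25):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} host=ws12 user=alice action=rename path=/shares/finance/report{i}.docx.xyz")
    t = (base + timedelta(seconds=26)).isoformat()
    lines.append(f"{t} host=ws12 user=alice action=create path=/shares/finance/README.txt")
    for i in range(3):
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} host=ws07 user=bob action=modify path=/shares/hr/policy{i}.docx")
    return lines


SAMPLE_LINES = _constructed_sample()

if __name__ == "__main__":
    for host, items in analyze(SAMPLE_LINES).items():
        print(host)
        for item in items:
            print("  -", item)
```

Run on the constructed sample, only host ws12 is flagged, with all three indicators. The burst check is a sliding window rather than a per-minute bucket so that activity straddling a minute boundary is not missed; the double-extension check deliberately ignores files whose final extension is already known, which keeps ordinary saves of .docx or .pdf files out of the findings.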

3. Containment

Follow these steps to contain the ransomware incident immediately:

  • Examine the incident’s reach by noting which systems, applications, and networks were affected, then determine if the malware is spreading.
  • Disconnect any infected computers from the network (including the internet) to ensure the attack doesn’t spread to other computers and systems. Then remove the malware with anti-malware software. While removing the malware won’t decrypt your files, it will protect the rest of your network from further damage.
  • Preserve evidence such as system images, log files, and any recoverable encryption keys; ransomware incidents generate all three. If you detect the attack quickly enough, you may be able to stop the encryption process before it completes.

Pro tip: After removing infected devices from the network, remember to change all network and account passwords. Additionally, change all system passwords once you remove the offending malware from your system.

4. Investigation

Identifying which type of ransomware was used helps you determine its dangers and recovery options. For example, some ransomware uses encryption methods with decryption keys that are freely available on the internet.

The No More Ransom initiative is a partnership between IT security companies and law enforcement to help ransomware victims recover their data. Their website publishes free decryption tools for several common ransomware threats.

However, some ransomware threat actors have recently started using "double extortion" techniques. They not only encrypt data but also exfiltrate it and threaten to leak it on public sites if the ransom isn’t paid.

5. Reporting

Remember, ransomware is a crime. You should document the incident and report it to your closest FBI office. Filing a ransomware complaint with the FBI’s Internet Crime Complaint Center (IC3) raises awareness, documents new and developing threats, and may help others avoid similar attacks.

Note: Most security experts and law enforcement agencies do not encourage paying the ransom to cybercriminals.

6. Restoration

While there’s no guarantee you’ll regain access to your encrypted data – whether you make ransom payments or not – restoring it via your own backups is the most effective way to resume normal business operations.

There are various backup levels, but the 3-2-1 backup method is often recommended to protect your critical data. The 3-2-1 rule states:

  • You should always have three copies of your data
  • Two copies are stored on different media types (like a server and an external hard drive)
  • One copy is kept offsite

Test your backup restoration process periodically to ensure its effectiveness.
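A restore test is only meaningful if you can tell whether the restored files are the ones you backed up. The following is an added example, not Armorblox's code or a procedure the article prescribes: it records a SHA-256 manifest at backup time and then compares a restored tree against it, reporting files that came back missing or altered. The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256, taken at backup time.
    Store this manifest with the backup but outside the live network."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest; anything not 'ok' means the
    backup or the restore procedure cannot be relied on."""
    report = {"ok": [], "missing": [], "mismatched": []}
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["mismatched"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed scenario: back up three files, then simulate a restore that
    silently lost one file and returned another one corrupted."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "live")
        restored = os.path.join(work, "restored")
        os.makedirs(os.path.join(src, "finance"))
        samples = {
            os.path.join("finance", "q2.xlsx"): b"constructed spreadsheet bytes",
            "notes.txt": b"constructed meeting notes",
            "policy.docx": b"constructed policy document",
        }
        for rel, data in samples.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)          # taken when the backup is made
        shutil.copytree(src, restored)          # stands in for the restore job
        os.remove(os.path.join(restored, "finance", "q2.xlsx"))   # lost in restore
        with open(os.path.join(restored, "notes.txt"), "ab") as f:
            f.write(b"\x00")                    # came back altered
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

In practice you would run `build_manifest` as part of the backup job, keep the manifest with the offsite copy, and run `verify_restore` against each periodic test restore; a non-empty `missing` or `mismatched` list is the signal that the RTO and RPO you planned for cannot actually be met.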

7. Post-Incident Analysis

What happens after a ransomware attack? Understanding what happened (and how) is the best way to prevent future incidents.

  • Affirm the complete restoration of backups to ensure all your sensitive data is safe.
  • If the ransomware was triggered by a malicious email, consider repeating or increasing employee security awareness training.
  • Did the ransomware response plan work? What went right — or wrong? Enhance the plan and update security policies as needed.

Avoid Ransomware Attacks With Armorblox

Taking preventative measures to fend off ransomware attacks is always the best course of action.

Ransomware is a significant concern for companies worldwide. Hackers can target your network or personal data from anywhere, threatening your financial security and exposing confidential information.

Armorblox detects and prevents Business Email Compromise (BEC), phishing, ransomware, and other cyberattacks. Your business, your employees, and your customers deserve the utmost protection.

