Getting hit with ransomware can be scary for any business, and it can be tough to know exactly what to do in the immediate aftermath. Hopefully, your organization has taken the time to form a ransomware response plan. If your organization hasn’t, here are some things to think about.
1. Don’t Pay the Ransom
After a ransomware attack happens, the first instinct for many is to pay the ransom, especially if the amount demanded is relatively low. However, paying a ransom is usually the worst thing that you can do.
Besides being illegal in some localities, paying the ransom helps to fund future ransomware attacks and embolden the attackers.
It is also worth noting that paying the ransom is not the quick and easy fix that it might appear to be. In many cases, once a ransom is paid, the attacker will demand additional money. At that point, the attacker knows you are financially invested in getting your data back and will likely pay a second ransom demand rather than cut your losses.
Additionally, there is no guarantee that the attacker will give you back your data. The internet is full of horror stories about people who paid a ransom demand and still suffered data loss.
2. Contain the Damage
After getting hit, the first step of a ransomware response plan should be to stop the bleeding.
It’s important to shut down any affected systems and remove those systems from your network. Otherwise, the attacker may try to inflict additional harm.
3. Consider Your Obligations
Laws pertaining to ransomware attacks can vary widely based on locality and industry. That being the case, you should determine whether you have any legal obligation to perform specific actions in the wake of the attack. For example, an organization can be legally required to inform both its customers and regulators of the attack. Likewise, laws in some localities require ransomware victims to report attacks to law enforcement.
If your organization is not legally required to disclose ransomware attacks, it’s worth carefully considering whether it is in the organization’s best interest to hide the incident. If customer data was potentially exposed, it’s probably best to acknowledge the attack. Even though such an admission will undoubtedly lead to some bad press and lost revenues, a coverup could do far more damage if it is ever exposed.
4. Perform a Thorough Forensic Analysis
A ransomware response plan should also include a detailed forensic analysis. Such an analysis seeks to answer several important questions.
Questions should include the following:
- How did the attack happen?
- Which systems have been compromised?
- What data has been exposed?
It is impossible to recover from a ransomware attack until you know how the attack happened and which systems were impacted.
5. Do Not Attempt to Fix the Damage
While it might seem a bit counterintuitive, you should resist trying to fix the systems affected by the attack. Those systems could still contain software that was planted during the ransomware attack, which would allow an attacker to launch subsequent attacks.
It’s best to completely reimage such systems and to apply any necessary security fixes before bringing those systems back online.
6. Perform an Active Directory Audit
Another key step of a ransomware response plan is to perform a full audit of your Active Directory environment. This audit should review the log file entries over at least the last year with the goal of identifying any suspicious activity or any accounts that should not exist (especially privileged accounts).
Such a review should focus on more than just user accounts. Computer accounts should also be examined, as should other Active Directory objects, including service accounts, group memberships, and group policy objects. The idea is to verify that the attackers have not tampered with the Active Directory and identify weaknesses that could be exploited in the future.
7. Assess the State of Your Backups
Conventional wisdom has long held that the best way to recover from a ransomware attack is to restore a backup. However, immediately restoring a backup could lead to future problems.
It’s best to first restore backups to a sandboxed environment so that the backups can be examined. After all, you don’t want to accidentally reintroduce anything harmful into your environment (e.g., restoring a backup that just happened to include malicious files).
8. Don’t Go It Alone
One last bit of advice for what to do after a ransomware attack: Unless your organization employs IT pros with specialized skillsets, avoid trying to do all the post-attack forensic analysis and cleanup on your own.
Even though I am a big believer in doing things yourself, there is a time and a place for everything. If an organization has suffered a ransomware attack and lacks the skills to effectively deal with the aftermath, it’s time to bring in a security consulting firm.
In this video, Omdia security analyst Tanner Johnson explains the three pillars of data security.