So, you believe you’re the victim of a ransomware attack.
You’re not the only one. High-profile cases, like the Colonial Pipeline attack, are the exceptions to the rule. Most ransomware attacks occur on a smaller scale and don’t disrupt critical infrastructure.
They never make international headlines. And that’s just the way the bad guys like it.
Likewise, some ransomware attacks are more obvious than others. Everyone knew what was happening at Colonial Pipeline in real-time. But there are many events whose causes are less clear-cut, like the data incident that affected Asiaciti Trust and other firms in the fall of 2021.
It’s unlikely that that incident was the direct result of a ransomware effort, but the affected organizations nevertheless took steps to address perceived cyber vulnerabilities in its wake.
You should do the same. Here’s what needs to happen as soon as you become aware of the issue.
Do: Screenshot Or Take A Photo Of The Ransom Note
You’ll want this evidence no matter what happens. Capture the note exactly as displayed, including any victim ID, contact address and deadline it shows, and make a note of the extension appended to encrypted files: together these usually identify the ransomware family, which tells an internal or external investigator what that strain is known to do (whether it spreads on its own, whether it also steals data, and whether a working decryptor exists). Even if you don’t formally investigate, that record helps you identify those responsible, or at least figure out how to respond down the line.
Do: Isolate Affected Systems
Disconnect any system you believe to be infected from the network: pull the cable, turn off the Wi-Fi, or shut the switch port. Do not power the machine off unless you have no other way to isolate it; memory, running processes and unsaved evidence disappear on shutdown, and an investigator will want them.
Some strains encrypt only the machine they land on. Many others are deployed by an operator who already holds credentials and uses them to reach every host they can, so the infection does “go systemic”. Early on you usually can’t tell which you are facing, so treat every affected machine as a foothold and isolate it, along with any machine that shares credentials or file shares with it.
Do: Isolate Data Backups As Well
If you regularly back up data to a separate, versioned store, congratulations. You’re likely to avoid a worst-case scenario coming out of this attack. Be aware that a sync folder (a desktop client mirroring files to a cloud drive) is not a backup: it will faithfully replicate the encrypted versions unless the service keeps file history.
However, if your backup target is reachable from the compromised network with the same credentials, all that work could be for naught should the ransomware find its way to the data trove; deleting or encrypting backups before detonation is standard practice for attackers. Cut backup systems off from the main network now, and if the backup server runs under a domain account, treat that account as compromised. (And, if you’re reading this proactively, keep at least one copy offline or in immutable storage, the “3-2-1” arrangement, so that a compromise of production credentials cannot reach it.)
Do: Take Stock Of Backed-up Data (So That You Know What You Could Lose)
Next, take a detailed inventory of the data you’ve backed up. If you’ve automated this process, this exercise could be as simple as checking the backup client for the time of the most recent successful run, per system, not just the last job overall.
However you get it done, this is important because you need to know your downside risk. Anything changed since the last good backup, and any system that was never backed up, is at risk of loss. Mentally prepare to lose all of it: there’s no guarantee that a decryptor, if one turns up, will recover every file intact. And before you count on a backup, confirm it is actually readable by restoring a single file to an isolated, clean machine.
Do: Disable System Maintenance Tasks
In the midst of a ransomware attack, the boring background processes that you probably never think about can cause grave harm. Attackers routinely borrow the same mechanisms an administrator uses to push software across a network: scheduled tasks, Group Policy startup scripts, and remote management or deployment tools. A payload staged this way keeps re-launching, or lands on more machines, until the job is removed. Unless you can identify the specific strain and how it moves, which isn’t always possible early on, suspend those jobs and keep a record of what you suspended, so that any task you don’t recognise can be examined later.
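As an added example of the containment steps above (this script is not from the original article), the following PowerShell triage script first records running processes, open connections and every non-Microsoft scheduled task to an evidence folder, then, only when run with -Enforce, disables those tasks and brings the network interfaces down while leaving the host powered on. It assumes a Windows 8/Server 2012 or later host with the NetAdapter and ScheduledTasks modules, an elevated console session on the machine itself (not RDP, since the network is about to be cut), and a hypothetical evidence folder C:\IR; the -KeepAdapter parameter is for a dedicated out-of-band NIC, if you have one.

```powershell
# Added example: first-hour containment of a suspected-infected Windows host.
# Run from an elevated local console. Assumptions: NetAdapter and ScheduledTasks
# modules are available (Windows 8 / Server 2012 or later); C:\IR is a
# hypothetical evidence folder; $KeepAdapter names a NIC to leave up, if any.
param(
    [string]$EvidenceDir = 'C:\IR',
    [string[]]$KeepAdapter = @(),   # adapter names to leave up (e.g. an out-of-band management NIC)
    [switch]$Enforce                # without -Enforce the script only records and reports
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Preserve volatile context before anything is disabled: what is running
#    and which network connections are established right now.
Get-Process | Select-Object Id, ProcessName, Path |
    Export-Csv (Join-Path $EvidenceDir "processes-$stamp.csv") -NoTypeInformation
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv (Join-Path $EvidenceDir "connections-$stamp.csv") -NoTypeInformation

# 2. Enumerate every enabled task outside the \Microsoft\ tree. Attacker-created
#    persistence and deployment jobs almost always live outside that path.
$tasks = Get-ScheduledTask | Where-Object {
    $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled'
}
$report = foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    foreach ($a in $t.Actions) {
        [pscustomobject]@{
            TaskPath  = $t.TaskPath
            TaskName  = $t.TaskName
            Author    = $t.Author
            Execute   = $a.Execute          # binary or script the task launches
            Arguments = $a.Arguments
            LastRun   = $info.LastRunTime
            NextRun   = $info.NextRunTime
        }
    }
}
$report | Export-Csv (Join-Path $EvidenceDir "tasks-$stamp.csv") -NoTypeInformation
$report | Format-Table -AutoSize

if ($Enforce) {
    # 3. Disable (never delete) the tasks: the task definitions stay on disk
    #    for the investigator and the CSV above records what was touched.
    $tasks | Disable-ScheduledTask | Out-Null

    # 4. Cut the network last, so steps 1-3 could still use any remote logging,
    #    and leave the host powered on to preserve memory and running processes.
    Get-NetAdapter |
        Where-Object { $_.Status -eq 'Up' -and $_.Name -notin $KeepAdapter } |
        Disable-NetAdapter -Confirm:$false
}
```

Run it once without -Enforce and read tasks-*.csv: tasks whose Execute points into a user profile or temp directory, or whose NextRun is minutes away, are the ones to look at first. Then run it with -Enforce. Everything it disables can be re-enabled later with Enable-ScheduledTask and Enable-NetAdapter, which is why disabling, rather than deleting, is the right move while evidence is still being gathered.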
Do: Reset Passwords And PINs for Affected Devices And Accounts
There’s not a moment to waste, but do it in the right order and from a machine you trust. Start with administrative, service and remote-access accounts, the ones an attacker uses to spread, then the accounts of users on affected devices. Any password typed on a machine that might still be compromised should be treated as stolen again. If there is any sign the domain controllers were reached, plan a reset of the KRBTGT account as well; Microsoft’s guidance is to reset it twice, with a wait between the two resets.
Don’t: Immediately Attempt To Restore Your Data
If you start restoring data before the attack is contained, the restored copies can be encrypted all over again, perhaps for good this time, because the attacker may still have a foothold or the malware may still be scheduled to run. Wait until an investigator has confirmed that the entry point is closed and the affected systems are clean or rebuilt.
Don’t: Pay The Ransom Before Taking Stock Of Potential Losses
Law enforcement agencies generally recommend not paying ransomware ransoms, according to Gartner, and the reasons are practical as well as moral. As the saying goes, there’s no honor among thieves: you can’t be sure the attacker will hold up their end of the bargain, the decryptor you receive may be slow, buggy or incomplete, and if data was also stolen, payment buys only a promise not to publish it. In some jurisdictions a payment to a sanctioned group is itself unlawful, which is one more reason to involve counsel before deciding.
Don’t: Publicly Disclose That the Attack Occurred Until You Have More Information
The lessons of data incidents like the one faced by Asiaciti Trust are clear: don’t go public until you know what happened and what you can disclose safely. That applies to public statements, not to notification duties. Contracts, insurers and regulators (data-protection law in many jurisdictions sets a notification clock measured in days) may require confidential notice long before you understand the full picture, so get counsel involved on day one. If you must, inform directly affected stakeholders privately.
Stay The Course — And Plan For The Worst
No one wants to contemplate a ransomware attack. Unfortunately, your organization is more vulnerable to one than you probably realize.
Even as you keep up with business as usual, it’s prudent to prepare for anything but.