When your business is hit with ransomware, the clock starts ticking. You have very limited time to act before the damage becomes irreparable. While it may be tempting to pay the ransom and hope for the best, this is almost never a good idea. Instead, you need to immediately take the following steps to minimize the damage and begin the recovery process.
1. Don't panic
When your systems become compromised, it's essential to stay calm so you can think clearly. Ransomware can be a daunting adversary, but if you keep a level head, you'll be better able to make the right decisions and take the necessary actions to recover.
2. Report the attack and inform users and customers
You need to report the attack to the concerned authorities right away. This will help them track down the perpetrators and prevent other businesses from suffering the same fate. Take a photo of the ransom note or screengrab the encryption message and include it in your report.
It's also important to inform your users and customers about the attack as soon as possible. This will help them take steps to protect themselves and their data, as well as give you a chance to gauge the extent of the damage.
3. Isolate affected systems
The first step in containment is to isolate any systems that have been infected. This will stop the ransomware from spreading further and infecting other systems. If possible, disconnect the affected system from your network entirely.
4. Disconnect backups
To thwart recovery attempts, most modern ransomware strains are sophisticated enough to infect your backups too. This is why it's crucial to disconnect any backup drives or systems as soon as you've isolated the affected system.
5. Disable all maintenance tasks
Automated maintenance tasks, like temporary file removal and disk cleanup, can interfere with files that may be needed for investigation or recovery. Make sure to disable all such tasks on the affected system to avoid accidentally deleting critical files.
6. Determine and investigate the source of the infection
Once you've stopped the spread of the ransomware, start investigating how it got there in the first place. Understanding how the attackers gained access to your systems will help you close the security holes that they exploited and prevent future attacks.
7. Identify the ransomware strain before removing it
To determine which decryption tool you'll need to recover your files, you'll need to identify the ransomware strain. There are a number of online resources that can help with this, such as ID Ransomware and No More Ransom. These services allow you to upload a sample of the encrypted files or the ransom note to identify the ransomware.
8. Recover files
If you're lucky, you may be able to avoid paying the ransom and still recover your files. Some strains of ransomware can be decrypted for free using publicly available tools. Others may have flaws that allow security researchers to develop decryption tools.
If you can't decrypt your files, your only option is to restore from clean backups. This is why it's so important to have regularly updated off-site backups that can't be infected by ransomware.
9. Reset passwords
After you've cleaned up the ransomware and restored your systems, it's time to reset all of your passwords. This includes not only user passwords, but also those for administrator or service accounts. Be sure to use strong, unique passwords for all accounts to make it harder for attackers to gain access in the future.
10. Conduct a post-breach assessment and audit
Once you've dealt with the immediate aftermath of the attack, it's important to conduct a post-breach assessment to understand what went wrong and how you can prevent a similar incident from happening again. The assessment should include an audit of your security controls as well as a review of your incident response procedures.
Taking these steps after a ransomware attack will help you mitigate the potentially devastating consequences of an infection. But if you really want to avoid the headache of dealing with ransomware, the best defense is to invest in prevention.
Leveraging NetQuest's cybersecurity services can help you proactively defend against ransomware and other similar threats. Our team of experts will assess your risks, implement security controls, and monitor your systems to help keep your business safe. Get in touch with us today to learn more.