How to Respond to a Ransomware Attack

How to Respond to a Ransomware Attack
Home » Blog » How to Respond to a Ransomware Attack

Ransomware attacks are malware attacks that block access to data or threaten to publish sensitive consumer data until you pay a fee or ransom. A ransomware attack encrypts data and information and blocks access to sensitive and critical information until you fulfill certain conditions or obligations by paying money to the attackers or perpetrators.

Knowing how to protect yourself against ransomware attacks is critical because ransomware continues to disrupt critical business operations globally, with a 90% increase in incident attacks in the last six months.

To make ransomware attacks worse, attackers use the Triple Extortion technique, whereby they steal sensitive information before initiating the attack and then threaten to release or publish this information if victims fail to pay a ransom.

Preventing many ransomware attacks is challenging, primarily because attackers will target unsuspecting employees using phishing attempts.

So, what can organizations do if they realize they’re targets or victims of ransomware attacks?

Well, let’s discuss some steps on how to respond to a ransomware attack:

Isolate the infected system

The ransomware software works by sniffing your network to identify all vulnerabilities before laterally propagating and infecting all unprotected or vulnerable systems, networks, and infrastructure.

So, it’s advisable to isolate the infected system(s) or network as soon as possible.

Secure your back-ups

Back-ups can equally be affected by ransomware attacks even though they play a critical role in remediation efforts. Many modern ransomware attacks will especially target data back-ups. They will try to delete back-ups, override them, or corrupt these back-ups to thwart recovery efforts.

Organizations must disconnect their back-ups from infected servers and networks – and completely lockdown access to back-ups until the infection is restored in case of a ransomware attack.

Disable maintenance tasks

In addition to securing back-ups, organizations must disable automated maintenance tasks since some files in these tasks can interfere with information and documentation that may be critical for investigators and forensics.

For instance, file logs may contain critical pointers as to the source of the attacks. On the other hand, poorly programmed ransomware variants may leave the information on corrupted data files, such as encrypted keys.

These details are critical for investigators. However, failing to disable maintenance tasks may interfere, delete, or even override these critical details.

Report the attack

In case of a ransomware attack, conduct the above operations and notify the relevant authorities. Reporting the attack may help the authorities identify the perpetrators, especially if you report shortly after or during the incident.

And if you can help the authorities identify the perpetrators, they can help you obtain the decryption keys on your behalf, thus a win-win for you both. Notifying the relevant bodies and reporting the issues may help authorities identify vulnerable organizations and inform the targets beforehand.

For instance, if you’re in the United Kingdom, you can report an incident to Action Fraud. If in the United States, you can report to your local FBI field agent. And if you’re in Australia, you can report to the Australian Cyber Security Centre.

If you’re unsure where to report, contact your local police post with such queries.

Shut down ‘Patient Zero’

Patient Zero refers to the source of any infection. The best place to start would be to note all the open files and computers at the time of the incident attack and which files or computers were affected. Knowing what users were doing with these computers and the files that were opened will help you identify the root source of the infection – or simply Patient Zero.

For instance, if you identify one user with access to a large set of files, that could be a source of infection. And in this case, the best thing to do would be to disable their accounts and make follow-ups to mitigate the chances of further attacks. Also, to prevent the attack from happening to other users.

Create back-ups for the infected system

Organizations must create images or back-ups of infected systems before isolating them.

There are two main reasons for creating back-ups before isolation:

  • Prevent data loss. Some decryptors contain bugs that can compromise data. The decryptor of renowned ransomware Ryuk deleted one bite of each file during the decryption process. And while this deletion didn’t cause significant damage to some file formats, some crucial information was at risk of compromise.
  • Free decryption may be possible in the future. If the encrypted data is not critical to an organization’s core business operations, it should be backed up and secured for the future.

That’s because there are cases of authorities apprehending ransomware authors and C&C servers found. These incidents led to the authors releasing the decryption keys and victims recovering their critical information.

In addition, several ransomware organizations like CrysisTeslaCrypt, and Shade have released their decryption keys after closing down, allowing thousands to access business-critical information and data.

Quarantine the malware

Victims of ransomware attacks should not remove, reformat, or reimage the infected system unless guided explicitly by a recovery specialist. Instead, it’s advisable to quarantine the ransomware to allow forensic experts to identify the specific strain propagating the attack.

Removing the entire ransomware attack or software makes it hard for forensics to identify the specific strain used to laterally propagate the attack, thus making it hard to solve similar cases in the future.

Identify the ransomware strain

You can identify the ransomware strain using freely existing websites and platforms. Identification tools and ID ransomware tools allow investigators to determine specific strains infecting existing systems. Ransomware strain identification tools also guide users and investigators to free decryption keys if one is available.

Decide whether to pay the ransom

Organizations may be tempted to pay the ransom if back-ups are infected and no free decryption tools are available. While paying the ransom can be cheaper and may prevent business disruption, it is not a decision to take lightly.

Organizations must only consider paying the ransom if all other factors have been considered and all options exhausted. Organizations must only pay if data loss automatically results in the organization closing down.

Edafio Technology Partners – Your Number One Cyber Security Provider!

Edafio Technology Partners provides IT consulting and managed IT services to business organizations across Northwest Arkansas, Conway, and Little Rock.

Edafio further provides cybersecurity services that cover everything from cyber health assessment, cybersecurity bundling, cyber risk assessment, cyber awareness, vulnerability management, incident response, and many more.

Contact Edafio Technology Partners for cybersecurity solutions, including protecting yourself from a ransomware attack.


Take Edafio’s Cyber Health Assessment

Scroll to Top