We'd like to start by saying that staff training and good quality prevention measures are your best friends when it comes to ransomware attacks - it is better if an attack doesn't happen to you in the first place! The sad fact of the matter, however, is that ransomware can strike anytime, anywhere, and even with the best of intentions, you might not be able to prevent human error from compromising your systems. So, let's assume you've done everything you can to prevent an attack, and you have a cyber incident response plan in place, but your business gets hit anyway. What do you do first?
Step one: identify which systems have been infected and isolate them immediately.
Speed and time are of the essence, as once ransomware is in your network, it can spread much more quickly and easily than it can between organisations. If you can, immediately take the individual systems offline, but if you can't, you might have to take the network offline at a switch level so that the virus can't spread further. It is better to have some system downtime but keep it intact than to lose your entire network to ransomware - the latter takes a lot longer to rectify if it is even possible!
If you can't immediately take the PCs or systems offline through the operating system, locate the network connection to the system and unplug it. This might be an ethernet cable, or it might be a WiFi connection. Whichever it is, start with the infected PC and take it offline, then work through all the others in your network in case it has already started spreading! The US Cybersecurity and Infrastructure Security Agency (CISA) gives the following advice on this point: "After an initial compromise, malicious actors may monitor your organization’s activity or communications to understand if their actions have been detected. Be sure to isolate systems in a coordinated manner and use out-of-band communication methods like phone calls or other means to avoid tipping off actors that they have been discovered and that mitigation actions are being undertaken. Not doing so could cause actors to move laterally to preserve their access—already a common tactic—or deploy ransomware widely prior to networks being taken offline."
When we say take the systems 'offline', we don't mean switching them off at the plug. While this is a legitimate way to prevent the spread, it may also destroy vital evidence (what is held in memory, for example) that can be used to track and trace the threat actors. Instead, we're talking about disconnecting individual machines or systems from your wider network and the internet to prevent the spread and loss of data. If you really can't stop it, then turning it off at the plug will work, but it really should be your last resort.
If you aren't sure what you are doing, ring your IT company. Our team can be reached 24/7 on 01453 700 800 and are happy to help!
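As an added example (not from the original post), here is a PowerShell script for the Windows case of step one: it first saves the volatile network and process state to a local folder as evidence, then disables every active network adapter (ethernet and WiFi alike) so the PC is off the network but still powered on. It assumes it is run as Administrator from the machine's own console (not over a remote session, which it would cut), and the evidence folder path is an assumption.

```powershell
# Added example: isolate a Windows PC from the network without powering it off,
# preserving volatile evidence first. Run as Administrator at the local console.
# The evidence folder is an assumed path; a removable drive is a good choice.
$EvidenceDir = "C:\IR-Evidence"
$Stamp   = Get-Date -Format "yyyyMMdd-HHmmss"
$Machine = $env:COMPUTERNAME
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

# 1. Snapshot who the machine is talking to and what is running BEFORE cutting the network.
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -Path "$EvidenceDir\$Machine-$Stamp-tcp.csv" -NoTypeInformation
Get-Process |
    Select-Object Id, ProcessName, Path |
    Export-Csv -Path "$EvidenceDir\$Machine-$Stamp-processes.csv" -NoTypeInformation
Get-NetAdapter |
    Select-Object Name, InterfaceDescription, Status, MacAddress |
    Export-Csv -Path "$EvidenceDir\$Machine-$Stamp-adapters.csv" -NoTypeInformation

# 2. Disable every adapter that is currently up, and log each one with a timestamp.
$Up = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
foreach ($Adapter in $Up) {
    Disable-NetAdapter -Name $Adapter.Name -Confirm:$false
    "$(Get-Date -Format o) disabled adapter '$($Adapter.Name)' on $Machine" |
        Add-Content -Path "$EvidenceDir\$Machine-isolation.log"
}

# 3. Confirm nothing is still connected. The machine stays powered on so memory is preserved.
$StillUp = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
if ($StillUp) {
    Write-Warning "Adapters still up on ${Machine}: $($StillUp.Name -join ', ')"
} else {
    Write-Host "$Machine isolated at $Stamp; evidence saved in $EvidenceDir"
}
```

Keep the evidence folder (or the removable drive it is on) for your IT company or incident responders; the CSV files record the state of the machine at the moment it was isolated.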
Step two: update your passwords... carefully
Work through your systems and reset your credentials (particularly your administrator accounts). Make sure of two things when you do this:
- You're doing it from a clean, uninfected system that has neither the ransomware nor a keylogger on it. The threat actors may not know your old passwords, but if they do, you want to avoid handing them the new ones too.
- You aren't locking yourself out of the systems that you need in order to recover.
Step three: identify what has been compromised and what might need restoration and recovery
Once the systems are offline and disconnected, your attention can turn to the recovery and restoration of your systems, as well as identifying what (if anything) essential has been taken. Don't forget, the purpose of a lot of ransomware attacks is to access your data, so you need to know what might have been compromised, who it pertains to, and whether it impacts any of the personal data you hold on-site as well.
This isn't about actually fixing the problem, but about working out which systems have been impacted and which are the most important to bring back online. It also helps you to work out who you will need to notify about the problem and when. Ideally, as part of your cyber incident response plan you will have prioritised your systems already, based on Health & Safety, Revenue Generation, and other essential services. If you've already done this, then step three will be a simple case of cataloguing what has been affected and then listing the systems in priority order for the recovery and restoration process. The key members of your team or your IT company can then be tasked with sorting the systems one by one, in the right order, while you complete the next steps...
Step four: start the recovery
Once you know the systems are offline and you've contained the attack, start working through the systems in priority order and restore them if you can. This includes:
- Wiping the infected devices completely.
- Checking the backup and making sure that it is not infected, or if it is, isolating the infected version and moving backward until you find one that isn't infected.
- Connecting devices to a clean network in order to download and reinstall the operating systems and other software.
- Installing, updating, and running antivirus software, and if you know which ransomware strain hit you, making sure the antivirus product you are using actually detects it.
- When you are sure this has all been done correctly and the system is no longer a threat, reattach it to the main network. Don't rush this: if the system is still infected, the ransomware will start moving through your network again. It's better to lose access for longer than to lose the whole network.
- Setting up system monitoring and running antivirus scans throughout to identify if any infection remains.
Step five: document what happened
The more details you can get about the incident, the better off you will be and the more likely you are to a) be able to recover your systems and b) help bring the cybercriminals to account. Work out where and how the ransomware initially entered or deployed (don't forget, some malware stays dormant for a while), whether there was any suspicious activity or emails, and what users were doing when it happened. Every detail might help, and it's important to do this on the day of the attack while it is fresh in everyone's mind. This information should be reported to the necessary authorities too and can be useful in helping your recovery team.
Step six: don't forget your cyber insurance policy
It is a condition of many cyber insurance policies that you notify your insurer within a certain timeframe (some immediately, some within 24 hours), and if so, you will obviously need to do this or risk a future claim not being paid. At the same time, check if there are any additional steps that they ask you to take and do these too (you should preferably have these listed in your cyber incident response plan as a helpful reminder) to make sure you stay covered and to gain the help that you need!
There are obviously lots more steps to take to recover your systems fully if you can, but none of these are emergency steps that you need to take straight away.
The National Centre for Cyber Security provides some handy guides for mitigating malware and ransomware attacks and helping to get you prepared. They also provide a useful list of contacts who can help you should the worst happen...