The worst has happened, you’ve fallen victim to a ransomware attack. Now what do you do?

Protecting your organisation’s critical data is a costly endeavour, with security budgets continually being squeezed to mitigate against the ever-expanding threat landscape. Ransomware is undoubtedly one of the most crippling cyberattacks, catching victims unaware and ultimately causing long-term consequences for the companies that become infected.

Although ransomware attacks have started to stabilise, now is not the time to get complacent with your security strategy. Ransomware attacks are still happening, and even if your organisation is not individually targeted, failing to patch properly leaves a very real chance that you’ll become the victim of a wider attack designed to infiltrate any system that has been left vulnerable.

Here, we provide a brief overview of ransomware, a list of steps security professionals advise you take in the event of an attack, and a couple of things you should aim to avoid.

What is ransomware?

Ransomware first came to prominence in 2005 and since then it has become the most pervasive cyberattack across the world. Since day one, its purpose has been to generate revenue from its unsuspecting victims, and recent calculations from Cybersecurity Ventures put the estimated cost of ransomware attacks at around $11.5 billion.

There are two major types of ransomware: crypto and locker. Once a malicious link has been clicked on or a misleading application has been opened, crypto-ransomware will encrypt all the files, folders and hard drives on the infected device, promising to reinstate them once a ransom has been paid to the attacker. By comparison, locker-ransomware simply locks users out of their devices.

Unfortunately, ransomware attackers aren’t fussy when it comes to who they target.
Attacking a business might see them do the most damage, but regular end-users who aren’t necessarily clued-up on cybersecurity are more likely to pay the ransom in an attempt to retrieve their files. As a result, cybercriminals launching this type of attack usually take a scattergun approach: even if only a small minority of the victims pay out, ransomware is so cheap to deploy that the attackers are guaranteed a profit.

Falling foul of a ransomware attack can be damaging enough; however, if you handle the aftermath badly the reputational damage could be catastrophic, causing you to lose much more than just your files.

What should you do in the event of an attack?

Trace the attack

The most common way ransomware makes it into your system is through a malicious link or email attachment. If you’re lucky, the malware will only affect the machine it was opened on; however, if you’ve failed to patch your entire network (hello WannaCry), your entire system will end up becoming infected.

First you need to locate the machine that was initially infected and find out if its user has opened any suspicious emails or noticed any irregular activity on the machine. The sooner you find the source, the quicker you can act. Ransomware attacks tend to have a time limit on them before files are erased.

Unplug

Once it has initially infiltrated a machine, ransomware spreads via your network connection, meaning the sooner you remove the infected machine from your office network, the less likely other machines are to become infected.

When notifying employees about the need to unplug devices from the network, don’t forget to reach out to any remote workers you might have. Even if someone isn’t physically in the office, if they’re connected to the network they can still fall victim to the attack.
In a perfect world, your security team or equivalent should already have a plan for situations like this, so it might be the case that you just hand over to them and allow them to mitigate the damage as best they can. If a plan doesn’t exist, a meeting should be held to outline what needs to happen next. It’s important to let everyone know exactly what is expected of them.

Notify your IT security team or helpdesk

It’s not uncommon for bigger organisations to have an IT security team and even a dedicated Chief Information Security Officer who will be the one to execute your plan of action and handle protocol in the aftermath of an attack.

However, for some smaller companies, budgetary constraints often mean having these experts in-house just isn’t feasible. In that instance, it’s important that the CIO is fully briefed on all security issues and can take the reins in the event of a crisis.

It’s also helpful to map out a timeline of the breach. This should help with future attacks and help you learn about your current security systems. Often cyberattacks leave clues in the metadata, so a full search of that will be necessary in most cases.

Notify the authorities

If your company handles data that belongs to citizens inside the European Union, GDPR now requires you to inform the ICO within 72 hours of a breach having occurred. Failure to do so means your organisation is non-compliant with legislation, and with potential fines of 4% of annual global turnover or €20 million, that’s something you cannot afford to do – literally!

If the data stored has numerous identifiers, you should alert a data protection officer or equivalent.

Inform all employees and customers

Transparency is key in situations like this. When it comes to cyber-attacks, your weakest link is often your employees and, despite our best efforts, we can all easily make mistakes that can jeopardise company data.
Rather than pointing fingers, inform your staff that there has been a breach, what this means and what action you plan on taking. You should also let them know of any expected system downtime which will impact their work.

It’s also important you’re upfront with your customers who might have had their data compromised in a ransomware attack. Obviously, there’s no point putting out a statement the minute you discover the breach, as at this point you won’t know all of the facts surrounding the attack. Once you’ve had a bit more time to establish exactly what went wrong, that’s when you need to inform them. It’s important your customers hear the bad news from your company, not a media report.

Update all of your security systems

Patch, update, invest and repeat. After the incident is over, you’ll need to perform a total security audit and update all systems. This may take some time, and even cost some money, but if you value your data and your company’s reputation, you’ll do it.

What you definitely shouldn’t do

Panic

While we would always advise you to have a plan in place before you fall victim to a ransomware attack, if the worst happens and you don’t have a strategy it’s important you try not to panic. Impromptu decisions won’t help your situation; if you need help, ask for it. Any obvious disorder could potentially be exploited by cyber criminals, leaving you vulnerable to further attacks.

Pay the ransom

Ransomware attacks saw a significant spike a few years ago because criminals realised they can make relatively large amounts of money for a small upfront cost. Most alarmingly, research has shown that one third of companies admit that it’s actually more cost effective to just pay the ransom each time than invest in a proper security system.

Unfortunately, this has created a vicious circle where businesses continue to pay the ransom, meaning ransomware will continue to be a popular money-making tactic, serving only to perpetuate the problem.
Generally, cybercrime experts and authorities advise against paying the ransom for many reasons. Firstly, just because you’ve paid the ransom, it doesn’t mean that you’ll receive an encryption key to unlock your data. Secondly, it might encourage the hackers to request larger amounts of money from future victims. Ultimately, only you can assess if your data is worth the cost.