date 2021-02-01

During 2020, the first year in almost a decade that saw businesses cut their IT and security budgets, the global ransomware threat grew even stronger. Now, in 2021, companies are more likely than ever to learn their defenses have been breached by a ransomware gang.

If your company becomes a victim, you’ll have to address defense and prevention quickly. Here are the four steps your team must follow:

Contain the incident

First, minimize the damage. The moment your security team is alerted to ransomware on a computer inside your network perimeter, they must isolate that computer from the network. That done, they should look through logs from your antivirus, firewall, and EDR solutions to see whether any other devices were hit, and immediately isolate those as well, physically disconnecting them from the network. The speed of this process is crucial: the faster the reaction, the more of your company’s infrastructure and data you can save.

During this process, your team should prioritize the preservation of forensic evidence for further investigation — image hard drives and collect memory dumps of any infected PCs. That done, your team should shut down infected machines and leave them untouched until the investigation is complete.
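The containment triage described above, as an added example that is not code from the original post: it reads constructed antivirus, EDR, and firewall log lines, groups alerts by host, lists the hosts that must be isolated, and emits an evidence-preservation checklist that captures memory before the disk image and the shutdown. The log format, hostnames, and detection names are assumptions constructed for the example; a real product's export will differ, so the parsing regex is the part to adapt.

```python
"""Added example (not from the original post): triage AV/EDR/firewall alerts
during ransomware containment. Log format, hostnames and detection names
are constructed for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in a simple "timestamp key=value ..." style.
SAMPLE_LOGS = """\
2021-02-01T08:12:03Z source=edr host=WS-0142 user=jdoe severity=high detection=Ransom.Generic action=quarantine_failed
2021-02-01T08:12:09Z source=firewall host=WS-0142 dst=203.0.113.10 dport=445 action=allow note=smb_scan_burst
2021-02-01T08:12:40Z source=av host=WS-0201 user=asmith severity=high detection=Trojan.Downloader action=cleaned
2021-02-01T08:13:02Z source=edr host=WS-0201 user=asmith severity=critical detection=Ransom.Generic action=detected
2021-02-01T08:13:15Z source=av host=WS-0333 user=bkim severity=low detection=PUA.Adware action=cleaned
2021-02-01T08:14:00Z source=edr host=FS-01 user=SYSTEM severity=critical detection=MassFileEncrypt action=detected
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

# Detection names treated as active ransomware activity (constructed).
RANSOMWARE_DETECTIONS = {"Ransom.Generic", "MassFileEncrypt"}
# Detection names for the dropper/downloader stage that often precedes it (constructed).
PRECURSOR_DETECTIONS = {"Trojan.Downloader"}


@dataclass
class HostState:
    ransomware: bool = False
    precursor: bool = False
    events: list = field(default_factory=list)


def parse_line(line):
    """Split one log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def triage(log_text):
    """Group alerts by host and flag hosts with ransomware or precursor detections."""
    hosts = defaultdict(HostState)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        host = ev.get("host")
        if not host:
            continue
        state = hosts[host]
        state.events.append(ev)
        det = ev.get("detection")
        if det in RANSOMWARE_DETECTIONS:
            state.ransomware = True
        elif det in PRECURSOR_DETECTIONS:
            state.precursor = True
    return dict(hosts)


def hosts_to_isolate(hosts):
    """Any host with a ransomware or precursor detection is isolated immediately;
    a low-severity adware hit alone (WS-0333 in the sample) is not enough."""
    return sorted(h for h, s in hosts.items() if s.ransomware or s.precursor)


def preservation_plan(host):
    """Ordered evidence steps: volatile memory first, then disk image, then shutdown."""
    return [
        f"{host}: isolate from network (disable switch port / pull cable)",
        f"{host}: capture memory dump while the machine is still running",
        f"{host}: image disks and record image hashes",
        f"{host}: shut down and leave untouched until the investigation completes",
    ]


def containment_report(log_text):
    """Hosts to isolate plus the per-host evidence checklist."""
    hosts = triage(log_text)
    targets = hosts_to_isolate(hosts)
    return {
        "isolate": targets,
        "plan": [step for h in targets for step in preservation_plan(h)],
    }


if __name__ == "__main__":
    report = containment_report(SAMPLE_LOGS)
    print("Isolate:", ", ".join(report["isolate"]))
    for step in report["plan"]:
        print(" -", step)
```

Note that a precursor detection alone (WS-0201's cleaned downloader) already puts the host on the isolation list: the "cleaned" verdict says nothing about what the downloader fetched before it was removed, which is the same reasoning the analysis step below applies when it hunts for the initial foothold.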

Analyze and exterminate

Ransomware infection is a result of network penetration, but not the cause, so once you’ve contained the spread, you’ll need to find out how it penetrated the network. Your team should look for a Trojan dropper, a downloader, a RAT (remote-access Trojan), or some other tool criminal cybergangs use for that purpose.

A good source of cyber intelligence will help you identify the criminal group associated with a strain of ransomware, and it can give you an idea of what other tools they use in their operations, so your team can keep an eye out for those as well. Armed with that knowledge, your team can actively seek out and expel the ransomware gang from the network, and then seal the breach.

Deal with the consequences

Now that you’ve removed the threat, it’s time to get your business back online and manage the consequences. That should not involve paying any ransom. Cybercriminals try to make ransomware transactions look like straightforward (if unfair) business deals — pay the money, get your data back — but giving in to their demands is not recommended. Observing a company’s willingness to pull out its checkbook, cybercriminals may try to extort more money, or they may simply not return access to your data. In some cases, they actually can’t recover the encrypted data. Some modern ransomware upstarts steal the data and blackmail businesses by threatening to leak it.

Looking at a ransomware gang’s demand, you can’t assume you know anything about the entity holding your company hostage, or its plans. If data was encrypted, assume it was also stolen and could be leaked — and communicate that to all interested parties, which may include customers, stakeholders, employees, government bodies, and others.

Transparent and honest communications can help immensely in terms of maintaining a company’s reputation, so have the incident response team work closely with your PR and compliance departments to ensure timely, clear incident communications. Hiring a team of professionals to handle this task may be a good choice here.

Learn the lesson

Before moving on, take any measures needed to avoid similar incidents in the future. Those may include strengthening security and training employees. Ransomware brings business to a halt, and managing it is costly. To avoid it in the future, ensure that every endpoint, including every mobile device, is protected with a robust security solution; segment the network, using next-gen firewalls and gateways; and strongly consider installing a security information and event management (SIEM) or security orchestration, automation, and response (SOAR) solution to speed up incident response.

