Addressing the continually shifting threats posed by ransomware is top of mind for everyone these days. In the second of our two-part blog series, our team breaks down key ransomware response strategies. If you would prefer, the entire content is also available as a download in our free eGuide: Ransomware Readiness & Recovery Strategies.
Emergency Ransomware Response – Initial Steps
Your ransomware plan can’t stop at the controls designed to block malicious code from getting in. It must also include measures for rapid response, involvement of key stakeholders inside and outside your organization, and a Return to Operations plan (with timeframes set in advance) to guide service and data restoration. The goal is to keep downtime to the bare minimum and return to normal as quickly as possible.
Some might think it cheaper to simply pay the ransom. That’s a terrible idea for at least three reasons:
- It’s not uncommon for organizations to never get their data back after paying the ransom. The cyber criminals have your money and you can’t trace them. There’s no customer complaint department when dealing with criminals.
- Even if a decryptor is delivered, the data it produces may be corrupted or may not decrypt at all. Rely instead on recovery from your own tested backups: a backup you have verified by actually restoring it is the only recovery path whose outcome you control.
- If you rely on decrypted data, you still have to find and remove the ransomware, and whatever foothold the attackers used, because it is all still on your systems. Cyber criminals don’t clean up after themselves.
According to a recent survey by Citrix, 36% of organizations are not confident they can eradicate malware after the fact. In our experience that figure is understated; we’d put it well over 66%. Eradication takes a very particular skillset.
1. Identify Your Threat: Source, Vector and Damage
When an attack happens, your starting point for response is knowing what has been impacted, where the attack originated and how it got in (the vector). If you have a Cyber Insurance policy, this information will be required before any remediation can start.
In fact, some policyholders are dismayed to discover that their insurance company isn’t focused on getting the business back to business right away. The insurer wants to establish whether there are grounds to deny the claim on the basis of gross negligence, and only once it has the source and vector will it allow access to systems so recovery can begin. Proactive deployment of cyber-security monitoring systems and services, which capture that evidence before an incident, can significantly shorten this step. Without it, we have seen data restorations that could have been completed in days remain offline for weeks.
2. Recover the Server Data
Ransomware spreads from the infected computer to any servers it can reach through existing or cached connections, such as mapped drives and network shares. The end user device is the “snack” on the way to the big prize: servers and application data. A single infected end user computer can let ransomware encrypt files on many servers at once. To be certain data is back in a production state, restoring the affected data set is vital. Because you won’t know ahead of time what data may be affected, it’s a best practice to back up both end user and system data. We recommend a 3-2-1 data protection strategy (three copies of your data, on two different media, with one copy off-site) with an archive system for critical information.
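As an added illustration of what “tested backups” and a 3-2-1 copy buy you (this is example code written for this post, not a tool the original article describes), the script below records a SHA-256 manifest of a file share at backup time and later checks a restored copy against it, so that a file the attacker encrypted, deleted or dropped shows up in the verification report instead of being discovered in production. The share layout, file contents and the simulated damage in `demo()` are constructed sample data; the manifest would normally be stored with the offline copy, not next to the live data.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large server files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Run at backup time: map relative path -> sha256 for every regular file under root.
    Store the result with the offline (3-2-1) copy so it can't be encrypted along with the share."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Run after a test restore: classify every file as ok, modified (hash mismatch,
    e.g. encrypted by ransomware), missing (in manifest but not restored) or
    unexpected (present but never backed up, e.g. a dropped ransom note)."""
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for p in restored.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(restored))
        seen.add(rel)
        if rel not in manifest:
            result["unexpected"].append(rel)
        elif sha256_file(p) == manifest[rel]:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["missing"] = list(set(manifest) - seen)
    for key in result:
        result[key].sort()
    return result


def demo() -> dict:
    """Constructed walkthrough: back up a tiny share, then verify a 'restore' in which
    ransomware-style damage is simulated (one file encrypted, one deleted, a note dropped)."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        (share / "finance").mkdir(parents=True)
        (share / "finance" / "q3.xlsx").write_bytes(b"quarterly numbers")  # constructed content
        (share / "readme.txt").write_bytes(b"hello")                       # constructed content

        # Backup time: manifest is serialised and kept with the offline copy.
        manifest_json = json.dumps(build_manifest(share))

        # Restore time: copy comes back, but this one has been tampered with.
        restored = Path(tmp) / "restored"
        shutil.copytree(share, restored)
        (restored / "finance" / "q3.xlsx").write_bytes(b"\x9f\x12\xc4\x7b")  # "encrypted"
        (restored / "readme.txt").unlink()                                   # deleted
        (restored / "README_DECRYPT.txt").write_bytes(b"pay us")             # ransom note

        return verify_restore(restored, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A clean restore returns an empty `modified`, `missing` and `unexpected` list; anything else means that backup set is not one you can put back into production with confidence, which is exactly the check a paid-for decryptor cannot give you.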
3. Have a Ransomware Response Plan for User Devices Too
Whether notebooks, desktops or other computing devices, every device harmed by ransomware needs to be wiped and reset. This removes any trace of the ransomware; data from your backup then needs to be restored. Devices used by key users or functions may need image-level backups to prioritize their return to normal operation; other users can be given a redeployed standard workstation image.
4. Engage Your Emergency Communication Plan
Much like a fire drill, training everyone in how to react in an emergency increases the chance of a successful response. Train your employees and prepare a response plan in advance. During an incident, keep key team members informed according to that plan. This reduces stress, provides transparency and supports a more graceful return to normal.
Want to learn more? Schedule a no obligation discussion with us today.