How should a company handle a ransomware attack

The risks of ransomware

It finally happened. In spite of your best efforts, you experience an active ransomware attack.

How did it happen? Ransomware can get in via so many paths. Maybe somewhere, somebody in the company fell for a phishing scam and now you find…

1. Some or all of your customer and data files are scrambled with unbreakable encryption and bizarre file extensions.

2. Your stores’ endpoints such as cash registers or credit card payment terminals are frozen leaving customers and employees unable to complete transactions.

3. Mission-critical applications such as reservation, ordering, or logistical systems are crashed.

4. Users are entirely blocked from access to their computer systems.

5. Some combination of the above.

Then a pop-up message appears on your computer screen demanding a large sum of money in untraceable cryptocurrency in exchange for a decryption key or your data/assets will be destroyed or made available to the public. Maybe that pop-up even shows a clock ticking.

Sure, there’s concern about the risk of losing valuable company data or assets. That’s not all though, is it? There are also costs of disruption to daily business activities, remedying the breach, possible regulatory fines and legal fees for compliance violations, plus damage to the company reputation.

How to handle a ransomware attack

Now you have a choice to make: ignore the threat or pay the ransom.

How you handle the ransomware attack often depends on the resources and measures you had in place before the attack.

Fortunately, an organization can take many steps to reduce the risk of becoming a ransomware victim – which is different than a ransomware target – such as raising employee awareness, effective backup and disaster recovery policies, and anti-ransomware solutions.

You can read more about these preventative measures and other options in our article “How to Avoid Ransomware."

This article presents guidance for how a company can handle a successful ransomware attack, and why responding swiftly and appropriately is essential to minimizing the damage.

Related content

Article: What is ransomware

Article: 11 essential hacking terms, defined

Responding to a ransomware attack

Rule #1: If at all possible, don't pay the ransom!

What you do is up to you, but here are a few things to consider before you consider paying the ransom.

Even if you do not have a backup system in place, the cost to rebuild your database will be partially offset by the expense of the unpaid demand, especially if the ransom is for hundreds of thousands or millions of dollars. 

Remember, you are dealing with unethical criminals here and there is no guarantee that your files will be decrypted/returned even if you pay the ransom. Further, once attacked and the criminals know you are apt to pay the ransom, they’ll be back.

Assuming your organization is able to not yield to the hacker’s demands, follow these steps:

1. Isolate and contain

Immediately disconnect infected computers and servers from the network. Ensure wireless connections are disabled as well. If not sure which front-end assets are infected, or if the ransomware is still actively spreading and encrypting files, disconnect storage devices before they become infected.

Do not attempt to reboot, install updates, or perform maintenance to affected machines as this may result in permanent data loss or damage.

2. Attempt decryption

There are many decryption tools commercially available from anti-virus software manufacturers, some are downloadable for free. Depending upon the type of malware strain used in the attack you may be able to recover your data.

3. Install anti-malware software

These applications search for known ransomware code strings across your entire system so that IT administrators can scrub the network of any traces of the virus. Anti-malware programs do not decrypt infected files, but they alert IT to the presence of ransomware and help prevent infections from spreading.

4. Restore

If you have clean versions of your files and databases safely stored off-line, use data backups to restore your systems to the latest possible state before the attack occurred. Some types of ransomware will require a complete reformat of storage media and a reinstall of the operating system and all applications to be sure all code is removed.

Next, reset all system passwords after the ransomware has been completely removed.

5. Report

Notify affected parties such as supply chain partners, customers, or vendors that may have access to your systems and alert them to your breach so they can take preemptive measures to secure their own networks.

Small businesses should report ransomware attacks to the local FBI field office and the provider of your anti-malware software. Employees in larger organizations should immediately report ransomware incidents to the IT helpdesk or cybersecurity office.

Related content

Article: Protecting against ransomware attack

Rapid response is key, have an incident response team

Every organization should assemble an incident response team (IRT) with defined roles and strategies. Each member must be prepared to manage one facet of the cyberattack response playbook, i.e., containment, restoration, notification, etc.

A quick, coordinated response is critical to containing the infection and limiting the damage.

However, the best way to manage the threat of ransomware is through preparation and prevention. Part of the IRT’s mission is to ensure business continuity through the development of disaster recovery (DR) procedures or engaging with DRaaS providers and other managed security services to recover from any attack or disaster, not just ransomware.

One of the fastest responses to ransomware is an isolation software.

Bullwall Ransomware Containment, for example, provides a last line of defense and an additional layer of protection against ransomware threats through instant detection of attacks that have bypassed perimeter defenses. It automatically isolates infected devices to help minimize the impact of a successful ransomware attack.

Our Ransomware Containment solution works in the background, constantly monitoring your network without impacting performance. For more about Ransomware Containment works visit our Ransomware Containment services page.

No solution provides 100% protection 100% of the time. But there are steps you can take to protect your organization.