View All R&D Articles

Quick Tips For Properly Responding To Ransomware Infections

October 2, 2019

Jigsaw ransom message with Saw characterYou’ve probably heard about ransomware, but if you’ve never suffered an infection, it probably seems like a negligible threat. Unfortunately, that’s not the case. Ransomware attacks are fairly commonplace, with major attacks compromising data at large enterprises, hospitals, government institutions, and even city libraries.

Ransomware is a type of malicious software that automatically encrypts files on the target computer, preventing users from accessing those files until they pay a ransom. This ransom is usually paid via cryptocurrency (such as Bitcoin), which is difficult to trace. By one estimate, ransomware costs businesses more than $75 billion per year.

In our experience, that’s a low estimate. Many ransomware infections don’t make the news, as they’re able to be contained fairly quickly, and data recovery specialists can help to minimize expenses and downtime. However, most organizations don’t have a dedicated plan for ransomware recovery, and a poorly coordinated response can result in permanent data loss. 

Responding to a Ransomware Infection

Note that no ransomware infections are identical, and if you have mission-critical data on the affected systems, we strongly recommend contacting or another qualified ransomware recovery service as soon as possible.

With all of that said, here are some tips to keep in mind if your organization encounters ransomware. 

Make a plan. Isolation is a key component of a proper disaster response, but — and we can’t stress this enough — you need a full accounting of all devices in order to quarantine effectively. 

Hopefully, you’ve created a disaster recovery plan for addressing malicious attacks, but if not, make one as soon as possible (ideally, before any infection). Make a list of every device on each mission-critical network. Outline a step-by-step response for ransomware attacks, along with responsibilities for each team member. An effective disaster recovery plan could save you tens of thousands of dollars, so it’s well worth the minor inconvenience of a few days’ work.

Quarantine the infected computers and systems. Immediately disconnect every other server, personal computer, SAN, or other device susceptible to infection. Do not immediately attempt to recover data. 

Don’t worry about shutting down devices via a “proper” shutdown procedure — a ransomware infection does far more damage than an improper shutdown. At this point, data corruption is not a significant concern. Unplug affected devices from the wall. Make sure they’re off.

If you can verify with complete certainty that some devices were unaffected, you can start them up and attempt to recover data, but make sure they’re disconnected from the network. 

Notify the authorities if necessary. If you’ve suffered any type of data breach and you handle data from European Union countries, you’re legally required to inform the ICO within 72 hours of said breach. Ransomware certainly qualifies. 

As the ICO notes:

“If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay […] You must also keep a record of any personal data breaches, regardless of whether you are required to notify.”

Data breach laws in the United States vary from state to state, but generally, businesses are required to notify private individuals when their data has been compromised. Contact an attorney as soon as possible if you have such an obligation.

Don’t announce the ransomware infection immediately. Except as required by law, you should never announce an infection of a major system until it has been mitigated. Announcing the details of a ransomware attack gives the malicious actors leverage; they can increase the ransom or refuse to negotiate. 

Unfortunately, most modern ransomware variants do not have a simple fix, and to resolve the infection, ransomware experts have to deal directly with the malicious actors. That does not mean that every case results in a payout, but in the initial stages of an attack, it’s important to keep options open. Announcing details of an attack will harm your position. 

Do not attempt typical disaster recovery strategies. A ransomware attack is different from a server failure. Typical strategies may expose other computers to the infection, so if you don’t have a plan for addressing ransomware specifically, contact a company with experience in the field. 

Identify the ransomware variant. Some ransomware variants use weak encryption, and while any variant capable of affecting a larger network is likely to use advanced methods, you might get lucky.

Write down any information you can find about the ransomware, including any messages from the malicious actors. Gather as much information as is possible about the origin of the attack.

Do not immediately attempt to contact the attackers. This may be illegal, depending on the data in question, and even if the ransomware message warns about an impending mass deletion, you can afford some time to coordinate your response.

Likewise, you shouldn’t immediately pay the ransom. This incentivizes attackers and can create enormous accounting issues — most accounting departments don’t appreciate a massive, undocumented Bitcoin expenditure, for obvious reasons.

Assess backups and disaster recovery plans. If you have a recent backup, restoring from that backup will be the best possible solution in the vast majority of cases. However, you’ll have to completely eliminate the ransomware first, and that means securely deleting every piece of media that came in contact with an infected computer.

Determine possible downtime, working with your IT team to develop a step-by-step plan for disaster recovery. This is where early preparation pays dividends. 

Contact qualified ransomware experts. Ransomware recovery is substantially different from data recovery and from other types of malware recovery. Ideally, you should work with experts that have handled cases involving the exact ransomware variant affecting your machines. This isn’t always possible — we’ve seen dozens of new ransomware variants in 2019 alone, and targeted attacks rarely use identical methods.

A ransomware specialist can help you understand the methodology of the attack and can evaluate encryption to determine whether a software solution is possible. If you decide that you’d rather pay the ransom, the specialist can help you do so legally and provide relevant documentation to help with accounting.

Remember, though, that paying a ransom should be a last resort; even if your organization can easily afford the ransom, you should try not to reward malicious attackers.

Identify the weaknesses that allowed for the ransomware infection. Unfortunately, there’s no rule that prevents ransomware attackers from trying to infect your systems after an initial infection. If your systems have been compromised once, expect additional attacks.

Assess firewalls, email standards, quarantine protocols, and other factors that allowed the infection to take place. Look at your backup practices and consider making changes to allow for efficient disaster recovery in the future. While ransomware infections can be disastrous, they’re not unavoidable, even at larger enterprises with massive networks of disparate devices. 

To discuss your ransomware case with an expert, call at 1-800-237-4200 and ask to speak with a ransomware specialist.