One of the most damaging forms of malware a company can face is ransomware. It infects their system and encrypts their files, rendering them all unreadable. Then the criminal demands a ransom payment to restore access.
The City of Racine, WI was hit with a ransomware attack on January 31, 2020 that caused their online payment system, email systems, and voicemail to all go down. The city expected to be struggling with manual systems for at least a week because of the attack.
Ransomware is such a big problem that the FBI put out a public service announcement about it last October, warning of “high-impact” ransomware attacks on U.S. businesses and organizations.
The best defense against ransomware is a multi-pronged approach to cybersecurity, including things in our Quantum Care IT security program such as patch management, antivirus, and ongoing monitoring. User awareness training about phishing is also important because ransomware is often delivered via a phishing email.
The average ransomware demand is $13,000 and about 36% of organizations pay the ransom.
Ransomware attacks are costly whether you pay the ransom or not. Every moment a company is down due to IT issues, it’s losing money. If an attack happens, the steps you take in the moments afterwards can make all the difference in how fast your business recovers.
Steps to Take Immediately After You’ve Been Hit with Ransomware
The first indication of a ransomware attack will typically be the inability to access your data and/or a ransomware warning that comes up on your screen. For example, you may find that you can no longer access a customer database to record a new appointment, and then find a ransom demand with instructions to follow on your computer.
Some ransomware demands come well after the files are encrypted, leaving an organization wondering what to do next and whether they need to await the ransom demand.
If you discover ransomware on one or more of your devices, here are the steps to take immediately to help mitigate the damage.
Isolate and Disconnect Impacted Devices
You want to reduce the spread of the ransomware before you do anything else, so it’s important to disconnect any impacted endpoints (computers, servers, etc.) from the internet and any internal local area network they may be connected to.
This means inspecting all your computers, servers, and any other devices in your network to see which ones are infected with the ransomware and which ones aren’t.
Call in Your IT Team/Provider for an Assessment
While it’s tempting to just want to remove the infection and restore any backups you have right away, it’s important to first get a full assessment of what type of ransomware you’re dealing with, how it got in, and what removal efforts are needed.
Another reason not to remove the ransomware before you’ve reviewed your options is that if you decide to pay the ransom and hope to get a decryption key, removing the ransomware may prevent that key from working.
You’ll need IT experts to help with this forensic investigation of the incident, so you’ll want to call in an IT provider you work with or your own team to move as quickly as possible to identify the who, what, when, and how of the attack and document everything.
Review Your Options
While the IT professionals are investigating the incident, you’ll want to review your options for recovering your data and systems as soon as possible. Some questions you’ll want to ask and answer to do that are:
- Do we have a recent backup that we can use to recover our data?
- If we have a backup, how long will recovery take?
- Is paying the ransom our best or only option for getting our data back?
The FBI warns organizations not to pay ransomware ransoms because it just emboldens the perpetrators to continue their attacks, but many organizations find it’s their only or quickest option for getting back up and running.
Recover Your Data
Once you’ve decided on your recovery option, work with an IT professional to go through the recovery process. This will involve either deploying the decryption key provided (hopefully) after a ransom was paid, or, if you have a backup to rely on, removing the ransomware and restoring your data from it.
You’ll want to ensure all traces of the ransomware are removed and that you test your systems after restoration to ensure everything is intact and working properly.
Make Notifications If Any Data was Compromised
If your IT forensics showed that sensitive customer or employee data (like credit card numbers, name/address, SSN, etc.) was possibly exposed during the attack, you’ll need to follow data privacy guidelines for notifying the affected parties of a data breach.
Report the Incident to Local Law Enforcement
Even if it’s a long shot for the hacker to ever get caught, it’s still important to report the ransomware incident to local law enforcement. They do make attempts to track down the cyber criminal and also report attacks to the FBI, which keeps track of reported ransomware attacks and their numbers and warns the public accordingly.
Review & Fortify Your Cybersecurity
Review the vulnerability that allowed the attack to happen, as well as how smoothly (or not) your recovery went. Use this information to fortify any weaknesses in your cybersecurity plan to help ensure you’re able to avoid falling victim to another attack in the future.
Learn More About Quantum Care for Device Protection
Quantum PC offers an easy way to strengthen your small business cybersecurity and get the care you need to keep your technology running efficiently. Our Quantum Care plan comes in three different options and includes multiple safeguards, such as ongoing monitoring, antivirus, and more.
Protect your business and sign up for Quantum Care today! Call 920-256-1214 or reach us online.