What is ransomware?

Eliminate simple network-sharing protocols when backing up data, and implement viable security features to protect backup data and administration consoles from attack. This will help ensure that uncorrupted data copies are available when you need them.

As new malware is identified, security software providers and other vendors update their products and systems to counter these new threats. Unfortunately, organizations sometimes neglect to keep up with the latest security patches, leaving themselves vulnerable to known threats. Regularly check for new updates, and install them as soon as they are available.

Create and distribute internet policies throughout your organization detailing best-practices and safety measures employees should follow when online. For example, never allow employees to conduct company business or access sensitive systems while on public WiFi. Train all relevant personnel in these policies, and establish response plans that they can follow in the event of exposure to malicious software.

Protect administrative accounts from unauthorized access and control by employing two-factor (or more) authentication. Configure accounts so that they only provide the minimum necessary system privileges by default.

Build ransomware recovery into your overall disaster-recovery strategy. Establish an isolated recovery environment (IRE)—a separate, closed off datacenter in which data copies may be kept secure from outside access. Include the IRE in all disaster-recovery tests.

Knowledge and awareness are some of the most effective weapons in your anti-ransomware arsenal; keep them at the ready by following security professionals and experts on social media, regularly checking risk-advisory feeds and advisory sites, and keeping up to date on relevant news.

In the event that you are targeted by a ransomware attack, do not give in to the criminals’ demands. Doing so only identifies you and your organization as willing victims, and encourages the criminals to continue to target you. In most cases, businesses that pay to have their data or files returned to them never actually receive a working encryption key. Instead, the attackers simply continue to increase their demands until the targeted business stops paying. Additionally, by paying the ransomers, you would be funding their criminal activity, and opening up other organizations or individuals to the same risk.

If you find that you’ve been targeted by ransomware, act quickly by following these steps:

Ransomware gets into a network by infecting a single device or system, but that doesn’t necessarily mean that it remains in that one spot. Ransomware can easily spread through your network. As such, the first thing you need to do when you discover ransomware is to disconnect the infected system and isolate it from contact with the rest of the network. If you are able to do so quickly enough, there’s a small chance that you’ll be able to contain the malware to a single location, making the rest of your job that much easier.

Much like how firefighters will remove brush and trees from the path of a raging wildfire, you should next take steps to stop any possible ransomware spread by disconnecting and isolating any other systems that might have been exposed. This should include any devices that appear to be behaving abnormally, including those that might not be operating on-premises. Further hinder the spread by shutting down any wireless connectivity options.

With suspicious files isolated away from the network, you now need to assess the extent of the damage. Determine which systems have actually been affected, by looking for recently encrypted files (often with strange extension names). Take a close look at the encrypted shares in each device; if one has more shares than the others, it may be the original point of entry for the ransomware into your network. Turn off these systems and devices, and create a complete list of everything that may have been affected (including external hard drives, network storage devices, cloud-based systems, desktops, laptops, mobile devices, and anything else capable of running or passing along the ransomware).

As mentioned in the previous point, checking the affected devices for high numbers of encryption shares can help you locate ‘patient zero.’ Other methods of locating the source of the ransomware include checking for any antivirus alerts that directly precede the infection, and reviewing any suspicious user action (such as clicking on an unknown link or opening a spam email). One you’ve discovered the source, remediation becomes much easier.

Effectively countering a ransomware attack often depends on your ability to identify exactly what variety of ransomware you’re dealing with. There are a few different ways to identify the ransomware. The note included in the attack (the one telling you were to send money to unlock your files) may actually identify the ransomware directly. You may also be able to search the email address associated with the note to discover what ransomware this particular threat actor is using and what next steps other organizations have taken after being infected. Finally, there are sites and tools available online designed to help identify ransomware types—just be sure to fully research your options before you commit to any; you don’t want to download an untrustworthy tool only to drop more malware into your already-hobbled system.

Once you’ve contained the ransomware, it is now your responsibility to contact law enforcement. In many cases, this goes beyond simple protocol; under the terms of certain data privacy laws, you may be required to file a report within a predetermined amount of time for any data breach your businesses experiences, with failure to do so potentially resulting in fines or other penalties. But even if you don’t have a legal obligation to contact law enforcement, doing so should be a top priority. For one thing, cybercrime agencies will likely have access to better authority, resources, and experience in resolving these kinds of issues, and can help your business more quickly return to normalcy.

With the fire effectively put out, now is the time to start repairing your systems. Ideally, if you have uncorrupted backup data, you should be able to restore your systems without too much trouble. Double check to make sure that all of your devices are free of ransomware and other forms of malware, and then restore your data. Just be aware that modern ransomware attacks often target data backups, so you’ll need to be sure that your data is sound before restoring it.

If you don’t have data backup available, or if the data itself has also been corrupted, then your next-best option is to try to find a decryption solution. As mentioned before, with some research you may actually be able to find a decryption key online to help you restore access and control.

Whether you restore your devices, find a decryption solution, or just accept that your sensitive data is gone for good, your final step will always be the same: Rebuild and move on. In even the best-case scenarios, getting back to pre-attack levels of productivity can be an expensive and time-consuming process. Just make sure that you come away from the experience having gained a better understanding of the threats that face your organization, and a clearer idea of how to defend yourself against them.