A Ransomware Recovery Guide

Ransomware attacks on businesses have been increasing, and the pandemic has only made things worse. But what should you do if your systems are infected? This guide sets out what to do if you suffer a ransomware attack.

Ransomware attacks increased by 102% in 2021 compared with 2020, according to the Institute of Information Security and Cyber Risk, which attributes the rise to more people working from home, often on their own devices and poorly secured home networks, without proper IT support.

Every organisation is a potential target. You may have defences in place to prevent ransomware attacks but no plan for what to do when one gets through. So what should a company do when it suffers a ransomware attack?

Should I pay the ransom?

It is tempting for a company without a disaster recovery plan to pay the ransom. But should you?

The answer is no, and with a tested recovery plan you shouldn't have to.

There is no guarantee that the attackers will restore access to your network and its data. You are paying a criminal group, and a group that has been paid once knows you are willing to pay and may target you again.

Some cybercriminals do send a decryption key. Others take the money and provide nothing, or supply a decryptor that is slow, unreliable or only recovers part of the data. A Sophos survey found that 92% of organisations that paid did not get all of their data back.

Attackers also commonly steal data before encrypting it. Even if they never release the decryption keys, they can leak or sell that data, which turns the incident into a reportable data breach and exposes you to regulatory fines on top of the ransom.

Why time matters

When a ransomware attack occurs, time is critical. Make sure you know in advance who to call: someone who understands security and incident response.

The first step is to contain the breach: isolate the infected device(s) from other computers and from storage, including shared drives and backup targets, and disconnect them from the internet. Any networked computer can spread the infection. Isolate by unplugging the network cable or disabling the network adapter rather than powering the machine off, so that the memory contents and logs needed for the investigation are preserved.

Once contained, investigate the nature of the breach. The ransom note usually identifies which ransomware family infected your system. Knowing the family tells you how it behaves, how it spreads and whether a free decryptor exists, all of which helps you remove it.

Then conduct a thorough forensic investigation of your system, authentication and network logs. You must identify which accounts were used, which hosts the attackers reached and where the attack originated, because anything you miss is a way back in after you restore.

As soon as you know what you're dealing with, you can eradicate it: reset passwords, remove the malware and any persistence it installed, and close the exposed ports or services that let the attackers in.

Only when you have removed all traces of the ransomware can you restore the network, and even then you cannot simply reconnect your computers. Administrators need to reset login credentials, especially administrator-level accounts, wipe infected devices and reinstall the operating system from trusted media. It is a lengthy process.
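As an added example of the investigation step (not part of the original post and not Northstar's tooling), the script below triages a constructed set of logon and file-creation log lines: it treats the first ransom note as the moment encryption started, works out which source addresses had successfully logged on to that host beforehand, and lists the accounts to reset and the hosts to rebuild. The log format, hostnames, IP addresses, account names and ransom-note filename are all assumptions made for the example; a real investigation would run the same logic over your own event sources, such as Windows Security event logs or your SIEM.

```python
"""Log triage for the investigation step. Added example, not the page's own
procedure or tooling. Given logon records and file-creation records, it finds
the first host that dropped a ransom note (patient zero), the sources that
logged on to that host beforehand, and every account and host those sources
used. Log format, hostnames, IPs, account names and the ransom-note filename
are all constructed for the example."""
import re
from collections import Counter

# Constructed syslog-style sample; ISO-8601 timestamps sort as strings in time order.
SAMPLE_LOGS = """\
2021-06-14T02:11:03 srv-file01 logon user=jsmith src=10.0.5.23 result=success
2021-06-14T02:13:41 srv-file01 logon user=admin src=10.0.5.23 result=failure
2021-06-14T02:13:47 srv-file01 logon user=admin src=10.0.5.23 result=failure
2021-06-14T02:13:52 srv-file01 logon user=admin src=10.0.5.23 result=success
2021-06-14T02:20:10 srv-db02 logon user=admin src=10.0.5.23 result=success
2021-06-14T02:25:33 srv-file01 file-create path=C:/Shares/README_DECRYPT.txt
2021-06-14T02:26:01 srv-db02 file-create path=D:/Data/README_DECRYPT.txt
2021-06-14T09:00:00 ws-042 logon user=amiller src=10.0.7.11 result=success
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)
FILE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) file-create path=(?P<path>.+)$")
# Constructed indicator list; in practice it comes from the identified ransomware family.
RANSOM_NOTE_NAMES = ("README_DECRYPT", "HOW_TO_RECOVER", "RESTORE_FILES")


def parse(text):
    """Split raw lines into logon records and ransom-note creation events."""
    logons, notes = [], []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            logons.append(m.groupdict())
            continue
        m = FILE_RE.match(line)
        if m and any(name in m["path"].upper() for name in RANSOM_NOTE_NAMES):
            notes.append(m.groupdict())
    return logons, notes


def triage(text):
    """Return patient zero, suspect sources, and the accounts/hosts to reset or rebuild."""
    logons, notes = parse(text)
    if not notes:
        return None
    first = min(notes, key=lambda n: n["ts"])
    t0, patient_zero = first["ts"], first["host"]
    # Only activity before encryption started explains how the attackers got in.
    prior = [rec for rec in logons if rec["ts"] < t0]
    suspect_src = {rec["src"] for rec in prior
                   if rec["host"] == patient_zero and rec["result"] == "success"}
    accounts, hosts = set(), set()
    for rec in prior:
        if rec["src"] in suspect_src and rec["result"] == "success":
            accounts.add(rec["user"])
            hosts.add(rec["host"])
    # Repeated failures from a suspect source point at password guessing on that account.
    failures = Counter((rec["src"], rec["user"]) for rec in prior
                       if rec["src"] in suspect_src and rec["result"] == "failure")
    return {
        "patient_zero": patient_zero,
        "encryption_started": t0,
        "suspect_sources": sorted(suspect_src),
        "accounts_to_reset": sorted(accounts),
        "hosts_to_rebuild": sorted(hosts | {n["host"] for n in notes}),
        "failed_logons": dict(failures),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

The output is the reset and rebuild list the eradication step needs: here the address 10.0.5.23 guessed the admin password on srv-file01 and then reused it on srv-db02, so both hosts are rebuilt and both the jsmith and admin accounts are reset, while the unrelated logon hours later is left alone.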

Restoring your system to health

If you have regular backups, you can now restore your systems. However, turning the clock back to a point before the infection is not enough on its own: you need to verify that the backup itself is free from malware and that it predates the intrusion, since attackers often sit inside a network for weeks before encrypting anything.

Moreover, it is easy to focus on the technical aspects, but you also need to communicate with stakeholders: your bank, the police, insurers, employees, clients and suppliers.

Companies are often reluctant to reveal a breach because they don't want the bad press or a plummeting share price. However, if you don't share that information, you could lose the trust of your stakeholders. A robust communication strategy gets the right information to the right stakeholder at the right time, and it keeps you within the legal notification deadlines (under the UK GDPR, a personal-data breach must be reported to the ICO within 72 hours of becoming aware of it).

It is also crucial to understand the impact on operations before notifying external parties, within those deadlines. The last thing you want is panic that stops teams focusing on recovering systems.

Once you have restored your networks, monitor them closely for at least two weeks to make sure they are clean and that the attackers have not kept a foothold.

Recovery from a ransomware attack

Once you have come through a ransomware attack, put a disaster recovery plan in place that ensures your data is backed up and can be restored. Then, if your data is encrypted or held to ransom in the future, you won't have to pay.

By investing in disaster recovery, you are investing in control. The businesses that come through an attack without paying are those that invest in hardened security and a validated disaster recovery programme, one that regularly tests restores from offline or otherwise immutable backups.

Practise restoring your data at least once a year, and more often for critical systems. Companies often assume their backups are good, only to find they fail on restore, or that the backups themselves were encrypted because they were reachable from the network.
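One way to make a restore test more than "the files came back", offered here as an added example rather than anything from Northstar: record a SHA-256 manifest of the backed-up tree at backup time and keep it offline with the backup; when you practise a restore, compare the restored tree against the manifest and flag files that are missing, changed, unexpected, or that look like ciphertext or ransom notes. The directory layout, file names, ransom-note names and encrypted-file extensions below are constructed for the demo.

```python
"""Manifest-based restore check. Added example, not Northstar's tooling.
Build a hash manifest when the backup is taken, keep it offline with the
backup, and compare the restored tree against it before reconnecting anything.
Directory layout, file names, note names and extensions are constructed."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed indicators; a real deployment would use a maintained list.
RANSOM_NOTE_NAMES = {"README_DECRYPT.txt", "HOW_TO_RECOVER_FILES.txt"}
ENCRYPTED_EXTS = {".locked", ".encrypted", ".crypt"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: documents sit well below 7, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def relpath(p, root):
    return str(p.relative_to(root)).replace(os.sep, "/")


def build_manifest(root):
    """Relative path -> SHA-256 for every file, taken at backup time."""
    root = Path(root)
    return {relpath(p, root): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def verify_restore(root, manifest, entropy_threshold=7.5):
    """Compare a restored tree against the manifest and flag ransomware signs."""
    root = Path(root)
    report = {"missing": [], "changed": [], "unexpected": [], "suspicious": []}
    seen = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = relpath(p, root)
        seen.add(rel)
        if p.name in RANSOM_NOTE_NAMES or p.suffix.lower() in ENCRYPTED_EXTS:
            report["suspicious"].append(rel)
            continue
        if rel not in manifest:
            report["unexpected"].append(rel)
        elif sha256_file(p) != manifest[rel]:
            report["changed"].append(rel)
        else:
            continue  # hash matches: exactly what was backed up
        # A file that should be a document but is near-random is probably ciphertext.
        if shannon_entropy(p.read_bytes()) > entropy_threshold:
            report["suspicious"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    for key in ("changed", "unexpected", "suspicious"):
        report[key].sort()
    report["clean"] = not any(report[k] for k in ("missing", "changed", "unexpected", "suspicious"))
    return report


def fake_ciphertext(n):
    """Deterministic high-entropy bytes standing in for an encrypted file."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


def demo():
    """Restore test: a clean backup versus a restored tree the attackers touched."""
    files = {"docs/a.txt": b"quarterly report\n",
             "docs/b.txt": b"customer list\n",
             "docs/c.txt": b"invoice 17\n"}
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as restored:
        for rel, data in files.items():
            dst = Path(good, rel)
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes(data)
        manifest = build_manifest(good)
        # Restored copy: a.txt intact, b.txt encrypted and renamed, c.txt altered, note dropped.
        Path(restored, "docs").mkdir()
        Path(restored, "docs/a.txt").write_bytes(files["docs/a.txt"])
        Path(restored, "docs/b.txt.locked").write_bytes(fake_ciphertext(4096))
        Path(restored, "docs/c.txt").write_bytes(b"invoice 17 (edited)\n")
        Path(restored, "README_DECRYPT.txt").write_bytes(b"your files are encrypted\n")
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(demo())
```

The point of the manifest is that it is taken before the incident and stored where the attackers cannot reach it; a restore that reports anything other than clean means that backup set was taken after the intrusion or was itself reachable from the network, and you go back to an older set.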

Companies also need to invest in helping employees identify threats. Ransomware is usually delivered by a con trick, such as a phishing email, so it is crucial to teach employees to recognise suspicious emails and communications and to report them quickly.

All companies should implement a trusted cybersecurity and information governance framework like Cyber Essentials or ISO 27001. Certification against these schemes (Cyber Essentials Plus and ISO 27001 both involve an independent assessment) means someone external is checking your security and data protection controls.

Ransomware isn’t going away. Make sure you’re protecting your data in the best way possible. 

For more information on ransomware recovery, contact Northstar today.
