WHAT TO DO IF YOU GET YOUR A$# KICKED BY RANSOMWARE


We spoke about how GETTING YOUR A$# KICKED BY A RANSOMWARE ATTACK IS A HARD LESSON LEARNED in a previous post.

But what happens if you don't learn this lesson, or didn't read this post, or any other warning about ransomware and get your ass kicked anyway?

Well, that is what this post will discuss. If you do get your ass kicked by ransomware, or want to know what to do if it happens because someone has a brain fart, then read on. Like my other IT and Cyber related posts, it is for the non-IT and non-cyber type folks (business owners, managers, employees, HR peeps, bean counters, box kickers, etc.).

Here we go…


Don’t Be The ‘Victim’

There is an alarming increase in the number of ransomware attacks. A BitDefender 2020 Consumer Threat Landscape Report said there was 485% growth for these types of cyberattacks. It gets worse! Cybersecurity Ventures predicts that in 2021, there will only be 11 seconds between businesses being impacted by a ransomware attack.

Frankly, unless you have your crap wired tight, it is not a matter of if; it is a matter of when.

First, let's do some housekeeping. I want to be upfront right now. I hate using the term 'victim' when talking about ransomware attacks on businesses. The reason is that successful ransomware attacks against a business are often preventable and are due to conscious decisions by management or administrators to accept risk they shouldn't have accepted. Thus, I do not see them as victims.

That said, I will move forward with this post so that if your business does become a 'victim' and gets its backside blasted, you'll have an idea of what actions need to be taken, or at least what questions you should be asking your IT and Cyber folks, besides "HOW THE F@%K COULD THIS HAPPEN?"


What To Expect

It's not uncommon for those suffering a ransomware attack to be greeted with red screens telling them that their business files are encrypted. You will not be able to do anything, and the attackers love to leave all kinds of helpful instructions, especially on how to pay them and how to get your data back. It's so polite of them, right?

Cybercriminals are not to be trusted. They might provide the key needed to decrypt your files, or they might give you a virus that keeps on giving after the ransom is paid. Know that it's widely considered bad practice to pay these digital criminals because it only encourages them and rewards their criminal activity of hacking into computers with malicious intent. Plus, there isn't even any guarantee that they'll return what was rightfully yours in the first place!

What! Do you mean we can't trust the bad guys?


The DR Plan

The first thing you'll want to do is make it all go away. But wishful thinking won't get the job done, so instead of walking around in a fog and hoping for the best when disaster strikes, turn immediately to your well-researched plan for recovering from an IT infrastructure compromise, because there's no time like now.

With the 'handy-dandy' disaster response plan that you should have in place, you'll be able to make calm and considered decisions when the time comes. Without one of these plans in place before an incident occurs, it will just feel like chaos, with little direction or logic about how best to proceed when the worst happens.

Now that you have broken out the DR plan, let's continue.


Disconnect and Isolate

Step one is to identify the systems and networks involved, then isolate them immediately. Disconnecting the systems and networks will limit the spread and minimize damage. Do not be conservative here. Better safe than sorry. In a large-scale compromise, remove all devices from the network if that is what it takes to contain the malware.

When you disconnect stuff, don't forget about storage drives, USB devices, printers, etc.

Do not turn systems off if you don't have to. Only turn them off if you are unable to disconnect them from the network. Turning them off could also destroy potential evidence needed for future criminal investigations.

To avoid having your communications monitored by the asshats who rained on your parade, you should move offline and use phone calls or text messaging.


Triage & Restore

The next step in this process is for the team to identify and isolate the problem. After that, your business can move into damage control mode. Have your data restoration priorities straight, but approach recovery with caution. There is a possibility the ransomware infected your systems long before it made itself known and has already made its way onto your backups. Restoring those infected backups will start the entire gaggle all over again. Then you will need to consider the importance of each of these systems to health, safety, and revenue generation.

Now get to work restoring those systems in an organized manner before folks get even more pissed off!
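As an added illustration (this is not from the original post and is not any vendor's tool), here is a small Python restore planner that puts the two ideas above into working code: it orders systems by their importance to health, safety and revenue, and it refuses to blindly restore any backup copy that was taken inside the suspected compromise window or that sat on the network where the ransomware could reach it. The system names, dates, tiers and the 30-day "dwell" assumption are all constructed sample values, not data from the post.

```python
"""
Added example, not from the original post: a restore-order planner that
prioritizes by business criticality and flags backups that may already be
tainted by ransomware. All names, dates and tiers are constructed samples.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Lower number = restore first (health/safety before revenue before support).
CRITICALITY = {"health_safety": 0, "revenue": 1, "support": 2}


@dataclass
class BackupSet:
    system: str
    tier: str            # one of the CRITICALITY keys
    snapshots: list      # dates on which a backup copy was taken
    offline: bool        # True if the copy was kept separate from the network


def safe_snapshots(backup, first_sign, dwell_days):
    """Snapshots taken before the suspected compromise window.

    first_sign is the day the ransom note appeared; dwell_days is how long
    we assume the attackers were inside before revealing themselves
    (an assumption, tune it to what the investigation finds).
    """
    cutoff = first_sign - timedelta(days=dwell_days)
    return sorted(d for d in backup.snapshots if d < cutoff)


def plan_restore(backups, first_sign, dwell_days=30):
    """Return (system, snapshot_to_use_or_None, note) tuples in restore order."""
    plan = []
    ordered = sorted(backups, key=lambda b: (CRITICALITY[b.tier], b.system))
    for b in ordered:
        if not b.offline:
            # A network-reachable copy may itself be encrypted or seeded with
            # the malware; it must be verified before anyone trusts it.
            plan.append((b.system, None,
                         "backup was network-reachable; verify before use"))
            continue
        clean = safe_snapshots(b, first_sign, dwell_days)
        if clean:
            plan.append((b.system, clean[-1],
                         "restore latest pre-compromise copy; scan before reconnecting"))
        else:
            plan.append((b.system, None,
                         "no copy predates the dwell window; rebuild clean instead"))
    return plan


# Constructed sample inventory (not real systems).
FIRST_SIGN = date(2021, 6, 15)   # day the red screens showed up
SAMPLE_BACKUPS = [
    BackupSet("ERP", "revenue",
              [date(2021, 5, 1), date(2021, 6, 1), date(2021, 6, 14)], offline=True),
    BackupSet("BadgeAccess", "health_safety",
              [date(2021, 5, 10), date(2021, 6, 10)], offline=True),
    BackupSet("FileShare", "support", [date(2021, 6, 10)], offline=False),
    BackupSet("Wiki", "support", [date(2021, 6, 1)], offline=True),
]

if __name__ == "__main__":
    for system, snapshot, note in plan_restore(SAMPLE_BACKUPS, FIRST_SIGN):
        print(f"{system:12} {snapshot or '-':10}  {note}")
```

Run as-is it prints the restore order for the sample inventory: the badge system first (health and safety), then the ERP from its 1 May copy, and the two support systems last, one of which cannot be restored at all because every copy falls inside the assumed dwell window. The dwell window is the knob to argue over with your incident responders; the planner just makes that assumption explicit instead of leaving it buried in someone's head.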


Ransomware is a growing threat to every business sector. Your business doesn't want to be the next bunch of goobers on the news, paying the ransom, repairing your reputation, or all of these. To help prevent this, some standard practices are:

  • preventing an attack with anti-virus and anti-malware tools;
  • installing email filters to keep phishing emails from reaching your employees;
  • making frequent backups and keeping them separate from your network;
  • keeping up with ransomware and other cybersecurity threats.

Businesses with solid IT policies, especially disaster recovery and data backup and restoration plans, can cut ransomware risk. Plus, if the shit goes down, having these policies at the ready to identify and prioritize restoration of systems and recovery of data will make things go much smoother than they would otherwise.

Having agile ITSM processes, like Incident and Problem management, allows you to more systematically execute the troubleshooting and carry out what is required within those policies to recover from the ransomware attack.

So, hammer down on those processes and policies before ransomware hammers your backside like a prison love affair gone wrong.

Note: All graphics within this post, including their images and elements, were sourced and generated from Canva.com, except where otherwise identified on the graphic itself.
