Ransomware, like the massive WannaCry cyberattacks earlier this year, is likely here to stay. It may not be headline news every week, but it’s out there. Click on the wrong link, download the wrong file and zap — cybercriminals now hold your data hostage.
A lot of organizations pay up — which, of course, is why cybercriminals do it. It’s easy money, especially when they have access to ransomware-as-a-service toolkits.
The only way to stop ransomware is to not pay. It takes some planning, but you can avoid the spread of ransomware. Let’s look at what steps to take before and during an attack.
Before the cyberattack
We cannot stress this enough: back up your data. Ransomware has no effect so long as you can safely restore a copy of the data that cybercriminals have locked down. Remember, they don’t have possession of your data; they’re just preventing you from accessing it.
What you need:
- A clean copy of your data
- Secure storage for the backup, separate from your production network, on-site or in the cloud
- Regular testing to ensure the backups work and — this is crucial — you can restore the data
Depending on how frequently your backup occurs, you may lose some of the most recent data, but relatively little.
Other best practices to consider:
- Conduct awareness training about malware for end users — and make it clear they will not face repercussions for reporting
- Keep software up to date with security patches (especially your antivirus software and operating system)
- Manage administrative accounts to ensure least privilege
- Disable macros
- Limit BYOD policies to an approved list of devices — these should adhere to strict security policies
During the attack
Despite your best efforts and end users’ best intentions, things happen. What now?
All employees should know to do the following:
- Disconnect the device from the network immediately — The first rule of responding to ransomware is, “Don’t try to figure it out.” In some circumstances, time is of the essence in limiting the spread. Users should not waste potentially critical moments. Frequently, the first sign is that users are unable to open files they use often.
- Tell IT — End users need to report attacks right away, which is why you “decriminalize” it in training. Users should receive no blame or penalties for what was likely an innocent mistake.
Now IT needs to spring into action:
- Scramble a response team — Time is of the essence. IT needs to make sure everyone (legal, PR, HR and execs) is aware of what is happening, and loop in anyone who needs to be involved.
- Assess the scope of damage — How bad is it? You need to communicate with employees so they’re aware of what to do.
- File a police report — It’s not a simple choice and may not seem necessary, but ransomware is a crime and should be treated as such. Additionally, a police report is usually required to file an insurance claim or lawsuit. Filing a report also allows authorities to track the spread of the ransom attack.
Ideally, you will have a response plan documented as part of a more complete Disaster Recovery plan, so the team proceeds with their tasks in an efficient and orderly manner.
At what point do you recover? It depends on how widespread the ransomware infection is. Consider working with a group of antivirus specialists to ensure complete removal of the offending malware before restoring data.
A last resort
Some law enforcement agencies admit that in certain circumstances, organizations will simply have no choice but to pay up to recover essential data. A few even encourage businesses to get a bitcoin wallet just in case, so you can make a payment quickly to meet ransomware criminals’ tight deadlines.
But to be honest, so long as you’re smart about backup and disaster recovery, and put plans in place to respond efficiently, you can manage any risk associated with ransomware — and never have to pay a cent.