By Josh Breaker-Rolfe
Ransomware is the single most significant risk to modern business. The 2024 Verizon Data Breach Investigations Report found that ransomware was a top threat across 92% of industries in 2023. Ransomware actors are persistent and pervasive, and no business is completely safe from attack. What do businesses need to do in the wake of an incident?
Immediate Actions
If a ransomware attack has hit your business, the first thing you need to do is isolate infected systems. Disconnecting affected systems from the network and disabling Wi-Fi, Bluetooth, and other network connections will prevent the ransomware from spreading.
With the incident isolated, you may be tempted to comply with your attackers’ ransom demands to recover your files and get your systems back online – do not do this. You should only consider paying ransom demands in extreme cases, such as if human lives are at risk. Paying the ransom will not guarantee you recover your files and get your systems back online and may even make you a target for future attacks.
It’s then crucial to inform relevant stakeholders of the incident, communicate with management and employees to prevent further spread through phishing or other means, and notify law enforcement and any necessary regulatory body.
If you have one, you must activate your pre-established incident response plan. If you don’t, you need to establish an incident response team to manage the situation.
Investigation
You’ll then need to investigate the scope of the incident, determine which systems, files, and data are affected, and identify the type of ransomware. You can usually identify ransomware strains by reading the ransom note or using online tools like ID Ransomware. Once you know what ransomware strain has infected your systems, you can look for a decryption tool to recover your files if one is available. You can find these tools from reputable sources like No More Ransom. It’s also worth checking whether you have unaffected backups from which you can restore your data.
Recovery
The first and most crucial step of the recovery process is to remove the ransomware from your systems. Ensure your antivirus software is up to date and use Endpoint Protection Platform (EPP) solutions to scan your systems and remove the ransomware.
If they are available, you can restore data and systems from clean, recent backups. However, you must ensure these backups are free from ransomware before you restore them, or you risk reinfection. If you don’t have backups, you may be able to recover files with file recovery software. These tools scan for and attempt to recover deleted files. Remember, however, that you are not guaranteed to recover all your files.
After backups are restored or files are recovered, verify the integrity and functionality of the restored data and systems, and monitor them for signs of residual malware.
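One way to check that a restored backup is intact, as an added example that is not part of the original article: compare each restored file's SHA-256 against a manifest recorded at backup time, flagging files whose content changed, files that went missing, and files that were not in the backup at all. The manifest format, file contents and paths are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample backup set: the manifest maps each path to the SHA-256
# recorded when the backup was taken (hypothetical content, not real files).
GOOD_FILES = {
    "finance/q3-report.xlsx": b"quarterly figures (constructed content)",
    "hr/handbook.pdf": b"employee handbook (constructed content)",
}
MANIFEST = {path: sha256_hex(data) for path, data in GOOD_FILES.items()}


@dataclass
class VerifyResult:
    ok: list = field(default_factory=list)
    modified: list = field(default_factory=list)    # hash differs from manifest (possibly encrypted)
    missing: list = field(default_factory=list)     # listed in manifest but absent after restore
    unexpected: list = field(default_factory=list)  # present after restore but not in manifest

    @property
    def clean(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def verify_restore(manifest: dict, restored: dict) -> VerifyResult:
    """Compare restored file contents (path -> bytes) against the backup-time manifest."""
    result = VerifyResult()
    for path, expected in manifest.items():
        if path not in restored:
            result.missing.append(path)
        elif sha256_hex(restored[path]) != expected:
            result.modified.append(path)
        else:
            result.ok.append(path)
    for path in restored:
        if path not in manifest:
            result.unexpected.append(path)
    return result


# Constructed "restored" set in which one file was altered and one foreign file appeared.
TAMPERED_RESTORE = dict(GOOD_FILES)
TAMPERED_RESTORE["hr/handbook.pdf"] = b"\x8f\x02garbled-ciphertext (constructed)"
TAMPERED_RESTORE["hr/README_RESTORE.txt"] = b"constructed placeholder for an unexpected file"

if __name__ == "__main__":
    r = verify_restore(MANIFEST, TAMPERED_RESTORE)
    print("clean:", r.clean, "modified:", r.modified, "unexpected:", r.unexpected)
```

A restore that reports anything other than clean should be treated as suspect until the flagged paths have been examined.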
You must also ensure that the attackers have been completely evicted from your network and that all persistence mechanisms, hacking tools, and malware have been addressed.
Evaluation and Improvement
At this point, the worst is over, but your work is far from complete. You must understand how the ransomware attack occurred and how to prevent similar incidents by conducting a thorough security review. This process includes identifying how the ransomware infiltrated your systems and reviewing your security procedures. The insights gained from your security review will help you enhance your security measures and bolster your cyber resilience.
Here are some key metrics you should consider to achieve these goals:
- Mean Time to Detect (MTTD): Measures how quickly a cyber threat is identified. Lower MTTD indicates better detection, aiding in containment and preventing spread.
- Mean Time to Respond (MTTR): Measures how rapidly a threat is addressed. Lower MTTR signifies quicker response, emphasizing efficient incident response.
- Incident Response Plan Effectiveness: Evaluated by containment time, communication efficiency, and team coordination. Ensure plans are current and followed.
- Cybersecurity Training and Awareness: Track employee awareness, training completion, and performance in phishing simulations to mitigate human error.
- Cybersecurity Hygiene: Monitor patching frequency, vulnerability scans, and compliance with security policies for resilience.
- Cyber Risk Exposure: Quantify risk based on asset criticality, vulnerability severity, and threat likelihood to guide priorities.
- Third-Party Risk Management: Track assessments, compliance, and incidents involving vendors to manage third-party risk.
- Security Controls Effectiveness: Evaluate through IDS/IPS alerts, firewall effectiveness, and malware detection rates.
- Backup and Recovery Metrics: Measure backup success rates, RTO, and RPO to ensure data resilience. Regular testing confirms process alignment with needs.
- Business Continuity and Disaster Recovery (BCDR) Metrics: Assess operational maintenance during and after incidents by tracking RTOs, RPOs, and BCDR exercise success rates. Regular testing ensures readiness.
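The MTTD, MTTR and RTO/RPO figures in the list above can be computed from the timestamps an investigation produces. The following is an added example, not code from the original article: it derives those metrics from constructed incident records and checks each recovery against assumed RTO/RPO targets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Incident:
    name: str
    first_activity: datetime    # earliest attacker activity the investigation found
    detected: datetime          # alert or report that started the response
    contained: datetime         # affected systems isolated from the network
    last_good_backup: datetime  # newest backup verified clean before restoring
    service_restored: datetime  # affected service back in normal operation


def mean_td(deltas):
    return sum(deltas, timedelta()) / len(deltas)


def mttd(incidents) -> timedelta:
    """Mean Time to Detect: first attacker activity until detection."""
    return mean_td([i.detected - i.first_activity for i in incidents])


def mttr(incidents) -> timedelta:
    """Mean Time to Respond: detection until containment."""
    return mean_td([i.contained - i.detected for i in incidents])


def recovery_check(inc: Incident, rto: timedelta, rpo: timedelta) -> dict:
    """Compare achieved recovery figures against RTO/RPO targets.
    Achieved RTO: downtime from detection until the service is restored.
    Achieved RPO: data-loss window, measured conservatively from the last
    clean backup up to detection, since encryption happened before detection."""
    achieved_rto = inc.service_restored - inc.detected
    achieved_rpo = inc.detected - inc.last_good_backup
    return {"name": inc.name, "rto_met": achieved_rto <= rto, "rpo_met": achieved_rpo <= rpo,
            "achieved_rto": achieved_rto, "achieved_rpo": achieved_rpo}


# Constructed sample incidents and targets (hypothetical values, not real data).
INCIDENTS = [
    Incident("INC-1", datetime(2024, 3, 1, 2, 0), datetime(2024, 3, 1, 8, 0),
             datetime(2024, 3, 1, 9, 30), datetime(2024, 2, 29, 23, 0), datetime(2024, 3, 2, 8, 0)),
    Incident("INC-2", datetime(2024, 5, 10, 20, 0), datetime(2024, 5, 11, 6, 0),
             datetime(2024, 5, 11, 6, 45), datetime(2024, 5, 10, 23, 0), datetime(2024, 5, 11, 18, 0)),
]
RTO_TARGET = timedelta(hours=12)
RPO_TARGET = timedelta(hours=8)

if __name__ == "__main__":
    print("MTTD:", mttd(INCIDENTS), "MTTR:", mttr(INCIDENTS))
    for inc in INCIDENTS:
        print(recovery_check(inc, RTO_TARGET, RPO_TARGET))
```

In the sample data INC-1 misses both targets (24 hours of downtime, 9 hours of data loss) while INC-2 meets them, which is the kind of per-incident gap the post-incident review should surface.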
Communication and Legal Considerations
Throughout this process, you must constantly communicate with stakeholders, customers, partners, and regulatory bodies to provide regular updates on the incident and your recovery. You may face legal repercussions, so it’s also worth liaising with legal experts to guide you through any relevant processes.
Conclusion
All in all, it’s clear that although a ransomware attack can be disastrous, there are steps businesses can take to mitigate damage and recover from such an incident. However, it’s crucial to understand the incident response process before you suffer a ransomware attack, not after. Better yet, implement security controls to prevent an incident in the first place. Prevention is always better than a cure.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He’s written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.