Steps to take if your business is the victim of a ransomware attack

Posted June 7th, 2021

By: Mario DiMarcantonio, CEO @ Progressive IT Solutions in Dallas, Tx.

Ransomware is by far one of the most common threats to businesses of all sizes.  Even people with no technical background have a basic understanding of what "ransomware" is, because unfortunately, ransomware attacks are happening just about every day and it's getting a lot of news coverage.

So, if your business is hit with a ransomware attack, what can you do?

First, let me just tell you that there is no "easy" button.  Ransomware recovery is stressful, messy and time consuming.  The best thing that you can do as a business leader is to make sure that your company's cybersecurity is strong BEFORE an attack happens.  We can't go into all of the details here, but a large part of that falls on your IT people, assuming they are skilled enough and that you didn't shoot down all of their security recommendations because you "didn't have it in the budget" (be honest!).

The rest of the responsibility is on your employees and you as the business leader.  It's no newsflash for most: ransomware is VERY disruptive.  Companies can go under, or at a minimum, suffer great financial and reputational damage from an attack.  You as the business leader must take cybersecurity seriously, budget for it and look at this as a cost of doing business.  This is just the reality, and companies that try to save money will end up paying the price one way or another.

This article won't cover all of the details involved in recovering systems and data after a ransomware attack, or what security tools you need in place, but it will give you a place to start when it does happen so that you are clear on what to do.

Here are some steps to take if your company is the victim of a ransomware attack:

STEP 1 - Call Your IT Folks: One of the most important steps in ransomware response is limiting the damage that the ransomware is doing.  This involves taking some systems offline (NOT powering them off, they should stay on for now) by isolating their activity through special software or by pulling the network cable on computers that are known to be infected.  Your IT people SHOULD know how to handle this.  Their goal is to limit the spread at this point.  Machines that are known to be clean might be taken offline as well to prevent infection.  This is the stage where we isolate and hold until we have more guidance.  It's likely that most systems will need to be completely rebuilt, but vital forensics information might need to be retained, or the company could be subject to certain regulations preventing it from destroying evidence.  Hopefully your IT people have been backing up your critical data and can restore a clean copy of it.  You'll likely need this.
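The containment that Step 1 describes (keep the machine powered on, keep the forensic evidence, cut it off from the network) is shown below as an added shell example; it is not part of this article and not Progressive IT Solutions' own tooling. It assumes a Linux host worked on from the console as root, an interface name supplied by the responder, and a hypothetical evidence directory chosen by the caller:

```shell
#!/bin/sh
# Added example, not from the original article or from Progressive IT Solutions.
# Assumptions: a Linux host, run as root by the responder, interface name supplied
# by the caller. The evidence directory is a hypothetical choice by the responder.
#
# Pulling the network cable stops the spread; this script does the same from the
# console, but first saves the volatile state (processes, open sockets, sessions)
# that would be lost if somebody later powered the box off.

# Save volatile state into $1 (an output directory) and print that directory.
# Every collector is wrapped in "|| true" so a missing tool on a minimal
# system does not abort the capture.
capture_volatile() {
    outdir="$1"
    mkdir -p "$outdir"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$outdir/captured_at.txt"
    uname -a > "$outdir/system.txt" 2>/dev/null || true
    # process list with start times: shows when the encryptor was launched
    ps -eo pid,ppid,user,lstart,cmd > "$outdir/processes.txt" 2>/dev/null || true
    # network sockets: which peers the host is talking to right now
    { ss -tanp 2>/dev/null || netstat -tanp 2>/dev/null; } > "$outdir/sockets.txt" || true
    # logged-in sessions
    who > "$outdir/sessions.txt" 2>/dev/null || true
    echo "$outdir"
}

# Take interface $1 down WITHOUT shutting the machine down. With
# ISOLATE_DRY_RUN=1 the command is only printed, so the procedure can be
# rehearsed on a healthy host without cutting anything off.
isolate_interface() {
    iface="$1"
    cmd="ip link set dev $iface down"
    if [ "${ISOLATE_DRY_RUN:-0}" = "1" ]; then
        echo "DRY RUN: $cmd"
        return 0
    fi
    $cmd
}

# Full containment for one host: capture first, then isolate, then record what
# was done so the IT team, insurer and investigators have a timeline.
contain_host() {
    iface="$1"
    outdir="$2"
    saved=$(capture_volatile "$outdir") || return 1
    isolate_interface "$iface" >> "$saved/actions.log" || return 1
    echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') isolated $iface, evidence in $saved" >> "$saved/actions.log"
    echo "$saved"
}

# Usage (on the suspected host, as root):
#   ./contain.sh eth0 /root/ir-evidence/$(hostname)
# Rehearsal without touching the network:
#   ISOLATE_DRY_RUN=1 ./contain.sh eth0 /tmp/ir-rehearsal
if [ $# -ge 2 ]; then
    contain_host "$1" "$2"
fi
```

The order matters: capture before isolating, because some evidence (active connections to the attacker's infrastructure, the running encryptor process) disappears the moment the link goes down or the box is rebooted. Rehearse it with ISOLATE_DRY_RUN=1 before you ever need it. On Windows estates the same sequence applies, but the isolation step is usually done through the "special software" mentioned above rather than a command on the host.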

You might ask: Shouldn't we just pay the ransom and be done with it?

The answer is generally "no", and here's why.  First, paying the ransom is no guarantee that you will get the decryption keys needed to unlock your data.  Also, there is a good chance that the attackers have dropped some other "surprises" on your network and will make use of them later.  Paying the ransom also INCREASES your chances significantly of being hacked or attacked again.  These attackers essentially see you as a willing participant in their little game and know you'll pay.  After all, you paid once, why not twice or three times?  Remember, you are dealing with criminals.  Would you trust a criminal with your wallet? Lastly, paying the ransom supports and encourages this industry as a whole to continue.  It's noteworthy that the FBI actually discourages paying the ransom.

Which leaves you with "Plan B" in most cases: system restoration and data recovery.  It is a very time-consuming and expensive path, but it ensures that your systems are clean.  There may also be some breach reporting and other fun stuff to deal with, but your insurance carrier and attorney should be able to guide you here.

STEP 2 - Call your insurance carrier and activate the benefits in your cyber policy (you do have a cyber policy, right?): The insurance carrier is familiar with the process and can guide you on next steps, who should be called, etc.  You may get recommendations to contact an attorney, a data forensics team, and more.  More commonly, insurance carriers (because of having to pay so many claims in recent years) are requiring that companies PROVE what is called "due care", meaning that you have been doing everything you should have to protect your network, train your people, etc.  If you haven't been doing this, you could be looking at an UNPAID CLAIM and being responsible for footing the bill yourself.  Not a place you want to be.  We are talking about things like employee security awareness training on a regular basis, installing important security updates, backing up your data offsite, and lots of other techie, geeky things your IT people should know about and be doing (again, assuming you approved and budgeted for them).

One thing to note about insurance policy coverage is that in the past, they were likely to pay the claim if your company was hacked by a foreign attacker.  That could all change depending on how the US government categorizes these attacks in the future.  If they are treated as a "terrorist attack", some insurance policies may not pay out.  It will be interesting to watch and see what happens.  The plus may be that cyber policies become more affordable again, but will they be doing any good unless the threat actors are US based?  We will see.

STEP 3 - Contact the FBI and your local police department to report the incident: This is an important step that often gets overlooked, maybe due to embarrassment?  Maybe people just don't know these resources are available?  The local police can file a report on the incident and the FBI can guide you on the recovery process, how to handle NOT paying the ransom, exchanging important forensic info so they can find the bad guys in some cases, and more.  Don't expect that the FBI will swoop in and save the day, sending over Seal Team One to hunt down the guy in Russia who did this, but they can help and that assistance should get better over time as this country starts to really take cyberattacks seriously.

STEP 4 - Let your IT team, insurance carrier and authorities guide you on the recovery process: This is the point where you need to sit back and let the professionals handle your recovery process.  It's almost always stressful and time consuming and you will constantly be wondering "how much longer is this going to take?".  Just know that the average recovery time is usually 2-3 weeks if you are a SMALL company with limited resources.  Larger companies or those with more help and great recovery systems MIGHT be up and running more quickly.  The point is, it's not as simple as restoring the data and getting back to work.  Everything takes time and there are usually problems.  Just wrap your mind around that and you will be in a better place.

After the dust settles...

You will want to meet as a leadership team and with your IT team to discuss lessons learned from the incident.  Are there things that you can do to ensure that nothing like this happens again?  Did you discover that employees need to be trained and tested on a regular basis to recognize what these threats look like and how to respond?  Do you need to budget for better security tools or system upgrades?  Is it finally time to develop that business continuity plan?  Maybe your IT team or outsourced IT company needs to change.  Learn from it and grow.  No business is 100% un-hackable.  If the bad guys want in bad enough, they will get there.  Your goal should be to do everything in your power to prevent these attacks and make your company as un-attractive to these threat actors as you can.

I hope that you enjoyed this little article on how to respond to a ransomware attack.

Our company, Progressive IT Solutions, keeps companies protected against ransomware attacks, hackers and other threats.  Oftentimes we do this at a fraction of what it would cost you to do it yourself. If you aren't absolutely confident that your IT people have you protected, give us a call.  At a minimum, we can run an unbiased, third party tool that will show you exactly where you stand and what needs to be fixed.  You can have your IT team fix things, or we can help if you decide to fire them for their incompetence.  Just kidding, but not really.  Your systems are way too important to put in the hands of a "one-man-band" IT company or people who just don't have the skills to get the job done.

If you would like more information about our services, or just want to chat about a question you have, please reach out anytime.

Our website is: www.progressiveitsolutions.com and our number is 214-717-4311.

If you would like to schedule a quick 10-minute call with us at no charge, you can register for that here: https://www.progressiveitsolutions.com/discoverycall

Take care and stay safe!

Mario