Ransomware is increasingly being used as an effective tool for cybercriminals to disrupt businesses and fund malicious activities.
Ransomware attacks doubled in 2020 during the Covid-19 outbreak. At the current pace, a ransomware attack will occur every 10 seconds in 2021.
Businesses will need to prepare for the possibility of a ransomware attack affecting their services, data, and business functions.
Five steps in recovering from a ransomware attack
- Isolate and shut down all critical systems
- Enact your contingency plan to maintain continuity
- Report the cyberattack
- Restore from backup
- Fix, patch, and monitor
Isolate and shut down critical systems
All systems critical to the business need to be shut down once a problem is identified. When ransomware is detected on the network, containment is the first priority.
Isolating the point where the problem was identified may show that the ransomware has not impacted all data and systems. Shutting down and isolating both infected systems and healthy systems can help ensure that ransomware doesn’t spread.
Isolation and containment can include:
- isolating systems from a network perspective or
- powering them down completely
Enact your contingency plan to maintain continuity
Maintaining some level of business operations is key. Unfortunately, ransomware can wipe out all business operations if it spreads.
A business contingency plan is a step-by-step guide that helps all departments understand how a business operates in times of disaster, system failure, or other occurrences that impact the business.
The disaster recovery component will explain how important data and critical systems can be restored and brought back online.
Report the cyberattack
Being transparent is important. Customers, stakeholders, and law enforcement should be made aware of the problem. Some dislike doing so, believing it can cause a loss of confidence among customers and shareholders. But reporting gives law enforcement the chance to provide resources that may not be available if the attack is left unreported.
There may also be regulations to consider. As an example, GDPR gives businesses 72 hours to alert the authorities when customers’ personal information is leaked.
Restore from backup
Data should have backups that can be restored in case breaches or failures occur. Nonetheless, if large quantities of data need to be restored, it can take a business a long time to resume operations.
Accordingly, discovering and containing ransomware infections should be done as quickly as possible to reduce the amount of data (and perhaps entire systems) that need to be restored.
Fix, patch, and monitor
The last phase of recovering from a ransomware attack involves remediating the infection, patching systems that may have been breached, and monitoring data and systems for any further malicious activity.
It’s unfortunately common for bad actors to continue their activities even if the ransom is paid, or if infected systems were fully restored.
If the vulnerability that led to the initial security breach still exists in a system, the environment could be exploited again.
Remediate common entry points for ransomware
Identifying entry points is a key consideration.
Phishing attacks are often used to steal credentials, which can then be used to access systems directly or launch a ransomware attack.
Prevention and next steps
Password security is essential, particularly with Active Directory user accounts.
Active Directory doesn’t include security tools that are up to par with password security best practices.
And while larger businesses have more surface area for hackers to exploit, they can often dedicate more resources to cybersecurity. Smaller firms are generally more vulnerable, and these attacks can be very costly and even cause business insolvency.
Implementing patches, updating passwords, and testing regularly are essential.
These commitments need to be integrated within the culture of a company and the importance of cybersecurity needs to be instilled in each employee. Only with a robust security strategy can all small and medium enterprises give themselves the best chance to thrive and head off all threats that come their way.