Help, I've got ransomware. What do I do next?

A high level plan for detecting, responding and recovering from ransomware.

Immediate steps on discovering ransomware:

If you think you have been attacked with ransomware, don't panic. Here's a summary of the immediate actions you need to take:

  1. Call IT support, if you have it, to notify them, confirm the attack and get help with the next steps. Let them know if you have cyber insurance.
  2. If you have cyber insurance, call your insurer. This is possibly the most important step: they will tell you what to do next and, importantly, what not to do.
  3. Don't turn off affected devices. Isolate or disconnect them from the network if possible. Turning a device off can make things worse, but may still be better than leaving it on.
  4. Invoke your business continuity plan. This will ensure that you keep the business running offline while you deal with the problem.

 

The importance of Cyber Insurance

You should always contact your insurer before doing anything else as most insurance companies have specialist crisis management teams to deal with events like the one you're currently experiencing. They will guide you and your IT team (regardless of whether they are an internal team or an external partner) through the steps that they want you to take.

There are two reasons why this is so important:

  1. By following the process that your insurer wants you to follow, you increase the chances that they will pay out on your insurance claim. Recovering from a ransomware attack can be very costly.
  2. If you skip this step your IT team may take steps to stop, limit, or remediate the attack that might inadvertently destroy important forensic evidence that your insurer and the authorities might want.

Now that we've covered the basic emergency first steps, we should probably take a step back and explain ransomware before we go through the next steps you'll need to take to get back up and running.

 

What is ransomware?

Ransomware is a type of malicious software designed to block access to your computer systems or data until a ransom is paid. Software infecting your computers or servers encrypts your data, rendering it inaccessible. A message will usually pop up on your screens, and you may receive a phone call either offering to unblock your device or giving you instructions to pay a ransom to have your data released. If you get such a call, the National Centre for Cyber Security says to hang up.

More often than not, your data won't be released even if you do pay a ransom, or the attacker will release it, only to encrypt it again a short time later before demanding more money. This is where incident response plans and backups come into their own.

These attacks can be devastating, leading to significant financial losses and operational disruption. Knowing how to identify and respond to ransomware can make all the difference in mitigating its impact.


How to check if you have ransomware

Recognising a ransomware attack early can help you respond more effectively. It is possible to spot the early signs of an attack before you get to the lock screen demanding a ransom.

Here are some common signs that your system may have been compromised:

  • Unusual File Extensions: If you notice that your files have strange extensions (e.g., .locked, .encrypted), this is a strong indicator of ransomware.
  • Inaccessible Files: If you suddenly can’t open your files or they appear corrupted, ransomware might be the culprit.
  • System Slowdown: A significant decrease in system performance can be a sign of malicious activity, including ransomware.
  • Unusual Network Activity: Increased or unusual network traffic can indicate that ransomware is communicating with its command and control servers.
  • Ransom Note: The final stage that is pretty unambiguous is a ransom note, either as a text file, a pop-up window, or an email, demanding payment in exchange for the decryption key.
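The first, second and, in part, the last of the signs above can be checked for automatically. The script below is an added example (not code from the original article) that walks a folder tree and reports files carrying commonly appended extensions, ransom-note style file names, and plain-text files whose contents look encrypted, using Shannon entropy as a rough test. The extension list, the keyword list and the entropy threshold are assumptions chosen for illustration; tune them to your environment.

```python
"""Ransomware indicator triage scan.

Added example, not code from the original article. It checks a folder tree for
three of the signs listed above: files carrying extensions that ransomware
commonly appends, ransom-note style file names, and plain-text files whose
contents look encrypted (high Shannon entropy). The extension list, keyword
list and entropy threshold are assumptions chosen for illustration.
"""
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# Assumed indicator lists; tune them to the strains relevant to you.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
RANSOM_NOTE_KEYWORDS = ("decrypt", "ransom", "recover_files", "restore_files")
# Only formats that are normally low-entropy; zipped formats such as .docx or
# compressed images would trigger false positives on the entropy check.
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted data approaches 8.0


@dataclass
class TriageReport:
    suspicious_extensions: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    high_entropy_files: list = field(default_factory=list)

    def is_suspicious(self) -> bool:
        return bool(self.suspicious_extensions or self.ransom_notes
                    or self.high_entropy_files)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4.5 for English text, near 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: str, sample_bytes: int = 4096) -> TriageReport:
    """Walk `root` and classify each file against the three indicators."""
    report = TriageReport()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in SUSPICIOUS_EXTENSIONS:
                report.suspicious_extensions.append(path)
            elif any(k in name.lower() for k in RANSOM_NOTE_KEYWORDS):
                report.ransom_notes.append(path)
            elif ext in PLAINTEXT_EXTENSIONS:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)   # sample only the start of the file
                # Skip tiny files: an entropy estimate on a few bytes is noise.
                if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                    report.high_entropy_files.append(path)
    return report


def build_sample_tree() -> str:
    """Create a constructed folder with one example of each indicator plus two
    benign files, and return its path. Sample data only, not a real incident."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    files = {
        "quarterly_report.txt": b"Sales were steady this quarter. " * 64,  # benign text
        "photo.jpg": bytes(range(256)) * 4,            # high entropy, but not a text format
        "invoice.txt.locked": b"\x00\x01\x02",          # appended extension
        "README_TO_DECRYPT.txt": b"Your files are encrypted...",  # note-style name
        "ledger.csv": bytes(range(256)) * 16,           # text format with ciphertext-like content
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    rep = scan_directory(build_sample_tree())
    for label, hits in vars(rep).items():
        print(f"{label}: {hits}")
```

Run it against a file share or a user's documents folder during an investigation, or on a schedule as a cheap early-warning check. The entropy test is deliberately limited to formats that are normally plain text; Office documents, archives and images are already compressed and would look "encrypted" to it.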

 

Ransomware Recovery - Next steps

After following the steps at the top of this article, and subject to the instructions of your insurer you should continue to follow the steps below.

 

1. Minimise damage and record everything

  • Isolate the Infected Systems: Disconnect the affected computers from the network to prevent the ransomware from spreading to other devices. The best way to do this is via your endpoint protection. Most business grade endpoint security tools will allow you to isolate a device. If this isn't possible then pulling the network cable from it, or disconnecting it from Wi-Fi is the next best solution. DO NOT TURN THE DEVICE OFF.

    Disconnecting the device aims to stop the spread of the infection. It's not a guarantee that things won't escalate as an attacker could have been in your systems for some time and already have access to other devices but you might get lucky.
  • Document Everything: Keep detailed records of the attack, including screenshots of ransom notes, unusual file extensions, and any communication with the attackers. This information will be valuable for your IT team, insurance company, and law enforcement.

    The Information Commissioner's Office (ICO) requires you to keep a record of all personal data breaches, regardless of whether or not they are significant enough to be officially reported.

 

2. Get legal advice & plan communications

If you haven't got an incident response plan to help guide you through this process then you need to quickly seek expert advice.

Contact your lawyers to discuss the attack so that they are kept fully abreast of the situation as it unfolds.

You also need to quickly consider your communications around the incident, both internally and externally. 

You will want to brief your staff on the situation and give them very clear instructions about what they can and cannot say to anyone outside the organisation. Your lawyers will be able to assist you with providing a script that aims to protect you and your customers.

Providing staff with a script will help reassure them and can avoid people feeling pressured to say something more. This is especially true in the early stages of an attack, while you are still trying to understand what is going on.

 

3. Undertake forensic analysis

At this stage, you, and likely your insurer, will want to conduct an investigation to identify the extent of the damage and the cause. You need to understand whether data has simply been encrypted or whether it has been stolen (exfiltrated in technical parlance). The latter has significant implications for you, your customers, and for regulators.

This is done primarily through analysing logs in your system. These are records that are automatically generated and record actions taken by various systems in your computer and network. Your team may also look on the dark web to see if any of your data has been immediately made available online in known data breach repositories.

Identifying the source of your attack (the vector) and the tool used is equally important. You need to understand how the attacker accessed your system and how they encrypted it. You don't want to re-build your systems only to find the weakness is saved in your backups and lets the attacker lock everything up again. Once the vector and tool have been identified, the weakness can be addressed, any malicious software can be cleansed and then you can think about beginning to rebuild.

 

4. Regulatory reporting

If you are based in, or do business with, the UK and identify that a data breach contains personally identifiable information that poses a risk to people's rights and freedoms, then you must report the breach to the Information Commissioner's Office within 72 hours. If the stolen data is likely to be high risk to the individuals affected (credit card details, passport numbers etc.) then you must notify them without undue delay.

You should also report the ransomware attack to the police, although you are not obliged to. The act of hacking into your system and encrypting your data is a criminal offence, perpetrated by the attacker against you.

 

5. Plan for recovery

Once the immediate threat is contained, it’s time to focus on recovery. Here are the steps to take:

  1. Use Decryption Tools: Some ransomware strains have publicly available decryption tools. Your IT team can check resources like No More Ransom (nomoreransom.org) to see if a tool is available for your specific strain.
  2. Restore from Backups: If you have recent backups, use them to restore your data. Ensure that the backups are clean and not infected with ransomware.
  3. Rebuild Systems: In some cases, it may be necessary to rebuild infected systems from scratch. This ensures that all traces of the ransomware are removed.
  4. Update Security Measures: Strengthen your cyber security defences to prevent future attacks. This includes updating software, implementing strong passwords, and educating employees about phishing and other cyber threats.
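The "ensure that the backups are clean" step above is easier if you prepared for it. One practical approach, shown here as an added example (not code from the original article or any particular backup product), is to record a manifest of SHA-256 hashes for the backup set during normal operations, keep that manifest with the offline copy, and compare the backup against it before restoring. Files the attacker modified, deleted or added (ransom notes, `.locked` copies) are then reported rather than silently restored. The file names and contents below are constructed for the demonstration.

```python
"""Backup-set verification against a pre-incident hash manifest.

Added example, not code from the original article. It assumes that during
normal operations you record a manifest of SHA-256 hashes for the files in a
backup set and keep that manifest with the offline copy. Before restoring,
the backup copy is compared with the manifest so that files the ransomware
modified, added or deleted are reported rather than restored. Paths and
sample contents in run_demo() are constructed for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file's path relative to `root` (with '/' separators) to its digest."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root: str, manifest: dict) -> dict:
    """Compare the backup copy under `root` with a trusted manifest.

    Returns sorted lists of files that are modified (hash differs), missing
    (in the manifest but absent) and unexpected (present but not in the
    manifest, e.g. ransom notes or .locked copies). `clean` is True only when
    all three lists are empty.
    """
    current = build_manifest(root)
    modified = sorted(p for p, d in manifest.items() if p in current and current[p] != d)
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected,
            "clean": not (modified or missing or unexpected)}


def run_demo() -> tuple:
    """Build a constructed backup set, take its manifest, then simulate the
    kind of tampering a ransomware incident leaves behind and re-verify.
    Returns the (before, after) verification results."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    os.makedirs(os.path.join(root, "finance"))
    originals = {
        "finance/payroll.csv": b"employee,amount\nalice,1000\n",
        "finance/suppliers.csv": b"name,terms\nacme,30\n",
        "policy.txt": b"Backups are taken nightly.\n",
    }
    for rel, content in originals.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    manifest = build_manifest(root)          # taken while the set is known-good
    before = verify_backup(root, manifest)

    # Simulated damage: one file overwritten, one deleted, one foreign file added.
    with open(os.path.join(root, "finance", "payroll.csv"), "wb") as fh:
        fh.write(b"\x9f\x12\x44 not the payroll any more")
    os.remove(os.path.join(root, "policy.txt"))
    with open(os.path.join(root, "finance", "suppliers.csv.locked"), "wb") as fh:
        fh.write(b"\x00")
    after = verify_backup(root, manifest)
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The manifest only helps if it cannot be altered by the same attacker who reaches the backup: keep it on the offline or immutable copy, or sign it, and generate it from the live system before an incident rather than from the backup you are about to trust.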

This stage can take a long time, particularly if systems need to be re-built from scratch. Identify your priority systems like payroll that you need to be up and running first, and then work your way methodically through everything until you have a fully restored service.

 

6. Review lessons learned

The above steps help if you have suffered a ransomware attack but as any doctor will tell you, prevention is always better than cure.

There are some simple things that you can do to reduce the likelihood that you will fall victim to a ransomware attack (and to minimise the damage if you do).

  • Employee Training: Educate your employees about the dangers of phishing and how to recognise suspicious emails and links.
  • Security Software: Use reputable antivirus and anti-malware software, and keep it updated.
  • Patch Management: Ensure that all software and systems are up to date with the latest security patches.
  • Access Controls: Implement strict access controls to limit who can install software and access sensitive data.
  • Regular Backups: Regularly back up your data and store backups offline or in a secure cloud environment.
  • Incident Response Plan: Develop and regularly update an incident response plan so that everyone knows what to do in the event of a ransomware attack.

Conclusion

Ransomware attacks are a serious threat, but with the right knowledge and preparation, you can protect your business and respond effectively if an attack occurs. Remember, the key steps are to contact your insurance company, notify your IT team, isolate the infection, avoid paying the ransom, and focus on recovery and prevention. By following these guidelines, you can minimise the impact of ransomware and keep your business running smoothly.

 

Here to help...

If you would like to discuss improving your business' cyber security then get in touch with us today. We are based in Edinburgh but provide IT support across Scotland and northern England.
