Ransomware Response Plan: Preparation, Prevention, and Recovery Tips for Your Business

Picture this: you're immersed in a busy workday when suddenly, your computer system freezes or glitches. Moments later, it shuts down completely. Your IT department informs you that your system has been compromised by ransomware. Ransomware attacks can quite literally stop you in your tracks, not to mention the loss of business continuity. As the saying goes, an ounce of prevention is worth a pound of cure.

As the name states, Ransomware is a program designed to infiltrate your network and hold it for ransom. It can take the form of locked files or entire servers that become completely inaccessible almost immediately after the payload is activated.

The Importance of Preparation & Prevention

To mitigate the impact of a ransomware attack, it's crucial to have a well-thought-out plan in place and to review and update it annually. Ideally, you'll never need to use this plan, but having one ensures you're ready for "what if" scenarios. Consider the potential consequences: losing a week's worth of work is daunting, but losing weeks or even months of data could be catastrophic.

So, what are some of the ways you can prevent these attacks from happening? Here's a list of starting points:

• Patch servers regularly, as unpatched software is where a hacker loves to play.
• Email filtering and phishing training.
  • Products such as Mimecast and Proofpoint are built to search for what you may not be able to find, and phishing training can help users know what to look out for when emails come in that seem to have something missing.
• Installing and updating firewalls that can detect and block ransomware payloads from entering your network.
• Enabling Multi-Factor Authentication (MFA).
• Enable and utilize off-site backups using any number of services available today.

Each item carries its own weight and priority. Please use this list based on your individual needs.

6 Steps to Take When Targeted by a Ransomware Attack

If you do fall victim to an attack, the VERY FIRST THING to do is:

1. CONTACT YOUR CYBERINSURANCE COMPANY TO REPORT IT.

Ransomware is a crime and needs to be treated as such. Similar to a break-in of a physical facility, you need to allow the insurance company to do its due diligence. Just about all insurance companies have a relationship with a cyber company that they'll work with to connect and triage the situation, gather facts, and work to protect your data.

However, immediate remediation steps are as follows once you have permission from the Insurance company:

2. Isolate the Infected Systems to Stop the Spread: Immediately disconnect the infected system from your network. Remove any USB drives, external hard drives, and disable Wi-Fi connections. Isolate the system completely to prevent further spread. Avoid restarting the affected devices.
3. Preserve Evidence and Information: Resist the urge to wipe everything clean. After isolating the affected systems, create backups or images of them. This documentation will be invaluable for recovery efforts and investigations.
4. Try to Identify the Ransomware: Identifying the type of ransomware can be useful when determining whether decryptor tools exist.
5. Restore Your Data from Clean Backups, Immutable Backups if Possible: Restore systems and data from a clean backup, ensuring backups are validated as malware-free before restoring. Reinstall the operating system and applications from scratch.
6. Strengthen Your Disaster Recovery Plan: Regularly reviewing and strengthening your defenses ensures your business is ready to handle unexpected disruptions. As part of your disaster recovery plan, make sure to update any company policies to prevent such attacks from occurring again.

Clean backups and regular testing are among the best ways to get your business back up and running as quickly as possible. Offsite backups, such as Amazon or Azure storage, also provide an advantage over ransomware, which typically concentrates on locally stored backups.