How to respond to ransomware attacks

This is news no organization wants to hear. You’ve become a victim of a ransomware attack and are now wondering what to do next.

The first thing to keep in mind is that you are not alone. More than 17% of all cyberattacks involve ransomware. Ransomware is a type of malware that keeps a victim’s data or device locked unless the victim pays a ransom to the hacker. Of the 1,350 organizations surveyed in a recent study, 78% experienced a successful ransomware attack (link resides outside ibm.com).

Ransomware attacks use a variety of methods or vectors to infect networks or devices, including using phishing emails to trick individuals into clicking malicious links and exploiting vulnerabilities in software and operating systems, such as remote access. Cybercriminals typically request ransom payment in Bitcoin and other hard-to-trace cryptocurrencies, providing victims with a decryption key to unlock the device.

The good news is that in the event of a ransomware attack, there are basic steps any organization can follow to contain the attack, protect sensitive information, and minimize downtime to ensure business continuity.

initial response

Isolate affected systems

The most common ransomware variants search for vulnerabilities to propagate laterally in the network, so it is important to isolate affected systems as quickly as possible. Disconnect Ethernet connections and disable WiFi, Bluetooth, and other network features for infected or potentially infected devices.

Two other steps to consider:

• Turn off maintenance tasks. Immediately disable automatic operations (e.g. temporary file deletion, log rotation) on the affected system. These actions can disrupt files and impede ransomware investigation and recovery.
• Disconnecting backup. Keep your data backups offline, as many new types of ransomware target backups, making recovery more difficult. Restrict access to backup systems until the infection has been removed.

Take a photo of the ransom note

Take a photo of the ransom note before you do anything else. It is best to take a screenshot of the affected device’s screen with a separate device, such as a smartphone or camera. Photos will expedite the recovery process and help when filing a police report or filing a claim with an insurance company.

Notify the security team

Disconnect the affected system and notify your IT security team of the attack. In most cases, an IT security professional can advise on next steps and activate your organization’s incident response plan. In other words, it refers to an organization’s processes and technologies for detecting and responding to cyber attacks.

Do not restart the affected device

When dealing with ransomware, do not restart the infected device. Hackers know this may be your first instinct, and some types of ransomware will notify you of a restart attempt and cause further damage, such as corrupting Windows or deleting encrypted files. Rebooting may make it more difficult to investigate a ransomware attack. Valuable clues are stored in your computer’s memory and erased during restart.

Instead, put the affected system into hibernate mode. This will save all data in memory to a reference file on your device’s hard drive, preserving it for future analysis.

eradication

Now that you have isolated the affected device, you will want to unlock it and recover your data. Eradicating ransomware infections can be complicated to manage, especially for advanced variants, but the following steps can help you get started on the path to recovery.

Attack variant decision

Several free tools can help you identify the type of ransomware infecting your device. Knowing your specific variant can help you understand several key factors, including how it spreads, what files it locks, and how to remove it. Upload a sample of your encrypted files, a ransom note if you have them, and the attacker’s contact information.

The two most common types of ransomware are screen lockers and encryption tools. Screen lockers lock your system but keep your files safe until payment is made, while encryptors are more difficult to solve because they find all sensitive data, encrypt it, and decrypt it only after the ransom is paid.

Search for decryption tools

Once you have identified the ransomware variant, look for a decryption tool. There are also free tools to help with this step, including sites like No More Ransom. Just enter the name of the ransomware variant and search for matching decryption.

Download The Definitive Guide to Ransomware

recovery

If you are lucky enough to have removed the ransomware infection, it is now time to start the recovery process.

Update your system password and then recover your data from backup. You should always aim to have three copies of your data in two different formats, with one copy stored offsite. This approach, known as the 3-2-1 rule, allows you to quickly restore your data and avoid paying the ransom.

After an attack, you should also consider performing a security audit and updating all systems. Keeping your system up-to-date helps prevent hackers from exploiting vulnerabilities found in older software, and regular patches help keep your system up-to-date, stable, and resistant to malware threats. You can also use lessons learned to improve your incident response plan and ensure that you have adequately communicated the incident to all necessary stakeholders.

reporting agency

Ransomware is extortion and a crime, so you should always report ransomware attacks to law enforcement or the FBI.

If recovery efforts are ineffective, authorities may be able to help you decrypt your files. But even if you can’t save your data, it’s important to catalog cybercriminal activity and help others avoid a similar fate.

Some victims of ransomware attacks may be legally required to report their ransomware infections. For example, HIPAA compliance typically requires healthcare organizations to report all data breaches, including ransomware attacks, to the Department of Health and Human Services.

Decide whether to pay or not

Deciding whether to pay the ransom is a complex decision. Most experts suggest that you should only consider paying if you’ve tried all other options and losing your data is much more detrimental than paying.

Whatever decision you make, you should always consult with law enforcement officials and cybersecurity experts before proceeding.

Paying the ransom does not guarantee that you will regain access to your data or that the attackers will keep their promises. Victims often pay the ransom but do not receive the decryption key. Moreover, paying the ransom may perpetuate cybercrime activity and may require more funds for cybercrime.

Prevent future ransomware attacks

Email security tools and anti-malware and antivirus software are important first lines of defense against ransomware attacks.

Organizations also use advanced endpoint security tools such as firewalls, VPNs, and multi-factor authentication as part of a broader data protection strategy to defend against data breaches.

But no cybersecurity system is complete without cutting-edge threat detection and incident response capabilities that can catch cybercriminals in real time and mitigate the effects of successful cyberattacks.

IBM Security® QRadar® SIEM applies machine learning and user behavior analytics (UBA) to network traffic along with traditional logs for smarter threat detection and faster remediation. In a recent Forrester study, QRadar SIEM helped security analysts save more than 14,000 hours over three years by identifying false positives, reducing the time it takes to investigate incidents by 90%, and reducing the risk of a serious security breach by 60%. * Using QRadar As under-resourced security teams, SIEMs have the visibility and analytics they need to quickly detect threats and take immediate, informed action to minimize the impact of attacks.

Learn more about IBM QRadar SIEM

*The Total Economic ImpactTM of IBM Security QRadar SIEM is a commissioned study conducted by Forrester Consulting on behalf of IBM, April 2023. Based on expected outcomes for a composite organization modeled after four IBM customers interviewed. Actual results will vary depending on client configuration and conditions, so we may not be able to provide typical results as expected.