How to respond to a ransomware attack: A guide for businesses

Ransomware is a class of malware that locks down systems with encryption and demands payment to return control of the files, but there's no guarantee that paying will work. Once hackers have successfully encrypted files, recovering that data can be difficult.

Ransomware attacks are on the rise, and can target businesses both large and small. In fact, according to Verizon’s most recent data, the 2018 Data Breach Investigations Report, ransom attacks were the most common variety of malware in 2017.

Although there's no foolproof way of preventing ransomware attacks, or the loss of your personal data if one does occur, there are several ways to protect your organisation from becoming a victim, set out below.


Prepare

Being prepared always remains the best defence against any security threat; after all, prevention is better than cure.

Starting from the root of the business, it is important to check the security policy regularly, making sure that antivirus software is up to date and that regular backups are scheduled.

One of the most essential defence methods is to ensure that the IT team are patching vulnerabilities as soon as they are discovered.

Security training should be implemented to ensure the whole organisation is aware of the dangers of ransomware, and the best security measures to take to avoid it.


Brief the team

Make sure your entire organisation is fully briefed on security protocol. A prime way attackers target employees is through social engineering, essentially tricking employees into disclosing potentially harmful information, primarily through calls and emails.

For example, the attacker may pose as a trusted organisation or contact. They may even pose as the IT department in an organisation with requests for the employee to install certain software.

To avoid any employee falling prey, ensure that they are fully briefed on telltale, suspicious signs, and advise them against opening or responding to any unusual correspondence.

Employ email scanning software

Your organisation should be employing email scanning software that flags up any suspicious content. This should block any content or attachments which are recognised as dubious, and act as another barrier to these kinds of attacks.

Detect

It is important to know how to detect ransomware, as sometimes an attack can get into the system but you may not be aware until a huge amount of data vanishes.

To prevent this, advanced threat intelligence technology is a useful guard against cyber attacks. There are a number of tools designed to block attack attempts and alert the security team to the likelihood of a potential attack; the key is to find the best one for your business needs.

Disconnect and contain

If an attack has been detected, the next crucial step is to ensure the technical team works to contain it in order to prevent the attack from spreading.

If detected quickly, the attack is likely to be limited to one computer system, but it is important to identify every system it may be linked to and quickly disconnect them.

What makes a ransomware attack more harmful is when it spreads across a network, having access to even more data.
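One way to work out which systems to disconnect, given as an added example that is not part of the original article: starting from the machine where the attack was detected, follow connection records forward in time to list every host it may have reached, directly or through another host. The host names, timestamps and record format are constructed for illustration, and the example assumes that exposure travels from the connecting host to the host it connects to.

```python
from datetime import datetime

# Constructed sample connection records: (timestamp, source host, destination host).
CONNECTIONS = [
    ("2018-06-01T08:55:00", "ws-07", "fs-01"),    # before first detection: ignored
    ("2018-06-01T09:05:00", "ws-07", "fs-01"),
    ("2018-06-01T09:07:00", "ws-12", "db-02"),    # ws-12 not yet exposed at 09:07
    ("2018-06-01T09:10:00", "fs-01", "ws-12"),
    ("2018-06-01T09:20:00", "ws-12", "ws-15"),
    ("2018-06-01T09:30:00", "ws-03", "mail-01"),  # unrelated traffic
]


def hosts_to_isolate(connections, first_host, first_seen):
    """Return {host: earliest time it could have been exposed}.

    A host counts as exposed once an already-exposed host has opened a
    connection to it at or after that host's own exposure time.
    """
    exposed = {first_host: datetime.fromisoformat(first_seen)}
    events = sorted(
        (datetime.fromisoformat(ts), src, dst) for ts, src, dst in connections
    )
    # Records are processed in time order, so the first time a host is
    # reached from an exposed source is its earliest possible exposure.
    for ts, src, dst in events:
        if src in exposed and ts >= exposed[src] and dst not in exposed:
            exposed[dst] = ts
    return exposed


if __name__ == "__main__":
    result = hosts_to_isolate(CONNECTIONS, "ws-07", "2018-06-01T09:00:00")
    for host, when in sorted(result.items(), key=lambda item: item[1]):
        print(f"{when.isoformat()}  disconnect {host}")
```

Hosts that only talked to the affected machine before the first sign of the attack, or that were contacted by a machine before that machine was itself exposed, are left off the list.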

Don't pay the ransom

Never give in to the temptation to pay the ransom to obtain your files. Aside from encouraging your attackers to continue targeting others, and increasing the incidence of these kinds of attacks, there is no guarantee that your files will be released to you.

Inform the right people

By now, you should be aware of where the problem stems from, and all affected machines and systems should have been disconnected.

Make sure employees are aware of this and do not delay in informing your security and IT teams. This may include thorough checks of all remaining systems, replacing or restoring the affected systems – whatever the process, it should be done quickly.

If any personal customer or employee data was taken, you may need to contact legal teams to get a clear understanding of the consequences. It might not be something your in-house staff is able to identify.

Of course, you will also immediately need to inform regulatory bodies and law enforcement officials of the crime to save the reputation of your company.

Recover

Backup and recovery tools can take some of the pain out of getting lost files and data back. But this might be more complex depending on the type of attack and what you have in place.

There are also some resources on disaster recovery available from the NCSC.

Investigate

As previously mentioned, it is important to do a thorough investigation of other potential vulnerabilities and policies that may need tidying up in order to prevent future attacks.

Make sure you and the security team understand how the attack happened and the potential of another one happening; all lessons learned will help prevent this.

Being prepared with a ransomware response plan is the best starting point, but also make sure your incident response and security teams are alert to the risks of an attack.

Copyright © 2018 IDG Communications, Inc.