How to handle a ransomware attack in eight steps

When a strange message appears on your screen demanding you pay up or lose your data, what should you do?

Should you pay the ransom and hope the criminal returns your data, or should you take a different route?

Experts in cyber security warn that paying a ransom is not only unsafe – you have no guarantee that the attacker will return your data and leave you alone – but it encourages cyber criminals to continue doing it. So if you don’t want to pay the ransom but you do want your data, what else can you do?

You can follow these eight steps:

1. Be ready for an attack by automating your data backup

If your data is backed up at the point of a ransomware attack, then you can restore your backed up files and ditch the infected ones.

And if your backup routine is 1) automatic, 2) stores incremental versions of your data and 3) is scheduled daily, then you’ll never lose more data than what was generated since your last backup.

2. Make sure the attack is in fact ransomware

Sometimes an attack is malware pretending to be ransomware. If your staff know how to identify ransomware and who to alert, they’ll be able to stop it from spreading to other devices and kick-start the recovery process. Teaching your employees about ransomware is a valuable aspect of business continuity.

3. Disconnect the affected device/s from the Internet

Once you’re sure it’s a ransomware attack, take the affected computer offline and disconnect it from your network.

4. Tell your staff

Alert everyone to the attack as soon as possible, and let them know how you’re going to handle it. This is where having a disaster recovery plan in place pays off because the steps to follow are then laid out for you and recovery will be seamless using your restored backup files. 

Much of the ground work can laid, if you have a cyber security plan.

5. Identify the kind of ransomware attack

You need to work out what kind of ransomware you’ve been hit with so you know how to handle it. The online tool ID Ransomware will help you identify the ransomware by asking you to upload the ransom note and an encrypted file. It will then tell you if it’s screen-locking ransomware or encrypting ransomware.

This free service is useful for pointing you in the right direction, and telling you if there’s a known way of decrypting your files. If there’s no “known way” to decrypt the files, you’ll have to rely on your backups to restore your data.

6. Remove the ransomware

If the ransomware code has been cracked, you’ll be able to find a decrypter for it online. If there’s no decrypter, you’ll have to restore the affected devices to factory settings. In doing this, you’ll lose everything on your devices, but you’ll be able to gain access to all the business critical files and folders you’ve (hopefully) been backing up in a few hours.

NOTE: Determining which of your backups hasn’t been affected by ransomware can sometimes be a time-consuming process. It all depends on how far back your backups have been infected with ransomware. You’ll have to inspect your various backup sets (ransomware often renames your files) before determining which backup is “clean”.

Once you’ve worked out which backup set is clean, wipe your device and do a clean re-install of your operating system and applications – and only then restore the relevant backup. While you may view this as a lengthy process, it’ll be well worth it to prevent further attacks.

7. Install an effective EDR (electronic detection and response) solution

Cybersecurity solutions in the EDR category offer a vastly higher level of protection than traditional antivirus technology.

8. Make sure ALL the devices in your network have the latest security patches

Just a single unpatched computer in your network will render the entire environment insecure and an easy target for cyber criminals. It’s essential that all the devices in your network are updated with the most current operating system security patches.

You can test how resilient your business is by taking a cyber security trial.

Ready to give IronTree Cyber Security a try?