I’ve been ransomed, what do I do now?

Several of you have probably seen that the town I live in (Durant, OK) has been hit by ransomware. Many of you may be wondering: what do you do if you are hit with ransomware?

Let’s walk through a few steps on what to do.

First, isolate the ransomware in your environment quickly!

Immediately disconnect the infected system from the internet and any local networks. This limits the spread of the ransomware to other machines. If you’re in a business setting, inform your IT department or security team right away.

Tip: Keep the contact information for your IT or security team within arm's reach so you can reach out to them quickly if needed!

Second, do not pay the ransom being demanded.

As tempting as it may be to pay up and try to recover your files quickly, experts and law enforcement strongly advise against it. There’s no guarantee the attackers will restore your files, and paying only fuels the ransomware economy, encouraging future attacks.

Tip: Have a breach coach ready to work with you. Need one? Contact Gilliam Security and we can introduce you to one.

Third, identify what type of ransomware you are dealing with.

Understanding what kind of ransomware you’re dealing with is crucial. Some strains have known decryption tools, while others do not. Just as you would work with a doctor when you are sick, work with a security professional to help identify the malware. Need help with this? Reach out to Gilliam Security so we can help!

Tip: Be careful when doing this. You may be under surveillance by the threat actor. Also, make sure this is allowed by your cyber insurance provider.

Fourth, check the state of your system and data backups.

Check for clean backups of your systems and files. If you have off-site or offline backups that predate the infection, restoring from them is often the safest and fastest route to recovery. Make sure these backups are scanned before restoring them.

Tip: When bringing these back online, make sure your backups do not get ransomed as well. Consider WORM (write once, read many) storage. Confused? Let Gilliam Security help.

Fifth, consider help from cybersecurity professionals.

If you don’t have a dedicated cybersecurity team, now is not the time to go it alone. A ransomware incident is complex, and mistakes during the response process can make things worse or even cause permanent data loss. Incident response professionals can help safely recover your systems and minimize long-term damage.

If you are at this stage, you may consider reaching out to a big firm like Mandiant. Make sure you have already met with your internal teams.

Tip: Plan for this ahead of time. What does your incident response plan say to do?

Sixth, secure and rebuild your systems as you come back online.

Once the threat is contained and your systems are restored, it’s time to patch vulnerabilities, update software, reset passwords, and implement better security practices. This step is essential to prevent repeat attacks.

Tip: Keep doing this. This is basic hygiene for IT.

Don’t let ransomware paralyze your business. Call Gilliam Security now, before, during, or after an attack, and get the protection and expertise you need.

Reach out to us today to learn more.