Step One in Dealing With Ransomware: Don’t Panic
With ransomware attacks increasing, it’s important to know how to respond if you’re the victim of an attack.
Here’s what not to do:
In any crisis, the first order of business is to stay calm and assess the situation. When it appears you’ve been hit by ransomware, before doing anything else, take a moment to determine exactly what kind of attack you’ve suffered. In some cases, the attack is fake—just pretending to be ransomware. If it is a genuine ransomware attack, it may be screen-locking ransomware, which is simpler to deal with. If it’s encrypting ransomware, it may be a variant which has a known decrypting solution. Until you determine the type of attack, you don’t know what the most appropriate response is.
It’s true that rebooting is an easy solution to many IT problems, but it’s not always a safe choice when you’re hit by ransomware. Rebooting can resolve screen-locking ransomware and fake ransomware, but if you’re hit by genuine encrypting ransomware, rebooting can give the malware a second chance to encrypt files it hadn’t reached previously. Rebooting also clears out memory, which sometimes holds the ransomware key that can be used to identify the malware or potentially decrypt files.
The criminals who write ransomware aren’t known for their ethics, so there’s no guarantee your machine will be decrypted even if you pay the ransom. By paying the ransom, you fund their attacks on others, and you also identify yourself as someone willing to pay—meaning you may be targeted by other attacks with higher ransoms.
What should you do?
Disconnect infected machines from your network to prevent the infection from spreading. This includes wireless connections and Bluetooth, along with ethernet cables. You should disconnect the machine from networked or shared storage, as well.
Then take advantage of the information you collected while you weren’t panicking. If the attack is fake or simply a screen locker, you may be able to resolve it by rebooting. If it is true encrypting ransomware, you may be able to download a tool to decrypt the specific variant that attacked you. In most cases, however, you will need to access a clean backup to restore uncorrupted data. While you’re doing that, you may want to declare a small-scale disaster recovery incident and use your disaster recovery plan to bring up an alternate server if the affected machine provided any critical functionality.
Prescient Solutions helps businesses in Chicago and Schaumburg address all their information security challenges, including coping with ransomware. Contact us to find out how our services help you minimize the panic when a cyberattack occurs.