You may have seen the recent news about cities and towns being held hostage to hackers infecting their data. With over 25 years of experience in cyber security, I’ve seen it all. To help guide you in managing a ransomware attack, I’ve outlined the steps you can take to minimize the impact on your organization – including my view on why you should not pay the ransom.
Should I pay? No!
The big question with almost all ransomware attacks boils down to one question: are you going to pay the ransom or not? As a goal, the answer should be no. Let’s start by stating the obvious: you’re dealing with a criminal who has purposely forced ransomware software onto one or more of your computers rendering them unusable unless you pay for the files to be unencrypted. You have no guarantee whatsoever that you’ll actually get the decryption key and it’s quite possible there is additional malware already installed that you’ll have to deal with next. You are essentially a hostage that is being blackmailed for money to get out of your situation, and you have no assurances that there’s an end in sight.
Take out the emotion
One of the real problems is that this is an emotional situation, you and your work environment have been made vulnerable and you’re not going to like dealing with a criminal to somehow extract yourself from the situation. This is easier said than done, but you need to take the emotion out of it and deal with the facts. Dealing with this attack is very similar to dealing with a disaster recovery situation. If you can put it in that light, it will help to diffuse the emotion and get you more focused on recovery and less on feeling like your company is being held hostage.
Isolate as quickly as possible
The number one priority once ransomware has been identified is to isolate the infected systems as quickly as possible so the problem doesn’t spread. Every second counts. If it’s a single system, don’t be gentle: unplug the power to it. If it’s a collection of systems, isolate that part of the network immediately so it can’t spread to other systems, shared file storage, or other networks. Once it is isolated you can then start to identify the problem, report the situation to authorities, and begin the restore and refresh process.
Dealing with Ransomware is like Disaster Recovery
The final step is to restore and refresh the infected systems from safe backups and reinstall safe versions of the programs and software your systems need to execute normal business activities. In other words, the plan to deal with a ransomware infection is very much modeled after how you plan for disaster recovery: document responsibilities, steps and owners, define vital applications, map out dependencies, determine appropriate backup and redundancy measures, regularly update employees, and as always, test the process periodically.