Cybersecurity attacks are becoming increasingly common. No one is immune: individuals, organizations of every size, government bodies, and private-sector companies are all targets. Even with a network scanner and proper cyber hygiene practices in place, the worst-case scenario can still happen. Needless to say, the losses can take the form of damaged systems and client remuneration, and, far worse, a damaged reputation and lost business.
However, do not panic and do not give in to the demands. Doing so only opens the floodgates to further attacks.
The following are key steps to take after a ransomware attack has occurred. Call this a cheat sheet if you will.
- Within the first 24 hours of discovery, isolate the affected endpoints and notify the appropriate channels (e.g. your InfoSec team). Document the date and time of the attack, as well as when the incident response plan was activated.
- After isolating the affected endpoints, take them offline to prevent the malware from spreading further. System recovery from backup may sound like the end-all remedy, and it is highly tempting, but let the InfoSec team complete their assessment and decide on a course of action first.
- Document, document, document. Recovery, mitigation, and prevention can only happen after you have gathered the intelligence needed to share with the forensics and incident response teams.
- After recovering systems, engage the legal team to come up with an effective communications strategy. This is also a good opportunity to review vulnerabilities and take steps towards system hardening.
- All that documentation should now pay off: you have been through a live drill and can update the controls and processes in place. More importantly, train staff, whether to bring them up to speed or as a refresher, so that they always stay vigilant against malicious attacks.
In short, no one anticipates becoming a ransomware victim. In an era when household names such as Target and Facebook, and even public transportation systems, can be compromised, it is clear that no one is safe. One must always be prepared to be the next target. By following the steps above, you are not only heading towards recovery post-ransomware, but also establishing information security resilience.