Ransomware attack: Don't panic!
More and more cases of cyber extortion are becoming public. But what should you do in the event of a ransomware attack? A cybersecurity expert lists seven immediate measures.
The ransomware wave continues to sweep over companies and authorities. The security situation seems to be getting worse everywhere. It is only a matter of time before your own company is hit, you might think. There are many guides on how to set up cyber defenses against a ransomware attack, or technologies that promise successful defense. But when the time actually comes, it's useful to know what to do first.
In the event of a ransomware attack: Do not pay a ransom
Panic is always a bad advisor. So is reaching for your wallet to pay the ransom, even if that seems like the easiest way out at first.
The first priority is, of course, to make data and systems available again as quickly as possible. For that to work, and for the right lessons to be learned from a successful attack, a few further measures should be followed.
1. Quickly isolate devices
Ransomware should not be able to spread further than it already has. Administrators should therefore isolate affected systems from the network as soon as possible. Isolation also keeps the extortion malware from spreading while the clean-up after the attack is under way.
2. Understand the attack vector
Once the affected devices are isolated, it is important to understand how the incident occurred. On the one hand, this helps to manage the incident; on the other, it provides valuable lessons for the future. So the question to answer is: who was Patient Zero on the network?
3. Protect and check backups
Applications and servers can be rebuilt, but data is irreplaceable, and without backups it cannot be recovered. The first measure is therefore to take the backups off the network. Attackers deliberately look for backups as part of their attack; if they are still online, there is a risk that they will be encrypted or destroyed along with everything else. Better still, keep offline backups in a physically separate location from the outset. The 3-2-1 backup rule (keep at least three copies of your data, stored on two different media, with one copy kept at an external location) is an indispensable prerequisite, especially for protecting data against extortion attacks. With it, a ransom demand may come to nothing, at least as far as the data is concerned, and IT administrators can concentrate on rebuilding the systems.
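The 3-2-1 rule above is easy to state and easy to drift away from. The following Python script is an added example (not Bitdefender's code) that checks a self-maintained backup inventory against the rule and adds the one extra condition the article motivates: at least one copy must be offline or immutable, so that an attacker who is already on the network cannot encrypt or delete it. The inventory entries, media names and site names are constructed sample data.

```python
"""3-2-1 backup compliance check (added example, constructed inventory)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str          # e.g. "disk", "tape", "object-storage" (assumed labels)
    location: str       # site or region where the copy physically lives
    online: bool        # reachable from the production network right now
    immutable: bool = False  # write-once / retention-locked storage


def check_321(primary, backups):
    """Evaluate the 3-2-1 rule for one data set.

    Conventional reading of the rule: the three copies include the
    production copy itself, so 'primary' counts as copy number one.
    Returns a dict of named findings plus an overall 'compliant' flag.
    """
    copies = [primary] + list(backups)
    media_types = {c.media for c in copies}
    offsite = [c for c in backups if c.location != primary.location]
    # Extra defensive check: a copy that is offline or immutable survives an
    # attacker who has full control of the online network.
    protected = [c for c in backups if (not c.online) or c.immutable]
    findings = {
        "three_copies": len(copies) >= 3,
        "two_media": len(media_types) >= 2,
        "one_offsite": len(offsite) >= 1,
        "one_offline_or_immutable": len(protected) >= 1,
    }
    findings["compliant"] = all(findings.values())
    return findings


def take_offline_first(backups):
    """Step 3 of the article: backups still reachable from the network and not
    retention-locked are the ones to disconnect first during an incident."""
    return [c.name for c in backups if c.online and not c.immutable]


# Constructed sample inventory for a fictional "hq" site.
SAMPLE_PRIMARY = DataCopy("file-server", "disk", "hq", online=True)
SAMPLE_BACKUPS = [
    DataCopy("nas-snapshot", "disk", "hq", online=True),
    DataCopy("weekly-tape", "tape", "offsite-vault", online=False),
]
# Same site, but every copy is online and none is immutable.
SAMPLE_BACKUPS_ALL_ONLINE = [
    DataCopy("nas-snapshot", "disk", "hq", online=True),
    DataCopy("cloud-bucket", "object-storage", "eu-west", online=True),
]

if __name__ == "__main__":
    for label, backups in (("good", SAMPLE_BACKUPS),
                           ("all-online", SAMPLE_BACKUPS_ALL_ONLINE)):
        result = check_321(SAMPLE_PRIMARY, backups)
        print(label, result)
        print("  disconnect first:", take_offline_first(backups))
```

The second inventory passes the literal 3-2-1 count (three copies, two media, one off-site) yet still fails, because every copy is reachable from the network; that is exactly the situation the article warns about when it says online backups risk being included in the attack.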
4. Stop projects and scheduled tasks
A ransomware attack is an emergency and requires all resources to be pooled. Changes to the IT architecture, such as migrations to new environments or the installation of new applications and servers, should be stopped immediately, because such projects could help the malware spread further. It is equally important to stop scheduled tasks such as backup jobs, since the extortion malware can spread further in the course of them.
5. Quarantine potentially compromised areas
Immediately after an attack, no possibility should be ruled out, and all potentially affected parts of the infrastructure should be quarantined. This means taking everything offline and examining each system individually before it is put back into use.
6. After the attack is before the attack: change passwords
Forewarned is forearmed. At the beginning of an incident, it is often not completely clear how it happened. Was it a simple attack? Or was it a complex attack that was only possible because the attacker had captured authentication data? If so, the attacker can try again at any time. It therefore always makes sense to change the passwords of system-critical user accounts.
7. Don't panic in the event of a ransomware attack: plan and practice for critical security situations
If the worst comes to the worst, IT administration will be under a lot of pressure, and under that pressure there is a real risk of making the wrong decision. To prevent this as far as possible, IT departments should prepare for an emergency. Ideally, those responsible for security will have defined processes in place, because it is precisely in an emergency that companies need a blueprint so that no sensible measure is forgotten. These processes should also be practiced regularly, for example in simulated "red and blue team" exercises. If employees know that there is a plan that takes effect in an emergency, and that this plan has been practiced, the risk of acting incorrectly under pressure is minimized.
Source: Bitdefender