- A type of computer virus known as ransomware, also called malicious software or malware, locks your computer and sends out a notification requesting payment to unlock your data.
- Prevention is the best form of defence when it comes to ransomware.
- There are 10 steps you can take after a ransomware attack, such as staying calm, taking photo, reporting, quarantining systems, securing backups, decryption tools, etc.
Ransomware is a type of computer virus, also called malicious software or malware, that locks your computer and sends out an alert demanding payment for the return of your data. Cybercriminals typically target businesses and governments in hopes they’ll pay big bounties to release files and restore critical systems. But ransomware attacks happen to regular computer users as well.
When it comes to ransomware, prevention is the best defence. You or your business may frequently find yourself in the middle of a ransomware attack if you don’t have strong preventative security measures in place.
Here are 10 steps you should take following a ransomware attack.
1. Stay calm
When you are unable to access crucial files on your computer, it becomes challenging to maintain composure. However, the first thing to do after being infected with ransomware is to remain composed and calm.
Most people don’t consider the seriousness of the situation before they hastily pay the ransom. Negotiations with the attacker may occasionally be possible if you remain composed and take a backseat.
2. Take a photo of the ransomware message
Remember that using ransomware is illegal. Indeed, it is still possible to prosecute hackers for felonies if they spread ransomware and extract less than $1,000 from their victims. Take a picture of the ransomware message that appears on your device before reporting an attack. This can be accomplished with a smartphone, a camera, or, if practical, a screenshot.
3. Report the ransomware
If your company works with an external IT team or cybersecurity firm, alert them to the attack, so they can begin evaluating the extent of the damage. If your company has a ransomware insurance policy, contact your insurance provider to let them know what’s happened.
Finally, report the attack to the FBI. You can contact your local FBI field office, which may be able to provide support with tracing how the attack occurred in the first place.
Also read: AI: The opportunities and the threats
4. Quarantine affected systems
Disconnect the affected computer from your network. While the ransomware may have already infiltrated your network, you reduce this likelihood as well as it has reached your backups by isolating the attack. This is especially true if you use cloud backups. Disconnecting the affected computer helps stop the ransomware in its tracks.
5. Secure backups
While backups play a crucial role in remediation, it’s important to remember that they are not immune to ransomware. To thwart recovery efforts, many modern ransomware strains will specifically target a company’s backups and try to encrypt, override or delete them.
In the event of a ransomware incident, organisations must secure their backups by disconnecting backup storage from the network or locking down access to backup systems until the infection is resolved.
6. Disable maintenance tasks
On impacted systems, organisations should immediately turn off automated maintenance tasks like log rotation and temporary file removal because they can tamper with files that forensics teams and investigators may need.
File logs, for instance, could provide crucial hints about the original point of infection, and certain ransomware variants with weak programming might store crucial data—like encryption keys—in temporary files.
7. Look for decryption tools in your antivirus software.
A decryption tool of some kind is included in good antivirus software to assist in removing ransomware without caving into the demands of the hacker. Use your antivirus program to search for decryption tools. If your software isn’t working, try searching for a decryption tool online with a different device (a smartphone using cellular data is safe).
Also read: What is open banking? A short guide
8. Identify the attack variant
You can use free tools like ID Ransomware and Emsisoft’s online ransomware identification tool to identify the type of ransomware.
Users can upload a sample of the encrypted file, any ransom note that was left behind, and, if available, the attacker’s contact details using these services. The type of ransomware strain that has affected the user’s files can be determined by analysing this data.
9. Reset passwords
If a hacker manages to get access to your computer, they can also retrieve any passwords you store in your operating system keychain or web browser. After your operating system has been restored, proceed to change as many passwords as you can. Making each one distinct from the ones you used before the hack is also a good idea, as a hacker with access to your list of passwords will eventually be able to decipher your new ones.
10. Decide whether to pay the ransom
If backups are damaged and there is no appropriate decryption tool available, organisations may be tempted to pay the ransom to recover their files.
While paying the ransom can help reduce disruption and may be cheaper than the overall cost of downtime, it is not a decision that should be taken lightly. Organisations should only consider paying the ransom if all other options have been exhausted and the loss of data will likely result in the company going out of business.
A ransomware attack can happen at any time, so it’s important to know how to respond quickly if your organisation’s network is attacked. Alerting other parties to the attack and quickly isolating the affected part of your network is key to minimising damage. After a ransomware attack, it’s essential to fully audit your network to make sure the attackers have been removed, and that there’s no remaining ransomware.