In the wake of the Covid-19 pandemic, 2020 will be remembered for the explosion of another kind of virus: ransomware. Often helpless and unprepared, the businesses and local authorities hit by an attack must act quickly, but with the right method.
The rise in ransomware attacks (rançongiciels) was dramatic in 2020: up 50% in the third quarter worldwide. The Covid-19 pandemic is not unrelated to this surge, since the massive shift to remote working left companies and public bodies far more exposed. The objective of these attacks is to extort heavy ransoms in exchange for the release of essential data that has been encrypted or otherwise rendered inaccessible.
Cornered by the pressure, victims often believe they have no choice but to pay the attackers to get their data back. ANSSI (the French National Agency for the Security of Information Systems) is nevertheless clear on this point: paying sustains this form of cybercrime, and there is no guarantee that the data will be recovered by doing so.
So what should you do if you are attacked? There are as many different situations as there are kinds of organizations and ransomware families, but a few initial actions are essential if you hope to limit the damage, resume operations as soon as possible and perhaps recover your data intact. Despite the stress an incident of this kind generates, it is important to take a step back and think before acting.
Here are four steps to follow when dealing with a ransomware attack:
Isolate the infected areas and identify the scope of the attack
At the start of a crisis, a decision has to be made between disconnecting systems immediately, in the hope of a rapid resumption of activity, and taking the time to gather evidence against the attackers. A compromise between these two options will usually have to be found, depending on the scope, scale and impact of the incident and on an assessment of the risks to the integrity of the organization's assets. In any case, the aim is to limit the damage by cutting the attacker off and to do everything possible to return to normal, with usable systems and preserved access for users.
Start by disconnecting the computers and devices suspected of being infected from the network (wired and Wi-Fi) and from any attached storage, in order to stop the attack spreading to other systems. Disconnect rather than power off: the machine's state is still evidence. The ransomware may have entered the organization through several machines at once, or it may be lying dormant on systems where it has not yet shown itself, so every connected device should be treated with suspicion until proven otherwise.
Identifying the ransomware family involved also helps to understand its impact, how it spreads, which file types it encrypts and what disinfection options exist, and then to assess the scope of the infection. The ransom note and the extension appended to encrypted files are usually the first identifiers a responder looks for.
Avoid certain hasty and irreversible actions
Rebooting a freshly infected computer is not recommended, because it can help the malware finish encrypting files: the routines that walk the disks sometimes crash on a permission error, and a reboot may let them resume where they stopped. It is therefore preferable to put the affected machines into standby (suspend) after disconnecting them from the network; unlike a reboot, this also keeps the contents of memory intact for analysis.
IT managers should immediately disable automated maintenance tasks on the affected systems (scheduled clean-ups, log rotation and the like), as these can delete or overwrite files that are useful to investigators: logs holding clues to the initial point of infection, or temporary files created by poorly written ransomware that may still contain encryption keys.
Do not restore a system from a backup without first verifying that the backup itself is not infected. Restoring a compromised backup both prevents a quick recovery and, by overwriting the encrypted originals, destroys any remaining chance of recovering them. Backups may well have been contaminated by an APT (Advanced Persistent Threat) intrusion that sat on the systems for a long time before the attack was triggered.
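As an added example, not taken from the original article, the following Python script illustrates two of the points above: establishing the scope of an infection (which files were overwritten, which extension was appended, where the ransom note sits) and checking that a backup set is clean before anything is restored from it. The note-name markers, the magic-byte table, the entropy threshold and the sample file tree are assumptions constructed for the demonstration, not characteristics of any particular ransomware family.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumed ransom-note name fragments (illustrative; real families use many names).
NOTE_MARKERS = ("decrypt", "recover", "restore", "ransom")

# Leading bytes that files of these types must start with. A file that keeps its
# name but no longer starts with its signature has been overwritten.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}

HEAD_SIZE = 4096         # bytes examined per file
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext is close to 8, plain text is usually below 5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the data, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_ransom_note(name: str) -> bool:
    """Flag file names that look like a ransom note; every hit still needs a manual look."""
    lowered = name.lower()
    return any(marker in lowered for marker in NOTE_MARKERS)


def looks_encrypted(path: Path) -> bool:
    """Heuristic: wrong signature for a known type, or near-random bytes for an unknown type."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_SIZE)
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        # Compressed formats (docx, zip, ...) are high-entropy even when healthy,
        # so for known types the signature check is the only reliable test.
        return not head.startswith(expected)
    return shannon_entropy(head) > ENTROPY_THRESHOLD


def triage(root: Path) -> dict:
    """Walk a tree and summarise what a responder needs first: scope, appended extension, note."""
    encrypted, notes, suffixes = [], [], Counter()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if is_ransom_note(path.name):
            notes.append(path.relative_to(root).as_posix())
        elif looks_encrypted(path):
            encrypted.append(path.relative_to(root).as_posix())
            suffixes[path.suffix.lower()] += 1
    return {"encrypted": encrypted, "notes": notes, "suffixes": suffixes,
            "clean": not encrypted and not notes}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: a hit file share and a backup taken before the attack."""
    rng = random.Random(2020)  # deterministic stand-in for ciphertext

    def fake_ciphertext() -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(HEAD_SIZE))

    prose = b"Quarterly report: revenue, costs and outlook for the next period.\n" * 80
    share = root / "share"
    share.mkdir(parents=True)
    (share / "report.pdf.locked").write_bytes(fake_ciphertext())  # renamed and encrypted
    (share / "budget.xlsx").write_bytes(fake_ciphertext())        # encrypted in place, name kept
    (share / "README_DECRYPT.txt").write_text("All your files are encrypted. Pay to decrypt.\n")
    (share / "memo.txt").write_bytes(prose)                       # untouched
    backup = root / "backup"
    backup.mkdir(parents=True)
    (backup / "report.pdf").write_bytes(b"%PDF-1.4\n" + prose)
    (backup / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 200)
    (backup / "memo.txt").write_bytes(prose)


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and triage both subtrees."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return {name: triage(base / name) for name in ("share", "backup")}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: clean={result['clean']} encrypted={result['encrypted']} "
              f"notes={result['notes']} suffixes={dict(result['suffixes'])}")
```

Two caveats apply. Archives and encrypted containers are high-entropy when perfectly healthy, so a file of unknown type flagged here still needs a manual check rather than being written off. And a backup that triages as clean proves only that its contents were not overwritten; it says nothing about whether the attacker had access to the backup system itself, which is why the restore should go onto freshly rebuilt hosts, not the machines that were hit.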
Set up a crisis unit to manage people and communication
Often overlooked in anti-ransomware plans, setting up a crisis unit is essential for a rapid resumption of activity; ideally it will already have been established and rehearsed before any incident.
Because of their knowledge of the system architecture, the CIO or IT manager is naturally at the centre of the unit. Since that role is critical, the person holding it should be shielded from excessive pressure and given clear boundaries to limit their workload, or they may abandon ship in the middle of the storm. The rest of the unit should therefore be drawn from senior management, finance and communications.
The crisis unit must consider every unfavourable scenario in order to plan its actions accordingly, whether in operational, financial, legal, social or HR terms.
Managing crisis communication well is also essential, starting internally by giving employees clear security instructions and reassuring them about possible data loss or leaks. A cyberattack can be a difficult experience for some people, so communicating regularly is the way to keep employees engaged.
External communication with customers, partners and the media is just as essential, because it means anticipating the answers to everyone's questions before rumours spread. Factual press releases will limit the media frenzy, reassure the market and thus protect the organization's image.
Get support from experts as soon as possible
From the start of the crisis, it is essential to be supported by specialists with a 360° understanding of the problem. These range from experts in cybersecurity, business recovery or data recovery, to insurers, to representatives of ANSSI or the CNIL.
The organization should also contact its regular IT service provider, if that is who knows its system architecture best. The provider will be able to identify infected backups and handle the reintegration of data, but will still need to bring in a cybersecurity expert to avoid inappropriate and irreversible actions. Only close collaboration between these experts makes it possible to handle this kind of incident successfully.
Finally, keep in mind that the priority of institutional specialists will be to understand and trace the origin of the attack, whereas IT service providers, working alongside data-recovery experts, will be there first and foremost to support the organization's return to activity, without however compromising a possible investigation.