Saturday, February 15, 2025

How to handle a ransomware attack


It's the news no organization wants to hear: you've been the victim of a ransomware attack, and now you're wondering what to do next.

The first thing to keep in mind is that you're not alone. Over 17 percent of all cyberattacks involve ransomware, a type of malware that keeps a victim's data or device locked unless the victim pays the attacker a ransom. Of the 1,350 organizations surveyed in a recent study, 78 percent suffered a successful ransomware attack (link resides outside ibm.com).

Ransomware reaches networks and devices through several methods, or vectors: phishing emails that trick individuals into clicking malicious links or opening attachments, exploitation of vulnerabilities in software and operating systems, and abuse of exposed remote access services. Cybercriminals typically demand payment in Bitcoin or other hard-to-trace cryptocurrencies and promise to hand over a decryption key once the ransom is paid.

The good news is that when a ransomware attack does happen, there are basic steps any organization can follow to contain the attack, protect sensitive information, and keep the business running by minimizing downtime.

Initial response

Isolate affected systems

Because the most common ransomware variants scan the network for other vulnerable hosts and propagate laterally, isolate affected systems as quickly as possible. Disconnect Ethernet cables and disable Wi-Fi, Bluetooth and any other network interfaces on every infected or potentially infected device. Where you can, also cut the device off at the switch port or VLAN, or use your EDR tool's network-containment feature, so that isolation does not depend on reaching the console of a compromised host. Disconnect the network, not the power: pulling the plug destroys the memory evidence discussed below.

Two other steps to consider:

  • Turning off maintenance tasks. Immediately disable automated tasks on affected systems, such as deleting temporary files or rotating logs. These jobs can overwrite or remove files that the investigation and recovery depend on.
  • Disconnecting backups. Because many newer ransomware strains deliberately target backups to make recovery harder, take backup systems offline and restrict access to them until the infection has been removed. Before reconnecting them, verify that the backups themselves are intact and were not encrypted or tampered with.

Photograph the ransom note

Before doing anything else, photograph the ransom note, ideally by taking a picture of the affected screen with a separate device such as a smartphone or camera. If the note was also dropped as a file (typically a text or HTML file placed in each encrypted folder), preserve a copy of that too: it holds the attacker's contact address, any victim ID and the payment instructions. The photo and the note speed up identification of the strain and help when filing a police report or a claim with your insurance company.

Notify the security team

Once the affected systems are disconnected, notify your IT security team. In most cases, security staff can advise on the next steps and activate your organization's incident response plan, the documented processes and technologies for detecting and responding to cyberattacks.

Don't restart affected devices

When dealing with ransomware, avoid restarting infected devices. Attackers know a reboot may be your first instinct, and some strains detect restart attempts and respond by causing further damage, such as corrupting the Windows installation or deleting the encrypted files. Rebooting also makes the investigation harder: valuable evidence such as running processes, open network connections and, in some cases, key material lives in memory, which is wiped by a restart.

Instead, put the affected systems into hibernation. Hibernation writes the contents of memory to a file on the device's disk (hiberfil.sys on Windows), preserving it for later analysis. Hibernation is unavailable on hosts where it has been disabled; in that case, acquire a memory image with a forensic capture tool before the machine is powered off.

Eradication

Now that you've isolated the affected devices, you're likely eager to unlock them and recover your data. While eradicating ransomware can be complicated, particularly with the more advanced strains, the following steps start you on the path to recovery.

Determine the attack variant

Several free tools, such as ID Ransomware, can help identify the strain infecting your devices. Knowing the specific strain tells you several key things, including how it spreads, which files it encrypts, and whether and how it can be removed. You upload a sample encrypted file and, if you have them, the ransom note and the attacker's contact information. Choose a sample whose original content is not sensitive, never upload your only copy, and do not modify encrypted files before the sample is taken.

The two most common types of ransomware are screen lockers and encryptors. Screen lockers block access to the device's interface but leave the files untouched, so they can usually be removed without paying. Encryptors are harder to deal with: they find and encrypt your data and withhold the decryption key until the ransom is paid.
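Before uploading anything to an identification service, an analyst first works out which files were actually encrypted and where the ransom note is. The script below is an added example (not a tool from IBM or the article's author) that does this offline with two heuristics: ciphertext has near-maximal byte entropy, and ransom notes are small text files that use extortion wording. It reports the affected extensions, the notes it found, and the SHA-256 of a sample file ready for submission. The directory layout, the ".locked" extension and the note text in make_sample_tree() are constructed for the demonstration and do not correspond to any real strain.

```python
"""Offline triage of a file tree after a suspected ransomware infection.

Added example for this article, not a tool from IBM or the page's author.
It applies two heuristics an analyst uses before submitting samples to an
identification service: ciphertext has near-maximal byte entropy, and
ransom notes are small text files that use extortion wording. The
directory layout, the ".locked" extension and the note text in
make_sample_tree() are constructed for the demo, not a real strain.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

ENTROPY_THRESHOLD = 7.5      # bits per byte; random or encrypted data approaches 8.0
MIN_BYTES_FOR_ENTROPY = 256  # entropy of tiny files is too noisy to classify
NOTE_MAX_BYTES = 64 * 1024   # ransom notes are small; skip large text files
NOTE_KEYWORDS = ("decrypt", "ransom", "bitcoin", "your files")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Small file whose text contains typical extortion wording."""
    try:
        if path.stat().st_size > NOTE_MAX_BYTES:
            return False
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return any(k in text for k in NOTE_KEYWORDS)


def triage(root: Path, sample_bytes: int = 4096) -> dict:
    """Walk `root` read-only and classify its files.

    Returns how many high-entropy files carry each extension, the ransom
    notes found, and the SHA-256 of the first high-entropy file (the sample
    you would upload for identification together with the note).
    """
    encrypted_by_ext: Counter = Counter()
    notes = []
    sample_sha256: Optional[str] = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if looks_like_ransom_note(path):
                notes.append(path.relative_to(root).as_posix())
                continue
            try:
                with path.open("rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue
            if len(head) < MIN_BYTES_FOR_ENTROPY or shannon_entropy(head) < ENTROPY_THRESHOLD:
                continue
            # Compressed formats (zip, jpeg, pdf streams) also score high; what
            # singles out ransomware is one unfamiliar extension across many files.
            encrypted_by_ext[path.suffix.lower() or "<none>"] += 1
            if sample_sha256 is None:
                sample_sha256 = hashlib.sha256(path.read_bytes()).hexdigest()
    return {
        "encrypted_by_ext": dict(encrypted_by_ext),
        "ransom_notes": sorted(notes),
        "sample_sha256": sample_sha256,
    }


def make_sample_tree(root: Path) -> None:
    """Constructed demo data: two 'encrypted' files, one note, one clean file."""
    docs = root / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "budget.xlsx.locked").write_bytes(os.urandom(4096))  # stands in for ciphertext
    (docs / "plan.docx.locked").write_bytes(os.urandom(4096))
    (docs / "README_TO_DECRYPT.txt").write_text(
        "Your files have been encrypted. Contact us to buy the decryption key.\n")
    (docs / "agenda.txt").write_text("quarterly planning meeting agenda\n" * 50)


def demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it against a mounted, read-only copy of the affected volume rather than the live host, and treat the entropy result as a lead, not a verdict: legitimately compressed files score just as high, so it is the single unfamiliar extension shared by many files that points to an encryptor.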

Search for decryption tools

Once you've identified the strain, look for a decryption tool. Free resources exist for this step too, including the No More Ransom project's site: enter the name of the strain and search for a matching decryptor. Decryptors exist only where the strain's cryptography was flawed or its keys were leaked or seized by law enforcement, so a match is not guaranteed. Before running any decryptor, make a forensic copy of the encrypted files, because a tool that mishandles a variant can destroy the chance of later recovery.


Recovery

If you've been able to remove the ransomware infection, it's time to start the recovery process.

Start by rotating credentials, beginning with privileged and service accounts, since attackers commonly harvest passwords during the intrusion and will otherwise return. Then restore your data from backups, after confirming that the backups were not themselves encrypted or infected. You should always aim to keep three copies of your data on two different types of media, with one copy stored offsite or offline. This approach, known as the 3-2-1 rule, lets you restore data quickly and avoid paying a ransom.

Following the attack, you should also conduct a security audit and bring all systems up to date. Regular patching removes the vulnerabilities in older software that attackers rely on and keeps your machines stable and resistant to malware. You may also want to refine your incident response plan with the lessons learned and make sure you've communicated the incident sufficiently to all necessary stakeholders.

Notifying authorities

Because ransomware is extortion and a crime, you should always report ransomware attacks to law enforcement (in the United States, the FBI).

The authorities might be able to help decrypt your files if your recovery efforts don't work. But even if they can't save your data, it's critical for them to catalog cybercriminal activity and, hopefully, help others avoid similar fates.

Some victims of ransomware attacks may also be legally required to report ransomware infections. For example, HIPAA compliance generally requires healthcare entities to report any data breach, including ransomware attacks, to the Department of Health and Human Services.

Deciding whether to pay

Deciding whether to make a ransom payment is a complex decision. Most experts suggest you should only consider paying if you've tried all other options and the data loss would be significantly more harmful than the payment.

Regardless of your decision, consult law enforcement and cybersecurity professionals before moving forward. In some jurisdictions a payment to a sanctioned group can itself be unlawful; the US Treasury's Office of Foreign Assets Control (OFAC) has published advisories on exactly this risk.

Paying a ransom doesn't guarantee you'll regain access to your data or that the attackers will keep their promises: victims often pay, only to never receive a working decryption key. Moreover, paying ransoms perpetuates cybercriminal activity and funds further attacks.

Preventing future ransomware attacks

Email security tools and anti-malware and antivirus software are critical first lines of defense against ransomware attacks.

Organizations also rely on network and identity controls such as firewalls, VPNs, and multi-factor authentication, together with endpoint detection and response (EDR) tools, as part of a broader data protection strategy to defend against data breaches.

However, no cybersecurity program is complete without threat detection and incident response capabilities that catch an intrusion while it is in progress and limit the impact of attacks that do succeed.
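What "catching ransomware in real time" means in practice is alerting on the encryptor's behaviour, not its file hash. The script below is an added example, not code from the article or from any IBM product, that runs two such rules over endpoint telemetry: a burst of renames that append one new extension to files across several directories within a sliding window, and deletion of Volume Shadow Copies, which encryptors perform to prevent local restore. The JSON-lines event format (ts, host, proc, op, path, new_path, cmdline) is a constructed stand-in for EDR or SIEM events, and the thresholds are assumptions to tune per environment.

```python
"""Detecting encryptor behaviour in endpoint file telemetry.

Added example, not code from the article or from any IBM product. The
JSON-lines event format (ts, host, proc, op, path, new_path, cmdline) is a
constructed stand-in for EDR or SIEM file and process events, and the
thresholds are assumptions to be tuned per environment. Two rules are
shown: a burst of renames that append one new extension across several
directories, and deletion of Volume Shadow Copies.
"""
import json
from collections import Counter, defaultdict, deque
from pathlib import PureWindowsPath
from typing import Optional

WINDOW_SECONDS = 60   # sliding window per (host, process)
MIN_RENAMES = 20      # renames with the same appended extension inside the window
MIN_DIRS = 3          # ... spread over at least this many directories
SHADOW_DELETION_MARKERS = ("vssadmin delete shadows", "wmic shadowcopy delete")


def added_extension(old_path: str, new_path: str) -> Optional[str]:
    """Suffix appended by a rename ('a.docx' -> 'a.docx.locked' gives '.locked')."""
    old, new = old_path.lower(), new_path.lower()
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def detect(lines) -> list:
    """Run both rules over JSON-lines events ordered by timestamp; return alerts."""
    alerts = []
    windows = defaultdict(deque)   # (host, proc) -> deque of (ts, directory, ext)
    already = set()                # avoid re-alerting on every further rename
    for line in lines:
        ev = json.loads(line)
        key = (ev["host"], ev["proc"])
        if ev["op"] == "process":
            cmd = ev.get("cmdline", "").lower()
            if any(m in cmd for m in SHADOW_DELETION_MARKERS):
                alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                               "proc": ev["proc"], "ts": ev["ts"], "cmdline": ev["cmdline"]})
            continue
        if ev["op"] != "rename":
            continue
        ext = added_extension(ev["path"], ev["new_path"])
        if ext is None:   # renames that replace the whole name need a different rule
            continue
        q = windows[key]
        q.append((ev["ts"], str(PureWindowsPath(ev["path"]).parent).lower(), ext))
        while q and q[0][0] < ev["ts"] - WINDOW_SECONDS:
            q.popleft()
        top_ext, count = Counter(e for _, _, e in q).most_common(1)[0]
        dirs = {d for _, d, e in q if e == top_ext}
        if count >= MIN_RENAMES and len(dirs) >= MIN_DIRS and (key, top_ext) not in already:
            already.add((key, top_ext))
            alerts.append({"rule": "mass_rename", "host": ev["host"], "proc": ev["proc"],
                           "ext": top_ext, "count": count, "dirs": len(dirs), "ts": ev["ts"]})
    return alerts


def sample_events() -> list:
    """Constructed telemetry: a few benign renames, then an encryptor-like burst."""
    events, t = [], 1_700_000_000
    for i in range(5):   # a user backing up drafts by hand: stays below threshold
        events.append(json.dumps({
            "ts": t + i, "host": "ws01", "proc": "explorer.exe", "op": "rename",
            "path": f"C:\\Users\\ana\\Documents\\draft{i}.docx",
            "new_path": f"C:\\Users\\ana\\Documents\\draft{i}.docx.bak"}))
    t += 100
    folders = ["Documents", "Pictures", "Desktop", "Downloads", "Projects"]
    for i in range(25):  # 25 files in 5 folders renamed to .locked within 25 s
        d = folders[i % len(folders)]
        events.append(json.dumps({
            "ts": t + i, "host": "ws01", "proc": "updater.exe", "op": "rename",
            "path": f"C:\\Users\\ana\\{d}\\file{i}.xlsx",
            "new_path": f"C:\\Users\\ana\\{d}\\file{i}.xlsx.locked"}))
    events.append(json.dumps({
        "ts": t + 30, "host": "ws01", "proc": "cmd.exe", "op": "process",
        "cmdline": "vssadmin delete shadows /all /quiet"}))
    return events


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

The mass-rename rule fires once, at the 20th rename, and is suppressed for the rest of the burst; in a real deployment that first alert is the trigger for the automated host isolation described under Initial response. Backup agents and archivers can produce similar rename bursts, so expect to whitelist known processes and raise the thresholds after a baseline period.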

IBM Security® QRadar® SIEM applies machine learning and user behavior analytics (UBA) to network traffic alongside traditional logs for smarter threat detection and faster remediation. In a recent Forrester study, QRadar SIEM helped security analysts save more than 14,000 hours over three years by identifying false positives, reducing time spent investigating incidents by 90%, and reducing their risk of experiencing a serious security breach by 60%.* With QRadar SIEM, resource-strained security teams have the visibility and analytics they need to detect threats rapidly and take immediate, informed action to minimize the effects of an attack.


*The Total Economic Impact™ of IBM Security QRadar SIEM is a commissioned study conducted by Forrester Consulting on behalf of IBM, April 2023. Based on projected results of a composite organization modeled from 4 interviewed IBM customers. Actual results will vary based on client configurations and conditions and, therefore, generally expected results cannot be provided.
