2020-11-19
Our friends at Rectron recently invited Nick Keene, Synapsys’s Presales Engineer, to participate in a webinar discussing how companies can secure themselves from cyberthreats. During the webinar, Nick shared his recommended rapid response routine in the event of a ransomware attack.
This is based on his experience assisting companies in the aftermath of attacks, and is designed to minimise impact and assist with speedy restoration of services. We thought it would be useful to share Nick’s rapid response plan here as well.
What to do when you are hit by a ransomware attack
This is for everyone in an organisation:
- Disconnect your device from the corporate network and the internet by unplugging LAN cables and switching off WiFi connections. Do this before you call IT, before you Google the warning message, before you email anyone, before you make a cup of tea, before you finish your phone call. This is the number one thing you can do to minimise the impact of the attack.
- Call your IT department or managed service provider (MSP) immediately. Don’t panic, they want to know right away!
Ideally, IT or your MSP steps in at this point.
- Isolate your core infrastructure from the rest of the network and internet. Preferably don’t shut anything down though, as some attacks are designed to prevent rebooting.
- Isolate and secure your backups. Consider taking them off-site.
- Assess the damage and which systems have been affected.
- Quarantine the infection, clean up what you can and restore your data. A clean restore from backups (that have not been infected) is usually better than decrypting the data held ransom.
- In parallel, investigate the attack to make sure nothing is left lurking on your network. You should also find out how the attack entered your system and close that gap, and similar gaps, in your security perimeter. Finally, your insurance might require snapshots of the encrypted system for a forensic investigation.
To pay, or not to pay, the ransom:
- If you have clean, up-to-date, comprehensive backups you can simply restore these.
- However, be aware that the criminals could still sell/leak your data. Then again, they could do that even if you do pay the ransom.
- If you choose to pay, be aware that you perpetuate ransomware attacks and fund criminals, and that there’s no guarantee you will get your data back intact, or even at all.
Of course, prevention is better than cure: it is important to have policies in place to prevent ransomware attacks, and a robust backup practice that lets you quickly restore authentic, uninfected data in the event of an attack.
Nevertheless, with ransomware attacks on the rise, it is critical, as part of basic cyber protection hygiene, that everyone in an organisation knows what to do if an attack does happen. As with many emergency situations, the seconds and minutes immediately after an incident can impact the ease and speed of recovery.
To hear Nick and other expert speakers discuss securing your business from cyberthreats, you can watch the full webinar.
Written for publication on the Synapsys website on 19 November 2020