For most organizations worldwide, the growing problem of ransomware attacks that threatens to expose company data has been a serious challenge, especially over the last 15 months. That COVID-19 has increased concerns around data protection is evident in a latest survey titled ‘Value of Data’ survey. While globally, 73 percent respondents say that they are more concerned now with protecting their organizational data from ransomware than they were before the pandemic, 89 percent of IT decision makers in India say they fear the same.
Let’s say that the unavoidable has happened. Your company is indeed under a ransomware attack. With one (or several) of your company machines becoming infected, you are left in a lurch as to what your next move should be. While panic serves no purpose, prevention is the only way to rescue the company machines and data. Like in all emergencies, have a checklist of precautions handy to avoid the crisis from escalating into a data loss catastrophe for the company. Here are six steps to walk you through what should be done when under a ransomware attack.
- Paying is not the solution
Most companies would be tempted to pay the ransom in hope of finding the quickest solution to get their data back. There is, however, no guarantee that the attackers will actually unlock the files once they’re paid off. In fact, according to the CyberEdge Group, only 19 percent of companies who pay ransoms actually restore all their data and working environments, such as management consoles. The rising proliferation of attacks, and the deep damage they can today wreak on operations, has underscored the need for a robust response and recovery strategy. Even in the worst-case scenario – the successful completion of an attack – data back-up and recovery must remain resilient.In short, be wise, strategize and don’t pay the ransom.
2. Disconnect to save the network
Make sure to identify the machines that are infected and promptly disconnect them from the network while also turning off the Wi-Fi. The sooner you disconnect the infected devices, the better your chances of containing the breach. Why? Because several types of ransomwares have the capacity to spread via a network connection. Continue to keep a vigil on any new files that maybe getting encrypted or disappearing from the system. Until you have confirmed that all the infected systems have been identified, it is vital that you take all your shared drives offline temporarily.
3. Identify ‘machine zero’
After the first two crucial steps to salvage the unaffected systems and the network at large, the third thing you must do is search your IT environment for clues to the source. To find ‘machine zero’reach out to all your users to find out who experienced the first signs of the attack and when. In depth information on whether it happened after they clicked on a link in an email or were there unusual prompts coming from their web browsers will help scrutinize the source of the attack better. While any system with out-of-date or misconfigured software is easily compromised, remember that even SaaS productivity apps such as Office 365 are vulnerable to such attacks.
4. Caution all users
In case of a ransomware attack, you should take a different approach, when communicating about the crisis to everyone in the company. While the usual email announcement and post warnings on any company message board should be followed, you’ll have to go a step beyond. Personally,check with everyone to see if they’re all aware of what is happening and most importantly, to know what they need to look out for on their respective machines.
5. Wipe clean and start fresh
Despite taking precautions there is no way to guarantee that the ransomware is completely gone from your devices. You need to wipe clean the infected endpoints, servers, and virtual machines and start fresh. Reimaging the original servers and applications ensures that ransomware has been remediated. Having a cloud disaster recovery plan in place will let you continue business productivity on the move without any disruptions. It will also allow your organization to recover critical applications and data in VMs in a virtual private cloud.
6. Restore backup data to a clean device
After containing the damage, the last step is to get your data back without paying the ransom. This has to be done by restoring it from a backup stored with a reliable cloud service such as AWS. An enterprise-grade automated backup solution, combined with the knowledge of when and where the attack took place, makes it easy to go back to an uninfected, time-indexed snapshot of each system’s data. Modern file encryption methods such as AES-128 or RSA-2048, make it impossible to retrieve your data without a backup copy available.
The pandemic has taught us several lessons. Strategizing to contain an ongoing crisis is one of them. Much like the medical fraternity and the government is working to ensure our safety from the virus, companies will have to use the power of Cloud capabilities for a smooth victory over ransomware.
(The author is Country Manager, India and SAARC, Druva and the views expressed in the article are his own)