Top Pitfalls in Cyber Disaster Response

With the rise of AI-powered, sophisticated ransomware attacks, cyber defenders are fighting an uphill battle against threat actors. Recent research from Enterprise Strategy Group found two-thirds of organizations suffered a ransomware attack in the last two years, 49% of which took up to five business days to recover, and most did not recover the entirety of their data. Ransomware is now a “when” not “if” scenario – all but inevitable no matter how much time and resources organizations put into proactive defense and detection. What’s not set in stone is how ITOps and cyber teams react after an attack, and whether their actions mitigate or exacerbate the impact.

Throughout my career, I’ve worked with many organizations aiming to ensure ransomware resiliency and have noticed the same errors and missteps often arise in the aftermath of a breach. Follow these “dos” and “don’ts” and you too can survive the threat of ransomware.

What Not to Do

The moments after a ransomware attack are stressful and tumultuous. It can be tempting for teams to throw out their playbook for this scenario, prioritizing speed over communication and procedure. The IT admin who discovers the intrusion may also keep it to themselves for far too long, out of fear of getting in trouble, a desire to handle it alone, or because their managers told them to. According to some estimates, 58% of IT and security professionals have been instructed to keep a breach confidential, even when it was required to be reported. Don’t fall into this trap – instead, follow the business continuity plan, remember your training, and escalate to the incident response team (IRT).

Moving too quickly after an attack can also lead staff to respond before they fully understand which type of ransomware was used. Not all ransomware is created equal: knowing whether you were hit by locker ransomware, double extortion, ransomware-as-a-service, or another kind of attack can make all the difference in how to respond, because the attacker’s goal differs for each.

For example, crypto ransomware encrypts files, rendering them inaccessible until victims pay a ransom to receive a decryption key. If attacked with that kind of ransomware, one of the first steps should be to check the backup storage method to see if it has remained uncompromised. If you are using immutable backup storage (and I hope you are), then your files should still be there, uncorrupted.

However, many vendors claim to offer immutable storage but still leave ways for data to be altered, a common oversight that can be catastrophic for disaster recovery. Ensure the immutability is absolute and follows the zero trust security model, with zero access to backup data, meaning no one — not even the most privileged admin or an attacker with access to the backup storage — can modify or delete it.
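One way to tell advertised immutability from absolute immutability is to probe it: using the most privileged credential you hold, try to overwrite, shorten the retention of, and delete a retained object, and require that every attempt be refused. The following is an added example, not code from the article or from Object First. It models two hypothetical in-memory repositories (one that refuses every mutation, one that lets an "admin" principal bypass retention, which is the oversight described above) and runs the same probe against both; against a real system the identical probe would be issued to the storage API.

```python
"""Probe whether a backup repository is truly immutable (added example).

Two hypothetical repository back-ends are modelled in memory. The probe
attempts every mutating operation on a retained object, acting as the most
privileged principal, and reports which ones the repository allowed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class ImmutabilityViolation(Exception):
    """Raised by a repository when it refuses a mutating operation."""


@dataclass
class StoredObject:
    data: bytes
    retain_until: datetime


@dataclass
class StrictRepository:
    """Hypothetical repository: no principal can change a retained object."""
    objects: dict = field(default_factory=dict)

    def put(self, key, data, retention, now):
        if key in self.objects and self.objects[key].retain_until > now:
            raise ImmutabilityViolation("overwrite within retention window")
        self.objects[key] = StoredObject(data, now + retention)

    def delete(self, key, now, principal):
        if self.objects[key].retain_until > now:
            raise ImmutabilityViolation("delete within retention window")
        del self.objects[key]

    def shorten_retention(self, key, new_until, principal):
        if new_until < self.objects[key].retain_until:
            raise ImmutabilityViolation("retention can only be extended")
        self.objects[key].retain_until = new_until


class WeakRepository(StrictRepository):
    """Hypothetical repository that advertises immutability but lets an
    administrator bypass it. Anyone holding admin credentials, including an
    attacker who stole them, can destroy the backups."""

    def delete(self, key, now, principal):
        if principal == "admin":
            del self.objects[key]  # privileged bypass
            return
        super().delete(key, now, principal)

    def shorten_retention(self, key, new_until, principal):
        if principal == "admin":
            self.objects[key].retain_until = new_until  # privileged bypass
            return
        super().shorten_retention(key, new_until, principal)


def probe_immutability(repo, principal="admin"):
    """Return the mutating operations the repository ALLOWED on a retained
    object when performed by `principal`. Empty list = behaved immutably."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    key = "probe/backup-001"
    repo.put(key, b"original", timedelta(days=30), now)
    allowed = []

    # 1. Overwrite the object in place, one day into a 30-day retention.
    try:
        repo.put(key, b"tampered", timedelta(days=30), now + timedelta(days=1))
        allowed.append("overwrite")
    except ImmutabilityViolation:
        pass

    # 2. Shorten retention so that a later delete would be permitted.
    try:
        repo.shorten_retention(key, now, principal)
        allowed.append("shorten_retention")
    except ImmutabilityViolation:
        pass

    # 3. Delete the object outright.
    try:
        repo.delete(key, now + timedelta(days=1), principal)
        allowed.append("delete")
    except ImmutabilityViolation:
        pass

    return allowed


if __name__ == "__main__":
    print("strict:", probe_immutability(StrictRepository()))
    print("weak  :", probe_immutability(WeakRepository()))
```

The strict repository returns an empty list for every principal; the weak one returns an empty list for an ordinary operator but `["shorten_retention", "delete"]` for the admin, which is exactly the gap an attacker holding stolen admin credentials would exploit. Run the probe with the highest-privilege identity you have, not a restricted service account, or the result is meaningless.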

Once the attacker and malware have been eradicated and are completely out of your systems, you can restore your files from backup without paying the ransom. Another common pitfall is beginning the recovery and restoration phase without first ensuring the environment is clean and secure. Eradicate the threat by removing all malware artifacts with trusted antivirus or EDR tools, and rotate all credentials to prevent re-entry. When restoring, verify that the backup repository has not been corrupted and identify the last known clean restore point, so you do not reintroduce data containing malware and unintentionally re-infect the primary infrastructure. Last but certainly not least, do not delete any files or engage with attackers directly without guidance from legal or the IRT.
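Picking the last known clean restore point combines three checks: the point must predate the earliest confirmed compromise indicator, its contents must still match the integrity manifest written when the backup was taken (otherwise the repository itself was tampered with or corrupted), and a malware scan of the mounted point must be clean. The following is an added example, not code from the article; the restore-point metadata, file contents and compromise timestamp are constructed, and the manifest format (path to SHA-256) is an assumption rather than any particular backup product's format.

```python
"""Select the last known clean restore point (added example, constructed data)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class RestorePoint:
    name: str
    taken_at: datetime
    files: dict        # path -> bytes as currently stored in the repository
    manifest: dict     # path -> SHA-256 hex recorded when the backup was taken
    scan_clean: bool   # verdict of the AV/EDR scan of the mounted point


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_integrity(point: RestorePoint) -> list:
    """Return a list of problems (modified, missing or unexpected files).
    An empty list means the stored data still matches the manifest."""
    problems = []
    for path, expected in point.manifest.items():
        if path not in point.files:
            problems.append(f"missing:{path}")
        elif sha256(point.files[path]) != expected:
            problems.append(f"modified:{path}")
    for path in point.files:
        if path not in point.manifest:
            problems.append(f"unexpected:{path}")
    return problems


def select_restore_point(points, earliest_compromise):
    """Newest point that predates the compromise, passes the integrity check
    and scanned clean; None if no point qualifies."""
    for point in sorted(points, key=lambda p: p.taken_at, reverse=True):
        if point.taken_at >= earliest_compromise:
            continue  # may already contain attacker artifacts
        if verify_integrity(point):
            continue  # repository corruption or tampering
        if not point.scan_clean:
            continue  # malware found when the point was scanned
        return point
    return None


def make_point(name, day, files, scan_clean=True, tamper_path=None):
    """Build a constructed restore point. The manifest is computed from the
    original files; `tamper_path` then corrupts one stored file, simulating
    repository damage that happened after the backup was written."""
    manifest = {path: sha256(data) for path, data in files.items()}
    stored = dict(files)
    if tamper_path:
        stored[tamper_path] = stored[tamper_path] + b"\x00corrupted"
    taken_at = datetime(2024, 3, day, 2, 0, tzinfo=timezone.utc)
    return RestorePoint(name, taken_at, stored, manifest, scan_clean)


# Constructed sample data: nightly backups of two files.
BASE_FILES = {
    "/data/orders.db": b"orders v1",
    "/data/config.yaml": b"retention: 30d",
}
SAMPLE_POINTS = [
    make_point("nightly-day1", 1, BASE_FILES),
    make_point("nightly-day2", 2, BASE_FILES, scan_clean=False),      # scan found a dropper
    make_point("nightly-day3", 3, BASE_FILES, tamper_path="/data/orders.db"),
    make_point("nightly-day5", 5, BASE_FILES),                        # taken after the intrusion began
]
# Earliest confirmed compromise indicator from the investigation (constructed).
COMPROMISE_START = datetime(2024, 3, 4, 0, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    chosen = select_restore_point(SAMPLE_POINTS, COMPROMISE_START)
    print("restore from:", chosen.name if chosen else "no clean point")
    for point in SAMPLE_POINTS:
        print(point.name, "integrity problems:", verify_integrity(point))
```

With the constructed data the newest point is rejected for being taken after the intrusion began, the day-3 point for a modified file, and the day-2 point for a positive scan, leaving day 1. The order of the checks matters in practice: the compromise-date cut-off is cheap and should run first, while integrity verification and scanning are expensive and only worth doing on candidates that survive it.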

Now that we have an idea of common mistakes, let’s take a look at the ideal steps to take following a ransomware attack.

What Does a Successful Response Look Like?

The first couple of hours after a ransomware incident is identified are critical. In those immediate hours, work quickly to identify and isolate affected systems, disconnecting compromised devices from the network to prevent the ransomware from spreading further. As you go, preserve forensic evidence such as screenshots and relevant logs, and anything else that could inform a future law enforcement investigation or legal action. Once that has been done, notify the key stakeholders and the cyber insurance provider; prompt notification is often required by insurance policies to activate coverage. When contacting stakeholders, avoid compromised networks and use only secure channels.

Once the incident has been contained, reference the prepared external communications plan to communicate the breach to customers, partners, regulators, and anyone else who may have been impacted. This helps to ensure the company remains in compliance with regulations and prevents reputational damage down the line.

After the dust settles, analyze how the attack was able to occur and put in place fixes to keep it from happening again. Identify the initial access point and method, and map how the threat actor moved through the network. What barriers were they able to move past, and which held them back? Are there areas where more segmentation is needed to reduce the attack surface? Do any security workflows or policies need to be modified?

Ransomware attacks are engineered to cause confusion and wreak havoc on IT environments to prolong time on the network and maximize damage. That’s why tech teams must be prepared for when disaster strikes, armed with the tools and know-how to bounce back.

ABOUT THE AUTHOR

Anthony Cusimano

Anthony Cusimano is solutions director at Object First, where he leads go-to-market strategy for the company’s ransomware-proof backup storage solution Ootbi. With more than a decade of data protection experience spanning software development, sales, and technical marketing, he excels at distilling complex technologies into clear, customer-focused value propositions. When he isn’t evangelizing backup best practices, you can find Cusimano engrossed in the latest games on his bleeding-edge, custom-built gaming PC.
