Seven measures to take in the event of a ransomware attack

Ransomware attacks are not uncommon these days, and there are many strategies for guarding against them. But what if it really happens one day? Bitdefender has seven tips for dealing with the "horror scenario".

[Image: Ransomware attacks. © depositphotos, arrow123]

Ransomware attacks occur again and again. A few weeks ago, the comparison portal "Comparis" and a track-laying machine company in western Switzerland came under attack. Ransoms are usually extorted for the encrypted data. Hacker groups can sometimes display particularly aggressive behavior and, if negotiations are hesitant, do not shy away from publishing internal company data on the darknet. But what if it really hits a company? Bitdefender has seven pieces of advice for dealing with such a situation:

1. Quickly isolate devices
Ransomware should not be able to spread further than it already has. Administrators should therefore isolate affected systems from the network as soon as possible. This also helps during the clean-up after the attack, because it prevents the extortion malware from spreading any further.

2. Understand the attack vector
Once the affected devices are isolated, it is important to understand how the incident occurred. On the one hand, this helps to manage the incident; on the other, it provides valuable lessons for the future. So it is important to find out: who was Patient Zero on the network?

3. Back up and check backups
Applications and servers can be set up again, but data is irreplaceable. Without backups, it cannot be recovered. The first measure is therefore to take the backups off the network. Attackers specifically look for backups as part of their attack, and if the backups are still online there is a risk that they will be caught up in it. Of course, it is even better to keep offline backups in a physically separate location from the outset. The 3-2-1 rule of backup is a given, especially for protecting data against extortion attacks. This means that a ransom demand may come to nothing, at least as far as the data is concerned, and IT administrators can instead concentrate on rebuilding the systems.

4. Stop projects and planned tasks
A ransomware attack is an emergency and requires the pooling of all resources. Work on the IT architecture, such as migrations to new environments or the installation of new applications and servers, should be stopped immediately, since such projects could help the malware spread further. It is equally important to stop scheduled tasks such as backups, because the extortion malware can spread further in the course of them.

5. Quarantine potentially compromised areas
In general, no possibility should be ruled out immediately after an attack, and all potentially affected parts of the infrastructure should be quarantined. This means taking everything offline and examining it individually before it is used again.

6. After the attack is before the attack: change passwords
Forewarned is forearmed. At the beginning of an incident, it is often not completely clear how it could have happened. Was it just a simple attack? Or was it a complex attack that was possible because the attacker had captured authentication data? If so, the attacker can try again at any time. It therefore makes sense to change the passwords of system-critical user accounts in any case.

7. Don't panic: plan and practice critical security situations
If the worst comes to the worst, the IT department will be under a lot of pressure, and there is therefore a risk of making the wrong decision in that situation. To prevent this as far as possible, IT departments should prepare for an emergency. Ideally, those responsible for security will have defined processes, because it is precisely in an emergency that companies need a blueprint so that no sensible measures are forgotten. These processes should also be practiced regularly, for example in simulated "red and blue team testing". If employees know that there is a plan that takes effect in an emergency and that this plan has been practiced, the risk of acting incorrectly under pressure is minimized.

Source: Bitdefender

