Responding to Ransomware: The Most Important Steps

Euan Carswell

SOC Team Lead


A recent report from Chainalysis revealed that ransomware earnings have surged over the last year, with adversaries grossing $1 billion from the threat in 2023 alone.

This massive figure highlights that ransomware has become today’s most lucrative attack vector, offering criminals the potential to make huge earnings with little effort.

Ransomware-as-a-service operations have lowered the barrier to entry into cybercrime, meaning relatively inexperienced criminals can rent ready-packaged ransomware kits and use them to launch devastating attacks on organisations.

This has all turned ransomware into today’s cyber weapon of choice, but it also means organisations are at an increased risk of attack. With the potential to make such high earnings, all organisations are targets for ransomware actors – large, small, private or public sector.

In the face of this increased threat, organisations must prioritise their defences against ransomware. However, no security measure is 100% bulletproof, so organisations must also prepare their response to ransomware attacks when they do occur. Not all attacks can be prevented, but organisations can minimise their impact if they respond to them effectively.

So, how can organisations respond to a successful ransomware attack on their systems to limit its impact?

Have a team assembled

After discovering a ransomware attack, the first step is knowing who to call to inform them about the attack and work to limit damage.

This team of ‘incident responders’ should be listed in a physical and digital file along with their out-of-hours contact details – everyone knows ransomware most frequently strikes after midnight.

The team will vary depending on the organisation, but most cyber incident response teams include the CEO, CISO, CFO, IT/security manager, and the marketing and communications lead.

Execute the incident response plan

Incident response planning is a vital part of cyber defences today. Not all attacks can be prevented, but their impact can be limited if organisations respond effectively. This is precisely where incident response fits.

Organisations should ideally have an incident response plan in place, which details how they will respond to attacks, the roles and responsibilities of the incident response team, and steps that should be taken regarding informing customers, partners, and regulators.

As soon as a ransomware attack unfolds, the first step is to execute a well-rehearsed incident response plan to limit damages and contain the attack.

Don’t switch everything off

Upon discovering a ransomware attack, the knee-jerk reaction is often to switch everything off. But this can hinder forensics.

Disconnecting assets from the internet is acceptable, and segregating them from other network areas is also okay. But powering off infected machines destroys the volatile data held in memory that forensics relies on: running processes, live network connections and other evidence of how the criminals gained access to systems and what data they touched.

Avoid turning off machines.

Run forensics

Once the attack has been identified, it is essential to run forensics to understand the attack path used to deploy ransomware and ensure the attacker is no longer on the network.

This type of forensics can be run internally or via a third-party cyber expert. Either way, the goal is to find out as quickly as possible how the attackers got in, what data they reached and what was done to it, and to ensure they have left the network and have no remaining way back in. The attacker must be locked out completely, with no opportunity to return to systems.
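The two preceding points, isolating rather than powering off and capturing what would be lost at shutdown, as an added example that is not part of the original article. It assumes a Linux host with coreutils and iptables, run as root during containment; the IR host address is a placeholder you supply.

```shell
#!/bin/sh
# Added example (not from the article): capture the volatile evidence that a
# power-off would destroy, then isolate the host at the network layer instead.
# Assumptions: Linux with coreutils; ss/netstat and ip are used when present;
# iptables for isolation. Run as root before anyone reaches for the power button.

# Collect the most volatile data first (connections, processes, sessions) and
# hash the bundle so its integrity can be shown later. Prints the bundle path.
collect_volatile() {
    outdir="${1:-/tmp/triage-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)}"
    mkdir -p "$outdir" || return 1
    outdir=$(cd "$outdir" && pwd)                      # absolute path for the manifest
    date -u > "$outdir/collected_at.txt"
    uname -n > "$outdir/hostname.txt"
    uname -a > "$outdir/uname.txt"
    { ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null || true; } > "$outdir/sockets.txt"
    ps -eo pid,ppid,user,lstart,etime,args > "$outdir/processes.txt" 2>/dev/null \
        || ps aux > "$outdir/processes.txt" 2>/dev/null || true
    { who 2>/dev/null || true; } > "$outdir/sessions.txt"
    { ip neigh 2>/dev/null || true; } > "$outdir/neighbours.txt"   # who it talked to
    { ip route 2>/dev/null || true; } > "$outdir/routes.txt"
    cat /proc/mounts > "$outdir/mounts.txt" 2>/dev/null || true     # shares encryption may reach
    (cd "$outdir" && sha256sum ./* > "$outdir.sha256")              # manifest beside the bundle
    printf '%s\n' "$outdir"
}

# Isolate the host instead of powering it off: keep loopback and traffic to/from
# the incident-response host (placeholder address) so remote collection can
# continue, then drop everything else. DRY_RUN=1 only prints the rules.
isolate_host() {
    ir_host="$1"
    [ -n "$ir_host" ] || { echo "usage: isolate_host <ir-host-ip>" >&2; return 2; }
    run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
    run iptables -I INPUT 1 -i lo -j ACCEPT        # allow rules go in before the
    run iptables -I OUTPUT 1 -o lo -j ACCEPT       # DROP policies, to avoid a gap
    run iptables -I INPUT 2 -s "$ir_host" -j ACCEPT
    run iptables -I OUTPUT 2 -d "$ir_host" -j ACCEPT
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
}
```

Typical order is `collect_volatile` first, then `isolate_host <ir-host-ip>`; a memory image (with a tool of your choice) follows once the host is isolated.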

The organisation must then begin restoring access to systems and recovering the encrypted data.

Data can often be restored via physical hardware backups or through data stored in the cloud, but in some cases, it needs to be rebuilt entirely. Organisations must strive to avoid this situation, which reinforces the importance of running regular backups, keeping them separate from the digital network, and testing frequently to ensure data is being successfully backed up.
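Testing that backups really exist and are intact, as an added example that is not from the article. It assumes a backup store where each backup set is a directory holding a SHA256SUMS manifest written at backup time, and uses GNU `stat` and `sha256sum`.

```shell
#!/bin/sh
# Added example (not from the article): verify a backup store instead of trusting
# that the backup job ran. Assumptions: each backup set is a directory under the
# store root with a SHA256SUMS manifest written when it was taken (GNU coreutils).

# verify_backup <backup-dir>: every file in the manifest is present and hashes
# correctly. Returns 1 on a missing manifest, a missing file or a mismatch.
verify_backup() {
    dir="$1"
    [ -f "$dir/SHA256SUMS" ] || { echo "no manifest in $dir" >&2; return 1; }
    (cd "$dir" && sha256sum -c SHA256SUMS >/dev/null 2>&1) \
        || { echo "integrity failure in $dir" >&2; return 1; }
}

# latest_backup_age_days <store-root>: age in days of the newest set that
# verifies. Corrupt or incomplete sets are skipped, so a ransomware-encrypted
# backup does not count. Prints 'none' and returns 1 if nothing usable exists.
latest_backup_age_days() {
    root="$1"; newest=""
    for d in "$root"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        verify_backup "$d" 2>/dev/null || continue
        if [ -z "$newest" ] || [ "$d/SHA256SUMS" -nt "$newest/SHA256SUMS" ]; then
            newest="$d"
        fi
    done
    [ -n "$newest" ] || { echo none; return 1; }
    now=$(date +%s); mtime=$(stat -c %Y "$newest/SHA256SUMS")
    echo $(( (now - mtime) / 86400 ))
}

# check_backups <store-root> <max-age-days>: the scheduled check; fails when the
# newest good backup is older than allowed or no good backup exists.
check_backups() {
    age=$(latest_backup_age_days "$1") || return 1
    [ "$age" -le "$2" ]
}
```

Run `check_backups /path/to/store 1` from a scheduler on the backup host and alert on a non-zero exit; the store itself should be mounted read-only or offline except while a backup is being written.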

Learn from the incident

When organisations suffer ransomware attacks, they must learn from the incidents to improve their defences.

How did the attackers get in? What can we do differently to ensure it doesn’t happen again? Organisations need to use this intelligence to learn from attacks and improve their defences, limiting their exposure to the same assault happening again in the future.

Ransomware is today’s cyber weapon of choice, and the chances of organisations facing attacks increase daily.

Therefore, organisations must bolster their cyber defences with knowledge of how to respond to attacks when they do occur.

This allows them to step into effective action immediately, reducing the chances of attacks causing long-lasting damage while safeguarding business continuity.

Issue 4