You’ve Experienced a Ransomware Attack - Now What? 5 Practical Steps to Take In Response to a Ransomware Attack
By: Lewis Brisbois' Data Privacy & Cybersecurity Team
By now, most of you know that, due to the COVID-19 pandemic and the shift to remote work, data security incidents increased in both number and severity in 2020 and show no signs of slowing down in 2021. A report by the cybersecurity company Deep Instinct shows triple-digit increases across all malware types in 2020, including a 435% increase in ransomware attacks alone. The expenses associated with increased cybercrime are similarly skyrocketing, costing companies and insurers billions of dollars.
What you may not know, however, is what to do when your business experiences a ransomware attack. Accordingly, the five steps detailed below describe actions that your organization should take immediately to reduce the impact of the attack.
1. Contact Your Cyber Insurance Company
If you suspect that your business is experiencing a ransomware attack, immediately contact your cyber insurance carrier, regardless of the coverage you have. This step is critical to securing the necessary resources to minimize risk and mitigate harm. Cyber insurance carriers are prepared to connect you with leading cybersecurity attorneys, forensic firms, and other professionals who will be able to assist you further. If you do not have cyber insurance, you should strongly consider obtaining it.
2. Do Not Initiate Communications With the Threat Actor
When your organization suffers a ransomware attack, the threat actor will usually leave a ransom note that provides instructions for communicating with the actor. To increase pressure to pay a ransom, the actor may also implement a countdown that begins once you establish contact. The actor may threaten, for example, to double the ransom amount if you do not pay the initial demand within 96 hours or to publish data taken from your environment. As such, refrain from contacting the actor to avoid triggering a countdown that could lead to the threatened consequences.
3. Contact Your IT Team
Your IT team is in the best position to help secure your systems in response to a ransomware attack. Leveraging your IT team’s knowledge about your digital environment can help you swiftly identify potential vulnerabilities and implement necessary security measures. For instance, your IT team can quickly disconnect your network access or ensure that all Remote Desktop Protocol (RDP) ports are closed to the internet.
4. Preserve Digital Forensic Evidence
Preserving relevant forensic evidence is a critical but often forgotten step in responding to a ransomware attack. Reformatting (or “wiping”) impacted servers and workstations in an effort to restore the organization’s operations destroys forensic evidence. Thus, before reformatting infected servers or computers, make a copy of the impacted devices. Save all available logs before they automatically roll over, too.
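One way to save logs with a verifiable record, as an added example that is not part of the original article: the Python script below copies log files into an evidence folder and writes a SHA-256 manifest, so any later change to the preserved copies can be detected. The function names, file patterns and manifest layout are assumptions chosen for illustration, and the script complements rather than replaces a full copy of the impacted device.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large logs do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def preserve_logs(source_dir, evidence_dir, patterns=("*.log", "*.evtx")):
    """Copy matching logs into evidence_dir and write a SHA-256 manifest."""
    source, dest = Path(source_dir).resolve(), Path(evidence_dir).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    files = []
    for src in sorted(p for pat in patterns for p in source.rglob(pat)):
        if not src.is_file() or dest in src.parents:
            continue  # skip directories and anything already in the evidence copy
        target = dest / src.relative_to(source)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 keeps the original modification time
        files.append({
            "path": src.relative_to(source).as_posix(),
            "sha256": sha256_file(target),
            "size": target.stat().st_size,
            "mtime_utc": datetime.fromtimestamp(src.stat().st_mtime, timezone.utc).isoformat(),
        })
    manifest = {"collected_utc": datetime.now(timezone.utc).isoformat(),
                "source": str(source), "files": files}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(evidence_dir):
    """Return the paths whose current hash no longer matches the manifest."""
    dest = Path(evidence_dir)
    manifest = json.loads((dest / "manifest.json").read_text())
    return [f["path"] for f in manifest["files"]
            if not (dest / f["path"]).is_file()
            or sha256_file(dest / f["path"]) != f["sha256"]]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample log, not real data
        logs = Path(tmp, "logs"); logs.mkdir()
        (logs / "auth.log").write_text("Jan 01 00:00:01 host sshd[1]: constructed sample line\n")
        preserve_logs(logs, Path(tmp, "evidence"))
        print(verify_evidence(Path(tmp, "evidence")))  # [] when nothing changed
```

Write the evidence folder to separate storage rather than to the impacted disk, and keep a copy of manifest.json apart from the evidence so the hashes themselves can be trusted.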
5. Develop and Follow a Communication Plan
Carefully consider any communications about the ransomware attack before issuing them to internal and/or external parties and avoid making unnecessary public statements. If possible, craft communications with the assistance of experienced cybersecurity attorneys or public relations professionals.
Implementing the above five steps in response to a ransomware attack will help an organization reduce the negative impact of the cyber incident. Next month, we will discuss proactive steps an organization can take before a ransomware attack, which will help the business respond in the event that an incident actually occurs.