How should organisations respond in the aftermath of a ransomware attack? Steve Singer from Zscaler explores.
It’s an unfortunate business truth that it’s not a matter of whether your organisation will fall victim to a ransomware attack – it’s when.
The attacks, in which a cybercriminal encrypts critical data and then demands a ransom for the decryption keys, are rapidly increasing in number. Victims range from large utility and manufacturing companies to healthcare providers and financial firms.
During the past 12 months, the threat has extended even further. In some cases, cybercriminals have copied sensitive data before encrypting it and then threatened to publish the files on the internet if payment is not forthcoming (so-called double extortion), which means that restoring from backups alone no longer neutralises the attacker's leverage.
With the increasing risk of ransomware, businesses need to be ready to make some critical decisions in the aftermath. Nine questions that will require immediate answers are:
It’s tempting to view ransomware as a purely technical problem that affects an organisation’s IT infrastructure. In reality, its effect is much broader. It will therefore be necessary to immediately invoke a disaster recovery (DR) plan that covers every facet of business activity, from staff support and customer service to suppliers and partners. Having a detailed plan in place will allow operations to be restored as quickly as possible.
The first step following a ransomware attack should be containment. If the core infrastructure has been hit, it may be possible to isolate unaffected parts, such as other data centres or backup servers in a different location, so they can continue to function. Containment limits the ransomware’s ability to spread to other systems and cause more significant problems; in particular, backup systems should stay isolated until they have been confirmed clean.
If an organisation’s Active Directory (AD) domain controllers have been encrypted, there may be little choice but to isolate them temporarily. Because authentication for most systems depends on AD, this will have a massive impact on operations, but it cannot be avoided. Ensure your DR plan contains steps and contingencies that can be implemented while AD is out of action (for example, how administrators will authenticate to recovery systems).
Initial activity after a ransomware attack tends to focus on investigating the extent of the impact. Such investigations can take weeks or even months, so it is crucial to balance them with work focused on recovery: locating and testing backups, conducting dry-run restores, and bringing up recovery systems in isolation, all in parallel with the investigation. Investigation must not block recovery.
The short answer to this question is “yes”. Even if your organisation has a first-class IT team in place, additional skills and experience will be invaluable.
A good approach is to appoint one person to lead the investigation and another to lead recovery. Both need a solid technical background and must be empowered to do what is right for the organisation.
The board should be notified immediately if a ransomware attack occurs. Next, work with your legal team to begin the notification process for affected customers, suppliers and partners. It’s also essential to work with your PR team so that accurate and consistent messaging reaches customers and other interested parties.
This is a question that is likely to be asked very soon after an attack. The answer will vary from one organisation to another, but it needs to be carefully discussed and considered by senior decision-makers. Never make a knee-jerk decision in response to an attack.
Quickly establish a communications channel that is accessible to all stakeholders and independent of the affected infrastructure. This will support everything from coordination to information sharing. Tools that could be considered include video conferencing services such as Zoom or Teams, project management tools such as Asana, and document sharing and storage services such as Dropbox or Google Drive. Bear in mind that if corporate identity (such as AD-federated single sign-on) is unavailable or cannot be trusted, access to these tools must not depend on it. Everything needs to be in place to allow all parties to share information and rapidly make informed decisions.
If you can answer these nine questions, you’ll be as well placed as possible to recover rapidly from a ransomware attack. Every organisation is likely to become a victim eventually, but not all will have to suffer long-term disruption and loss.
Steve Singer is the regional vice-president and country manager, ANZ at Zscaler.