Hostage Rescue: How to Respond If Your Business Falls Victim to Ransomware

Ransomware needs no introduction. In 2021, it has been on the tips of the tongues of government leaders, Fortune 500 CEOs, and business owners nationwide. It is no wonder: the ransomware playbook has changed drastically for the worse.

The Growing Ransomware Threat

Today, the industry is built upon a full-scale international criminal syndicate. Initial Access Brokers (IABs) penetrate businesses to identify flaws in their security posture and then sell the information on the dark web to bad actors for a stake in the ransoms that businesses pay. Customers purchasing the identified flaws use Ransomware as a Service (RaaS) toolkits to execute the ransomware and wreak havoc upon businesses.

The creativity of criminals is only growing, and the threat of ransomware continues to rise as they improve their game. To protect your business, it is essential that you also continue to improve your game and stay proactive in building and refining your security network.

After all, protecting your business’s most critical asset–your data–means preventing successful ransomware attacks. That’s why it is crucial to prepare as much as possible. If your company does not yet have a plan in place to limit ransomware threats, check out 5 Things Your Business Can Do to Cut Ransomware Risk by 90%.

Responding When Your Business is Taken Hostage

Unfortunately, despite our best efforts, it is impossible to guarantee your business will not suffer a ransomware attack. So, how do you respond if your business does fall victim? What steps can you take to mitigate the impact caused by system shutdowns, workforce stoppage, and hijacked computers?

First things first: should you pay the ransom? While the FBI explicitly advises victims of ransomware not to pay up, there are certain scenarios where it may be more cost-effective. If your data is not securely backed up and you cannot secure your systems, it may cost your business much more to avoid paying the ransom. In this case, it may make sense to pay for your files. However, paying the ransom is no guarantee that your data will be restored.

There is a silver lining though. With the proper cybersecurity plan in place, you will not have to succumb to the malicious demands of ransomware operators. Read on to learn how you can save your business’s bottom line in the event of a successful ransomware attack.

Fall Back on Your Cybersecurity Plan

Responding to ransomware on the fly is never a good idea. Every minute wasted hands the advantage to your assailants, providing valuable time for an attack to penetrate your systems further and cause more disruption. As such, it is vital to have a cybersecurity plan in place before an attack occurs. Doing so will prevent the loss of valuable productivity, profit, and business reputation.

A proper cybersecurity plan requires building an incident response policy that details the actions your business will take from attack onset to stabilization.

The following five steps should inform the creation of your incident response policy to mitigate the damage of a ransomware attack.

Step One: Stop the Bleeding

First things first: the moment you realize a ransomware attack is disrupting your business, you should begin initiating system shutdowns at a mass scale. The more systems you can shut down quickly, the fewer targets the ransomware will have to infiltrate, meaning less of your data is exfiltrated and encrypted by the bad actors.

Ransomware seeks out connections, so you’ll want to disconnect your computers from both the network and external storage devices.

The reason you need to disconnect all systems is that ransomware can lie dormant before appearing elsewhere. A full-scale shutdown will ensure you do not overlook a compromised system.

Step Two: Assess the Damage

Once you’ve stopped the bleeding, you need to assess the damage. That means determining the blast radius of the attack (which systems were compromised) and the criticality of the damage (what data has been encrypted and is at risk of extortion).

Was the ransomware confined to a specific department or network, or did it propagate company-wide? Depending on the spread and depth of damage, you may want to consider hiring an expert cybersecurity firm to diagnose the issue and determine its root cause. They can hunt for further active attacks attempting to breach your systems, perform an analysis on the ransomware, and support your incident response initiatives.

Step Three: Engage the Relevant Stakeholders

Now that you understand the severity of the ransomware attack, it is time to inform and engage the relevant stakeholders of your business, both internal and external. Who needs to know about the attack, and when do they need to know? It is best to think about this step well in advance of an attack so that you can immediately begin executing on communication rather than analyzing who should be privy to the information.

When communicating with stakeholders, be sure to consider your data breach notification requirements to maintain compliance. You should absolutely report the attack to the FBI at the Internet Crime Complaint Center.

Step Four: Start from Scratch

It is time to get your systems back online. When your data is encrypted by ransomware, you’re in trouble if it is not backed up. Thankfully, you’ve already read our article detailing how your business can cut its ransomware risk by 90%, meaning you would have already created a detailed cybersecurity plan which included backing up your data twice. If you have not read it, take a moment to significantly reduce the threat ransomware poses to your business.

With the complete store of your data available, you can reimage your computer systems and download your data from the cloud. Now, it is back to the races for your business with your most critical asset–your data–still safely within your reach.

Step Five: Triage

Though your company may be up and running again, it is essential not to overlook the fifth and final step for responding to a breach. Due diligence requires a full sweep of your systems to ensure that the ransomware has not somehow survived and is not lingering anywhere, waiting to retake your business hostage.

Additionally, best practice necessitates that you identify the exploited vulnerabilities to protect against a repeat cyber event. If you succumb to a ransomware attack, the odds of you facing another rise sharply because your system has been exposed.

The best way to ensure you identify and fix any weaknesses in your security posture that could be exploited again is to conduct a penetration test or a security configuration review. Either will provide valuable information on flaws that hackers or other cybercriminals will try to utilize.

Remember, if you’ve been exposed once, it is a near guarantee it will happen again unless you make moves to resolve your vulnerabilities. That is why Step Five: Triage is a must.

Once you’ve determined your systems are all clear, you must pinpoint and fix your security flaws. Then, and only then, is it back to business as usual.

Identify Your Vulnerabilities with Sidechain Security

If having a cybersecurity partner with more than two decades of industry expertise conducting security reviews and building protective cyber infrastructures sounds useful, look no further than Sidechain Security.

Whether you need to conduct a penetration test post-ransomware attack to identify continued vulnerabilities, or you are developing a robust cybersecurity plan with a detailed incident response strategy, Sidechain is here to help. To find out how your business can best improve its security posture, get started with a free Sidechain security assessment today.

For additional information on how you can secure your business from ransomware, visit the Cybersecurity and Infrastructure Security Agency of the United States.
