How to handle a ransomware attack
22 January 2024

It’s the news no organization wants to hear: you’ve been the victim of a ransomware attack, and now you’re wondering what to do next.

The first thing to keep in mind is that you’re not alone. Over 17 percent of all cyberattacks involve ransomware—a type of malware that keeps a victim’s data or device locked unless the victim pays the hacker a ransom. Of the 1,350 organizations surveyed in a recent study, 78 percent suffered a successful ransomware attack.

Ransomware attacks use several methods, or vectors, to infect networks or devices, including tricking individuals into clicking malicious links using phishing emails and exploiting vulnerabilities in software and operating systems, such as remote access. Cybercriminals typically request ransom payments in Bitcoin and other hard-to-trace cryptocurrencies, providing victims with decryption keys on payment to unlock their devices.

The good news is that in the event of a ransomware attack, there are basic steps any organization can follow to help contain the attack, protect sensitive information, and ensure business continuity by minimizing downtime.

Initial response

Isolate affected systems 

Because the most common ransomware variants scan networks for vulnerabilities to propagate laterally, it’s critical that affected systems are isolated as quickly as possible. Disconnect ethernet and disable WiFi, Bluetooth and any other network capabilities for any infected or potentially infected device.

Two other steps to consider: 

  • Turning off maintenance tasks. Immediately disable automatic tasks—e.g., deleting temporary files or rotating logs—on affected systems. These tasks might interfere with files and hamper ransomware investigation and recovery.
  • Disconnecting backups. Because many new types of ransomware target backups to make recovery harder, keep data backups offline. Limit access to backup systems until you’ve removed the infection.

Photograph the ransom note

Before moving forward with anything else, take a photo of the ransom note—ideally by photographing the screen of the affected device with a separate device like a smartphone or camera. The photo will expedite the recovery process and help when filing a police report or a possible claim with your insurance company.

Notify the security team

Once you’ve disconnected the affected systems, notify your IT security team of the attack. In most cases, IT security professionals can advise on the next steps and activate your organization’s incident response plan, meaning your organization’s processes and technologies for detecting and responding to cyberattacks.

Don’t restart affected devices

When dealing with ransomware, avoid restarting infected devices. Hackers know this might be your first instinct, and some types of ransomware notice restart attempts and cause additional harm, like damaging Windows or deleting encrypted files. Rebooting can also make it harder to investigate ransomware attacks—valuable clues are stored in the computer’s memory, which gets wiped during a restart. 

Instead, put the affected systems into hibernation. This will save all data in memory to a reference file on the device’s hard drive, preserving it for future analysis.

Eradication

Now that you’ve isolated affected devices, you’re likely eager to unlock your devices and recover your data. While eradicating ransomware infections can be complicated to manage, particularly the more advanced strains, the following steps can start you on the path to recovery. 

Determine the attack variant

Several free tools can help identify the type of ransomware infecting your devices. Knowing the specific strain can help you understand several key factors, including how it spreads, what files it locks, and how you might remove it. Just upload a sample of the encrypted file and, if you have them, a ransom note and the attacker’s contact information. 

The two most common types of ransomware are screen lockers and encryptors. Screen lockers lock your system but keep your files safe until you pay, whereas encryptors are more challenging to address since they find and encrypt all your sensitive data and only decrypt it after you make the ransom payment. 
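To tell an encryptor from a screen locker and to pick a sample file for identification, one option is to check whether file contents have become near-random and lost their normal headers. The following is an added example, not part of the original article; the function names, the header table and the 7.5 bits-per-byte threshold are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

# Headers that intact files of these types start with.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune on known-good files


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform random)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """True when content is near-random and lacks the header its type should have."""
    if shannon_entropy(data) < ENTROPY_THRESHOLD:
        return False
    # Ransomware often appends its own extension, so consider every suffix.
    expected = [MAGIC[s] for s in Path(name.lower()).suffixes if s in MAGIC]
    # Intact compressed formats are also high-entropy but keep their header.
    return not any(data.startswith(m) for m in expected)


def triage(root: str, sample_size: int = 65536) -> list[str]:
    """Read the start of every file under root (read-only) and list suspects."""
    flagged = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with path.open("rb") as fh:
                if looks_encrypted(path.name, fh.read(sample_size)):
                    flagged.append(str(path))
    return flagged


if __name__ == "__main__":
    # Constructed sample: 4 KiB of hash output stands in for ciphertext.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    print(looks_encrypted("report.pdf.locked", blob))            # encrypted document
    print(looks_encrypted("archive.zip", MAGIC[".zip"] + blob))  # intact archive
```

Run it against a forensic copy or a read-only mount rather than the live disk. Files shorter than a few hundred bytes cannot reach the threshold and are never flagged.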

Search for decryption tools

Once you’ve identified the ransomware strain, consider looking for decryption tools. There are also free tools to help with this step, including sites like No More Ransom. Simply plug in the name of the ransomware strain and search for the matching decryption tool.

Recovery

If you’ve been lucky enough to remove the ransomware infection, it’s time to start the recovery process.

Start by updating your system passwords, then recover your data from backups. You should always aim to have three copies of your data in two different formats, with one copy stored offsite. This approach, known as the 3-2-1 rule, allows you to restore your data swiftly and avoid ransom payments. 

Following the attack, you should also consider conducting a security audit and updating all systems. Keeping systems up to date helps prevent hackers from exploiting vulnerabilities found in older software, and regular patching keeps your machines current, stable, and resistant to malware threats. You may also want to refine your incident response plan with any lessons learned and make sure you’ve communicated the incident sufficiently to all necessary stakeholders. 

Notifying authorities

Because ransomware is extortion and a crime, you should always report ransomware attacks to law enforcement officials or the FBI. 

The authorities might be able to help decrypt your files if your recovery efforts don’t work. But even if they can’t save your data, it’s critical for them to catalog cybercriminal activity and, hopefully, help others avoid similar fates. 

Some victims of ransomware attacks may also be legally required to report ransomware infections. For example, HIPAA compliance generally requires healthcare entities to report any data breach, including ransomware attacks, to the Department of Health and Human Services.

Deciding whether to pay

Deciding whether to make a ransom payment is a complex decision. Most experts suggest you should only consider paying if you’ve tried all other options and the data loss would be significantly more harmful than the payment.

Regardless of your decision, you should always consult with law enforcement officials and cybersecurity professionals before moving forward.

Paying a ransom doesn’t guarantee you’ll regain access to your data or that the attackers will keep their promises—victims often pay the ransom, only to never receive the decryption key. Moreover, paying ransoms perpetuates cybercriminal activity and can further fund cybercrimes.

Preventing future ransomware attacks

Email security tools and anti-malware and antivirus software are critical first lines of defense against ransomware attacks.

Organizations also rely on advanced endpoint security tools like firewalls, VPNs, and multi-factor authentication as part of a broader data protection strategy to defend against data breaches.

However, no cybersecurity system is complete without state-of-the-art threat detection and incident response capabilities to catch cybercriminals in real time and mitigate the impact of successful cyberattacks.

Tools such as security information and event management (SIEM) systems can apply machine learning and user behavior analytics (UBA) to network traffic alongside traditional logs for smarter threat detection and faster remediation.

 