Ransomware hit, and then what? Time is of the essence. The longer you wait, the more damage occurs and the longer the recovery takes, which translates into bigger business losses. First things first: shut down all of the computers and servers. Stop the spread of the malware within the network, and cut off the bad actor's access.
Next, reach out to three teams or companies that specialize in ransomware situations:
Containment & Restoration: This team will work around the clock to restore all of the computers in the network, as well as the servers and infrastructure. In the best-case scenario, the company has backups, is able to restore from them, and everything just works. Anything outside the best-case scenario is bad. Depending on the number of servers and computers in the network and how complicated the network is, expect the restoration process to last at least a week.
Forensic: This team will work around the clock to monitor the network. They will deploy EDR (Endpoint Detection and Response) software such as Carbon Black or CrowdStrike to every single computer and server in the network, and they will monitor activity on those machines. When suspicious activity is detected, they will be able to shut it down remotely. They will also gather forensic evidence from the network and try to reconstruct the path the bad actor took to enter it. The goal is to close any unsecured and unnecessary holes in the network. Lastly, they will open the conversation with the threat actor to negotiate the ransom demand down in case the company needs any of the data. Please note: there is no guarantee that the decryption key handed over by the attacker will actually decrypt the data.
Legal: The legal team will help with communication inside and outside the company. Employees will need to be made aware of what is going on, and some will need to know how to answer questions from customers and vendors. A proper, unified message will be required to minimize the damage from potential lawsuits. Some customers or vendors will demand answers; how you answer and what information you give will require review by counsel.
Unfortunately, getting hit by ransomware is never a pleasant experience. Some will give in and pay the ransom demand, some will have to shut down the business, and some will use the opportunity to learn and grow.
Have you experienced ransomware? What did you learn? How did you survive it?