If you see a notice that your system has been encrypted by ransomware, do not panic. The first thing to do is stay calm; panic has never produced a solution. There are steps that should be taken in the event of an attack. They need not be taken strictly one after another: depending on the urgency, several of them can be carried out in parallel. The only aim is to limit the loss from the ransomware attack.
The first step after discovering a ransomware attack is to determine how far the malware has spread. It is always worth identifying patient zero, the first endpoint that was infected, to understand how the malware got past the firewall in the first place. You need to determine the scale of the attack in order to decide on the response and limit the loss.
Once the affected machines have been identified, isolate them immediately. For a single affected machine, cut the power if possible. Where only one or a few PCs have been breached, disconnecting those PCs and dealing with them individually may be enough.
However, when several systems or subnets have been breached, more significant action is required. Consider taking the network offline at the switch level to stop the ransomware from spreading further. If taking the whole network offline is not an option, unplugging the identified devices from the network (Ethernet or Wi-Fi) will at the very least help limit the loss.
Quarantining the infected machines, together with the affected files, is the most important step in reducing the impact. Keeping the affected computers separate until the situation is under control is a must.
Keep communicating with your teammates over a secure channel. Based on the initial analysis, build a picture of the damage that has already been done. That picture will become clearer over time as more information about the attack is gathered, but even the initial understanding will usually improve your handling of the situation and limit the loss.
Enterprises also commonly have staff dedicated to cybersecurity. They should be notified as soon as possible in case of an attack like this. Depending on the urgency, engage every available internal and external resource to respond to the threat and recover from the loss.
Never delete the affected files. Instead, back up the isolated files to a secure location. There are several reasons for this.
First, there is always a chance of data loss during decryption. It is frequently reported that files do not work properly after decryption, and the main reason is that many decryptors contain bugs. Some file formats survive those bugs, but not all do, and you never know in advance which of your files will be affected. Having a backup of the infected system puts you on the safer side: even if some data is lost, you can always run the decryption again from the backup.
Second, free decryption may become possible in the future. Technology keeps evolving, and what seems extraordinary today may be child's play before long. There have been cases where ransomware authors were arrested or their C&C servers were discovered, and victims were given decryption keys for free. So if the data is not of great significance or value, simply back it up and deal with it at a later time.
Finally, if you delete the files without a backup, you lose potential evidence of the attack that might be useful to the authorities. Everyone working against malware, including law enforcement agencies, is constantly trying to gather as much information as possible on each specific ransomware family.
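The backup advice above is easy to get wrong in a hurry: a plain copy gives you no way to prove later that the preserved files are what was on the machine, or to notice that a buggy decryptor has altered them. The script below is an added example (not part of the original article) of an evidence-preserving backup: it copies every file under an isolated directory, keeps relative paths and timestamps, records size, mtime and SHA-256 in a manifest, and can re-verify the copies afterwards. The sample tree it builds is constructed for the demo; file and directory names are assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large encrypted blobs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_encrypted_files(src: Path, dst: Path) -> dict:
    """Copy every file under src into dst (same relative paths, timestamps kept) and
    write manifest.json beside the copies. The originals are read but never modified,
    so a decryptor can be re-run from a pristine copy if the first attempt damages files."""
    dst.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 also preserves the modification time
        digest = sha256_file(path)
        if sha256_file(target) != digest:  # catch a corrupted copy immediately
            raise IOError(f"copy of {rel} does not match its source")
        st = path.stat()
        manifest[rel] = {"size": st.st_size, "mtime": st.st_mtime, "sha256": digest}
    (dst / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(dst: Path) -> list:
    """Re-hash the copies against the manifest; return the files that changed or vanished."""
    manifest = json.loads((dst / "manifest.json").read_text())
    return [rel for rel, rec in manifest.items()
            if not (dst / rel).is_file() or sha256_file(dst / rel) != rec["sha256"]]


def make_constructed_sample() -> Path:
    """Constructed sample tree standing in for an isolated machine's files (not real malware output)."""
    src = Path(tempfile.mkdtemp()) / "infected"
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "report.docx.locked").write_bytes(os.urandom(4096))  # assumed extension
    (src / "README_DECRYPT.txt").write_text("constructed ransom note\n")  # assumed note name
    return src


if __name__ == "__main__":
    sample = make_constructed_sample()
    print(json.dumps(preserve_encrypted_files(sample, sample.parent / "evidence"), indent=2))
    print("problems:", verify_backup(sample.parent / "evidence"))
```

Store the evidence copy and its manifest on media that the infected network cannot reach; a manifest that still verifies is what lets you re-run a decryptor or hand the files to investigators with confidence.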
Depending on the damage done and how badly and urgently you need the files recovered, you might consider paying the ransom. However, this is strongly discouraged and should never be your first move: there is no guarantee that the attackers will provide a working key after receiving the ransom, and they may simply demand more money. There have been cases where the ransom was paid and the attackers still damaged the encrypted files. Some sophisticated ransomware using advanced encryption is built in such a way that no decryption key exists at all. If you decide to spend money, spend it where results are guaranteed. That is why investing in cybersecurity up front often turns out to matter most.