How to prevent & act on a ransomware attack
Ransomware attacks: how to prevent them, and how to act if compromised.
Is your team’s data safe?
According to the European Union Agency for Cybersecurity, between May 2021 and June 2022, around 10 terabytes of data were stolen each month by ransomware threat actors. 58% of the data taken included employees’ personal details.
With ransomware continuing to make the headlines, how can you protect your business from such attacks? With so much information online about them, it’s hard to know where to begin.
That’s why we’ve done the heavy lifting for you. In this guide, we explain what ransomware is, give six steps to help prevent an attack from happening in the first place, and offer another six tips on how to manage an attack if the worst happens.
What is ransomware?
Ransomware is a type of cybersecurity attack that prevents users from accessing their system and demands ransom payments in order to regain access. Ransomware authors usually order that payment be sent via cryptocurrency or credit card, and attackers target individuals, businesses, and organisations of all kinds.
Better still – how do I prevent an attack from happening in the first place?
Defending against ransomware requires an all-hands-on-deck approach that brings together your entire business.
Here are six steps to take to help prevent an attack:
1. Maintain backups – thoughtfully
Although backing up data can help in the recovery from an attack, make sure your backup files are appropriately protected and stored offline so they can’t be targeted by attackers. Using cloud services can help reduce the impact of a ransomware attack as many retain previous versions of files, allowing you to roll back to an unencrypted version.
2. Put company-wide plans in place
Create an incident response plan, so your IT team knows what to do during an attack. Security awareness training is also key to stopping ransomware in its tracks – when employees know how to spot and avoid malicious emails, they can help protect the business too.
3. Protect your endpoints
Endpoint protection is vital as endpoints can represent an ‘entry point’ for a hacker into a company network. And with hybrid working set to stay, the need for a secure network on-the-go couldn’t be more crucial.
4. Keep systems up to date
Ensure your business’ operating systems, applications, and software are regularly updated. Applying the latest updates helps to close security gaps that attackers are looking to exploit.
5. Introduce an Intrusion Detection System (IDS)
An IDS looks for malicious activity by comparing network traffic logs to signatures that detect known malicious activity. A robust IDS will regularly update signatures and alert your business quickly if it detects potential malicious activity.
6. Review port settings
Many ransomware attackers take advantage of Remote Desktop Protocol (RDP) port 3389 and Server Message Block (SMB) port 445. Consider whether your business needs to leave these ports open and think about limiting connections to only trusted hosts.
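One way to carry out the port review in step 6, as an added example that is not part of the original guide: the script below checks a list of inbound firewall rules and reports any that allow RDP (3389) or SMB (445) from a source outside your trusted networks. The rule format, rule names and addresses are constructed for illustration and are not any product's export format.

```python
import ipaddress

# The two ports named in step 6.
WATCHED_PORTS = {3389: "RDP", 445: "SMB"}

def port_in_spec(port, spec):
    """True if port is covered by a spec such as 'any', '445' or '80,400-500'."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def audit_rules(rules, trusted_networks):
    """List inbound allow rules that open a watched port to an untrusted source."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for rule in rules:
        if rule["direction"] != "in" or rule["action"] != "allow":
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        # A source is trusted only if it sits wholly inside a trusted network.
        if any(source.version == t.version and source.subnet_of(t) for t in trusted):
            continue
        for port, service in WATCHED_PORTS.items():
            if port_in_spec(port, rule["ports"]):
                findings.append((rule["name"], service, port, str(source)))
    return findings

def _rule(name, action, source, ports):
    return {"name": name, "direction": "in", "action": action,
            "source": source, "ports": ports}

# Constructed sample rule set (hypothetical format, made-up names and addresses).
SAMPLE_RULES = [
    _rule("rdp-from-anywhere", "allow", "0.0.0.0/0", "3389"),
    _rule("rdp-from-admin-vpn", "allow", "10.20.0.0/24", "3389"),
    _rule("wide-range", "allow", "198.51.100.0/24", "400-500"),
    _rule("smb-deny", "deny", "0.0.0.0/0", "445"),
    _rule("web", "allow", "0.0.0.0/0", "80,443"),
]
TRUSTED = ["10.20.0.0/16"]  # assumed admin/VPN range

if __name__ == "__main__":
    for name, service, port, source in audit_rules(SAMPLE_RULES, TRUSTED):
        print(f"{name}: {service} port {port} reachable from {source}")
```

Note that the "wide-range" rule is flagged even though it never mentions 445 by number: broad port ranges are an easy way for SMB to stay exposed unnoticed.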
What if the worst happens – how do I manage an attack?
Although prevention is the best form of defence (see the prevention steps above), acting promptly can limit the damage if your business finds itself under attack.
Six quick steps to take in the event of an attack:
1. Don’t panic and never pay the ransom
Try to stay level-headed. Most people rush into paying the ransom before analysing the gravity of the situation. According to research, it doesn’t always pay to pay, with 80% of businesses who pay the ransom getting hit a second time. Taking a step back with a calm head can sometimes open doors for negotiations with the attacker, and result in a better outcome than an immediate reaction.
2. Report to local authorities (and / or the appropriate local regulator in your country)
As soon as you notice an attack, notify local authorities (which could be the police, or local government agency, depending on where you are based). Ransomware is a serious crime and needs to be investigated – at the very least, your action will help others to avoid a similar fate.
3. Isolate systems
Isolate the affected systems as soon as possible – ransomware typically scans the target network and can gain access to other systems. Sever the affected systems from the network to contain the infection and stop the attack from spreading.
4. Disable maintenance tasks and disconnect backups
Immediately disable automated maintenance tasks, e.g., temporary file removal on affected systems, to prevent them from interfering with files that might be useful for forensics. Since most ransomware strains immediately go after backups to slow down recovery efforts, secure your backups by disconnecting them from the rest of the network. Lock down access to backup systems until after the virus is removed.
5. Identify the type of ransomware attack
Use a free service such as ID Ransomware to determine the ransomware strain. You’ll be asked to upload a sample of the encrypted file, and any ransom note left behind.
6. Reset passwords
Change all online and account passwords once you have disconnected the affected systems from the network. After the ransomware gets removed, change all the system passwords once again.
Prevention is always better than cure, so taking steps to avoid a ransomware attack is crucial. In the event of an attack, however, acting quickly can help to limit the damage. According to research, it should take mature businesses just 10 minutes to investigate an intrusion, yet only 10% are able to meet this benchmark. Make sure you’re one step ahead, with a plan in place to deal with the worst-case scenario.
Keen to read more widely about how you can protect your business? Check out our tips for managing increased risks of cyber security in the new world of remote working.
Or if you’d like to know how to set up the security measures we’ve listed, our V-Hub Digital Advisers can offer free, tailored support. For more cyber security help for small businesses, visit our cyber security hub to help keep your business safe and secure.