Ransomware attacks, which threaten companies of all sizes and industries, inflicted an average of more than $16.8 million in losses on targeted companies, an increase of 62% over the previous year. It is estimated that ransomware attacks could cause a total of $265 billion in losses by 2030. Laykon IT Operations Director Alev Akkoyunlu states that, despite all preventive solutions, every organization from public institutions to SMEs is at risk of a ransomware attack, and lists in 6 steps what needs to be done right after one.
Ransomware Sold as a Service on the Dark Web!
“The fact that ransomware attacks, one of the biggest security problems for companies today, can be outsourced completely as a service has been the driving force behind the growth of this attack type. Ransomware tools available for sale on the Dark Web have made it relatively easy for hackers to carry out sophisticated attacks.” Alev Akkoyunlu, Operations Director of Laykon Bilişim, also emphasizes that these pre-packaged services are more cost-effective for hackers. Saying that organizations of all sizes should be ready for possible attacks with solutions such as Bitdefender’s anti-ransomware, Akkoyunlu said, “These solutions stop potential attacks without encrypting your data, and also take a backup of the targeted systems after blocking the attack.” Noting that the ease of carrying out these attacks puts not only large companies but everyone from municipalities to hospitals and small businesses at risk, Akkoyunlu lists in 6 steps what organizations should do right after a ransomware attack.
1. Stay calm. When you first realize you have been hit by ransomware, you might panic. With a response plan prepared in advance, you can react strategically instead of emotionally. In your attack response plan, consider who is likely to attack your company, their purpose, and what data they will target. Identifying the most likely scenarios and taking sensible precautions in advance will keep you from giving in to your emotions in times of high pressure and stress.
2. Prevent spreading. Once you detect an attack, you should quickly isolate infected devices and take them offline to prevent the ransomware from spreading further on your network. All updates and backups to the IT architecture, such as migrations to new environments and installation of new applications, should be stopped immediately. At this point it is very important that your company’s IT administrators have up-to-date information about the tools, make regular backups so that systems can be restored to their previous state after a possible attack, and store all copies in an offline environment.
3. Investigate the attack. After stopping the further spread of the ransomware, you can start investigating the attack. Gather all the information about how the attacker broke into your company, the ransomware type, and the attack vector. Identifying the source and nature of the attack not only helps you determine the appropriate next steps, but also helps you harden your systems against future threats. Here, using security software with an EDR solution will make your job easier. With this technology, which lets you analyze the root cause of a cyber attack, you will have no difficulty detecting the weak link in your company.
4. Get support from a third-party institution or expert. At this stage, you can get the help of a reliable third-party institution or expert. Experts may have more insight into the attackers, especially if you have been attacked by a known cybercriminal group. It may also be a good time to start looking for decryption tools to retrieve your stolen and encrypted data. For an up-to-date directory of freely available tools, check out Bitdefender’s list of free decryption tools.
5. Decide whether “to pay or not to pay the ransom”. One of the most important considerations after an attack is whether you will pay the ransom. It may be a difficult decision to make, but it is very important to see the big picture. Some studies have shown that between 50% and 80% of companies that pay a ransom are attacked again by the same or other attackers. In effect, these companies mark themselves as productive targets. Attackers often do not restore full access to the data after the initial ransom demand is met, and instead make ever-increasing ransom demands for the data. Ultimately, ransomware is a matter of supply and demand. If all companies unanimously agree that they will not bow to the demands of the attackers, the supply may be cut off. Even after paying the ransom, there are organizations that cannot regain their data. It would be best to make the decision by analyzing the size of the data loss experienced. Based on the most recent backups you can restore, you have to weigh the loss you would incur against the ransom demanded.
6. Learn from your experiences. Reviewing the lessons learned from the attack, documenting the processes and updating your prevention plan is perhaps the most important stage of responding to the incident. Remember to incorporate everything you have learned into training sessions to strengthen your systems against future attacks.