Ask an MSP: What to do when attacked by ransomware

February 7, 2021

Ransomware: the risk is all too real. Ransomware attacks nearly doubled in the first quarter of 2021, and they impact more small businesses than ever.

As its name suggests, ransomware involves a hacker holding your data hostage in exchange for a ransom. The whole process usually kicks off with a phishing email – a calculated attempt to trick your network users into clicking on a malicious link or downloading a suspicious attachment. From there, hackers launch malware that encrypts shared files, rendering them useless unless the ransom is paid.

Fortunately, with the right protections – routine backups, threat detection tools, and employee training – most organizations can head off an attack without looking back. The trouble is that most advice about ransomware centers on preventative measures, which won’t do any good if you’re already in the throes of an attack. Today, we’ll answer your questions about ransomware and tell you what to do when ransomware attacks.

How do I know that I’ve been attacked?

There are a few clear smoke signals associated with ransomware. Unusual changes to file names, lockout screens or strange computer backgrounds complete with a ransom note are all good indicators that you’ve been hacked.

However, it’s also possible that you have a ransomware lookalike on your hands. While this is rare, hackers do occasionally send fake ransom messages. The hope is that you’ll become so panicked when you read them that you’ll pay up without even a cursory glance at your files. In this case, your data and servers will still be accessible, so once you have confirmed that your files and servers are intact, you can ignore the message and proceed as usual.

If you think you’ve genuinely been attacked, your best bet is to try to identify the strain of ransomware. Ransom notes are not subtle missives, and they often offer up the name of the ransomware right in the text of the message. Look for common strains like “Linux.Encoder” or “TeslaCrypt,” or try to locate a ransomware support email address. If you see that, it’s a clear sign that the hacker means business.

What do I do first? How can I stop ransomware from spreading?

As with any hack, fast action is critical if you want to minimize damage. Along with identifying your ransomware, you’ll also want to lock down systems to save the data you can and triage the infection.

If you are able, disconnect your servers from the internet and WAN connections or call IT support providers to help you do so. This will help you isolate infected machines and buy you time for cleanup.

Of course, going offline is simply not an option for some businesses. If that’s the case for you, you may need to identify affected users and revoke their accounts. You can do this by looking at open shares on affected network drives, or by having your business IT support team do it for you.
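The smoke signals above (files renamed to an unusual extension, ransom notes dropped into folders) and the triage step of working out which part of a share was hit can be turned into a quick scan. The script below is an added example, not code from the original article or from Integris: it walks a share, counts files whose extension is not on a constructed allow-list, spots note-like files, and reports which directories to isolate first. The extension list, note markers and scoring thresholds are assumptions chosen for illustration; the sample share it builds in a temp directory is constructed data.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Constructed heuristics for this example (not from the original article):
# extensions a typical office share normally holds, file types ransom notes
# usually arrive as, and name fragments that ransom notes commonly carry.
NORMAL_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}
NOTE_MARKERS = ("decrypt", "restore", "recover", "how_to", "ransom")


def assess_share(root):
    """Walk a file share and score the two smoke signals the article names:
    files renamed to an unusual extension, and dropped ransom-note files.
    Returns a dict a responder can act on (which directories to isolate first)."""
    root = Path(root)
    scanned = 0            # ordinary files examined (notes are counted separately)
    odd_ext = Counter()    # unusual extension -> number of files carrying it
    affected_dirs = set()  # directories holding renamed files
    notes = []             # ransom-note candidates, as paths relative to the share
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        stem = path.stem.lower()
        if ext in NOTE_EXTENSIONS and any(marker in stem for marker in NOTE_MARKERS):
            notes.append(str(path.relative_to(root)))
            continue
        scanned += 1
        if ext not in NORMAL_EXTENSIONS:
            odd_ext[ext] += 1
            affected_dirs.add(str(path.parent.relative_to(root)))
    renamed = sum(odd_ext.values())
    ratio = renamed / scanned if scanned else 0.0
    # Thresholds are assumptions: a share where half the files changed extension,
    # or where several notes appeared, is treated as an active infection.
    if ratio >= 0.5 or len(notes) >= 3:
        verdict = "likely ransomware"
    elif ratio >= 0.1 or notes:
        verdict = "suspicious"
    else:
        verdict = "normal"
    return {
        "scanned": scanned,
        "renamed": renamed,
        "renamed_ratio": round(ratio, 3),
        "top_extension": odd_ext.most_common(1)[0][0] if odd_ext else None,
        "notes": sorted(notes),
        "affected_dirs": sorted(affected_dirs),
        "verdict": verdict,
    }


def build_sample_share(encrypted=True):
    """Create a constructed sample share in a temp directory.
    With encrypted=True the 'finance' folder looks like it was hit; 'hr' is untouched."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "hr").mkdir()
    for name in ("handbook.pdf", "roster.xlsx", "policy.docx"):
        (root / "hr" / name).write_bytes(b"sample")
    (root / "finance").mkdir()
    if encrypted:
        for name in ("q1.xlsx.locked", "budget.docx.locked",
                     "invoices.pdf.locked", "notes.txt.locked"):
            (root / "finance" / name).write_bytes(b"\x00garbled")
        (root / "finance" / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note")
    else:
        for name in ("q1.xlsx", "budget.docx"):
            (root / "finance" / name).write_bytes(b"sample")
    return root


if __name__ == "__main__":
    report = assess_share(build_sample_share())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point `assess_share` at a mounted share (or a mapped drive) to get a per-share verdict and the list of folders where renamed files cluster; those folders, and the users who had them open, are the first candidates for disconnection or account lockout described above. The allow-list approach deliberately errs toward false positives, since a folder full of `.locked` files is cheap to check by hand and expensive to miss.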

Is there any way to save user files?

In some cases, you may be able to decrypt files using a ransomware decryptor tool like the ones offered by Trend Micro and McAfee. It’s worth a shot, especially if you haven’t backed up your servers in a while.

If you try out the decryption tools and you still can’t recover your files, the only thing to do is revert to a backup. If it’s been a long time since your last backup, you may lose some data. That’s why business IT support providers strongly recommend routine automated backups.

Should I pay the ransom?

IT support professionals strongly recommend that you do not pay ransomware fees. There’s no honor among thieves, after all, which means there’s no guarantee you’ll actually get your files back. In fact, about 1 in 5 businesses that decide to pay never receive their data.

Even worse, paying means you provide incentives for hackers in the future. It’s not like hackers don’t talk among themselves; in fact, they’re highly likely to brag about their recent conquests. Not only will your payment encourage new hackers, but it could also potentially peg you as an easy mark for additional attacks by the original perpetrator.

That said, there are certain instances where paying up makes sense. Mission-critical and sensitive files may need to be saved at any cost, but you shouldn’t pay the ransom if there’s any way you can avoid it.

What steps do I take afterward?

Dealing with the aftermath of a ransomware attack is often more painful than stopping the attack in the first place. Once you’ve successfully removed the malware and restored your files, you may still need to deal with the PR fallout and investigate any legal ramifications associated with the attack.

Just as important is securing your systems so you aren’t targeted again. Here’s where those preventative measures we mentioned before come in. You can peruse our article on ransomware protections to get the full picture, but the bottom line is that regular backups and employee training go a long way. Additionally, you’ll want to create a documented data recovery and response plan so there’s no question about what to do the next time you face a cybersecurity threat.

Of course, you don’t have to do it all on your own. If you need help with ransomware protections and recovery plans, contact us today for a free security consultation – and say hasta la vista to ransomware!

We're Integris. We're always working to empower people through technology.
