<p><img src="https://static6.businessinsider.com/image/605b8416106eb50019d0567e-1997/GettyImages-847207652.jpg" border="0" alt="Sophos ransomware attack response" data-mce-source="Getty Images"></p><p><em>By Mat Gangwer, director of managed threat response, </em><em>Sophos</em></p><p>By this point we've all heard at least one ransomware horror story: a hospital that was breached, a school that was attacked, a business that had terabytes of data suddenly locked up one morning and held for a million-dollar ransom. We've heard the names of the victims, the names of the perpetrators, the ransoms being demanded, the consequences for employees and students and patients. But something that so rarely breaks through in these stories is, <em>what did they do about it?</em></p><p>Because if you ever find yourself in the grips of a ransomware attack, what will help you through the heat of that moment isn't remembering the names of ransomware groups you heard in the media or which Fortune 500 company recently paid out millions of dollars to get its data back. What will help is having a series of pre-planned contingencies to fall back on.</p><p>In the unfortunate scenario that you find yourself attacked by ransomware, here are six steps you should immediately take.</p><h2><strong style="color: #000000;">1. Trigger your business continuity and incident response plans</strong></h2><p>If you find out you've been hit by a ransomware attack, executing your business continuity plan is step one. It doesn't matter if that plan wasn't designed for cyberattacks in particular. 
Even general business continuity strategies, including those intended more for remote working or natural disasters, will still work just fine (though obviously, if your business continuity strategy is geared specifically for cyberattacks and ransomware, all the better). Ensuring business continuity amid a crisis is an essential first step. Additionally, for those organizations that planned ahead for a potential ransomware attack and developed a documented and tested incident response plan accordingly, this is the time to put it into action.</p><h2><strong>2. Limit the blast radius</strong></h2><p>After you've triggered your business continuity plan, the next step is to respond to the malware itself. That response needs to be focused on limiting the blast radius of the attack. That's easier said than done, of course. But as we see ransomware move faster, in programmatic mass deployments and self-propagating spread, it doesn't take an attacker very long to infect the entire organization. That makes the timing and speed of your response crucial.</p><p>So what does limiting the blast radius of the breach entail? It comes down to harm reduction. Ideally your response should thread a needle: rebuilding and recovering your systems while also preserving enough digital forensic evidence of the attack to be analyzed afterward. That's a tough balancing act to pull off, and the panic of the situation can lead to a natural inclination to shut down everything. But as much as possible, you want to disconnect network assets to limit the ransomware's spread without shutting the power off altogether. When you power off, you may lose memory artifacts, and with them vital evidence of the attack. This is particularly problematic for those ransomware groups that are using fileless malware. 
If you power off the machine, you will likely have deleted the malware from memory, which might sound like a good thing, but in this case it means you've prevented yourself from finding out what the attackers may have actually done.</p><h2><strong style="color: #000000;">3. Launch a whole-of-business response</strong></h2><p>Ransomware is no longer just a matter for your IT team. We're increasingly seeing groups like <a href="https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/">Conti</a> use double extortion techniques, a two-pronged attack that not only encrypts your data for ransom but threatens to leak it if you don't pay (or don't pay quickly enough). That means you now need to loop in your PR and crisis communications teams to manage that possible fallout. Your legal department and insurance provider should be a part of the conversation around privacy issues that may arise from potential leaks. And if you have any preferred vendors for launching an <a href="https://www.sophos.com/en-us/products/managed-threat-response/rapid-response.aspx" target="_blank" rel="nofollow noopener sponsored">incident response</a> to the attack, they need to be brought to the table as well.</p><h2><strong style="color: #000000;">4. Move your backups offline</strong></h2><p>This is an action you should be taking before an attack rather than during one. If you happen to catch a ransomware breach in the act, in real time, then you should disconnect your backups from the network and move them offline. But if you're only noticing the attack hours after it started, it may be too late. In either event, the best response you can take is to ensure right now that your backups are protected against a network breach like ransomware, before it hits.</p><h2><strong style="color: #000000;">5. Move critical communications offline, too</strong></h2><p>Quick, clear communication with your various internal teams (see point #3) is crucial to an effective ransomware response. 
But you're undermining yourself if you carry out those communications over email or instant message, like you might during a normal business day. A ransomware attack is not a normal business day. When communicating with the response team, do so offline or outside the scope of normal business apps. Attackers may be monitoring your electronic communications, and if you put details of your response plans or the location of your backups into an email, then they'll know that too. When relaying your response plans internally, pick up the phone, send a text, or, when possible, talk face to face.</p><h2><strong style="color: #000000;">6. Maintain an active cyber-threat hunting presence</strong></h2><p>The effectiveness of your response to a ransomware attack largely depends on what stage the attackers are in by the time you discover them: whether it's before or after they've encrypted your data, or before or after they've stolen it. If it's after, that severely limits your ability to fight back. This is why <a href="https://www.sophos.com/en-us/products/managed-threat-response.aspx" target="_blank" rel="nofollow noopener sponsored">threat hunting</a> is so important. Having a threat hunting team that is actively monitoring your systems for potential adversaries is essential for getting out ahead of a ransomware attack.</p><p>There's not a lot you can do if you've discovered the ransomware hours after it's spread throughout your network, but there are ways you can minimize the damage done and the fallout. Most importantly, the best protection when it comes to ransomware is prevention: leveraging lightning-fast, human-led threat hunting teams that will monitor your network 24/7 for an attack. 
Constant, proactive threat hunting puts you in the driver's seat and gives you the power to counter ransomware attacks, stave off other cybercriminals, and get back to normal with minimal costs or recovery time.</p><p><strong><a href="https://www.sophos.com/en-us/products/managed-threat-response/rapid-response.aspx" target="_blank" rel="nofollow noopener sponsored">Learn more about Sophos' next generation cybersecurity services and solutions.</a></strong></p><p><em>This post was created by <a href="https://www.sophos.com/en-us/products/managed-threat-response/rapid-response.aspx" target="_blank" rel="nofollow noopener sponsored">Sophos</a> with <a href="https://www.businessinsider.com/sponsor-posts/?_ga=2.7594804.748993769.1576513703-372096675.1574180919" target="_blank" rel="nofollow noopener sponsored">Insider Studios</a>.</em></p>
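<p>The containment step in point 2 above (disconnect the host from the network, but do not power it off, so memory artifacts and any fileless payload survive for analysis) can be scripted ahead of time as part of the incident response plan in point 1. The following is an added example and is not code from the original post or from Sophos. It assumes a Windows 8 / Server 2012 or later host with the built-in NetAdapter, NetTCPIP and ScheduledTasks modules, an elevated PowerShell session, and a triage folder path (<code>C:\IR-Triage</code>) chosen here for illustration; the script name <code>Contain-Host.ps1</code> is hypothetical.</p>

```powershell
<#
  Contain-Host.ps1 (hypothetical name, added example; not Sophos code).
  Isolate a suspected-ransomware host from the network while leaving it
  powered on, so volatile evidence in RAM is preserved for the responders.
  Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.
#>
[CmdletBinding()]
param(
    # Where the volatile-state snapshot is written. The path is an assumption.
    [string]$TriageRoot = 'C:\IR-Triage',
    # Rehearse the playbook (tabletop exercise) without disabling anything.
    [switch]$DryRun
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $TriageRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Snapshot volatile state BEFORE touching the network: isolating the host
#    changes the connection table, so capture it first.
Get-Process | Select-Object Id, ProcessName, Path |
    Export-Csv (Join-Path $outDir 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $outDir 'tcp-connections.csv') -NoTypeInformation
Get-NetNeighbor | Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias |
    Export-Csv (Join-Path $outDir 'arp-cache.csv') -NoTypeInformation
Get-ScheduledTask | Select-Object TaskName, TaskPath, State |
    Export-Csv (Join-Path $outDir 'scheduled-tasks.csv') -NoTypeInformation

# Hash every snapshot file so the evidence can later be shown to be unmodified.
Get-ChildItem $outDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv (Join-Path $outDir 'manifest.csv') -NoTypeInformation

# 2. Isolate: disable every adapter that is currently up. The machine stays
#    running, so RAM (and any fileless payload living only there) remains
#    available for a memory acquisition tool run by the response team.
$adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
foreach ($a in $adapters) {
    if ($DryRun) {
        Write-Host "[dry-run] would disable adapter '$($a.Name)' ($($a.InterfaceDescription))"
    } else {
        Disable-NetAdapter -Name $a.Name -Confirm:$false
        Write-Host "disabled adapter '$($a.Name)'"
    }
}

# 3. Leave an operator note on the host: the one thing NOT to do next.
@"
Host $env:COMPUTERNAME isolated at $stamp. DO NOT power off or reboot:
memory has not been acquired yet. Volatile snapshot and SHA-256 manifest: $outDir
"@ | Set-Content (Join-Path $outDir 'README.txt')
```

<p>Run it with <code>-DryRun</code> during plan rehearsals so the evidence collection is exercised without cutting the adapter; once the adapters are disabled the host can no longer be reached over the network, so the script is meant to be run locally or through whatever out-of-band management the plan already provides, which is also why the response channel itself should be off the network, as point 5 advises.</p>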