Ransomware Attacks
We can perform log file analysis, uncover the attack’s entry point, build a timeline of events and help identify possible evidence of data exfiltration.
Responding to a Ransomware Attack
The number of ransomware attacks continues to rise year on year. According to the Verizon 2022 Data Breach Investigations Report, there was a 13% increase in ransomware attacks, and ransomware was involved in 25% of all breaches.
When a company falls victim to a ransomware attack, the natural response is to wipe the infected machine and restore the data in order to get up and running again as quickly as possible. As a result, attackers will often use ransomware as a way to destroy any evidence of a data breach after they have extracted the data from the network.
It is therefore important for the company to conduct a thorough investigation even if the encrypted data cannot be recovered.
The purpose of the investigation is to preserve potential evidence in order to:
- Identify how the system came to be infected with ransomware
- Identify if any confidential data has been extracted from the system
- Provide answers to the regulatory authorities and show you have taken reasonable steps to prevent a repeat
- Preserve the data in case decryption keys are released at a later date
If you become a victim of a ransomware attack, how should you respond?
- Do not shut down the infected devices
- Disconnect the infected devices from the network
- Preserve logs such as firewall, VPN and anti-virus logs, or any other logs which can be saved
- Document all information pertaining to the ransomware attack:
  - Photo or copy of the ransom demand note/splash screen
  - Ransomware variant name if known
  - The file extension of encrypted files
  - The date and time of the attack
  - The file naming scheme for the ransom note/readme file left by the attacker
  - Any email addresses, URLs or other methods provided by the attacker for communication
  - Required payment method/bitcoin addresses provided by the attacker
  - Ransom amount demanded if known
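One way to carry out the "preserve logs" step so the copies can later be shown to be unaltered, as an added example that is not part of the original page: each log is copied to an evidence folder and recorded in a hash manifest that can be re-checked at any time. The function names, the `manifest.json` file name and the manifest fields are assumptions chosen for illustration.

```python
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.json"  # hypothetical file name for the evidence manifest

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def preserve_logs(sources, evidence_dir):
    """Copy each log into evidence_dir and record its hash and timestamps."""
    evidence = Path(evidence_dir)
    evidence.mkdir(parents=True, exist_ok=True)
    entries = []
    for index, src in enumerate(map(Path, sources)):
        # Index prefix: two sources both named "vpn.log" must not overwrite each other.
        dest = evidence / f"{index:03d}_{src.name}"
        shutil.copy2(src, dest)  # copy2 keeps the original modification time
        stat = dest.stat()
        entries.append({
            "original_path": str(src.resolve()),
            "evidence_file": dest.name,
            "size_bytes": stat.st_size,
            "modified_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            # Hash the copy, not the source: a live log may keep growing after collection.
            "sha256": sha256_file(dest),
        })
    (evidence / MANIFEST).write_text(json.dumps(entries, indent=2))
    return entries

def verify_evidence(evidence_dir):
    """Return the evidence files that are missing or no longer match the manifest."""
    evidence = Path(evidence_dir)
    entries = json.loads((evidence / MANIFEST).read_text())
    return [e["evidence_file"] for e in entries
            if not (evidence / e["evidence_file"]).is_file()
            or sha256_file(evidence / e["evidence_file"]) != e["sha256"]]
```

Write the evidence folder to external or write-once storage rather than the infected device, and keep a copy of the manifest separately so the hashes themselves can be trusted.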