Let’s say it’s a Monday morning. You’re headed into work—there’s a light drizzle coming down and traffic is backed up from an accident at the large intersection close to your building.
Frustrated, you wait for the accident to clear and get to the office nearly 30 minutes late. You hurriedly rush in the front door and notice the receptionist gone from her desk. You look in a few more offices and no one is to be seen.
As you are heading to your office you notice everyone congregated in the lunch room. No one is smiling. Your accountant is crying—she’s exclaiming that all of the hours of work she’s put in (including overtime that weekend) are gone.
What’s going on?
Your network was hit with a ransomware attack. Everyone’s computer is locked down. No one—not a single sole on your operations team, sales team, or finance team—is able to do anything.
What to do next?
Today, I want to walk through some steps you can take to make sure you know how to recover from a ransomware attack (I have to go through ransomware remediations all too often now to ever wish one on anyone—even one of my competitors!).
Here are some steps that I’ve learned over hundreds of ransomware recoveries, data breach remediations and forensic investigations that can get you prepared in the event something does happen to your network. This information is from events that I’ve had to deal with over the last couple of years:
Stay focused—when you enter that really intense and emotional feeling that everything is gone, don’t get distracted by the noise. The more focused you are, the more focused your team will be. Your mission is to clean up what needs to be cleaned, get your business on track and learn from these events. There’s no time for distractions and chaos. If you, as a leader within your organization, cannot focus, there is
Understand where you are—don’t let the minutiae of all of the aftermath get in your way. Have a priorities list on what needs to be done first to get your critical systems up and running. What functions can be done manually for the time being and what completely depend on your computer systems? Understanding where your points of failure are and where you completely depend on your network or computers being up will help you focus on a clear list of priorities.
Know your safety zone—in the event of an attack, you need to have policies, processes and procedures to follow. There is no way anyone will be able to memorize all of the steps in your recovery process by heart. Have a list of where all of your data is housed, where backups are and who needs to get involved. Having a paper copy (or digital copy offsite) will help you better assess your current situation.
Know who you can trust—your leadership team should have delegated responsibilities in the event of a major event—like a ransomware attack—to key trustable team members or associates. You may also need to have identified a remediation team that you can trust to restore your data in a timely manner (this will be much harder to do the day of an attack).
Stay the course—at times, your team will complain, shout, cry, or do anything to try and focus on their needs. My advice to you? Stay the course. Keeping to your plan and checking one item off your list at a time will be much more effective than dealing with dozens of peoples’ issues all at once. You already had set priorities. Your really hard task will be to stick to those priorities.
Understand how much damage is okay—as you recover, you likely will be taking on some additional risks through the recovery process than you might find palatable. By understanding how much damage you are willing to take on as you go through the recovery process (for instance, how much downtime or how many outages), you can turn around if the damage is getting too bad.
Know when to change course—in any project, you need measurable that tell you whether the project is successful—I’ve learned this both in programming projects and any infrastructure project or implementation. A ransomware remediation similarly needs clear measurable to outline progress being made (even if you haven’t gotten to the end result yet of recovery). Hold your progress against defined measurable to see if you’re heading in the right direction. If you aren’t, be flexible to change course or seek additional advice.
Assess all of your damage—make sure you understand what was damaged as you go along the recovery process. Note that you might turn over more rocks as you continue through recovery that were not evident right out of the gate. Keeping a keen eye for anything damaged or out of place on your network will help keeping track of where your recovery needs to be focused.
Learn lessons—no problem is without a lesson (after the recovery is complete). Make sure you have a debrief session with your entire team. Walk through what caused the attack and make it a learning lesson for the future. This is where a LOT of organizations fail. Little follow up to the event makes the next attack attempt just as likely (criminals will be targeting you more if you’ve been hit once by a ransomware attack).
