Alert for Ransomware Attack Victims: Here's How to Respond

Ransomware-Battling Veteran Fabian Wosar Describes Essential Steps and Challenges
As ransomware continues to pummel organizations, if they do get hit, then from an incident response standpoint, what are the essential first steps they should take to smooth their recovery?
"The first thing they should do is isolate the affected systems from the network. The last thing you want is … the infection spreading to other systems," says Fabian Wosar, CTO of Emsisoft, who has spent the past 10 years working to disrupt the criminal business model and help organizations navigate their recovery efforts with data-restoration tools.
"The next step is figuring out how they got in … and the next step after that is, make sure that your backups are secure. And it's absolutely important that you don't access those backup servers using any of the already compromised infrastructure, the reason being that sometimes ransomware is still running on them."
Victims: Research Your Options
How organizations proceed from there depends on whether they have working backups, Wosar says. If not, and a victim decides to investigate paying a ransom - which he never advocates - then he recommends they use a professional negotiating service with knowledge of individual ransomware operations, including typical ransom pricing and whether they tend to provide a decryptor.
In addition, Wosar recommends reaching out to other organizations, including his firm, for free advice on any other approaches that might be available for recovering data. "Honestly, I have seen quite a couple of cases where ransoms were paid, even though it wasn't necessary, and that always pains me greatly," he says.
In this audio interview with Information Security Media Group, Wosar discusses:
- Essential response steps when organizations discover they've been hit by ransomware-wielding attackers;
- Best practices for working with cyber insurers, incident responders and ransomware negotiators;
- Questions to ask whenever weighing any attempt to recover by paying a ransom, as opposed to restoring from backups or - sometimes - being able to use free decryptors or unpublicized workarounds.
Wosar is CTO of Emsisoft, where he works to actively disrupt the ransomware ecosystem as well as assist victims, in part via decryption tools.