Alert for Ransomware Attack Victims: Here's How to Respond

Ransomware-Battling Veteran Fabian Wosar Describes Essential Steps and Challenges
Pictured: Fabian Wosar, CTO of Emsisoft, who says that due to threats he receives thanks to his ransomware-disruption efforts, he tries to keep photographs of himself from circulating.

As ransomware continues to pummel organizations, what are the essential first steps a victim should take, from an incident response standpoint, to smooth its recovery?

"The first thing they should do is isolate the affected systems from the network. The last thing you want is … the infection spreading to other systems," says Fabian Wosar, CTO of Emsisoft, who has spent the past 10 years working to disrupt the criminal business model and help organizations navigate their recovery efforts with data-restoration tools.

"The next step is figuring out how they got in … and the next step after that is, make sure that your backups are secure. And it's absolutely important that you don't access those backup servers using any of the already compromised infrastructure, the reason being that sometimes ransomware is still running on them."

Victims: Research Your Options

How organizations proceed from there depends on whether they have working backups, Wosar says. If not, and a victim decides to investigate paying a ransom - which he never advocates - then he recommends they use a professional negotiating service with knowledge of individual ransomware operations, including typical ransom pricing and whether they tend to provide a decryptor.

In addition, Wosar recommends reaching out to other organizations, including his firm, for free advice on any other approaches that might be available for recovering data. "Honestly, I have seen quite a couple of cases where ransoms were paid, even though it wasn't necessary, and that always pains me greatly," he says.

In this audio interview with Information Security Media Group, Wosar discusses:

  • Essential response steps when organizations discover they've been hit by ransomware-wielding attackers;
  • Best practices for working with cyber insurers, incident responders and ransomware negotiators;
  • Questions to ask whenever weighing any attempt to recover by paying a ransom, as opposed to restoring from backups or - sometimes - being able to use free decryptors or unpublicized workarounds.

Wosar is CTO of Emsisoft, where he works to actively disrupt the ransomware ecosystem as well as assist victims, in part via decryption tools.
