What is the first thing you should do if you suspect you have been affected by ransomware?
We understand finding ransomware on your system can be quite an alarming experience, but please don't panic. With the information below, we will guide you through how to react and how you can use ElephantDrive to recover your backups.
Although it is important to react quickly to determine which systems were affected and to stop the spread of the ransomware infection, it is equally important to respond slowly and thoughtfully when using ElephantDrive to restore backups: configuring restores haphazardly, without proper guidance, can lead to restore failures or, worse, to losing your backups altogether.
We've compiled the following Dos and Don'ts as a guide for reacting to ransomware.
Do Immediately:
- Determine which systems were impacted and immediately isolate them. Take the network offline at the switch level. If taking the network temporarily offline is not immediately possible, locate the network cable and physically unplug affected devices from the network, or remove them from any wireless connection, to contain the infection. If you're unable to disconnect your devices from the network for any reason, it might be necessary to power them down to avoid further spread of the ransomware infection.
- Contact federal law enforcement about decryptors that may be available. Security researchers have already broken the encryption of some common ransomware variants.
- Consult with your incident response team to develop and document an initial understanding of what has occurred. Engage your internal/external teams and stakeholders with an understanding of what they can provide to help you mitigate, respond to, and recover from the incident. Share the information you have at your disposal to receive the most timely and relevant assistance. Relevant stakeholders may include your IT department, managed security service providers, cyber insurance company, shareholders, investors, suppliers, and departmental or elected leaders.
Do Slowly and Thoughtfully:
- Triage impacted systems for restoration and recovery. Identify and prioritize critical systems (directories, folders, etc.) for restoration. Prioritize restoration and recovery based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services. Keep track of systems and devices that are not perceived to be impacted so they can be deprioritized for restoration and recovery. Triaging restoration and recovery enables your organization to get back to business in a more efficient manner.
- Read this short article on configuring a restore job after a ransomware attack: https://support.elephantdrive.com/hc/en-us/articles/1260806168329-Steps-to-Configure-a-Restore-Job-How-do-I-restore-my-data-after-a-ransomware-attack-
Don't:
- Panic or react without proper guidance.
- Restore data to the affected device.
- Allow affected systems and devices to reconnect to the Internet or other devices (until the ransomware infection has been contained or resolved).
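The triage step above (prioritize restoration from a predefined critical-asset list and keep track of systems that are not perceived to be impacted) and the "don't restore data to the affected device" rule can be made mechanical. The following is an added example, not ElephantDrive's own code or tooling: it assumes a hypothetical asset inventory with a service category and a criticality tier per host, uses constructed sample hosts, and assigns the category ranks itself (health and safety first, then revenue generation, then other critical services, as the guidance lists them).

```python
"""Restore triage helper (added example, not ElephantDrive code).

Orders impacted systems for recovery from a predefined critical-asset
list, lists unimpacted systems separately so they can be deprioritized,
and refuses a restore whose target is still on the impacted list.
The inventory and impacted-host list below are constructed sample data.
"""
from dataclasses import dataclass

# Restore priority per service category (lower value = restore first).
# The categories follow the guidance text; the numeric ranks are an assumption.
CATEGORY_RANK = {
    "health-safety": 0,
    "revenue": 1,
    "critical-service": 2,
    "other": 3,
}


@dataclass(frozen=True)
class Asset:
    host: str
    category: str   # key of CATEGORY_RANK
    tier: int       # 1 = most critical within its category


def triage(assets, impacted):
    """Return (restore_queue, deferred).

    restore_queue: impacted hosts ordered by category rank, then tier.
    deferred: hosts not perceived to be impacted, kept on record so they
    can be deprioritized rather than forgotten.
    """
    impacted = set(impacted)
    known = {a.host for a in assets}
    unknown = impacted - known
    if unknown:
        # An impacted host missing from the asset list cannot be prioritized;
        # surface it instead of silently dropping it from the plan.
        raise ValueError(f"impacted hosts missing from asset list: {sorted(unknown)}")
    queue = sorted(
        (a for a in assets if a.host in impacted),
        key=lambda a: (CATEGORY_RANK.get(a.category, CATEGORY_RANK["other"]),
                       a.tier, a.host),
    )
    deferred = sorted(a.host for a in assets if a.host not in impacted)
    return [a.host for a in queue], deferred


def check_restore_target(target, impacted):
    """Refuse a restore that points at a device still on the impacted list;
    data must go to a clean or rebuilt device, not the affected one."""
    if target in set(impacted):
        raise ValueError(f"refusing to restore onto impacted device {target!r}")
    return target


# Constructed sample inventory and impacted-host list.
ASSETS = [
    Asset("emr-db01", "health-safety", 1),
    Asset("pos-srv02", "revenue", 1),
    Asset("fileshare01", "critical-service", 2),
    Asset("hr-app01", "other", 1),
    Asset("dev-box07", "other", 3),
]
IMPACTED = ["fileshare01", "hr-app01", "emr-db01"]

if __name__ == "__main__":
    order, deferred = triage(ASSETS, IMPACTED)
    print("restore order:", order)                 # emr-db01, fileshare01, hr-app01
    print("deferred (not impacted):", deferred)    # dev-box07, pos-srv02
    print("restore target ok:", check_restore_target("restore-host01", IMPACTED))
```

The queue is deterministic (category rank, then tier, then host name), so two people working from the same asset list produce the same restore order, and `check_restore_target` is the place to plug in whatever device name your restore job is configured to write to before the job is started.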