Protecting Your Organization From Ransomware Attacks
Unlike traditional malware, ransomware is designed to lock access to data and then demand money to unlock it. Attackers have made tens of millions of dollars from this extortion model, and because it works, attacks are increasing; the risk to your organization is real.
Detecting and containing ransomware incidents quickly is crucial to maintaining operational continuity. Network and endpoint management tools that can detect anomalous behavior (for example, one host renaming or rewriting large numbers of files in a short window), quarantine affected endpoints, block connections to command-and-control (C&C) servers and lock down network segments to prevent lateral movement will speed containment and limit damage.
If a computer is infected, it may try to spread to mapped drives, network shares and other computers. Quarantine the machine on the network so it can no longer reach other systems, but keep it powered on. For some ransomware variants, free decryption tools exist, and some variants leave the encryption key or other useful evidence in memory that is lost on shutdown, so keeping an isolated machine running improves the odds of recovering files without paying a ransom and preserves evidence for the investigation. Only power a machine off if you cannot isolate it from the network.
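The "anomalous behavior" that containment tooling keys on is rarely spelled out. As an added example (not from the original article, and not any vendor's product logic), the script below runs two simple heuristics over a constructed file-server audit log: a burst of extension-changing renames from one host within a sliding window, and the creation of a file whose name looks like a ransom note. The log format, the field layout, the 60-second window, the threshold of 5 renames and the note-name pattern are all assumptions chosen for the demonstration; a real deployment would read the audit source it actually has and tune these values against a baseline.

```python
"""Heuristic ransomware-activity detector over file-server audit events."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not from a real system).
# Assumed field layout: timestamp host action path [new_path]
SAMPLE_LOG = """\
2024-05-01T10:00:00 ws-17 RENAME /share/finance/q1.xlsx /share/finance/q1.xlsx.locked
2024-05-01T10:00:01 ws-17 RENAME /share/finance/q2.xlsx /share/finance/q2.xlsx.locked
2024-05-01T10:00:01 ws-17 RENAME /share/finance/budget.docx /share/finance/budget.docx.locked
2024-05-01T10:00:02 ws-17 RENAME /share/hr/payroll.csv /share/hr/payroll.csv.locked
2024-05-01T10:00:02 ws-17 RENAME /share/hr/handbook.pdf /share/hr/handbook.pdf.locked
2024-05-01T10:00:03 ws-17 CREATE /share/hr/HOW_TO_DECRYPT.txt
2024-05-01T10:00:05 ws-04 RENAME /share/eng/draft.md /share/eng/final.md
2024-05-01T10:01:30 ws-04 MODIFY /share/eng/notes.txt
2024-05-01T10:05:00 ws-09 RENAME /share/eng/report_v1.pdf /share/eng/report_v2.pdf
"""

WINDOW = timedelta(seconds=60)   # assumed tuning value
RENAME_THRESHOLD = 5             # assumed: extension-changing renames per host per window
# Assumed ransom-note filename heuristic; tune against what you actually see.
NOTE_PATTERN = re.compile(r"(decrypt|restore_files|recover_files|ransom)", re.IGNORECASE)


def parse(line):
    """Split one audit line into (timestamp, host, action, path, new_path_or_None)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    new_path = parts[4] if len(parts) > 4 else None
    return ts, parts[1], parts[2], parts[3], new_path


def extension(path):
    """Lower-cased extension of the final path component ('' if none)."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(log_text):
    """Return {host: [reason, ...]} for hosts showing ransomware-like file activity."""
    renames = defaultdict(deque)   # host -> timestamps of extension-changing renames
    burst_alerted = set()          # hosts already flagged for a rename burst
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path, new_path = parse(line)
        if action == "RENAME" and new_path and extension(path) != extension(new_path):
            q = renames[host]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop events outside the sliding window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and host not in burst_alerted:
                burst_alerted.add(host)
                alerts[host].append(
                    f"rename_burst:{len(q)} extension changes within "
                    f"{WINDOW.seconds}s, new ext '.{extension(new_path)}'"
                )
        elif action == "CREATE" and NOTE_PATTERN.search(path.rsplit("/", 1)[-1]):
            alerts[host].append(f"ransom_note:{path}")
    return dict(alerts)


if __name__ == "__main__":
    for host, reasons in detect(SAMPLE_LOG).items():
        print(f"QUARANTINE {host}: " + "; ".join(reasons))
```

Ordinary renames that keep the extension (draft.md to final.md) are not counted, so the only host flagged in the sample is ws-17. The output of `detect` is the input to the containment step the article describes: isolate the host from the network while leaving it powered on.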
Communicate with stakeholders as outlined in your incident response plan, including external parties such as customers and law enforcement. Some organizations are legally required to report cyber attacks to regulators or government agencies. In the United States, ransomware incidents can be reported to the FBI through the Internet Crime Complaint Center (IC3) or a local FBI field office.
Make sure to back up your data regularly and keep at least one copy offline or otherwise unreachable from the production network. Backups that are reachable from an infected machine (mapped backup shares, always-connected drives, backup servers that trust domain credentials) will be encrypted by the same attack and will not provide a path forward. Backups are also only useful if they can actually be restored, so test them periodically by restoring real data and verifying it matches what was backed up.
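"Test your backups" is usually left as an instruction with no method. As an added example (not from the original article or any backup product), the script below builds a SHA-256 manifest of a backup set and later verifies the set against it, reporting files that are missing, modified or unexpected. The manifest must be stored somewhere the backup medium's compromise cannot reach, otherwise an attacker who encrypts the backups can rewrite it too. The directory layout and file contents in `demo()` are constructed for the demonstration, and the tampering it performs (one file overwritten with random bytes, one deleted, one note dropped in) is a simulation of ransomware reaching a backup share.

```python
"""Manifest-based backup verification: detect backups that were encrypted or removed."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (as a '/'-separated relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the current contents of root against a trusted manifest."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
        "ok": sorted(p for p in manifest if p in current and current[p] == manifest[p]),
    }


def demo():
    """Constructed scenario: verify a clean backup set, then the same set after tampering."""
    sample = {                      # constructed backup contents
        "db/ledger.sql": b"INSERT INTO ledger VALUES (1, 'opening balance');",
        "docs/policy.txt": b"retention: 90 days",
        "keys/README": b"no secrets are stored here",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        manifest = build_manifest(root)          # would be stored off the backup medium
        clean = verify_backup(root, manifest)

        # Simulated ransomware reaching the backup share.
        with open(os.path.join(root, "db", "ledger.sql"), "wb") as f:
            f.write(os.urandom(64))              # "encrypted" in place
        os.remove(os.path.join(root, "docs", "policy.txt"))
        with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "wb") as f:
            f.write(b"your files are encrypted")
        tampered = verify_backup(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean set:   ", clean)
    print("tampered set:", tampered)
```

A hash manifest confirms the bytes on the backup medium are the ones that were written; it does not prove the application can use them, so the periodic test should still include an actual restore of a database or file set into an isolated environment.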